Update the server stack to support per-resource-server encryption material

[kevinchalet]

Confirm you've already contributed to this project or that you sponsor it

• I confirm I'm a sponsor or a contributor

Describe the solution you'd like

It's already possible to select a specific key on-the-fly using the events model (via the GenerateToken event) to achieve that, but OpenIddict doesn't currently offer a way to do that automatically.

As part of this task, we'll likely want to support both static key material (stored as a JsonWebKeySet alongside the OpenIddict*Application DB entry representing the resource server app) and dynamic key material (represented as a new JsonWebKeySetUri property allowing to retrieve the JWKS document dynamically, using HTTP/HTTPS).

Additional context

No response

[kevinchalet]

(represented as a new JsonWebKeySetUri property allowing to retrieve the JWKS document dynamically, using HTTP/HTTPS).

Note that we may also want to combine that with #2400 to avoid hardcoding the JWKS URI and retrieve the URI dynamically using resource server metadata.