Test against other OIDC providers other than Keycloak

[korydraughn]

No description provided.

[MartinFlores751]

A brief survey of public OpenID Providers' methods for validating access tokens:

• Google
  • Access token only verifiable through following link:
    • https://oauth2.googleapis.com/tokeninfo?access_token=ACCESS_TOKEN
  • See other issue for more details:
    • Have the HTTP API be an OAuth protected resource #155 (comment)
• Microsoft
  • Access token is a JWT, and is verifiable locally (i.e. validating signatures, etc.)
  • Documentation stating this is here:
    • https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens
• Yahoo
  • Provides an introspection endpoint in their well-known configuration
  • Unsure if their access token is a JWT
• Facebook
  • Unsure, but it seems the standard way to verify these tokens are through the following link:
    • https://graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app-token-or-admin-token}
  • Documentation here:
    • https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow#checktoken

A note on what we're trying to look for:

Ideally, we see if an introspection endpoint or JWT access token is provided. This is because they are well-defined methods in standards for verifying access tokens.