app/vmgateway: add OpenID discovery of JWKS endpoints

Signed-off-by: Zakhar Bessarab <z.bessarab@victoriametrics.com>

app/vmgateway/README.md

@@ -206,6 +206,31 @@ mwIDAQAB
 ```
 This command will result in 3 keys loaded: 2 keys from files and 1 from command line.
 
+### Using OpenID discovery endpoint for JWT signature verification
+
+`vmgateway` supports using OpenID discovery endpoint for JWKS keys discovery.
+
+In order to enable [OpenID discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) endpoint for JWT signature verification, you need to specify OpenID discovery endpoint URLs by using `auth.oidcDiscoveryEndpoints` flag.
+When `auth.oidcDiscoveryEndpoints` is specified `vmageteway` will fetch JWKS keys from the specified endpoint and use them for JWT signature verification.
+
+Example usage for tokens issues by Azure Active Directory:
+```console
+/bin/vmgateway -eula \
+  -enable.auth \
+  -write.url=http://localhost:8480 \
+  -read.url=http://localhost:8481 \
+  -auth.oidcDiscoveryEndpoints=https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
+```
+
+Example usage for tokens issues by Google:
+```console
+/bin/vmgateway -eula \
+  -enable.auth \
+  -write.url=http://localhost:8480 \
+  -read.url=http://localhost:8481 \
+  -auth.oidcDiscoveryEndpoints=https://accounts.google.com/.well-known/openid-configuration
+```
+
 ### Using JWKS endpoint for JWT signature verification
 
 `vmgateway` supports using JWKS endpoint for JWT signature verification.
@@ -222,6 +247,15 @@ Example usage for tokens issues by Azure Active Directory:
   -auth.jwksEndpoints=https://login.microsoftonline.com/common/discovery/v2.0/keys
 ```
 
+Example usage for tokens issues by Google:
+```console
+/bin/vmgateway -eula \
+  -enable.auth \
+  -write.url=http://localhost:8480 \
+  -read.url=http://localhost:8481 \
+  -auth.jwksEndpoints=https://www.googleapis.com/oauth2/v3/certs
+```
+
 ## Configuration
 
 The shortlist of configuration flags include the following:

docs/vmgateway.md

@@ -210,6 +210,31 @@ mwIDAQAB
 ```
 This command will result in 3 keys loaded: 2 keys from files and 1 from command line.
 
+### Using OpenID discovery endpoint for JWT signature verification
+
+`vmgateway` supports using OpenID discovery endpoint for JWKS keys discovery.
+
+In order to enable [OpenID discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) endpoint for JWT signature verification, you need to specify OpenID discovery endpoint URLs by using `auth.oidcDiscoveryEndpoints` flag.
+When `auth.oidcDiscoveryEndpoints` is specified `vmageteway` will fetch JWKS keys from the specified endpoint and use them for JWT signature verification.
+
+Example usage for tokens issues by Azure Active Directory:
+```console
+/bin/vmgateway -eula \
+  -enable.auth \
+  -write.url=http://localhost:8480 \
+  -read.url=http://localhost:8481 \
+  -auth.oidcDiscoveryEndpoints=https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
+```
+
+Example usage for tokens issues by Google:
+```console
+/bin/vmgateway -eula \
+  -enable.auth \
+  -write.url=http://localhost:8480 \
+  -read.url=http://localhost:8481 \
+  -auth.oidcDiscoveryEndpoints=https://accounts.google.com/.well-known/openid-configuration
+```
+
 ### Using JWKS endpoint for JWT signature verification
 
 `vmgateway` supports using JWKS endpoint for JWT signature verification.
@@ -226,6 +251,15 @@ Example usage for tokens issues by Azure Active Directory:
   -auth.jwksEndpoints=https://login.microsoftonline.com/common/discovery/v2.0/keys
 ```
 
+Example usage for tokens issues by Google:
+```console
+/bin/vmgateway -eula \
+  -enable.auth \
+  -write.url=http://localhost:8480 \
+  -read.url=http://localhost:8481 \
+  -auth.jwksEndpoints=https://www.googleapis.com/oauth2/v3/certs
+```
+
 ## Configuration
 
 The shortlist of configuration flags include the following: