Investigate options for authenticating jku claims on a client jwt

Conversation/background on this one is at https://chat.fhir.org/#narrow/stream/179250-bulk-data/topic/Are.20servers.20required.20to.20validate.20the.20jku.20header.3F

If we can easilly patch the Keycloak behavior, lets do it.  If not, we can revive this thread in the fhir/smart community.