use jwks caching feature of openid_connect gem

lib/omniauth/strategies/openid_connect.rb

@@ -181,10 +181,12 @@ def authorize_uri
         client.authorization_uri(opts.reject { |_k, v| v.nil? })
       end
 
-      def public_key
-        return config.jwks if options.discovery
-
-        key_or_secret || config.jwks
+      def public_key_or_config
+        if options.discovery || key_or_secret.blank?
+          config
+        else
+          key_or_secret
+        end
       end
 
       private
@@ -231,7 +233,7 @@ def access_token
       end
 
       def decode_id_token(id_token)
-        ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
+        ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key_or_config)
       end
 
       def client_options

omniauth_openid_connect.gemspec

@@ -29,7 +29,7 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'addressable', '~> 2.5'
   spec.add_dependency 'omniauth', '>= 1.9', '< 3'
-  spec.add_dependency 'openid_connect', '~> 1.1'
+  spec.add_dependency 'openid_connect', '~> 1.4'
   spec.add_development_dependency 'faker', '~> 2.0'
   spec.add_development_dependency 'guard', '~> 2.14'
   spec.add_development_dependency 'guard-bundler', '~> 2.2'

test/lib/omniauth/strategies/openid_connect_test.rb

@@ -568,11 +568,37 @@ def test_option_client_auth_method
         assert(strategy.send(:access_token))
       end
 
+      def test_with_no_key_nor_discovery
+        config = ::OpenIDConnect::Discovery::Provider::Config::Response.new(
+          issuer: 'https://example.com/',
+          authorization_endpoint: 'https://example.com/authorization',
+          jwks_uri: 'https://example.com/jwks'
+        )
+        ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+        strategy.options.issuer = 'https://example.com/'
+        strategy.options.discovery = true
+
+        assert_equal config, strategy.public_key_or_config
+      end
+
+      def test_public_key_with_discovery
+        config = ::OpenIDConnect::Discovery::Provider::Config::Response.new(
+          issuer: 'https://example.com/',
+          authorization_endpoint: 'https://example.com/authorization',
+          jwks_uri: 'https://example.com/jwks'
+        )
+        ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
+        strategy.options.issuer = 'https://example.com/'
+        strategy.options.discovery = true
+
+        assert_equal config, strategy.public_key_or_config
+      end
+
       def test_public_key_with_jwks
         strategy.options.client_signing_alg = :RS256
         strategy.options.client_jwk_signing_key = File.read('./test/fixtures/jwks.json')
 
-        assert_equal JSON::JWK::Set, strategy.public_key.class
+        assert_equal JSON::JWK::Set, strategy.public_key_or_config.class
       end
 
       def test_public_key_with_jwk
@@ -582,19 +608,19 @@ def test_public_key_with_jwk
         jwk = jwks['keys'].first
         strategy.options.client_jwk_signing_key = jwk.to_json
 
-        assert_equal JSON::JWK, strategy.public_key.class
+        assert_equal JSON::JWK, strategy.public_key_or_config.class
       end
 
       def test_public_key_with_x509
         strategy.options.client_signing_alg = :RS256
         strategy.options.client_x509_signing_key = File.read('./test/fixtures/test.crt')
-        assert_equal OpenSSL::PKey::RSA, strategy.public_key.class
+        assert_equal OpenSSL::PKey::RSA, strategy.public_key_or_config.class
       end
 
       def test_public_key_with_hmac
         strategy.options.client_options.secret = 'secret'
         strategy.options.client_signing_alg = :HS256
-        assert_equal strategy.options.client_options.secret, strategy.public_key
+        assert_equal strategy.options.client_options.secret, strategy.public_key_or_config
       end
 
       def test_id_token_auth_hash