Spring Security 5.6 is shipping with a new JwtDecoder that defers the OIDC discovery lookups that normally happen during startup.

Users will be able to do, for example:

```java
@Bean
JwtDecoder jwtDecoder() {
    Supplier<JwtDecoder> jwtDecoder = () -> JwtDecoders.fromIssuerLocation("https://issuer/endpoint");
    return new SupplierJwtDecoder(jwtDecoder);
}
```

And the startup configuration won't be invoked until the app first calls JwtDecoder#decode.

Today, Spring Boot does something like the following when only an issuer-uri is provided:

```java
@Bean
JwtDecoder jwtDecoder() {
    return JwtDecoders.fromIssuerLocation("https://issuer/endpoint");
}
```

It would be nice if Spring Boot published the JwtDecoder as a SupplierJwtDecoder to provide a quicker and more resilient startup experience.

If there is a need for users to restore the previous eager-loading behavior, they can publish the bean themselves; however, a property may also be worth considering.
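The startup trade-off described above, as an added example that is not part of the original issue and is not Spring Security's code: a plain-Java model of a supplier-backed decoder in which startup performs no lookup and the first `decode` call triggers it. `Decoder`, `LazyDecoder` and the simulated discovery supplier are hypothetical names, and retrying after a failed lookup is a choice made in this model.

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

// Illustrative model only: Decoder and LazyDecoder are hypothetical stand-ins,
// not Spring Security's JwtDecoder or SupplierJwtDecoder.
public class LazyDecoderDemo {
    interface Decoder { String decode(String token); }

    /** Defers building the real decoder until the first decode() call. */
    static final class LazyDecoder implements Decoder {
        private final Supplier<Decoder> supplier;
        private Decoder delegate; // set only after a successful build

        LazyDecoder(Supplier<Decoder> supplier) { this.supplier = supplier; }

        @Override
        public synchronized String decode(String token) {
            if (delegate == null) {
                // An exception here propagates and nothing is cached,
                // so the next call retries the lookup (this model's choice).
                delegate = supplier.get();
            }
            return delegate.decode(token);
        }
    }

    public static void main(String[] args) {
        AtomicInteger lookups = new AtomicInteger();
        // Constructed stand-in for issuer discovery: unreachable on the first attempt.
        Supplier<Decoder> discovery = () -> {
            if (lookups.incrementAndGet() == 1) {
                throw new IllegalStateException("issuer unreachable");
            }
            return token -> "claims-of(" + token + ")";
        };

        Decoder decoder = new LazyDecoder(discovery); // "startup": no lookup yet
        System.out.println("lookups after startup: " + lookups.get());
        try {
            decoder.decode("t1"); // first use triggers the lookup, which fails
        } catch (IllegalStateException ex) {
            System.out.println("first decode failed: " + ex.getMessage());
        }
        System.out.println(decoder.decode("t2") + ", lookups: " + lookups.get());
        System.out.println(decoder.decode("t3") + ", lookups: " + lookups.get());
    }
}
```

With deferral, a wrong or unreachable issuer location surfaces on the first token validation rather than at boot, so an eager bean or a startup check remains useful where failing fast on misconfiguration matters.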

Comment From: mbhave

Closing in favor of PR #28169.