  1. WildFly Elytron
  2. ELY-2924

Revisit Bearer Token Support

    • Enhancement
    • Resolution: Unresolved
    • Critical

      At the outset WildFly Elytron contained a Bearer authentication mechanism and a TokenSecurityRealm with validator to support RFC-7523; within the OIDC implementation this behaviour is duplicated.

      Whilst it may be desirable for end users to be able to switch between the different approaches we should look to eliminate duplicate code and refactor this to a single shared implementation.

      This also extends to JWK handling: we have two different implementations for processing a JSON Web Key File; as this is backed by a single specification, we should have a single implementation.

      From there we also have two different implementations responsible for fetching remote JWK files, which again should be combined. If we combine them, I would suggest we look at providing an Executor and possibly the use of asynchronous HTTP APIs to possibly initiate the move to some non-blocking calls.

              Unassigned Unassigned
              darran.lofthouse@redhat.com Darran Lofthouse
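
One possible shape for the combined, non-blocking JWK fetch suggested in the description, as an added example that is not WildFly Elytron code. The class name `SharedJwkSetFetcher` and the `parser` function (standing in for the single shared JWK parser) are hypothetical; it assumes Java 16+ and the JDK's `java.net.http` client.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;

/** Hypothetical shared fetcher: one cache and at most one in-flight request per JWKS URI. */
public final class SharedJwkSetFetcher<K> {
    private record Entry<K>(CompletableFuture<K> keys, Instant expires) {}

    private final HttpClient client;
    private final URI jwksUri;
    private final Function<String, K> parser; // the one JWK parser both mechanisms would share
    private final Duration ttl;
    private final AtomicReference<Entry<K>> cache = new AtomicReference<>();

    public SharedJwkSetFetcher(URI jwksUri, Executor executor, Function<String, K> parser, Duration ttl) {
        if (!"https".equalsIgnoreCase(jwksUri.getScheme())) { // verification keys must not travel in clear
            throw new IllegalArgumentException("JWKS must be fetched over https: " + jwksUri);
        }
        this.jwksUri = jwksUri;
        this.parser = parser;
        this.ttl = ttl;
        this.client = HttpClient.newBuilder().executor(executor) // caller-supplied Executor
                .connectTimeout(Duration.ofSeconds(5))
                .followRedirects(HttpClient.Redirect.NEVER)
                .build();
    }

    /** Returns cached keys, joins a fetch already in flight, or starts a new one; never blocks. */
    public CompletableFuture<K> keys() {
        Entry<K> current = cache.get();
        if (current != null && Instant.now().isBefore(current.expires())
                && !current.keys().isCompletedExceptionally()) {
            return current.keys();
        }
        Entry<K> fresh = new Entry<>(new CompletableFuture<>(), Instant.now().plus(ttl));
        if (!cache.compareAndSet(current, fresh)) return cache.get().keys(); // lost the race: reuse
        HttpRequest request = HttpRequest.newBuilder(jwksUri).timeout(Duration.ofSeconds(10)).GET().build();
        client.sendAsync(request, HttpResponse.BodyHandlers.ofString())
              .thenApply(r -> { if (r.statusCode() != 200) throw new IllegalStateException("HTTP " + r.statusCode());
                                return parser.apply(r.body()); })
              .whenComplete((k, e) -> { if (e != null) fresh.keys().completeExceptionally(e); else fresh.keys().complete(k); });
        return fresh.keys();
    }
}
```

A failed fetch is retried on the next call with no backoff, and the response body size is not bounded here; both would need handling before use against untrusted endpoints.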