Which version of Microsoft Identity Web are you using?
1.5.1
Where is the issue?
Web API
[x] Protected web APIs (validating tokens)
Is this a new or an existing app?
New or existing
Repro
Today, Microsoft.Identity.Web allows the developers to provide a collection of token decryption certificates (to be able to rotate certificates), but only the first one is used. See this code
Expected behavior
Developers need to be able to rotate their certificates, and therefore all the certs provided in the TokenDecryptionCertificates property
Actual behavior
Only the first certificate is loaded and used for the token decryption
Possible solution
Use TokenValidationParameters.TokenDecryptionKeys instead of TokenValidationParameters.TokenDecryptionKey. We'll also need to have a new method DefaultCertificateLoader.LoadAllCertificates in addition to the existing method DefaultCertificateLoader.LoadFirstCertificate, with the same signature, but returning a collection of X509Certificate2.
Note we don't want to remove the existing method (LoadFirstCertificate) as it will still be used for client certificates, for which the rotation is helped by the use of sendX5c.
@jmprieur A note about specifying certificates.
Some users have seen issues when specifying the certificate.
A more performant pattern would be to obtain the RSA object from the certificate once on startup and pass an RSASecurityKey(s) instantiated with the RSA object. Our libraries will not dispose of the RSA as they did not create it.
@jmprieur there was a fix for the issue I hit with this in IdentityModel.* 6.8.0; however, Microsoft.AspNetCore.Authentication.* is currently on 6.7.1 of IdentityModel.*, and updating to 6.7.1 does not support net472 or netcoreapp3.1.
So, marking as blocked; we can discuss how to proceed.
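An added C# example (not code from Microsoft.Identity.Web or from the commenters) that reproduces the reported behaviour and the proposed fix with two constructed self-signed certificates: a JWE encrypted to the newly rotated certificate fails to decrypt when only the first certificate is loaded, and succeeds once every certificate populates TokenValidationParameters.TokenDecryptionKeys. The AllDecryptionKeys helper is a hypothetical stand-in for the proposed LoadAllCertificates, and the example assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages on .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

static class DecryptionKeyRotationDemo
{
    // Hypothetical stand-in for the proposed LoadAllCertificates: every configured cert
    // with a private key becomes a decryption key, not only the first. As the comment above
    // suggests, the RSA object is taken once and wrapped in an RsaSecurityKey.
    static IEnumerable<SecurityKey> AllDecryptionKeys(IEnumerable<X509Certificate2> certs) =>
        certs.Where(c => c.HasPrivateKey)
             .Select(c => new RsaSecurityKey(c.GetRSAPrivateKey()) { KeyId = c.Thumbprint });

    // Constructed test certificates; a real app loads them from Key Vault or a store.
    static X509Certificate2 SelfSigned(string subject) =>
        new CertificateRequest(subject, RSA.Create(2048), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

    static void Main()
    {
        // Rotation in progress: the old cert is still listed first, the new one was appended.
        var configured = new[] { SelfSigned("CN=old-decryption"), SelfSigned("CN=new-decryption") };
        var signingKey = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32)); // demo only
        // A caller already encrypts its token (JWE) to the NEW certificate.
        var handler = new JwtSecurityTokenHandler();
        string jwe = handler.CreateEncodedJwt(new SecurityTokenDescriptor
        {
            Issuer = "https://issuer.example", Audience = "api://example",
            EncryptingCredentials = new X509EncryptingCredentials(configured[1]),
            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256),
        });
        TokenValidationParameters Build(IEnumerable<SecurityKey> keys) => new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example", ValidAudience = "api://example",
            IssuerSigningKey = signingKey,
            TokenDecryptionKeys = keys.ToList(), // plural; TokenDecryptionKey (singular) holds one key
        };
        // Reported behaviour: only the first certificate is used, so decryption fails.
        try { handler.ValidateToken(jwe, Build(AllDecryptionKeys(configured.Take(1))), out _); }
        catch (SecurityTokenException e) { Console.WriteLine("first cert only: " + e.GetType().Name); }
        // Proposed behaviour: all certificates populate TokenDecryptionKeys, so the token decrypts.
        var principal = handler.ValidateToken(jwe, Build(AllDecryptionKeys(configured)), out _);
        Console.WriteLine("all certs: validated " + principal.Claims.Count() + " claims");
    }
}
```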