
feat: Multi-Custom Domain (MCD) support with OIDC discovery and unified caching#23

Draft
Copilot wants to merge 1 commit into feat/mcd-initials from copilot/sub-pr-21

Copilot AI commented Mar 16, 2026

Adds Multi-Custom Domain support, enabling token validation against multiple issuer domains for multi-tenant deployments. JWTValidator now performs OIDC discovery (/.well-known/openid-configuration) per issuer to obtain jwks_uri dynamically and cross-validates the discovered issuer against the token's iss claim.

Domain Configuration (three modes)

  • Single domain (auth0.domain) — existing behavior, fully backward compatible
  • Static list (auth0.domains) — YAML-configured list of allowed issuers
  • Dynamic resolver (Auth0DomainResolver bean) — resolves allowed issuers per request from headers, URL path, or unverified iss claim; takes precedence over static list

```java
// Core API — dynamic resolver
AuthOptions options = new AuthOptions.Builder()
    .domainsResolver(context -> {
        String host = context.getHeaders().get("host");
        return lookupIssuersForHost(host);
    })
    .audience("https://api.example.com")
    .build();
```

```yaml
# Spring Boot — static list
auth0:
  domains:
    - "https://tenant-a.us.auth0.com/"
    - "https://tenant-b.eu.auth0.com/"
  cacheMaxEntries: 200
  cacheTtlSeconds: 900
```

```java
// Spring Boot — dynamic resolver bean (auto-wired, overrides auth0.domains)
@Bean
public Auth0DomainResolver domainResolver(TenantService svc) {
    return ctx -> List.of(svc.getDomain(ctx.getHeaders().get("x-tenant-id")));
}
```

Caching

New AuthCache<V> interface with a default thread-safe LRU InMemoryAuthCache. Caches both OIDC discovery metadata and JwkProvider instances using key prefixes (discovery: / jwks:). Configurable via auth0.cacheMaxEntries / auth0.cacheTtlSeconds, or replaceable with a custom implementation (e.g., Redis).

API Surface Changes

  • AuthClient.verifyRequest() now takes only HttpRequestInfo (headers embedded); separate headers parameter removed
  • New model classes: RequestContext, OidcMetadata, Auth0RequestContext (Spring adapter)
  • New core interface: DomainResolver; Spring-specific: Auth0DomainResolver
  • Auth0AutoConfiguration auto-wires all three domain modes and bridges Auth0DomainResolver → core DomainResolver


Copilot AI mentioned this pull request Mar 16, 2026
Copilot AI changed the title [WIP] Add multi-custom domain support for token validation feat: Multi-Custom Domain (MCD) support with OIDC discovery and unified caching Mar 16, 2026
Copilot AI requested a review from tanya732 March 16, 2026 13:11
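
The description above says the validator runs discovery per issuer and cross-validates the discovered issuer against the token's `iss` claim. The sketch below is an added example, not code from this PR or the SDK, showing one safe ordering of those checks: allow-list first, then discovery, then the issuer match, then caching. The class, record and method names are hypothetical, the fetcher stands in for the real HTTPS request, and the sample data is constructed.

```java
import java.util.*;
import java.util.function.Function;

// Added illustration: every name here is hypothetical, not the SDK's API.
public class IssuerGateExample {
    record Discovery(String issuer, String jwksUri) {}

    // Plain map standing in for the LRU/TTL cache; only the "discovery:" prefix is from the PR.
    private final Map<String, Discovery> cache = new HashMap<>();
    private final Function<String, Discovery> fetch; // stands in for the HTTPS GET + JSON parse

    IssuerGateExample(Function<String, Discovery> fetch) { this.fetch = fetch; }

    /** Returns the jwks_uri to verify the signature with, or throws SecurityException. */
    synchronized String jwksUriFor(String unverifiedIss, List<String> allowedIssuers) {
        // 1. The iss claim is untrusted until the signature is checked, so it must
        //    exactly match an allowed issuer before it drives any network call.
        if (unverifiedIss == null || !allowedIssuers.contains(unverifiedIss))
            throw new SecurityException("issuer not allowed: " + unverifiedIss);
        if (!unverifiedIss.startsWith("https://"))
            throw new SecurityException("issuer must be https: " + unverifiedIss);
        String key = "discovery:" + unverifiedIss;
        Discovery d = cache.get(key);
        if (d == null) {
            String sep = unverifiedIss.endsWith("/") ? "" : "/";
            d = fetch.apply(unverifiedIss + sep + ".well-known/openid-configuration");
            // 2. Cross-validate: the metadata must name the same issuer as the token.
            if (d == null || !unverifiedIss.equals(d.issuer()))
                throw new SecurityException("discovery issuer mismatch for " + unverifiedIss);
            cache.put(key, d); // 3. Only validated metadata is cached.
        }
        return d.jwksUri();
    }

    public static void main(String[] args) {
        // Constructed sample data; no network access.
        String a = "https://tenant-a.us.auth0.com/", b = "https://tenant-b.eu.auth0.com/";
        Map<String, Discovery> docs = Map.of(
            a + ".well-known/openid-configuration", new Discovery(a, a + ".well-known/jwks.json"),
            // Constructed bad case: tenant-b's document claims tenant-a as issuer.
            b + ".well-known/openid-configuration", new Discovery(a, a + ".well-known/jwks.json"));
        IssuerGateExample gate = new IssuerGateExample(docs::get);
        List<String> allowed = List.of(a, b);
        System.out.println(gate.jwksUriFor(a, allowed));
        for (String iss : new String[] {b, "https://evil.example/"}) {
            try { gate.jwksUriFor(iss, allowed); }
            catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Requires Java 16 or later for `record`. The issuer outside the allowed list is rejected without the fetcher being called, and the mismatching document is never stored in the cache.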