lock public JWKS generation and re-check cache (#27929)

---------

Co-authored-by: kpcraig <3031348+kpcraig@users.noreply.github.com>

changelog/27929.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+identity/oidc: prevent JWKS from being generated by multiple concurrent requests
+```

vault/identity_store_oidc.go

@@ -1857,6 +1857,20 @@ func (i *IdentityStore) generatePublicJWKS(ctx context.Context, s logical.Storag
 		return jwksRaw.(*jose.JSONWebKeySet), nil
 	}
 
+	i.generateJWKSLock.Lock()
+	defer i.generateJWKSLock.Unlock()
+
+	// Check the cache again incase another requset acquired the lock
+	// before this request.
+	jwksRaw, ok, err = i.oidcCache.Get(ns, "jwks")
+	if err != nil {
+		return nil, err
+	}
+
+	if ok {
+		return jwksRaw.(*jose.JSONWebKeySet), nil
+	}
+
 	if _, err := i.expireOIDCPublicKeys(ctx, s); err != nil {
 		return nil, err
 	}

vault/identity_store_structs.go

@@ -58,8 +58,9 @@ type IdentityStore struct {
 	db *memdb.MemDB
 
 	// locks to make sure things are consistent
-	lock     sync.RWMutex
-	oidcLock sync.RWMutex
+	lock             sync.RWMutex
+	oidcLock         sync.RWMutex
+	generateJWKSLock sync.Mutex
 
 	// groupLock is used to protect modifications to group entries
 	groupLock sync.RWMutex