The OpenID specification requires a JWKs endpoint to list public keys that can verify ID tokens.
Current thinking is to store them in the filesystem either in PEM or JSON format. A Flask command can be created to rotate these on a schedule. These should be stored with the correct file permissions (o-rwx at a minimum).
We should support the EC and RSA algorithms (EC is preferred, RSA is still required by the spec).