.well-known/openid-configuration and jwks
from that location as application/json documents.
Jenkins will continue to maintain the private key,
but beware that unauthorized modification of either document could allow id tokens to be forged.