Feature Request: Support passing HS256/HS384/HS512 shared secret directly in Keys config #79

@NemSimpraga

Description

Currently, when using the plugin with symmetric algorithms (HS256 / HS384 / HS512), it is not possible to provide the shared secret directly in Keys configuration. The plugin only accepts either:

  • A PEM certificate or public key, or
  • A JWKS URL endpoint

However, for symmetric algorithms, there is no public key or PEM format — the signing key is the shared secret.

Expected behavior:

If Alg is HS256 / HS384 / HS512, the plugin should allow the following config:

Keys:
  - "my-shared-secret"
Alg: HS256

This should be sufficient for HS-based algorithms — no JWKS server should be required to expose that secret, which is inherently even less secure than this method.

Current behavior:

When trying to pass the secret this way, the plugin returns:
Invalid configuration, expecting a certificate, public key or JWK URL

Why this matters:

  • For HS* algorithms, exposing the shared secret via a JWKS endpoint does not make sense — JWKS is designed for publishing public keys (for asymmetric algorithms), not for distributing symmetric secrets.
  • Hosting an artificial JWKS server just to expose a static shared secret is unnecessary overhead and creates potential risk.
  • The shared secret is already known to the system — it should be passed directly in the config.
  • The change is backward compatible and easy to implement.

Suggested change:

In ParseKeys() — add support for treating a plain string as the shared secret when:

Alg: HS256 / HS384 / HS512

and the string is not PEM or URL.

I'd be happy to prepare a PR for this — if maintainers agree!
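The sketch below is an added example, not code from the plugin or from the issue author. It assumes the plugin is written in Go and uses a stand-in ParseKeys with an assumed signature (keys []string, alg string); the key-source types, hmacHash map, SignHS and VerifyHS are all hypothetical names introduced here. It shows the classification rule the issue proposes (PEM and URL entries keep their meaning, a bare string is a shared secret only when Alg is HS256/HS384/HS512, and the existing error is still returned otherwise), plus the verifier-side check that belongs with a config-supplied secret: the token header's alg is compared to the configured alg before the secret is used, and the MAC comparison is constant-time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// KeySource classifies one entry of the Keys list (hypothetical type, not the plugin's).
type KeySource int

const (
	KeyPEM          KeySource = iota // PEM certificate or public key (already supported)
	KeyJWKSURL                       // remote JWKS endpoint (already supported)
	KeySharedSecret                  // bare string; accepted only when Alg is HS256/HS384/HS512
)

type ParsedKey struct {
	Source KeySource
	Value  string
}

// ErrInvalidKey mirrors the error message quoted in the issue.
var ErrInvalidKey = errors.New("Invalid configuration, expecting a certificate, public key or JWK URL")

// hmacHash maps each HS* algorithm to its hash constructor; absence means "not an HMAC algorithm".
var hmacHash = map[string]func() hash.Hash{"HS256": sha256.New, "HS384": sha512.New384, "HS512": sha512.New}

// ParseKeys is a stand-in for the plugin's function. PEM blocks and URLs keep their current meaning;
// any other non-empty string becomes the shared secret, but only for HS* algorithms, so a bare
// string paired with RS256 or ES256 still gets the existing error instead of silently becoming a key.
func ParseKeys(keys []string, alg string) ([]ParsedKey, error) {
	_, isHMAC := hmacHash[alg]
	out := make([]ParsedKey, 0, len(keys))
	for _, k := range keys {
		k = strings.TrimSpace(k)
		switch {
		case strings.HasPrefix(k, "-----BEGIN "):
			out = append(out, ParsedKey{KeyPEM, k})
		case strings.HasPrefix(k, "https://") || strings.HasPrefix(k, "http://"):
			out = append(out, ParsedKey{KeyJWKSURL, k})
		case isHMAC && k != "":
			out = append(out, ParsedKey{KeySharedSecret, k})
		default:
			return nil, ErrInvalidKey
		}
	}
	return out, nil
}

// SignHS builds a compact JWS over the secret; used here only to produce input for VerifyHS.
func SignHS(claims map[string]any, alg, secret string) (string, error) {
	newHash, ok := hmacHash[alg]
	if !ok {
		return "", fmt.Errorf("unsupported algorithm %q", alg)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(newHash, []byte(secret))
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS checks a token against the configured algorithm and shared secret. The header alg must
// equal the configured one, so the secret is never used with an algorithm the token chooses for
// itself, and the tag comparison is constant-time.
func VerifyHS(token, alg, secret string) (map[string]any, error) {
	newHash, ok := hmacHash[alg]
	if !ok {
		return nil, fmt.Errorf("unsupported algorithm %q", alg)
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d is not base64url: %w", i, err)
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != alg {
		return nil, fmt.Errorf("token alg %q does not match configured %q", hdr.Alg, alg)
	}
	mac := hmac.New(newHash, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), raw[2]) {
		return nil, errors.New("signature mismatch")
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	return claims, nil
}
```

With this rule, the config from the issue (Keys: ["my-shared-secret"], Alg: HS256) parses to one KeySharedSecret entry, while the same string under RS256 still produces the existing "Invalid configuration" error. PEM and URL entries are only classified here, not loaded; the point of the example is the classification rule and the algorithm pinning that a config-supplied secret needs on the verifying side.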
