kumarT24
diff --git a/‎docs/src/main/asciidoc/config/io_helidon_security_providers_oidc_OidcProvider.adoc‎
Lines changed: 31 additions & 2 deletions b/‎docs/src/main/asciidoc/config/io_helidon_security_providers_oidc_OidcProvider.adoc‎
Lines changed: 31 additions & 2 deletions
diff --git a/‎docs/src/main/asciidoc/config/io_helidon_security_providers_oidc_common_OidcConfig.adoc‎
Lines changed: 31 additions & 2 deletions b/‎docs/src/main/asciidoc/config/io_helidon_security_providers_oidc_common_OidcConfig.adoc‎
Lines changed: 31 additions & 2 deletions
diff --git a/‎microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityFilter.java‎
Lines changed: 13 additions & 1 deletion b/‎microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityFilter.java‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityFilterCommon.java‎
Lines changed: 6 additions & 1 deletion b/‎microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityFilterCommon.java‎
Lines changed: 6 additions & 1 deletion
@@ -1,6 +1,6 @@
 ///////////////////////////////////////////////////////////////////////////////
 
-    Copyright (c) 2023 Oracle and/or its affiliates.
+    Copyright (c) 2023, 2024 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -71,13 +71,35 @@ This type provides the following service implementations:
 |`client-timeout-millis` |Duration |`30000` |Timeout of calls using web client.
 |`cookie-domain` |string |{nbsp} |Domain the cookie is valid for.
  Not used by default.
+|`cookie-encryption-enabled` |boolean |`false` |Whether to encrypt token cookie created by this microservice.
+ Defaults to `false`.
+|`cookie-encryption-enabled-id-token` |boolean |`true` |Whether to encrypt id token cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-enabled-refresh-token` |boolean |`true` |Whether to encrypt refresh token cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-enabled-tenant-name` |boolean |`true` |Whether to encrypt tenant name cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-name` |string |{nbsp} |Name of the encryption configuration available through Security#encrypt(String, byte[]) and
+ Security#decrypt(String, String).
+ If configured and encryption is enabled for any cookie,
+ Security MUST be configured in global or current `io.helidon.common.context.Context` (this
+ is done automatically in Helidon MP).
+|`cookie-encryption-password` |char[] |{nbsp} |Master password for encryption/decryption of cookies. This must be configured to the same value on each microservice
+ using the cookie.
 |`cookie-http-only` |boolean |`true` |When using cookie, if set to true, the HttpOnly attribute will be configured.
  Defaults to `OidcCookieHandler.Builder#DEFAULT_HTTP_ONLY`.
 |`cookie-max-age-seconds` |long |{nbsp} |When using cookie, used to set MaxAge attribute of the cookie, defining how long
  the cookie is valid.
  Not used by default.
 |`cookie-name` |string |`JSESSIONID` |Name of the cookie to use.
  Defaults to `DEFAULT_COOKIE_NAME`.
+|`cookie-name-id-token` |string |`JSESSIONID_2` |Name of the cookie to use for id token.
+ Defaults to `DEFAULT_COOKIE_NAME`_2.
+
+ This cookie is only used when logout is enabled, as otherwise it is not needed.
+ Content of this cookie is encrypted.
+|`cookie-name-refresh-token` |string |`JSESSIONID_3` |The name of the cookie to use for the refresh token.
+ Defaults to `DEFAULT_REFRESH_COOKIE_NAME`.
 |`cookie-name-tenant` |string |`HELIDON_TENANT` |The name of the cookie to use for the tenant name.
  Defaults to `DEFAULT_TENANT_COOKIE_NAME`.
 |`cookie-path` |string |`/` |Path the cookie is valid for.
@@ -97,6 +119,9 @@ This type provides the following service implementations:
  process header containing a JWT.
  Default is "Authorization" header with a prefix "bearer ".
 |`header-use` |boolean |`true` |Whether to expect JWT in a header field.
+|`id-token-signature-validation` |boolean |`true` |Whether id token signature check should be enabled.
+ Signature check is enabled by default, and it is highly recommended to not change that.
+ Change this setting only when you really know what you are doing, otherwise it could case security issues.
 |`identity-uri` |URI |{nbsp} |URI of the identity server, base used to retrieve OIDC metadata.
 |`introspect-endpoint-uri` |URI |{nbsp} |Endpoint to use to validate JWT.
  Either use this or set #signJwk(JwkKeys) or #signJwk(Resource).
@@ -123,7 +148,8 @@ This type provides the following service implementations:
  Defaults to `DEFAULT_PROXY_PORT`
 |`proxy-protocol` |string |`http` |Proxy protocol to use when proxy is used.
  Defaults to `DEFAULT_PROXY_PROTOCOL`.
-|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT token when parameter is used.
+|`query-id-token-param-name` |string |`id_token` |Name of a query parameter that contains the JWT id token when parameter is used.
+|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT access token when parameter is used.
 |`query-param-tenant-name` |string |`h_tenant` |Name of a query parameter that contains the tenant name when the parameter is used.
  Defaults to #DEFAULT_TENANT_PARAM_NAME.
 |`query-param-use` |boolean |`false` |Whether to use a query parameter to send JWT token from application to this
@@ -167,6 +193,9 @@ This type provides the following service implementations:
  code.
  If not defined, it is obtained from #oidcMetadata(Resource), if that is not defined
  an attempt is made to use #identityUri(URI)/oauth2/v1/token.
+|`token-signature-validation` |boolean |`true` |Whether access token signature check should be enabled.
+ Signature check is enabled by default, and it is highly recommended to not change that.
+ Change this setting only when you really know what you are doing, otherwise it could case security issues.
 |`use-jwt-groups` |boolean |`true` |Claim `groups` from JWT will be used to automatically add
   groups to current subject (may be used with jakarta.annotation.security.RolesAllowed annotation).
 |`validate-jwt-with-jwk` |boolean |`true` |Use JWK (a set of keys to validate signatures of JWT) to validate tokens.
 
@@ -1,6 +1,6 @@
 ///////////////////////////////////////////////////////////////////////////////
 
-    Copyright (c) 2023 Oracle and/or its affiliates.
+    Copyright (c) 2023, 2024 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -60,13 +60,35 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
 |`client-timeout-millis` |Duration |`30000` |Timeout of calls using web client.
 |`cookie-domain` |string |{nbsp} |Domain the cookie is valid for.
  Not used by default.
+|`cookie-encryption-enabled` |boolean |`false` |Whether to encrypt token cookie created by this microservice.
+ Defaults to `false`.
+|`cookie-encryption-enabled-id-token` |boolean |`true` |Whether to encrypt id token cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-enabled-refresh-token` |boolean |`true` |Whether to encrypt refresh token cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-enabled-tenant-name` |boolean |`true` |Whether to encrypt tenant name cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-name` |string |{nbsp} |Name of the encryption configuration available through Security#encrypt(String, byte[]) and
+ Security#decrypt(String, String).
+ If configured and encryption is enabled for any cookie,
+ Security MUST be configured in global or current `io.helidon.common.context.Context` (this
+ is done automatically in Helidon MP).
+|`cookie-encryption-password` |char[] |{nbsp} |Master password for encryption/decryption of cookies. This must be configured to the same value on each microservice
+ using the cookie.
 |`cookie-http-only` |boolean |`true` |When using cookie, if set to true, the HttpOnly attribute will be configured.
  Defaults to `OidcCookieHandler.Builder#DEFAULT_HTTP_ONLY`.
 |`cookie-max-age-seconds` |long |{nbsp} |When using cookie, used to set MaxAge attribute of the cookie, defining how long
  the cookie is valid.
  Not used by default.
 |`cookie-name` |string |`JSESSIONID` |Name of the cookie to use.
  Defaults to `DEFAULT_COOKIE_NAME`.
+|`cookie-name-id-token` |string |`JSESSIONID_2` |Name of the cookie to use for id token.
+ Defaults to `DEFAULT_COOKIE_NAME`_2.
+
+ This cookie is only used when logout is enabled, as otherwise it is not needed.
+ Content of this cookie is encrypted.
+|`cookie-name-refresh-token` |string |`JSESSIONID_3` |The name of the cookie to use for the refresh token.
+ Defaults to `DEFAULT_REFRESH_COOKIE_NAME`.
 |`cookie-name-tenant` |string |`HELIDON_TENANT` |The name of the cookie to use for the tenant name.
  Defaults to `DEFAULT_TENANT_COOKIE_NAME`.
 |`cookie-path` |string |`/` |Path the cookie is valid for.
@@ -86,6 +108,9 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
  process header containing a JWT.
  Default is "Authorization" header with a prefix "bearer ".
 |`header-use` |boolean |`true` |Whether to expect JWT in a header field.
+|`id-token-signature-validation` |boolean |`true` |Whether id token signature check should be enabled.
+ Signature check is enabled by default, and it is highly recommended to not change that.
+ Change this setting only when you really know what you are doing, otherwise it could case security issues.
 |`identity-uri` |URI |{nbsp} |URI of the identity server, base used to retrieve OIDC metadata.
 |`introspect-endpoint-uri` |URI |{nbsp} |Endpoint to use to validate JWT.
  Either use this or set #signJwk(JwkKeys) or #signJwk(Resource).
@@ -107,7 +132,8 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
  Defaults to `DEFAULT_PROXY_PORT`
 |`proxy-protocol` |string |`http` |Proxy protocol to use when proxy is used.
  Defaults to `DEFAULT_PROXY_PROTOCOL`.
-|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT token when parameter is used.
+|`query-id-token-param-name` |string |`id_token` |Name of a query parameter that contains the JWT id token when parameter is used.
+|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT access token when parameter is used.
 |`query-param-tenant-name` |string |`h_tenant` |Name of a query parameter that contains the tenant name when the parameter is used.
  Defaults to #DEFAULT_TENANT_PARAM_NAME.
 |`query-param-use` |boolean |`false` |Whether to use a query parameter to send JWT token from application to this
@@ -151,6 +177,9 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
  code.
  If not defined, it is obtained from #oidcMetadata(Resource), if that is not defined
  an attempt is made to use #identityUri(URI)/oauth2/v1/token.
+|`token-signature-validation` |boolean |`true` |Whether access token signature check should be enabled.
+ Signature check is enabled by default, and it is highly recommended to not change that.
+ Change this setting only when you really know what you are doing, otherwise it could case security issues.
 |`validate-jwt-with-jwk` |boolean |`true` |Use JWK (a set of keys to validate signatures of JWT) to validate tokens.
  Use this method when you want to use default values for JWK or introspection endpoint URI.
 
 
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2018, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,6 +43,7 @@
 import io.helidon.security.integration.common.SecurityTracing;
 import io.helidon.security.internal.SecurityAuditEvent;
 import io.helidon.security.providers.common.spi.AnnotationAnalyzer;
+import io.helidon.webserver.security.SecurityHttpFeature;
 
 import jakarta.annotation.PostConstruct;
 import jakarta.annotation.Priority;
@@ -56,6 +57,7 @@
 import jakarta.ws.rs.container.ContainerResponseFilter;
 import jakarta.ws.rs.core.Application;
 import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MultivaluedMap;
 import jakarta.ws.rs.core.Response;
 import org.glassfish.jersey.server.ExtendedUriInfo;
 import org.glassfish.jersey.server.model.AbstractResourceModelVisitor;
@@ -182,6 +184,16 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
         } else {
             return;
         }
+        io.helidon.common.context.Context helidonContext = Contexts.context()
+                .orElseThrow(() -> new IllegalStateException("Context must be available in Jersey"));
+        helidonContext.get(SecurityHttpFeature.CONTEXT_RESPONSE_HEADERS, Map.class)
+                .map(it -> (Map<String, List<String>>) it)
+                .ifPresent(it -> {
+                    MultivaluedMap<String, Object> headers = responseContext.getHeaders();
+                    for (Map.Entry<String, List<String>> entry : it.entrySet()) {
+                        entry.getValue().forEach(value -> headers.add(entry.getKey(), value));
+                    }
+                });
 
         SecurityFilterContext fc = (SecurityFilterContext) requestContext.getProperty(PROP_FILTER_CONTEXT);
         SecurityDefinition methodSecurity = jerseySecurityContext.methodSecurity();
 
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2018, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 
 import io.helidon.common.HelidonServiceLoader;
 import io.helidon.common.config.Config;
+import io.helidon.common.context.Contexts;
 import io.helidon.common.uri.UriQuery;
 import io.helidon.microprofile.security.spi.SecurityResponseMapper;
 import io.helidon.security.AuthenticationResponse;
@@ -37,6 +38,7 @@
 import io.helidon.security.integration.common.AtnTracing;
 import io.helidon.security.integration.common.AtzTracing;
 import io.helidon.security.integration.common.SecurityTracing;
+import io.helidon.webserver.security.SecurityHttpFeature;
 
 import jakarta.ws.rs.WebApplicationException;
 import jakarta.ws.rs.container.ContainerRequestContext;
@@ -198,6 +200,9 @@ protected void processAuthentication(SecurityFilterContext context,
         switch (responseStatus) {
             case SUCCESS -> {
                 //everything is fine, we can continue with processing
+                io.helidon.common.context.Context helidonContext = Contexts.context()
+                        .orElseThrow(() -> new IllegalStateException("Context must be available in Jersey"));
+                helidonContext.register(SecurityHttpFeature.CONTEXT_RESPONSE_HEADERS, response.responseHeaders());
             }
             case FAILURE_FINISH -> {
                 if (methodSecurity.authenticationOptional()) {