
OIDC - maybe allow id token for authentication #3590

Closed
tomas-langer opened this issue Oct 27, 2021 · 3 comments · Fixed by #8153
Labels: 4.x (Version 4.x), enhancement (New feature or request), P2, security

@tomas-langer (Member) commented Oct 27, 2021:

Similar to what was proposed in #3457

This requires some analysis of whether such usage is the right way to go.

@tomas-langer tomas-langer added enhancement New feature or request security labels Oct 27, 2021
@tomas-langer tomas-langer changed the title from "OIDC see if we could use id token for authentication" to "OIDC - maybe allow id token for authentication" Oct 27, 2021
@jmntn2000 (Contributor) commented:

The one issue is that the expiry time is usually longer on the ID token than on the access token. Access tokens usually have a short lifespan so that applications have to check in with the IdP to make sure the session is still valid. If the ID token had a longer time to live set, then the application may incorrectly assume the user is still logged in.

I do think we need to take your recent changes with putting the ID token in the cookie and utilize that to build the principal, since it usually has more attributes about the user than the access token.
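The lifetime mismatch described in the comment above, as an added example that is neither Helidon's code nor the commenter's: both tokens are verified (signature, `exp`, and `aud` on the ID token), the session check is gated on the short-lived access token, and the principal's attributes are taken from the ID-token claims because the access token does not carry them. The HS256 shared key, the claim values, the client ID and all function names are constructed assumptions for the demo; a real provider signs with an asymmetric key that you verify against its JWKS, but the `exp`/`aud` logic is the same.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed HS256 key for the demo (assumption). Real OIDC providers use RS256/ES256
# and you verify against the provider's JWKS; the exp/aud handling below is unchanged.
SECRET = b"constructed-demo-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Create an HS256 JWT. Demo only: in practice the IdP mints tokens, not the app."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int, audience: Optional[str] = None) -> Optional[dict]:
    """Return the claims if signature, exp and (when given) aud all check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # reject alg=none and algorithm-confusion tokens outright
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, AttributeError, TypeError):
        return None  # malformed structure, bad base64, bad JSON
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if audience is not None and claims.get("aud") != audience:
        return None  # an ID token minted for another client must not log a user in here
    return claims


def session_state(access_token: str, id_token: str, key: bytes, now: int, client_id: str) -> dict:
    access = verify_jwt(access_token, key, now)
    ident = verify_jwt(id_token, key, now, audience=client_id)
    return {
        "access_valid": access is not None,
        "id_valid": ident is not None,
        # The trap from the comment: the ID token is still live long after the access
        # token expired, so judging the session by it alone keeps saying "logged in".
        "logged_in_by_id_token": ident is not None,
        # Gate the session on the short-lived access token; use the ID token for identity.
        "logged_in": access is not None,
    }


def build_principal(id_claims: dict) -> dict:
    """Build the principal from ID-token claims, which carry profile attributes the access token lacks."""
    attrs = {k: id_claims[k] for k in ("email", "name", "groups") if k in id_claims}
    return {"subject": id_claims["sub"], "attributes": attrs}


# Constructed sample tokens: a 5-minute access token and a 1-hour ID token for the same user.
ISSUED = 1_700_000_000
CLIENT_ID = "helidon-app"
ACCESS_TOKEN = mint_jwt({"sub": "alice", "scope": "openid", "iat": ISSUED, "exp": ISSUED + 300}, SECRET)
ID_TOKEN = mint_jwt({"sub": "alice", "aud": CLIENT_ID, "email": "alice@example.com", "name": "Alice",
                     "groups": ["dev"], "iat": ISSUED, "exp": ISSUED + 3600}, SECRET)

if __name__ == "__main__":
    for t in (ISSUED + 60, ISSUED + 600):
        print(t - ISSUED, "s after issue:", session_state(ACCESS_TOKEN, ID_TOKEN, SECRET, t, CLIENT_ID))
    print(build_principal(verify_jwt(ID_TOKEN, SECRET, ISSUED + 60, CLIENT_ID)))
```

Ten minutes after issue the access token fails `verify_jwt` while the ID token still passes, which is exactly the state in which a session keyed on the ID token would be wrong; `build_principal` shows why the ID token is still the better source for the principal's attributes once the access token has established that the session is live.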

@m0mus m0mus added the P3 label Nov 8, 2021
@jmntn2000 (Contributor) commented Nov 12, 2021:

See pull request #3637

Tried to build off of the updates from @tomas-langer and add the following functionality to OIDC:

  1. Added server-side refresh. If you are using cookies and a server-side OIDC provider, you run into issues when the access token expires. All JavaScript-related calls from the client will fail due to the expired token, and JS calls from an SPA will not redirect to lean on the OIDC provider for new tokens. To solve this I saved the refresh token encrypted in a separate cookie, and when the access token used for the request is expired I refresh it and update the cookies so there is no disruption to the client (assuming the refresh token is still valid).

  2. Changed the build subject to utilize the ID token for the principal if available.

  3. Added the logout-uri option to the config.

  4. Added a force-https option to the config for building redirect URIs. This is helpful if you are behind an HTTPS load balancer and Helidon itself is serving HTTP, causing the get scheme or isSecure methods to return http. This option will force all URL builds to use https even if Helidon itself served http on the received request.
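The server-side refresh (item 1) and the force-https redirect URI (item 4) from the comment above, as an added example that is not code from PR #3637 or from Helidon. The access token and its expiry live in one sealed cookie, the refresh token in a separate one; a request with an expired access token is refreshed against the token endpoint before the application sees it, so SPA calls are not bounced to the IdP. The cookie names, keys, clock skew, the stub refresh grant and its rotation table are constructed assumptions, and the HMAC-SHA256 counter-mode cipher plus encrypt-then-MAC is a stdlib-only stand-in so the block runs anywhere; in production use an AEAD such as AES-GCM with keys from config or a KMS.

```python
import hashlib
import hmac
import json
import os
from typing import Callable, Dict, Optional, Tuple

# Constructed keys and cookie names (assumptions, not Helidon's). Keys are derived from
# literals only so the demo runs; real keys come from config or a KMS and get rotated.
ENC_KEY = hashlib.sha256(b"constructed-cookie-enc-key").digest()
MAC_KEY = hashlib.sha256(b"constructed-cookie-mac-key").digest()
ACCESS_COOKIE = "helidon_access"
REFRESH_COOKIE = "helidon_refresh"
SKEW = 30  # seconds of clock skew: treat the access token as expired this early


def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib-only stand-in for a real
    # cipher. In production use an AEAD (AES-GCM) and drop this and the hand-rolled MAC.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(plaintext: bytes) -> str:
    """Encrypt-then-MAC a cookie value: hex(nonce || ciphertext || tag)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def open_sealed(value: str) -> Optional[bytes]:
    """Check the tag before touching the ciphertext; None on tampering or garbage."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return None
    if len(raw) < 48:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))


def issue_cookies(token_response: dict, now: int) -> Dict[str, str]:
    """Turn an IdP token-endpoint response into cookie values (expires_in is seconds)."""
    access = {"access_token": token_response["access_token"],
              "expires_at": now + int(token_response["expires_in"])}
    cookies = {ACCESS_COOKIE: seal(json.dumps(access).encode())}
    if "refresh_token" in token_response:
        # The refresh token gets its own encrypted cookie and is never handed to JS.
        cookies[REFRESH_COOKIE] = seal(token_response["refresh_token"].encode())
    return cookies


def resolve_access_token(cookies: Dict[str, str], now: int,
                         refresh_grant: Callable[[str], Optional[dict]]) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (access token for this request, cookies to set on the response).

    A live access token is used as-is. An expired one is refreshed server-side via the
    refresh_token grant so an SPA's XHR calls keep working instead of failing with an
    expired token. (None, {}) means redirect to login; cookies set to "" mean the
    session is dead and must be cleared.
    """
    raw = open_sealed(cookies.get(ACCESS_COOKIE, ""))
    if raw is not None:
        access = json.loads(raw)
        if access["expires_at"] > now + SKEW:
            return access["access_token"], {}
    refresh_raw = open_sealed(cookies.get(REFRESH_COOKIE, ""))
    if refresh_raw is None:
        return None, {}
    response = refresh_grant(refresh_raw.decode())
    if response is None:  # IdP rejected or revoked the refresh token
        return None, {ACCESS_COOKIE: "", REFRESH_COOKIE: ""}
    return response["access_token"], issue_cookies(response, now)


def redirect_uri(request_scheme: str, host: str, path: str, force_https: bool) -> str:
    """Build the redirect URI; force_https overrides the http scheme seen behind a TLS-terminating LB."""
    scheme = "https" if force_https else request_scheme
    return f"{scheme}://{host}{path}"


# Constructed stand-in for the IdP token endpoint's refresh_token grant, with rotation.
ROTATION = {"rt-1": "rt-2", "rt-2": "rt-3"}


def fake_refresh_grant(refresh_token: str) -> Optional[dict]:
    nxt = ROTATION.get(refresh_token)
    if nxt is None:
        return None
    return {"access_token": f"at-for-{nxt}", "expires_in": 300, "refresh_token": nxt}


if __name__ == "__main__":
    t0 = 1_700_000_000
    jar = issue_cookies({"access_token": "at-1", "expires_in": 300, "refresh_token": "rt-1"}, t0)
    print(resolve_access_token(jar, t0 + 10, fake_refresh_grant)[0])
    tok, updated = resolve_access_token(jar, t0 + 400, fake_refresh_grant)
    print(tok, open_sealed(updated[REFRESH_COOKIE]))
    print(redirect_uri("http", "app.example.com", "/oidc/redirect", force_https=True))
```

Two points a reviewer would check in the real PR: the refresh cookie is opened only after its MAC verifies, so a tampered cookie degrades to "redirect to login" rather than to a token-endpoint call with attacker-controlled input, and a rejected refresh clears both cookies so the client does not loop on a dead session.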

@jmntn2000 (Contributor) commented:

@tomas-langer Could you please review these OIDC changes so we can look at getting them merged? Let me know if you see anything you want changed or added and I can get it done. Thanks!
