[OIDC] Support the OIDC redirect (Cookies) flow only for the specific endpoints #11195

@aivinog1

Description

Helidon Version: 4.3.2

Enhancement Request: Granular Redirect Strategy for OIDC Provider

Summary

Currently, the redirect property in OidcConfig acts as a global toggle:

  • redirect(true): Always initiates the OIDC authorization redirect.
  • redirect(false): Always returns 401 Unauthorized.

I propose a granular redirect strategy that allows different behavior depending on the request path or request headers.

Motivation

When building a Single Page Application (SPA) using a cookie-based OIDC flow with a third-party Identity Provider (e.g., Auth0 or Okta), we face a common constraint:

  1. API calls (AJAX/Fetch): Must return 401 Unauthorized. Browser CORS restrictions prevent these requests from following cross-origin redirects to the IdP's /authorize endpoint.
  2. Interactive endpoints (e.g., /login): Must initiate the full OIDC redirect flow. This involves generating state/nonce cookies, constructing the authorization request, and performing the top-level browser redirect.

This "hybrid" approach (401 for APIs, Redirect for specific routes) is the standard for secure SPA + OIDC architectures.

Current Limitation

With the current global redirect setting:

  • Enabling redirect(true) causes SPA fetch calls to fail due to CORS when the session expires.
  • Enabling redirect(false) forces developers to manually reimplement Helidon’s internal OIDC logic (handling state cookies, building complex URI strings) inside a custom "bridge" endpoint to support manual logins.

Reimplementing this internal logic is error-prone and leads to maintenance overhead and potential security gaps.
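The hybrid behaviour requested above, sketched as an added example (not Helidon's code and not the reporter's): the decision between 401 and the redirect is made per request from the path and the fetch-metadata headers, the redirect branch generates the state/nonce cookies and the authorization request, and the callback check compares the echoed state against the cookie. The IdP endpoint, client id, redirect URI and cookie names are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode

# Constructed placeholders for this example; a real deployment takes these from OidcConfig.
AUTHORIZE_ENDPOINT = "https://idp.example.invalid/authorize"
CLIENT_ID = "spa-client-id"
REDIRECT_URI = "https://app.example.invalid/oidc/redirect"
REDIRECT_PATHS = ("/login",)  # only these paths may trigger the cookie/redirect flow


def wants_redirect(path: str, headers: dict) -> bool:
    """True only for a top-level browser navigation to a redirect path.

    Everything else without a session (API calls, fetch/XHR traffic) gets 401,
    because a CORS request cannot follow a cross-origin redirect to the IdP."""
    h = {k.lower(): v for k, v in headers.items()}
    if not any(path == p or path.startswith(p + "/") for p in REDIRECT_PATHS):
        return False
    # fetch()/XHR calls carry Sec-Fetch-Mode: cors (or same-origin); a user
    # clicking a link or typing a URL sends "navigate".
    if h.get("sec-fetch-mode", "navigate") != "navigate":
        return False
    if h.get("x-requested-with", "").lower() == "xmlhttprequest":
        return False
    return True


def unauthenticated_response(path: str, headers: dict) -> dict:
    """Build the response for a request that has no valid session."""
    if not wants_redirect(path, headers):
        return {"status": 401,
                "headers": {"WWW-Authenticate": 'Bearer realm="api"'},
                "cookies": {}}
    # Fresh unpredictable state and nonce per redirect; the state cookie is
    # compared against the value the IdP echoes back on the callback.
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid",
              "state": state, "nonce": nonce}
    cookie_attrs = "; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=300"
    return {"status": 302,
            "headers": {"Location": f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"},
            "cookies": {"OIDC_STATE": state + cookie_attrs,
                        "OIDC_NONCE": nonce + cookie_attrs}}


def callback_state_ok(query_state: str, cookie_state: str) -> bool:
    """On the callback, the echoed state must equal the cookie set before the
    redirect; a constant-time compare avoids leaking the value by timing."""
    return bool(query_state) and secrets.compare_digest(query_state, cookie_state)
```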

Metadata

Labels: enhancement (New feature or request)