Description
The TokenResource class mixes the use of the JAX-RS Response builder and an injected HttpServletResponse context object. These really can't be mixed.
The entity content is written to the injected HttpServletResponse, but the JAX-RS Response object is returned separately. The result is that the entity gets to the client, but the content-related headers don't reflect that content because they're written by the Response object (which doesn't know anything about the content).
Rather than using the injected HttpServletResponse object, TokenResource should use ONLY the JAX-RS facility for writing the response content.
// return Response.ok().entity(jsonResponse).build();