
Understanding security mechanisms of JHipster: When to use JWT, HTTP Session or OAuth2 and OpenID Connect?


I'm creating a monolithic application (something like an e-commerce site or a marketplace) and I'm concerned that it is secure. I understand (broadly speaking) how JWT works, but I'm not sure about HTTP Session or OAuth2 and OpenID Connect.

When is it advisable to use each of these options?


Solution

  • For a monolith, I would rather recommend HTTP session over JHipster's JWT implementation because it's more secure: on the client, it uses an HttpOnly secure cookie, while the JWT is stored in the browser's LocalStorage. If you want to scale your monolith horizontally by running multiple instances, you will have to manage session replication, but Spring does it well. HTTP session is well known and described in the Spring Security docs.

    OAuth2 and OpenID Connect are better when you want to authenticate against other identity providers like Google, Facebook, ... They also make more sense in the context of a microservices architecture.
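As an added example (not part of the answer above, and not JHipster's own code), a small audit that checks whether the session cookie a Spring/JHipster monolith sets actually carries the HttpOnly and Secure flags the answer relies on, plus a SameSite restriction. The Set-Cookie header values are constructed samples; the cookie name JSESSIONID is the Spring Boot default, not something taken from this page.

```python
# Added example: audit Set-Cookie headers for the session-cookie flags that make
# HTTP session safer than a token in LocalStorage. Header values are constructed.
from typing import Dict, List, Tuple

REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header into (cookie name, lower-cased attribute map)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag-only attrs map to ""
    return name.strip(), attrs


def audit_session_cookie(header: str, session_name: str = "JSESSIONID") -> List[str]:
    """Return a list of problems; an empty list means the cookie is acceptable."""
    name, attrs = parse_set_cookie(header)
    if name != session_name:
        return [f"not the session cookie (got {name!r})"]
    problems = [f"missing {flag}" for flag in REQUIRED_FLAGS if flag not in attrs]
    # Lax or Strict keeps the browser from attaching the cookie to most cross-site
    # requests; anything else (absent, or None) leaves the CSRF surface wider.
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("samesite not lax/strict")
    return problems


# Constructed sample headers: a hardened session cookie and a weak one.
GOOD = "JSESSIONID=1A2B3C; Path=/; HttpOnly; Secure; SameSite=Lax"
WEAK = "JSESSIONID=1A2B3C; Path=/"

if __name__ == "__main__":
    for h in (GOOD, WEAK):
        print(h, "->", audit_session_cookie(h) or "OK")
```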