Parameter: DEBUG_OIDC
Short description: Enables debug output for the OIDC provider and OIDC client functionality introduced in 14.5 – shows token requests, ID token claims, and IdP catalog lookups.
Profile
Parameter | DEBUG_OIDC |
Category | Logging / Debug |
Component | Server |
Available since | 14.5 |
Supported versions | 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = off (default), 1 = basic, 2 = verbose, 3 = trace (incl. tokens – temporary only!) |
Description
Domino 14.5 brings its own OIDC provider implementation as well as OIDC client support for login via external Identity Providers (Azure AD/Entra ID, Okta, Keycloak, Google…).
DEBUG_OIDC writes detailed trace output for all OIDC operations – authorization code flow, token requests, ID token validation, claim mapping, JWKS lookups, and refresh token handling.
It is useful for troubleshooting problems such as: login via Entra ID fails, a claim is not mapped to a Notes user, token validation fails, an IdP catalog entry is not found, or a refresh token is not accepted.
Example configuration
DEBUG_OIDC=2
Debug_Outfile=/local/notesdata/IBM_TECHNICAL_SUPPORT/oidc_debug.log
Notes & pitfalls
- Level 3 logs complete ID tokens – sensitive, enable only temporarily.
- Takes effect immediately via set config DEBUG_OIDC=...; a restart of the HTTP task is not strictly required.
- Entries appear in console.log and in Debug_Outfile.
- Complementary to DEBUG_OIDC_VAULT, DEBUG_OIDCLOGIN, DEBUG_HTTPINOUT, DEBUG_LTPA.
- For mapping problems, check the IdP catalog document and iam-client-config.nsf.
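
The level 3 note above matters most when oidc_debug.log is copied off the server for a support case. The following added example (not part of the original page or of Domino) replaces each JWT-shaped ID token in a log line with a short summary of its iss, aud and exp claims. The sample log line and token are constructed, and the list of claims to keep is an assumption.

```python
import base64
import json
import re

# An ID token is a compact JWS: three base64url segments joined by dots.
# A JSON object header always encodes to a segment starting with "eyJ".
# Opaque (non-JWT) access or refresh tokens are not matched by this pattern.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Claims kept for troubleshooting (assumption: adjust to local policy).
KEEP_CLAIMS = ("iss", "aud", "exp")


def _b64url_json(segment):
    """Decode one base64url segment to a dict; None if it is not a JSON object."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None


def _summarise(match):
    header, payload, _signature = match.group(0).split(".")
    claims = _b64url_json(payload)
    if _b64url_json(header) is None or claims is None:
        return match.group(0)  # JWT-shaped but not decodable: leave untouched
    kept = {k: claims[k] for k in KEEP_CLAIMS if k in claims}
    return "[JWT redacted " + json.dumps(kept, sort_keys=True) + "]"


def redact_line(line):
    """Replace each JWT in a log line with a summary that cannot be replayed."""
    return JWT_RE.sub(_summarise, line)


def make_sample_token():
    """Constructed token for the demo; the signature bytes are filler."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"iss": "https://idp.example", "aud": "domino",
              "exp": 1900000000, "email": "jdoe@example.com"}
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2lnbmF0dXJl"])


if __name__ == "__main__":
    # Constructed log line; the real DEBUG_OIDC line layout is not shown on the page.
    print(redact_line("OIDC> ID token: " + make_sample_token()))
```

Run it over a copy of the log before sharing, and keep the unredacted file on the server only for as long as the trace is needed.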