DEBUG_OIDC_CACHE

Parameter: DEBUG_OIDC_CACHE
Short description: Enables debug tracing for the global OIDC provider cache (JWK cache) starting with Domino 14.0. Replaces the earlier DEBUG_JWK_CACHE and DEBUG_JWK_CACHE_MGR parameters from 12.0.2.

Profile

Parameter: DEBUG_OIDC_CACHE
Category: Logging / Debug
Component: Server (HTTP task / OIDC cache)
Available since: Domino 14.0
Supported versions: 14.0, 14.5, 14.5.1
GUI equivalent: notes.ini only (no GUI)
Possible values: 0, 1, 2, 3, 4, 5, 6; default 0 (off)

Description

With Domino 14.0, the per-process JWK cache and the JWKCacheMgrThread from 12.0.2 were merged into a global, cross-process OIDC provider cache. This cache centrally holds the .well-known/openid-configuration documents, the signing keys delivered via jwks_uri, as well as further metadata of the configured OIDC providers.
DEBUG_OIDC_CACHE controls the level of detail of the trace output around this cache:
  • Initial loading of the provider configuration
  • Updating the JWKs delivered by the provider (key rotation)
  • Cache hits/misses per key ID (kid)
  • Expiry of cached configurations and next due time
  • Cryptographic checks and signature validation
Thus DEBUG_OIDC_CACHE replaces the two older notes.ini variables DEBUG_JWK_CACHE and DEBUG_JWK_CACHE_MGR, which still existed separately in 12.0.2 and have been removed from 14.0 onward.
Typical use cases:
  • Errors in OIDC web login or HTTP Bearer Auth whose cause is not in the token itself but in key resolution ("kid not found")
  • Diagnostics after key rotation at the IdP
  • Verifying whether OIDC_LOGIN_CLOCK_SKEW_SEC takes effect or when the cache is considered stale
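
An offline check that can be run alongside the trace to separate a token problem from a key-resolution problem: it reads the kid and alg from a token header and classifies how they resolve against a JWKS document as delivered via jwks_uri. This is an added example, not HCL code, and it does not reproduce Domino's cache logic; the function names, result strings, kid values and sample JWKS are constructed for illustration.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_header(token: str) -> dict:
    """Return the unverified JOSE header; for diagnosis only, never for trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(b64url_decode(parts[0]))

# First two letters of alg -> key type the JWK must have (RFC 7518 / RFC 8037)
ALG_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "Ed": "OKP"}

def resolve_kid(token: str, jwks: dict) -> str:
    """Classify why a token's signing key would or would not resolve."""
    hdr = jwt_header(token)
    kid, alg = hdr.get("kid"), hdr.get("alg", "")
    if kid is None:
        return "token-has-no-kid"
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matches:
        return "kid-not-in-jwks"      # e.g. key rotated, or wrong provider
    key = matches[0]
    if key.get("use", "sig") != "sig":
        return "key-not-for-signing"
    if key.get("kty") != ALG_KTY.get(alg[:2]):
        return "alg-kty-mismatch"
    return "kid-resolves"

def make_token(header: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'sample'})}.c2ln"

# Constructed sample: JWKS after a rotation from key-2023 to key-2024
# (key material such as n/e omitted; only the fields checked here are present)
SAMPLE_JWKS = {"keys": [
    {"kid": "key-2024", "kty": "RSA", "use": "sig", "alg": "RS256"},
    {"kid": "enc-1", "kty": "RSA", "use": "enc"},
]}

if __name__ == "__main__":
    for kid in ("key-2024", "key-2023", "enc-1"):
        tok = make_token({"alg": "RS256", "kid": kid})
        print(kid, "->", resolve_kid(tok, SAMPLE_JWKS))
```

A "kid-not-in-jwks" result against a freshly fetched JWKS points at the token or the provider; if the kid is present there while the server still reports it missing, the cache layer is the place to look.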

Example configuration

DEBUG_OIDC_CACHE=3
Dynamically on the server console:
set config DEBUG_OIDC_CACHE=3
To turn off:
set config DEBUG_OIDC_CACHE=0

Notes & pitfalls

  • Available only from Domino 14.0. In 12.0.2 use DEBUG_JWK_CACHE and DEBUG_JWK_CACHE_MGR instead — these have been removed from 14.0 onward.
  • Only takes effect if at least one OIDC provider is configured in idpcat.nsf on the server and HTTP Bearer Auth or OIDC web login is actively used.
  • For failed bearer logins themselves, DEBUG_HTTP_BEARER_AUTH is more informative; DEBUG_OIDC_CACHE targets exclusively the JWK/provider cache layer.
  • For configuration questions around the provider entry, additionally enable DEBUG_OIDC_CONFIG.
  • For connection problems to the provider (proxy, TLS trust, DNS), DEBUG_OIDC_CURL_APIS provides further details.
  • Effect is dynamic — no HTTP or server restart needed.

Sources (HCL Product Documentation)