
DEBUG_OIDC_CONFIG

Parameter: DEBUG_OIDC_CONFIG
Short description: Enables debug tracing from Domino 14.0 onward for the validation of OIDC provider configurations and access tokens against the providers and keys stored in idpcat.nsf. First choice for new OIDC configurations.

Profile

Parameter: DEBUG_OIDC_CONFIG
Category: Logging / Debug
Component: Server (HTTP task / OIDC configuration)
Available since: Domino 14.0
Supported versions: 14.0, 14.5, 14.5.1
GUI equivalent: notes.ini only (no GUI)
Possible values: 0, 1, 2, 3, 4, 5, 6 (default 0 = off)

Description

From Domino 14.0 onward, DEBUG_OIDC_CONFIG controls the level of detail of the trace output for loading, validating, and applying the OIDC provider configuration from idpcat.nsf. It logs, among other things:
  • Checking the discovery URL (.well-known/openid-configuration) and the endpoints returned by the provider
  • Mapping of Internet Sites to a provider entry
  • Resolving issuer and audience values
  • Validation of Allowed Client IDs and Alternate Audiences
  • Validation of access tokens against the providers and keys configured in the IdP catalog (v14-specific)
According to HCL, DEBUG_OIDC_CONFIG is the first switch to enable for a new OIDC configuration, since many typical setup errors then show up directly on the server console:
  • wrong issuer (iss does not match the discovery document)
  • missing link of the provider document to the Internet Site
  • incorrect entry of client_id or client_secret
  • invalid redirect URI
  • missing activation of Bearer Token or OIDC Login in the Internet Site or Server document
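As an added example (not HCL's or Domino's code), the following Python pre-check reproduces the issuer, endpoint and audience checks that the trace reports, on a constructed discovery document and constructed token claims. The field names follow the OIDC discovery document and JWT claim names; the sample URLs, client IDs and the helper functions themselves are assumptions for illustration.

```python
import time
from typing import Dict, Iterable, List, Optional

# Constructed sample discovery document, shaped like .well-known/openid-configuration.
DISCOVERY: Dict[str, str] = {
    "issuer": "https://login.example.test/tenant",
    "authorization_endpoint": "https://login.example.test/tenant/authorize",
    "token_endpoint": "https://login.example.test/tenant/token",
    "jwks_uri": "https://login.example.test/tenant/keys",
}
# Endpoints a provider entry needs before tokens can be validated (assumed minimum set).
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc: Dict[str, str], configured_issuer: str) -> List[str]:
    """Return the problems the provider document would hit against the discovery data."""
    problems = []
    # The issuer comparison is an exact string match: a trailing slash or different
    # case in the provider document is enough to produce an issuer mismatch.
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: discovery={doc.get('issuer')!r} "
                        f"configured={configured_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems


def check_token_claims(claims: dict, configured_issuer: str,
                       allowed_client_ids: Iterable[str],
                       alternate_audiences: Iterable[str] = (),
                       now: Optional[float] = None) -> List[str]:
    """Mirror the iss / aud / exp checks on the payload of a bearer token."""
    problems = []
    if claims.get("iss") != configured_issuer:
        problems.append("iss does not match configured issuer")
    aud = claims.get("aud", [])
    audiences = {aud} if isinstance(aud, str) else set(aud)   # aud may be string or list
    accepted = set(allowed_client_ids) | set(alternate_audiences)
    if not audiences & accepted:
        problems.append(f"aud {sorted(audiences)} not in Allowed Client IDs / Alternate Audiences")
    if float(claims.get("exp", 0)) <= (now if now is not None else time.time()):
        problems.append("token expired")
    return problems
```

Running both checks against the values entered in idpcat.nsf before enabling the trace narrows the console output to the remaining, less obvious problems.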

Example configuration

In notes.ini:
DEBUG_OIDC_CONFIG=3
Dynamically on the server console:
set config DEBUG_OIDC_CONFIG=3
To turn off:
set config DEBUG_OIDC_CONFIG=0

Notes & pitfalls

  • Available only from Domino 14.0. In 12.0.2 there was no directly comparable configuration trace; similar information was distributed across DEBUG_HTTP_BEARER_AUTH, DEBUG_JWK_CACHE, and DEBUG_JWS.
  • Only takes effect if at least one OIDC provider is configured in idpcat.nsf on the server and Bearer Token or OIDC Login is active in the Internet Site or Server document.
  • Use additionally: DEBUG_HTTP_BEARER_AUTH (token validation), DEBUG_OIDC_CACHE (JWK cache), DEBUG_OIDC_CURL_APIS (HTTPS connection to the provider), DEBUG_OIDC_JSON_PARSER (JSON parsing of token contents).
  • The setting takes effect dynamically; no HTTP task or server restart is needed.
  • After diagnostics are complete, reset it to 0 to avoid flooding the console with unnecessary output.

Sources (HCL Product Documentation)