DEBUG_OIDC_CURL_APIS

Parameter: DEBUG_OIDC_CURL_APIS
Short description: Enables debug tracing for the Domino server's HTTPS connection to the OIDC provider (libcurl calls). First choice for connection, proxy, or TLS trust issues between Domino and the IdP.

Profile

Parameter: DEBUG_OIDC_CURL_APIS
Category: Logging / Debug
Component: Server (HTTP task, libcurl)
Available since: Domino 12.0.2
Supported versions: 12.0.2, 14.0, 14.5, 14.5.1
GUI equivalent: notes.ini only (no GUI)
Possible values: 0, 1, 2, 3, 4; default 0 (off)

Description

DEBUG_OIDC_CURL_APIS logs the libcurl-based HTTPS calls that the Domino HTTP task makes to the configured provider's OIDC endpoints. These include:
  • Discovery document (.well-known/openid-configuration)
  • JWK endpoint (jwks_uri) for key retrieval
  • Token endpoint (for OIDC web login authorization code flow)
  • Userinfo endpoint (if used)
Output includes URLs, request and response headers, HTTP status codes, and libcurl error messages. This makes it possible to diagnose classic connection problems between the Domino server and the IdP:
  • Provider unreachable (firewall, DNS, wrong hostname)
  • TLS trust missing — the provider certificate is not stored in certstore.nsf
  • Wrong proxy configuration — HCL does not support proxies for OIDC; the server must reach the IdP directly
  • Invalid redirect/endpoint URLs
  • Timeouts during JWK refresh
The parameter is documented in 12.0.2 and remains valid, unchanged, in 14.0, 14.5 and 14.5.1.
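
Added example (not HCL's code and not part of the original page): a Python sketch that sorts trace output into the failure classes listed above and attributes each error to the OIDC endpoint being called. The trace line layout, the "curl error NN:" prefix, the idp.example.com URLs and the function names are assumptions; only the libcurl error wording is what libcurl emits.

```python
import json
import re

# Constructed discovery document; idp.example.com is a placeholder IdP.
DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com/realms/demo",
  "jwks_uri": "https://idp.example.com/realms/demo/certs",
  "token_endpoint": "https://idp.example.com/realms/demo/token"}""")

# Constructed trace; the line layout is assumed, only the libcurl error wording is real.
TRACE = """\
GET https://idp.example.com/realms/demo/certs
curl error 60: SSL certificate problem: unable to get local issuer certificate
GET https://idp.example.com/realms/demo/certs
curl error 28: Operation timed out after 30001 milliseconds with 0 bytes received
POST https://idp.example.com/realms/demo/tokens
HTTP/1.1 404 Not Found
""".splitlines()

RULES = [  # message fragment -> failure class from the list above (first match wins)
    (r"Could not resolve proxy|from proxy after CONNECT", "proxy in path (not supported for OIDC)"),
    (r"Could not resolve host", "provider unreachable: DNS or wrong hostname"),
    (r"Failed to connect to", "provider unreachable: firewall or port"),
    (r"SSL certificate problem", "TLS trust missing: add IdP CA chain to certstore.nsf"),
    (r"timed out", "timeout"),
    (r"HTTP/[\d.]+ 404", "invalid endpoint URL"),
]

def endpoint_names(doc):
    """Map each URL listed in the discovery document to a readable endpoint name."""
    names = {doc["issuer"].rstrip("/") + "/.well-known/openid-configuration": "discovery"}
    for key in ("jwks_uri", "token_endpoint", "userinfo_endpoint"):
        if key in doc:
            names[doc[key]] = key
    return names

def triage(lines, doc):
    """Return (endpoint, failure class) pairs; an error belongs to the last URL seen."""
    names, current, findings = endpoint_names(doc), None, []
    for line in lines:
        url = re.search(r"https?://\S+", line)
        if url:
            current = url.group(0)
            continue
        for pattern, label in RULES:
            if re.search(pattern, line):
                findings.append((names.get(current, f"not in discovery document: {current}"), label))
                break
    return findings
```

On the constructed trace, the third finding flags a token URL that does not match the discovery document, which is the "invalid endpoint URL" case.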

Example configuration

DEBUG_OIDC_CURL_APIS=2
Dynamically on the server console:
set config DEBUG_OIDC_CURL_APIS=2
To turn off:
set config DEBUG_OIDC_CURL_APIS=0

Notes & pitfalls

  • Only takes effect if at least one OIDC provider is configured in idpcat.nsf on the server and Bearer Token or OIDC Login is active in the Internet Site or Server document.
  • For TLS trust errors (SSL certificate problem, unable to get local issuer certificate): add the IdP's root/intermediate certificates to certstore.nsf and link them to the Internet Site.
  • For token/claim validation itself, DEBUG_HTTP_BEARER_AUTH is more informative; DEBUG_OIDC_CURL_APIS targets the HTTP/TLS layer.
  • For configuration questions, also enable DEBUG_OIDC_CONFIG; for JWK cache issues, use DEBUG_OIDC_CACHE.
  • HCL explicitly notes that proxies are not supported for OIDC — the server must be able to reach the IdP directly.
  • Effect is dynamic — no HTTP or server restart needed.

Sources (HCL Product Documentation)