DEBUG_OIDC_JSON_PARSER

Parameter: DEBUG_OIDC_JSON_PARSER
Short description: Enables debug tracing for JSON parsing of OIDC data structures (discovery document, JWKs, JWT claims). At level 4, Domino writes the complete JWT bearer token to the server console.

Profile

Parameter: DEBUG_OIDC_JSON_PARSER
Category: Logging / Debug
Component: Server (HTTP task, OIDC/JWT processing)
Available since: Domino 12.0.2
Supported versions: 12.0.2, 14.0, 14.5, 14.5.1
GUI equivalent: notes.ini only (no GUI)
Possible values: 0, 1, 2, 3, 4; default 0 (off)

Description

DEBUG_OIDC_JSON_PARSER controls the level of detail of the trace output when parsing all JSON structures processed during OIDC authentication. These include:
  • the discovery document (.well-known/openid-configuration)
  • the JWK keys from jwks_uri
  • the headers and claims of ID and access tokens (JWT)
  • Userinfo responses (if used)
With increasing values, more fields and structures are logged. At the highest level (4), Domino logs the complete JWT bearer token in clear text on the console. This is extremely useful for seeing which claims (iss, aud, sub, exp, groups, ...) are actually delivered by the IdP — e.g. to analyze mapping issues between token claim and Notes name.
At the same time, level 4 is security-sensitive: the token in the log is a valid bearer credential. Logs should be protected accordingly and cleaned up again after diagnosis.
The parameter is documented in 12.0.2 and remains usable in 14.0/14.5/14.5.1.

Example configuration

In notes.ini:
DEBUG_OIDC_JSON_PARSER=4
Dynamically on the server console:
set config DEBUG_OIDC_JSON_PARSER=4
To turn off:
set config DEBUG_OIDC_JSON_PARSER=0

Notes & pitfalls

  • Security: Level 4 writes the full JWT to the console/log file. Do not share these logs, archive or delete them after diagnostics are complete, and reset the parameter to 0.
  • Only takes effect if at least one OIDC provider is configured in idpcat.nsf on the server and Bearer Token or OIDC Login is active in the Internet Site or Server document.
  • For configuration questions (provider doc, Internet Site mapping), DEBUG_OIDC_CONFIG is the better entry point.
  • For connection/TLS issues to the IdP: DEBUG_OIDC_CURL_APIS.
  • For token/authentication flow: DEBUG_HTTP_BEARER_AUTH.
  • For JWK cache topics: DEBUG_OIDC_CACHE.
  • Effect is dynamic — no HTTP or server restart needed.
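
After a level 4 trace, the console log holds bearer tokens that may still be inside their validity period. The following added example (not part of the HCL documentation or of Domino) scans log text for JWT-shaped strings, replaces each with a hash reference, and reports whether the token's exp claim is still in the future. It relies only on the JWT compact format and assumes nothing about Domino's console line layout; the sample line, token, issuer URL and function names are constructed for illustration.

```python
import base64, hashlib, json, re, time

# Compact JWTs are base64url segments joined by dots; header and payload are
# JSON objects, so both segments begin with "eyJ" (base64url of '{"').
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url_json(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def redact_jwts(text, now=None):
    """Return (redacted_text, findings) for each decodable JWT found in text."""
    now = time.time() if now is None else now
    findings = []

    def _replace(match):
        token = match.group(0)
        try:
            _header, claims = (_b64url_json(p) for p in token.split(".")[:2])
        except ValueError:  # bad base64 or JSON: not a JWT, leave untouched
            return token
        if not isinstance(claims, dict):
            return token
        exp = claims.get("exp")
        digest = hashlib.sha256(token.encode()).hexdigest()[:12]
        findings.append({
            "sha256_prefix": digest,  # correlate entries without keeping the token
            "iss": claims.get("iss"),
            "exp": exp,
            # no numeric exp: treat as still usable, the conservative reading
            "still_valid": not isinstance(exp, (int, float)) or exp > now,
        })
        return f"[JWT redacted sha256:{digest}]"

    return JWT_RE.sub(_replace, text), findings

def make_sample_token(exp):
    """Constructed sample token with a dummy signature (not real IdP output)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    claims = {"iss": "https://idp.example.test", "sub": "jdoe", "exp": exp}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])

if __name__ == "__main__":
    sample = f"constructed console line, token: {make_sample_token(time.time() + 600)}\n"
    clean, found = redact_jwts(sample)
    print(clean, found)
```

Any finding with still_valid set to true marks a token that remains usable until it expires, so that log copy needs the same protection as the credential itself.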
