Parameter: OIDC_LOGIN_CLOCK_SKEW_SEC
Short description: Allowed clock skew (in seconds) between the Domino server and the OIDC provider when validating the id_token.
Profile
Parameter | OIDC_LOGIN_CLOCK_SKEW_SEC |
Category | Security / TLS |
Component | Server |
Available since | 12.0.2 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0–600 seconds (default 15) |
Description
OIDC id_tokens are valid for a limited time (iat, nbf, exp). When the clocks of the Domino server and the OIDC provider drift apart, otherwise valid tokens are rejected as “future-dated” or “expired” – login fails. OIDC_LOGIN_CLOCK_SKEW_SEC sets the tolerated deviation. The default of 15 seconds is enough for clean NTP setups; in heterogeneous environments (cloud IdP, Hyper-V time drift), 60–120 seconds may be necessary.
Example configuration
OIDC_LOGIN_CLOCK_SKEW_SEC=60
Notes & pitfalls
- The primary fix is clean time synchronization via NTP – high skew values are only a workaround.
- Takes effect after an HTTP restart.
- Values above 300 seconds open replay windows and should only be set as a transitional measure.
- For recurring “token used before issued / expired” errors, check NTP / server time first.
- Pairs with OIDC_LOGIN_COOKIE_DURATION_SEC and OIDC_LOGIN_ENABLE_REDIRECT.
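
How a skew tolerance of this kind changes which id_tokens pass, as an added example that is not Domino's implementation and not part of the original page: a generic leeway check on iat/nbf/exp, with constructed claim values and hypothetical function names. It shows a server running 40 s behind the IdP rejecting a fresh token at the default of 15 and accepting it at 60, and the same tolerance keeping an expired token acceptable after exp.

```python
# Added illustration: generic leeway check on id_token time claims.
# Assumption: skew is applied symmetrically to iat/nbf and exp.
# Not HCL Domino code; all claim values below are constructed.

def check_time_claims(claims, now, skew_sec):
    """Return 'ok' or the reason the token fails, given the verifier's clock."""
    # Claims dated in the future (from the verifier's point of view) pass
    # only if they are within skew_sec of the local clock.
    for name in ("iat", "nbf"):
        if name in claims and claims[name] > now + skew_sec:
            return f"future-dated ({name} is {claims[name] - now}s ahead)"
    # An expired token still passes for skew_sec after exp.
    if now >= claims["exp"] + skew_sec:
        return f"expired ({now - claims['exp']}s past exp)"
    return "ok"


def acceptance_window(claims, skew_sec):
    """Seconds of local time during which the token passes the check."""
    start = max(claims.get("iat", 0), claims.get("nbf", 0)) - skew_sec
    end = claims["exp"] + skew_sec
    return end - start


# Constructed sample: the IdP issues a token valid for 300 s at its time T.
T = 1_700_000_000
token = {"iat": T, "nbf": T, "exp": T + 300}

if __name__ == "__main__":
    # Server clock is 40 s behind the IdP: the token looks future-dated.
    server_now = T - 40
    for skew in (15, 60):
        print(f"skew={skew:>3}s fresh token:",
              check_time_claims(token, server_now, skew))
    # The same tolerance also keeps an expired token usable after exp.
    late = T + 300 + 200
    for skew in (60, 600):
        print(f"skew={skew:>3}s token 200s past exp:",
              check_time_claims(token, late, skew),
              f"(window {acceptance_window(token, skew)}s)")
```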