Parameter: OIDC_LOGIN_ENABLE_ROEID_WORKAROUNDS
Short description: Enables workarounds for OIDC providers that strictly reject extra fields in the request body when using client_secret_basic — avoids HTTP 500 during OIDC login.
Profile
Parameter | OIDC_LOGIN_ENABLE_ROEID_WORKAROUNDS |
Category | General / OIDC login (workaround) |
Component | Domino server (HTTP task, OIDC login) |
Value range | 0 (default, workaround disabled) or 1 (workaround active) |
Default | 0 (no workaround — Domino sends the additional fields in the request body) |
Available since | 14.0 (with the introduction of Domino web OIDC login) |
Effective | After tell http q and load http, or after a restart of the HTTP task |
GUI equivalent | None — only via notes.ini or set config OIDC_LOGIN_ENABLE_ROEID_WORKAROUNDS=1 |
Description
Enables workarounds for OIDC providers that strictly reject extra fields in the request body when authenticating with client_secret_basic. With OIDC_LOGIN_ENABLE_ROEID_WORKAROUNDS=1, Domino refrains from sending those fields and thereby avoids HTTP 500 errors during OIDC login.
According to HCL KB0119112, the issue manifests as the error message "Error 500 You are not authorized to perform this operation" after a successful login at the identity provider — typically when the OIDC document in idpcat.nsf is configured to Client Secret Basic mode.
Example
OIDC_LOGIN_ENABLE_ROEID_WORKAROUNDS=1
Runtime activation via the console:
set config OIDC_LOGIN_ENABLE_ROEID_WORKAROUNDS=1
tell http q
load http
Notes
- The parameter is explicitly a workaround for providers that strictly enforce the client_secret_basic specification — not every OIDC provider needs it.
- Symptom before enabling: after a successful login at the IdP, Domino returns "Error 500 You are not authorized to perform this operation" and the browser does not arrive at the requested page (see HCL KB0119112).
- The workaround is only required for OIDC providers that reject additional fields in the body when client_secret_basic is used.
- Domino web OIDC login is configured in the Identity Provider Catalog (idpcat.nsf) (HCL Domino 14.5 "Configuring Web login with OIDC for web users").
- For the Domino REST API, OIDC configuration is done via the separate Domino REST API documentation (authentication and token validation) — this setting primarily affects the Domino web OIDC login (HTTP task).
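The following added example (not HCL code and not from the cited KB article) checks a captured token request, for instance from an IdP log or a debugging proxy, for the condition described above: credentials in the Basic header plus client-authentication fields repeated in the body. The page does not name the extra fields; the check assumes client_id and client_secret, and the client name, secret, code and redirect URI are constructed placeholders.

```python
import base64
from urllib.parse import parse_qs

# Assumption: the page does not name the extra fields; a strict provider is
# modelled here as rejecting client credentials repeated in the form body.
CLIENT_AUTH_BODY_FIELDS = ("client_id", "client_secret")


def parse_basic(authorization):
    """Return (client_id, client_secret) from a Basic header, or None."""
    scheme, _, value = (authorization or "").partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def strict_basic_violations(headers, body):
    """List why a strict client_secret_basic provider would reject the request."""
    problems = []
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if parse_basic(auth) is None:
        problems.append("missing or malformed Basic Authorization header")
    form = parse_qs(body, keep_blank_values=True)
    for field in CLIENT_AUTH_BODY_FIELDS:
        if field in form:
            problems.append(f"body repeats {field}")
    return problems


# Constructed sample token requests (placeholder client, code and redirect URI).
BASIC = {"Authorization": "Basic " + base64.b64encode(b"domino-web:s3cret").decode()}
CODE = "grant_type=authorization_code&code=abc123&redirect_uri=https%3A%2F%2Fdomino.example.com%2Fcallback"
WITH_EXTRA_FIELDS = CODE + "&client_id=domino-web&client_secret=s3cret"

if __name__ == "__main__":
    for label, body in (("extra fields in body", WITH_EXTRA_FIELDS), ("header only", CODE)):
        print(label, "->", strict_basic_violations(BASIC, body) or "accepted")
```

If the check reports repeated fields for the request your IdP rejected, that matches the symptom this parameter addresses.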
Sources (HCL Product Documentation)
- HCL Customer Support – KB0119112 "OIDC Login fails with error 'Error 500 You are not authorized to perform this operation'" (Applies to: HCL Domino, with OIDC_LOGIN_ENABLE_ROEID_WORKAROUNDS=1 as the solution): support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0119112
- HCL Domino 14.5 – "Configuring Web login with OIDC for web users" (Domino web OIDC login via Authorization Code Flow with PKCE): help.hcl-software.com/domino/14.5.0/admin/secu_config_oidc_based_sso_for_web.html
- HCL Domino REST API – "Configure Domino REST API to use an OIDC provider" (related OIDC setup): opensource.hcltechsw.com/Domino-rest-api/howto/IdP/configureoidc.html
- HCL Domino 14.5.1 – NOTES.INI Settings (overview): help.hcl-software.com/domino/14.5.1/admin/conf_notesinisettings_c.html