Parameter: OIDC_LOGIN_REQUEST_PROFILE_SCOPE

Short description: Controls whether Domino, during web login with OIDC, requests the OAuth scope profile in addition to openid and email. Default: enabled (1) — Domino sends scope=openid email profile.

Profile

| Field | Value |
| --- | --- |
| Parameter | OIDC_LOGIN_REQUEST_PROFILE_SCOPE |
| Category | Security / TLS (OIDC / Web SSO) |
| Component | Server (HTTP task) |
| Available since | 14.0 |
| Supported versions | 14.0, 14.5, 14.5.1 |
| GUI equivalent | notes.ini only (no GUI) |
| Possible values | 0 = do not request profile scope (only openid email); 1 = request profile scope (default) |
Description
With the OIDC authorization request, a client (in this case the Domino HTTP server) sends a list of desired scopes to the OIDC provider. Each scope controls which information about the user the provider may return in the id_token or via the UserInfo endpoint.
Standard scopes that Domino requests:
- openid — mandatory; enables OIDC at all.
- email — required for user identification (the email address ends up in the id_token).
- profile — additional profile information (name, given name, locale, picture, etc.); requested with OIDC_LOGIN_REQUEST_PROFILE_SCOPE=1 (default).
Set to 0 when:
- The OIDC provider does not support the profile scope and aborts with the error invalid_scope.
- Privacy requirements (GDPR / Privacy by Design) demand that only the absolute minimum of user data is requested — for authentication, Domino only needs openid plus an email identifier; further profile data is not persisted anyway.
- The provider requires separate consent for profile, complicating the login flow.
Domino does not use a profile picture or name from the id_token to personalize the Domino UI — the display still relies on the Person document in the Domino Directory.
Example configuration
OIDC_LOGIN_REQUEST_PROFILE_SCOPE=0
Notes & pitfalls
- The default is 1 (OIDC_LOGIN_REQUEST_PROFILE_SCOPE=1); in most environments no change is necessary.
- If the provider rejects the scope: the symptom is the error invalid_scope during the authorization request, visible in the browser or with DEBUG_OIDCLogin=4.
- Prerequisite: HTTP Bearer Authentication and web login with OIDC are enabled in the relevant Internet Site document.
- The change takes effect after a restart of the HTTP task or via set config OIDC_LOGIN_REQUEST_PROFILE_SCOPE=….
- Works only on Windows and Linux servers.
- If the provider does not return an email claim, OIDC_LOGIN_CUSTOM_CLAIM_NAME may additionally be required to use an alternative identifier.
- Some providers (e.g. Azure AD, certain Keycloak configurations) deliver the user name exclusively in the profile scope — disabling it then leads to login problems if mappings depend on it.
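The following is an added example, not HCL code: it derives the scope list Domino will send from the notes.ini setting (per the Description above), builds the resulting authorization request, checks that list against the provider's discovery document before the parameter is changed, and extracts the invalid_scope error named under pitfalls from an error redirect. The notes.ini content, discovery document and hostnames are constructed sample values.

```python
"""Added example (not HCL code): derive the OIDC scopes a Domino server will
request from notes.ini and sanity-check them against the provider."""
import json
from urllib.parse import urlencode, urlparse, parse_qs

def parse_notes_ini(text: str) -> dict:
    """Minimal notes.ini reader: KEY=VALUE lines, ';' comment lines ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings

def requested_scopes(settings: dict) -> list:
    """openid and email are always sent; profile unless the parameter is 0
    (the default 1 is assumed when the key is absent, as documented)."""
    scopes = ["openid", "email"]
    if settings.get("OIDC_LOGIN_REQUEST_PROFILE_SCOPE", "1") != "0":
        scopes.append("profile")
    return scopes

def authorization_url(auth_endpoint, client_id, redirect_uri, scopes, state, nonce):
    """Build a standard OIDC authorization-code request with the scope list."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state, "nonce": nonce}
    return f"{auth_endpoint}?{urlencode(params)}"

def unsupported_scopes(scopes, discovery_json: str) -> list:
    """Scopes not advertised in scopes_supported of the provider's
    /.well-known/openid-configuration; empty if the (optional) field is absent."""
    supported = json.loads(discovery_json).get("scopes_supported")
    if supported is None:
        return []
    return [s for s in scopes if s not in supported]

def redirect_error(redirect_url: str):
    """Return the 'error' value from a provider error redirect (e.g. invalid_scope)."""
    return parse_qs(urlparse(redirect_url).query).get("error", [None])[0]

# Constructed sample input, not taken from a real server or provider.
SAMPLE_INI = "ServerTasks=HTTP\nOIDC_LOGIN_REQUEST_PROFILE_SCOPE=0\n"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "scopes_supported": ["openid", "email"]})
```

Running unsupported_scopes against the real discovery document tells you in advance whether the default scope list will trigger invalid_scope, so the parameter can be set to 0 deliberately rather than after a failed login.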
Sources (HCL Product Documentation)
- HCL Domino 14.5.1 – Configuring OIDC-based SSO for web users: help.hcl-software.com/domino/14.5.1/admin/secu_config_oidc_based_sso_for_web.html