DEBUG_OIDCLogin

Parameter: DEBUG_OIDCLogin
Short description: Enables detailed tracing of the web-login-with-OIDC flow on the Domino server console. Five levels (0–4) from disabled to maximally verbose — indispensable when troubleshooting OIDC login problems.

Profile

Parameter
DEBUG_OIDCLogin
Category
Logging / Debug (OIDC / web SSO)
Component
Server (HTTP task)
Available since
14.0
Supported versions
14.0, 14.5, 14.5.1
GUI equivalent
notes.ini only (no GUI)
Possible values
0 = debug disabled (default)
1 = basic tracing (login start, success/failure)
2 = extended tracing (redirects, token requests)
3 = detailed tracing incl. claims mapping
4 = maximally verbose: all HTTP headers, all id_token claims, complete cookie state

Description

The web-login flow with OIDC comprises several stations: the browser calls a protected URL → Domino detects a missing session → redirect to the OIDC provider → user authenticates → provider redirects back with authorization code → Domino exchanges the code for tokens → id_token is validated → claims are mapped against the Domino directory → session cookie is set → the original URL is delivered.
If something goes wrong at any point in this flow, the cause is often hard to find without tracing; the typical browser error messages (Unable to authenticate, Authentication failed) are of little help. DEBUG_OIDCLogin enables verbose logging on the Domino server console.
Recommended levels:
  • =1 — First diagnosis: where does the login flow get stuck? Provider reachability, basic token response.
  • =2 — If level 1 is not enough: additionally redirect details, state parameter, cookie setting.
  • =3 — If authentication at the provider works but mapping into the Domino directory fails: shows used claims, lookup keys, hits/misses.
  • =4 — Maximum depth: full id_token claims (decrypted), headers, cookies. Caution: This level logs sensitive data (tokens, possibly email addresses) — do not enable permanently in production.

Example configuration

Enable full tracing temporarily:
DEBUG_OIDCLogin=4
Disable after diagnostics:
DEBUG_OIDCLogin=0
Or at runtime on the server console:
set config DEBUG_OIDCLogin=2

Notes & pitfalls

  • Security risk at level 4: The console shows id_token claims in clear text — including email addresses, subject IDs, and possibly provider metadata. Protect log files accordingly or delete them after diagnostics.
  • For redirect diagnostics, DEBUG_OIDC_LOGIN_REDIRECT=1 is useful as a complement — that parameter tracks only the auto-redirect logic (OIDC_LOGIN_ENABLE_REDIRECT).
  • For provider-side issues, also check the provider console (Keycloak, Azure AD sign-in logs) — Domino can only see what arrives at the server.
  • For issues with the HTTP Bearer Authentication layer (token validation, JWKS endpoint), additionally enable DEBUG_OIDC=... (separate parameter for bearer auth).
  • Prerequisite: HTTP Bearer Authentication and web login with OIDC are enabled in the relevant Internet Site document.
  • Change takes effect immediately via set config DEBUG_OIDCLogin=… — no HTTP restart needed.
  • Works only on Windows and Linux servers.
  • Tracing appears both on the live console and in console.log (Domino data directory).
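Because level 4 writes id_token claims, raw tokens and the session cookie to console.log, a practical step before handing a trace to support is to redact those values. The following is an added example, not part of this page or of HCL's documentation; the sample log lines are constructed (the real DEBUG_OIDCLogin output format is not shown here) and the example assumes the trace prints the DomAuthSessId session cookie and claims as key=value pairs.

```python
import re

# Constructed console.log excerpt mimicking the kind of data a level-4 trace
# exposes. The actual DEBUG_OIDCLogin line format is an assumption here.
SAMPLE_CONSOLE_LOG = """\
[1234:0002-5678] 01/02/2025 10:00:01 AM HTTP Server: OIDC login start for /names.nsf
[1234:0002-5678] 01/02/2025 10:00:02 AM OIDC id_token claim sub=3f9a2c1e-77b2-4c8d-9e12-abcdef012345
[1234:0002-5678] 01/02/2025 10:00:02 AM OIDC id_token claim email=jane.doe@example.com
[1234:0002-5678] 01/02/2025 10:00:02 AM OIDC raw id_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl
[1234:0002-5678] 01/02/2025 10:00:03 AM OIDC session cookie set: DomAuthSessId=0123456789ABCDEF0123456789ABCDEF
"""

# Patterns for the sensitive items named on this page: e-mail addresses,
# subject IDs, raw JWTs (three base64url segments joined by '.') and the
# session cookie. Placeholders start with '<' so they never re-match.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
JWT_RE = re.compile(r"\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")
SUB_RE = re.compile(r"(\bsub=)(?!<)([^\s,;]+)")
COOKIE_RE = re.compile(r"(DomAuthSessId=)([A-Za-z0-9]+)")


def redact_line(line: str) -> str:
    """Mask every sensitive value on one console.log line."""
    line = JWT_RE.sub("<JWT-REDACTED>", line)      # tokens first: whole JWT in one go
    line = EMAIL_RE.sub("<EMAIL-REDACTED>", line)
    line = SUB_RE.sub(r"\1<SUB-REDACTED>", line)   # keep the 'sub=' key for readability
    line = COOKIE_RE.sub(r"\1<COOKIE-REDACTED>", line)
    return line


def redact_console_log(text: str) -> str:
    """Redact a whole console.log excerpt, preserving line order."""
    return "\n".join(redact_line(line) for line in text.splitlines())


def contains_sensitive(text: str) -> bool:
    """Pre-share check: True if any unredacted sensitive pattern remains."""
    return any(pattern.search(text) for pattern in (EMAIL_RE, JWT_RE, SUB_RE, COOKIE_RE))


if __name__ == "__main__":
    cleaned = redact_console_log(SAMPLE_CONSOLE_LOG)
    print(cleaned)
    print("still sensitive:", contains_sensitive(cleaned))
```

Run the check on the redacted text before sending it anywhere; the trace itself is still deleted or access-restricted afterwards, as the notes above require.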

Sources (HCL Product Documentation)