Parameter: OIDC_LOGIN_CLOCK_SKEW_SEC
Short description: Maximum tolerated clock difference (in seconds) between the Domino server and the OIDC provider when validating ID tokens during web login with OIDC. Default: 15 seconds.
Profile
Parameter | OIDC_LOGIN_CLOCK_SKEW_SEC |
Category | Security / TLS (OIDC / Web SSO) |
Component | Server (HTTP task) |
Available since | 14.0 |
Supported versions | 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | Integer 0–600 seconds — default: 15 |
Description
When validating the id_token (JWT) returned by the OIDC provider, Domino checks, among other things, the fields iat (Issued At), exp (Expiration), and nbf (Not Before). Since the clocks of the Domino server and the OIDC provider are never 100% synchronized — even with NTP, there are typically differences of a few seconds — strict checking would falsely reject valid tokens as "expired" or "not yet valid".
OIDC_LOGIN_CLOCK_SKEW_SEC defines the permitted tolerance in seconds within which Domino ignores small time differences. The default of 15 seconds is a reasonable compromise between security and robustness.
Adjustment makes sense if:
- Higher (e.g. 60–120 s): in environments without central NTP synchronization or with virtualized servers showing time drift — symptom: login fails sporadically with "token used before issued" or "token expired".
- Lower (e.g. 0–5 s): in security-critical environments where NTP runs reliably and token replay attacks should be minimized.
Important: too high a tolerance weakens security, since expired tokens would be accepted longer — with OIDC_LOGIN_CLOCK_SKEW_SEC=600 (10 minutes), this would be a clear risk window.
Example configuration
OIDC_LOGIN_CLOCK_SKEW_SEC=30
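The following is an added example, not Domino's code: it shows how a skew tolerance is applied to the iat/exp/nbf claims of an id_token, why a 40-second clock lag fails with the default of 15 s but passes with 60 s, and how the maximum of 600 s keeps accepting a token that expired five minutes ago. The claim values are constructed, and the fallback for out-of-range values follows the page's statement that they are reset to the default.

```python
# Added example: clock-skew tolerance applied to the time claims of an OIDC
# id_token (iat, exp, nbf per RFC 7519). Illustrative code, not Domino's own.
from typing import Optional

def check_token_times(claims: dict, now: int, skew_sec: int = 15) -> Optional[str]:
    """Return None if the token's time claims are acceptable at `now` (Unix
    seconds), otherwise a short reason. Values outside 0..600 fall back to
    the default of 15, as the notes.ini documentation states."""
    if not 0 <= skew_sec <= 600:
        skew_sec = 15
    exp = claims.get("exp")
    nbf = claims.get("nbf")
    iat = claims.get("iat")
    # exp: reject once the token is older than exp plus the tolerance
    if exp is not None and now > exp + skew_sec:
        return "token expired"
    # nbf: the token may not be used before nbf minus the tolerance
    if nbf is not None and now < nbf - skew_sec:
        return "token not yet valid"
    # iat: an issued-at time further in the future than the tolerance means
    # the provider clock is ahead of the local clock
    if iat is not None and now < iat - skew_sec:
        return "token used before issued"
    return None

# Constructed sample: issued at T with a 5-minute lifetime (typical provider setting).
T = 1_700_000_000
SAMPLE_CLAIMS = {"iat": T, "nbf": T, "exp": T + 300}

def demo() -> dict:
    """Run the scenarios from the text and return the outcome of each."""
    results = {}
    # Domino clock 40 s behind the provider: default skew rejects, 60 s accepts
    results["behind_40s_default"] = check_token_times(SAMPLE_CLAIMS, T - 40)
    results["behind_40s_skew60"] = check_token_times(SAMPLE_CLAIMS, T - 40, 60)
    # 5 minutes after expiry: rejected with the default, accepted with the maximum of 600 s
    results["expired_300s_default"] = check_token_times(SAMPLE_CLAIMS, T + 600)
    results["expired_300s_skew600"] = check_token_times(SAMPLE_CLAIMS, T + 600, 600)
    # an out-of-range value (900) is reset to the default of 15 s
    results["out_of_range_900"] = check_token_times(SAMPLE_CLAIMS, T - 40, 900)
    return results

if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {'accepted' if reason is None else reason}")
```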
Notes & pitfalls
- Values outside the range 0–600 are ignored and reset to the default.
- NTP synchronization on all Domino servers is the much better solution than a high clock skew value.
- Symptom for too low a value: HTTP console logs errors like "OIDC: id_token validation failed: token expired" or "… not yet valid", although the user just logged in.
- With DEBUG_OIDCLogin=4, the exact iat/exp/nbf values and the calculated local time can be traced on the server console.
- Change takes effect after an HTTP task restart or via set config OIDC_LOGIN_CLOCK_SKEW_SEC=….
- Works only on Windows and Linux servers.
- With cloud OIDC providers (Azure AD, Okta), the provider clock is usually exact — problems mostly arise on the Domino side.
Sources (HCL Product Documentation)
- HCL Domino 14.5.1 – Configuring OIDC-based SSO for web users: help.hcl-software.com/domino/14.5.1/admin/secu_config_oidc_based_sso_for_web.html