Global OpenID Connect (OIDC) enhancements

In Domino 14.0, the per-process JWK Cache and JWKCacheMgrThread from 12.0.2 have been combined into a global, cross-process OIDC provider cache.

The notes.ini variables used to tune this cache have changed accordingly:

  • DEBUG_JWK_CACHE and DEBUG_JWK_CACHE_MGR were replaced with DEBUG_OIDC_CACHE=(1,2,3,4,5,6)
  • DEBUG_JWS, DEBUG_OIDC_CURL_APIS, and DEBUG_OIDC_JSON_PARSER notes.ini variables are unchanged from 12.0.2
  • OIDC_PROVIDER_CACHE_POLLING_INTERVAL was removed; the server task currently checks for updates every minute.
  • OIDC_PROVIDER_CACHE_ADVANCE_RENEWAL has a new default of 10 minutes (600 seconds).
  • OIDC_PROVIDER_CACHE_DEFAULT_EXPIRATION has a new default of 30 minutes (1800 seconds).
  • OIDC_JWK_CACHE_PURGE_INTERVAL and OIDC_JWK_CACHE_PURGE_EXPIRED_SEC are unchanged from 12.0.2, retaining their 12 and 24 hour defaults, respectively.

The OIDC Provider document in idpcat.nsf has been expanded to include additional per-provider configuration information that, in 12.0.2, was configured globally with notes.ini variables. Those notes.ini variables have been removed; for details, see the section that follows this one. Tracing for this functionality can be enabled with DEBUG_OIDC_CONFIG=(1,2,3).

The server stats for OIDC-related functionality have been consolidated:

  • Security.OIDC.Providers.Configured
  • Security.OIDC.Providers.Initialized
  • Security.OIDC.Providers.BearerCapable
  • Security.OIDC.Providers.LoginCapable
  • Security.OIDC.Providers.LastChecked
  • Security.OIDC.JWKs.Cached
  • Security.OIDC.JWKs.Cache.Hits
  • Security.OIDC.JWKs.Cache.Misses
  • Security.OIDC.JWKs.Cache.Expired
  • Security.OIDC.Bearer.Success
  • Security.OIDC.Bearer.Failures
  • Security.OIDC.Auth.Login.Success
  • Security.OIDC.Auth.Login.Failures
  • Security.OIDC.Auth.Logout.Success
  • Security.OIDC.Auth.Logout.Failures
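The consolidated stats above are the natural input for cache and authentication health monitoring. The script below is an added example, not HCL code: it parses the `Name = Value` lines that a Domino console `show stat Security.OIDC.*` command prints, computes the JWK cache hit ratio and the bearer-token failure ratio, and reports providers that are configured but never initialized. The sample statistics, the thresholds and the timestamp format of LastChecked are constructed for the example; only the stat names come from the release notes.

```python
"""Added example (not HCL's code): derive OIDC provider-cache health signals
from Domino 'show stat Security.OIDC.*' output.

Assumption: the console prints one 'Name = Value' line per statistic.
The sample block below is constructed, not captured from a real server."""
import re
from typing import Dict, List

# Constructed sample output using the stat names from the release notes.
SAMPLE_STATS = """\
  Security.OIDC.Providers.Configured = 2
  Security.OIDC.Providers.Initialized = 2
  Security.OIDC.Providers.BearerCapable = 2
  Security.OIDC.Providers.LoginCapable = 1
  Security.OIDC.Providers.LastChecked = 03/14/2024 10:15:02 AM
  Security.OIDC.JWKs.Cached = 6
  Security.OIDC.JWKs.Cache.Hits = 980
  Security.OIDC.JWKs.Cache.Misses = 20
  Security.OIDC.JWKs.Cache.Expired = 3
  Security.OIDC.Bearer.Success = 940
  Security.OIDC.Bearer.Failures = 60
  Security.OIDC.Auth.Login.Success = 120
  Security.OIDC.Auth.Login.Failures = 4
"""

# One stat per line: name, '=', value (value may contain spaces, e.g. LastChecked).
STAT_LINE = re.compile(r"^\s*(Security\.OIDC\.[\w.]+)\s*=\s*(.+?)\s*$")


def parse_stats(text: str) -> Dict[str, str]:
    """Map each Security.OIDC.* stat name to its raw value string."""
    stats: Dict[str, str] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            stats[m.group(1)] = m.group(2)
    return stats


def _count(stats: Dict[str, str], name: str) -> int:
    """Integer value of a counter stat; a missing stat counts as zero."""
    return int(stats.get(name, "0"))


def cache_hit_ratio(stats: Dict[str, str]) -> float:
    """Hits / (Hits + Misses) for the JWK cache; 1.0 when there was no traffic."""
    hits = _count(stats, "Security.OIDC.JWKs.Cache.Hits")
    misses = _count(stats, "Security.OIDC.JWKs.Cache.Misses")
    total = hits + misses
    return hits / total if total else 1.0


def bearer_failure_ratio(stats: Dict[str, str]) -> float:
    """Failures / (Success + Failures) for bearer-token validation; 0.0 with no traffic."""
    ok = _count(stats, "Security.OIDC.Bearer.Success")
    failed = _count(stats, "Security.OIDC.Bearer.Failures")
    total = ok + failed
    return failed / total if total else 0.0


def health_findings(stats: Dict[str, str],
                    min_hit_ratio: float = 0.90,
                    max_bearer_failure_ratio: float = 0.05) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag.

    The thresholds are illustrative defaults, not values from HCL documentation."""
    findings: List[str] = []
    configured = _count(stats, "Security.OIDC.Providers.Configured")
    initialized = _count(stats, "Security.OIDC.Providers.Initialized")
    if initialized < configured:
        findings.append(
            f"{configured - initialized} configured OIDC provider(s) not initialized")
    hit_ratio = cache_hit_ratio(stats)
    if hit_ratio < min_hit_ratio:
        findings.append(
            f"JWK cache hit ratio {hit_ratio:.2%} below {min_hit_ratio:.0%}; "
            "check provider reachability and OIDC_JWK_CACHE_* settings")
    fail_ratio = bearer_failure_ratio(stats)
    if fail_ratio > max_bearer_failure_ratio:
        findings.append(
            f"bearer token failure ratio {fail_ratio:.2%} above "
            f"{max_bearer_failure_ratio:.0%}; review DEBUG_OIDC_CACHE tracing")
    return findings


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE_STATS)
    print(f"last checked: {parsed.get('Security.OIDC.Providers.LastChecked')}")
    for finding in health_findings(parsed) or ["no findings"]:
        print(finding)
```

In production the input would come from the console output of `show stat Security.OIDC.*` (or the Domino statistics collector) rather than the embedded string; the parser deliberately keeps LastChecked as a raw string, since its timestamp format depends on the server's locale settings.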