Web user login with OIDC enhancements

HCL Domino 14.0 provides the following web user login with OIDC enhancements.

Enabling redirect
Configuring the Internet Site for Web Login with OIDC redirects unauthenticated users to an OIDC Provider (OP) for authentication. This redirect will not occur if the Internet Site's idpcat.nsf entry does not contain a configured client_id or the OP does not publish the endpoints needed for the OIDC Authorization Code flow with PKCE. This means that an Internet Site configured for just HTTP bearerAuth can exist on the same Domino server as a site configured for Web Login with OIDC, and the former site will not redirect unauthenticated clients to the OP (likely generating a username/password or passkey login form instead) but the latter will. (By default, the OIDC_LOGIN_ENABLE_REDIRECT notes.ini has a value of 1. If you wish to disable this redirect globally across your entire server, you can set OIDC_LOGIN_ENABLE_REDIRECT=0 in your server's notes.ini.)
Note that clients sending an Authorization: Bearer header or setting xhr=1 will never be redirected to an OP for authentication, and should not receive an HTTP login form.

In Domino 14, the authentication technique used to connect to the OIDC provider's token endpoint can be configured by using a drop-down menu in idpcat.nsf. The default setting is client_secret_basic. Select "none" for public clients that lack a secret.

private_key_jwt authentication is also now supported. Copy a private signing key in PEM or JWK format into the "client secret" field of the OIDC Provider document and set the authorization type field to "private key jwt". The corresponding public JWK will be published in jwks_uri format at /auth/protocol/oidc/keys so dynamic key updates can be supported.

In Domino 14, the client_id and client_secret are now configured by using fields in idpcat.nsf instead of the OIDC_LOGIN_CLIENT_ID and OIDC_LOGIN_CLIENT_SECRET notes.ini variables. Those notes.inis have been removed.

The OIDC_LOGIN_CLOCK_SKEW_SEC, OIDC_LOGIN_COOKIE_DURATION_SEC, and DEBUG_OIDCLogin notes.ini variables still exist and work as they did in 12.0.2.

Back-channel logout

OIDC back-channel logout is now supported. Back-channel logout requests are accepted on the Domino server's callback URL -- either /names.nsf?OIDCLogin or /auth/protocol/oidc.