Web user login with OIDC enhancements
HCL Domino 14.0 provides the following web user login with OIDC enhancements.
- Enabling redirect
Configuring an Internet Site for Web Login with OIDC redirects unauthenticated users to an OIDC Provider (OP) for authentication. The redirect does not occur if the Internet Site's idpcat.nsf entry has no client_id configured, or if the OP does not publish the endpoints needed for the OIDC Authorization Code flow with PKCE. As a result, an Internet Site configured only for HTTP bearerAuth can coexist on the same Domino server with a site configured for Web Login with OIDC: the former will not redirect unauthenticated clients to the OP (it will typically present a username/password or passkey login form instead), while the latter will. The notes.ini variable OIDC_LOGIN_ENABLE_REDIRECT defaults to 1. To disable the redirect for every Internet Site on the server, set OIDC_LOGIN_ENABLE_REDIRECT=0 in the server's notes.ini.
- Authentication
In Domino 14, the method used to authenticate to the OIDC provider's token endpoint is selected from a drop-down menu in idpcat.nsf. The default is client_secret_basic, in which the client_id and client_secret are sent in an HTTP Basic Authorization header. Select "none" only for public clients that have no client secret; such clients rely on PKCE alone to bind the token request to the original authorization request.
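The redirect conditions and the token-endpoint authentication methods described above, as an added example that is not HCL's or Domino's code: it mirrors the decision (global switch, configured client_id, OP endpoints published) and builds the PKCE authorization request and the token request under client_secret_basic versus none. The discovery document, client_id, client_secret and redirect URI are constructed sample data; the S256 check in would_redirect is an assumption of this example, since the discovery field is optional.

```python
"""Illustration of the redirect decision and the token-endpoint exchange behind
Web Login with OIDC: Authorization Code flow with PKCE (RFC 7636) and the
client_secret_basic versus none authentication methods. Constructed example,
not HCL's code; the discovery document, client_id and secret are made up."""
import base64
import hashlib
import secrets
from urllib.parse import quote, urlencode

# Constructed sample of an OP's /.well-known/openid-configuration response.
SAMPLE_DISCOVERY = {
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
    "jwks_uri": "https://op.example.test/jwks",
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"],
}
# Endpoints the code flow needs; jwks_uri is for verifying the ID token signature.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def would_redirect(client_id, discovery, redirect_enabled=True):
    """Apply the conditions the text gives for redirecting an unauthenticated
    user: the global switch (OIDC_LOGIN_ENABLE_REDIRECT), a configured client_id,
    and an OP whose discovery document publishes the required endpoints.
    The S256 check is an extra assumption of this example (the metadata field is
    optional, so an absent field is treated as supported). Returns (decision, reason)."""
    if not redirect_enabled:
        return False, "OIDC_LOGIN_ENABLE_REDIRECT=0"
    if not client_id:
        return False, "no client_id configured for this Internet Site"
    missing = [k for k in REQUIRED_ENDPOINTS if not discovery.get(k)]
    if missing:
        return False, "OP discovery lacks " + ", ".join(missing)
    if "S256" not in discovery.get("code_challenge_methods_supported", ["S256"]):
        return False, "OP does not support PKCE S256"
    return True, "redirect to " + discovery["authorization_endpoint"]


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair(verifier=None):
    """RFC 7636: verifier of 43-128 unreserved chars; challenge = b64url(SHA-256(verifier))."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorization_url(discovery, client_id, redirect_uri, state, nonce, challenge):
    """The URL the browser is redirected to; state and nonce must be fresh per request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def token_request(discovery, auth_method, client_id, code, redirect_uri, verifier, client_secret=None):
    """Build the token-endpoint POST (endpoint, headers, form body) for the two
    methods named in the text. client_secret_basic (RFC 6749 section 2.3.1) puts
    the form-urlencoded client_id:client_secret in an HTTP Basic header and keeps
    them out of the body; none is for public clients, which send client_id in the
    body and prove possession with the PKCE code_verifier alone."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        if not client_secret:
            raise ValueError("client_secret_basic requires a client_secret")
        cred = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")
    elif auth_method == "none":
        body["client_id"] = client_id
    else:
        raise ValueError("unsupported token_endpoint_auth_method: " + auth_method)
    return discovery["token_endpoint"], headers, urlencode(body)


if __name__ == "__main__":
    print(would_redirect("domino-web", SAMPLE_DISCOVERY))
    verifier, challenge = pkce_pair()
    cb = "https://domino.example.test/auth/protocol/oidc"  # assumed Domino callback URL
    print(authorization_url(SAMPLE_DISCOVERY, "domino-web", cb,
                            secrets.token_urlsafe(16), secrets.token_urlsafe(16), challenge))
    print(token_request(SAMPLE_DISCOVERY, "none", "domino-web", "sample-code", cb, verifier))
```

The practical check this gives an administrator is the first one: fetch the OP's discovery document and confirm authorization_endpoint, token_endpoint and jwks_uri are present before expecting a redirect. The token_request builder also shows why "none" is only for public clients: with no secret, the code_verifier is the only thing stopping an attacker who intercepts the authorization code from redeeming it.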
- Configuration
In Domino 14, the client_id and client_secret are configured in fields in idpcat.nsf rather than through the OIDC_LOGIN_CLIENT_ID and OIDC_LOGIN_CLIENT_SECRET notes.ini variables; those two notes.ini variables have been removed.
The OIDC_LOGIN_CLOCK_SKEW_SEC, OIDC_LOGIN_COOKIE_DURATION_SEC, and DEBUG_OIDCLogin notes.ini variables still exist and behave as they did in 12.0.2.
- Back-channel logout
OIDC back-channel logout is now supported. The OP sends back-channel logout requests to the Domino server's callback URL, either /names.nsf?OIDCLogin or /auth/protocol/oidc, so that URL must be registered with the OP as the client's back-channel logout URI.
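What a receiver of a back-channel logout request has to verify before ending sessions, as an added example that is not Domino's code: the OP POSTs a logout_token JWT to the callback URL, and the checks below follow OpenID Connect Back-Channel Logout 1.0 (issuer, audience, iat with clock skew, the backchannel-logout event claim, absence of nonce, sub or sid, jti replay). The token is HS256-signed with a shared secret purely so the block runs offline; a real deployment verifies the OP's asymmetric signature against its jwks_uri. The secret, issuer, client_id and claims are constructed sample data, and the clock_skew_sec parameter stands in for OIDC_LOGIN_CLOCK_SKEW_SEC as an assumption of this example.

```python
"""Validation of an OIDC back-channel logout token as the OP would POST it
(logout_token=<JWT>) to the callback URL. Constructed example, not Domino's
code. HS256 with a shared secret is used so the block runs offline; real
clients verify the OP's asymmetric signature against its jwks_uri."""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SAMPLE_SECRET = b"constructed-shared-secret"  # constructed; stands in for the OP key
SAMPLE_ISSUER = "https://op.example.test"
# Constructed claims for a valid logout token (exp is optional in the spec).
GOOD_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": "domino-web",
    "iat": 1700000000,
    "jti": "logout-1",
    "events": {BACKCHANNEL_EVENT: {}},
    "sid": "sess-1",
}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_logout_token(secret, claims, alg_header="HS256"):
    """Mint a logout token the way the OP would (test helper). alg_header="none"
    produces the classic unsigned token that a receiver must reject."""
    header = _b64url(json.dumps({"alg": alg_header, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg_header == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_logout_token(token, secret, issuer, client_id, now=None, clock_skew_sec=60, seen_jti=None):
    """Return {"sub", "sid"} identifying the sessions to terminate, or raise
    ValueError. clock_skew_sec plays the role of OIDC_LOGIN_CLOCK_SKEW_SEC
    (assumption of this example); seen_jti is the caller's replay cache."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg " + str(header.get("alg")))
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this client")
    if "iat" not in claims or claims["iat"] > now + clock_skew_sec:
        raise ValueError("iat missing or in the future")
    if "exp" in claims and claims["exp"] < now - clock_skew_sec:
        raise ValueError("token expired")
    events = claims.get("events", {})
    if not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise ValueError("missing back-channel logout event")
    if "nonce" in claims:  # a logout token must not be usable as an ID token
        raise ValueError("logout token must not carry nonce")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("need sub or sid")
    jti = claims.get("jti")
    if not jti:
        raise ValueError("jti required")
    if seen_jti is not None:
        if jti in seen_jti:
            raise ValueError("replayed jti")
        seen_jti.add(jti)
    return {"sub": claims.get("sub"), "sid": claims.get("sid")}


def logout_token_error(*args, **kwargs):
    """None when the token is accepted, otherwise the rejection reason."""
    try:
        validate_logout_token(*args, **kwargs)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    tok = make_logout_token(SAMPLE_SECRET, GOOD_CLAIMS)
    print(validate_logout_token(tok, SAMPLE_SECRET, SAMPLE_ISSUER, "domino-web", now=1700000010))
    print(logout_token_error(tok, SAMPLE_SECRET, SAMPLE_ISSUER, "other-client", now=1700000010))
```

Two of these checks are the ones most often skipped: pinning the algorithm before verifying the signature, and keeping a jti replay cache, since a captured logout token that is accepted twice lets anyone who obtained it log a user out at will.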