Security updates

Security features and enhancements in Domino 14.5.1 Early Access Drop 2.

Web Login with OIDC and HTTP bearerAuth

  • Dynamic key updates: The cross-process cache for JSON Web Keys (JWKs) now dynamically updates the published keys for a provider after receiving a token signed with an unknown key from that provider. By default, no single provider is updated more than once every 30 seconds. This interval can be set to any value between 5 and 60 seconds with the OIDC_PROVIDER_CACHE_UPDATE_INTERVAL notes.ini parameter.
  • The Web Login with OIDC and HTTP bearerAuth features now log many successful and failed authentication attempts to log.nsf.
  • A new flag, fJWT_validate_AllowEmptyScopes, has been added for the C SDK function SECValidateAccessToken. This flag is analogous to setting OIDC_ALLOW_ACCESS_TOKEN_WITHOUT_SCOPE=1 but will naturally apply to only that single validation request.
  • The fJWT_validate_UseProviderAsHostname flag, which was added to SECValidateAccessToken in 14.5.1 EAP1, has been enhanced: the values configured in the specified Trusted OIDC Provider document in idpcat.nsf can now supply several input parameters, including the required scope and the allowed client list.
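As an added illustration of the rate-limited key refresh described above (example code, not Domino's own implementation): a small per-provider JWK cache that re-fetches the key set when a token names an unknown key id, but at most once per interval per provider, with the default and the 5..60 second bounds applied. The issuer URL, key ids and the fetch function are constructed stand-ins.

```python
import time
from typing import Callable, Dict, Optional
# Constructed example (not Domino code): a per-provider JWK cache that re-fetches the
# key set when a token names an unknown kid, but never more often than a configured
# interval (default 30 s, clamped to 5..60 s, like OIDC_PROVIDER_CACHE_UPDATE_INTERVAL).
DEFAULT_INTERVAL, MIN_INTERVAL, MAX_INTERVAL = 30, 5, 60

def clamp_interval(configured: Optional[int]) -> int:
    if configured is None:
        return DEFAULT_INTERVAL
    return max(MIN_INTERVAL, min(MAX_INTERVAL, configured))

class JwkCache:
    def __init__(self, fetch_jwks: Callable[[str], Dict[str, dict]],
                 interval: Optional[int] = None, clock: Callable[[], float] = time.monotonic):
        self._fetch, self._interval, self._clock = fetch_jwks, clamp_interval(interval), clock
        self._keys: Dict[str, Dict[str, dict]] = {}   # issuer -> {kid: jwk}; fetch_jwks stands in for GET jwks_uri
        self._last_update: Dict[str, float] = {}
        self.fetch_count = 0

    def _refresh(self, issuer: str) -> None:
        self._keys[issuer] = self._fetch(issuer)
        self._last_update[issuer] = self._clock()
        self.fetch_count += 1

    def get_key(self, issuer: str, kid: str) -> Optional[dict]:
        if issuer not in self._keys:
            self._refresh(issuer)          # first use of a provider always loads its keys
        key = self._keys[issuer].get(kid)
        if key is not None:
            return key
        # Unknown kid: a genuine rotation or a forged token probing the cache. Re-fetch only if
        # this provider was not refreshed within the interval, so bogus kids cannot flood the IdP.
        if self._clock() - self._last_update[issuer] >= self._interval:
            self._refresh(issuer)
            key = self._keys[issuer].get(kid)
        return key                         # None: reject the token, do not fetch again yet

def simulate_rotation() -> dict:
    """Constructed scenario with a fake clock: the provider rotates from kid k1 to k2."""
    now, published = [1000.0], {"k1": {"kty": "RSA", "kid": "k1"}}
    cache = JwkCache(lambda issuer: dict(published), interval=30, clock=lambda: now[0])
    first = cache.get_key("https://idp.example", "k1") is not None   # initial load of k1
    published.clear(); published["k2"] = {"kty": "RSA", "kid": "k2"}  # rotation at the IdP
    now[0] += 10                                  # unknown kid 10 s later: inside the window
    early = cache.get_key("https://idp.example", "k2")
    now[0] += 25                                  # 35 s after the load: refresh permitted
    late = cache.get_key("https://idp.example", "k2")
    return {"first": first, "early": early, "late": late, "fetches": cache.fetch_count}
```

A token presented inside the window with an unknown kid is rejected without a fetch; the same kid presented after the window triggers one refresh and is then found.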

Domino OIDC provider

  • Notes Federated Login with OIDC is now supported starting in 14.5.1 EAP2. See Enabling federated login with OIDC for Notes for details.
  • The OIDC Provider's authorization endpoint now supports the login_hint=<username> parameter as defined in the OIDC Core specification. See Domino OIDC provider HTTP endpoints for details.
  • The Domino OIDC provider's "prompt=login" parameter should now work correctly when passkey authentication is being used.
  • To better support multi-account setups, the "Simplify Passkey Login" setting is now ignored when the HCL Verse mobile and HCL Sametime mobile clients authenticate against a Domino OIDC provider. The list of client_ids that bypass "Simplify Passkey Login" in this way can be changed by using the OIDC_PROVIDER_DISABLE_SIMPLIFY_PASSKEY_LOGIN notes.ini variable to set a different comma-separated list of client_ids.
  • The OIDC_PROVIDER_DYNAMIC_CLAIMS notes.ini parameter has been replaced with the "Custom Claims" field in the Registered OAuth Client document in idpcat.nsf. For more information, see Dynamic custom claims and limiting access to OAuth clients.
  • Use of custom claims no longer requires the profile scope.
  • Several issues when using non-ASCII characters with OIDC are resolved.
  • A new Session method for LotusScript is added for acquiring an access token from the Domino OIDC provider. For details, see GetOIDCAccessToken (NotesSession - LotusScript).

Passkeys

  • To better support multi-account setups, the "Simplify Passkey Login" setting is now ignored when the HCL Verse mobile and HCL Sametime mobile clients authenticate against a Domino OIDC provider. The list of client_ids that bypass "Simplify Passkey Login" in this way can be changed by using the OIDC_PROVIDER_DISABLE_SIMPLIFY_PASSKEY_LOGIN notes.ini variable to set a different comma-separated list of client_ids.
  • The Domino OIDC provider's "prompt=login" and "max_age=0" parameters now work correctly when passkey authentication is being used.
  • Several issues when using non-ASCII characters with passkeys are resolved.
  • It is now possible to manually add an authenticator to the metadata list in passkey.nsf by using the new "Add custom authenticator" button.

Cryptography

  • The OpenSSL library has been updated to version 3.5.4 in Domino 14.5.1 EAP2. This is a Long Term Support (LTS) version of the library that has been submitted to the CMVP for FIPS 140-3 validation. See Encryption standards for details.
  • The cryptographic layer underlying Notes and Domino now leverages OpenSSL 3.5 to support several algorithms relevant to protecting against attacks based on quantum computing, such as ML-DSA, ML-KEM, SHAKE-128, and SHAKE-256. As this field is rapidly evolving and the IETF standards are still being written, no end-user PQC functionality is currently available for use in 14.5.1.