Suggestion
Resolution: Unresolved
Context:
Referring to https://support.atlassian.com/requests/PSSRV-52688/
When I requested help to debug an SSO error from Jira, my admin team requested Jira logs to see which claims were received (or not) by Jira.
The IdP tool was showing that all the needed claims were sent.
When I requested help from Jira Support, I was answered: nothing exists in Jira to log claims!
Problem:
When an SSO connection fails due to a lack of OIDC information in the claims, a simple error message is shown, but no further elements are available to debug and understand what happened.
Example of error message:
com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Received no groups claim in OIDC response, the group mapping may be incorrect. Mapping user 'usernam@idp' for IdP 'Atlassian SSO'
    at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.OidcUserDataFromIdpMapper.mapUser(OidcUserDataFromIdpMapper.java:44)
    at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.doGet(OidcConsumerServlet.java:124)
The OIDC admins say all claims are sent, but Jira can't prove that something is missing somewhere, because what is received can't be logged!
And Jira Support can't help, it was useless!
Suggested Solution
Add an option on the SSO configuration to show claims and token data received from Identity Provider (IdP) in Jira logs.
Why This Is Important
This would facilitate investigations of OIDC errors.
Workaround
No workaround available.
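
The kind of claim dump this suggestion asks for, sketched as an added example that is not part of the original ticket and not Jira code: it decodes an ID token's payload, reports whether the groups claim arrived, and emits a token copy with the signature removed so the log line cannot be replayed. Assumptions: the groups claim travels in the ID token (not the UserInfo response), its name is `groups`, and it is expected to be a JSON array; all function names and the sample token are constructed.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def diagnose_id_token(id_token: str, groups_claim: str = "groups") -> dict:
    """Decode an ID token payload for diagnostics only (signature NOT verified)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    value = claims.get(groups_claim)
    if groups_claim not in claims:
        status = "missing"
    elif not isinstance(value, list):  # assumption: a JSON array is expected
        status = "not-a-list:" + type(value).__name__
    elif not value:
        status = "empty"
    else:
        status = "ok"
    return {
        "claim_names": sorted(claims),
        "groups_claim": groups_claim,
        "groups_status": status,
        "groups_value": value,
        # Signature is dropped so the logged string is no longer a usable token;
        # the payload still holds personal data, so treat the log as sensitive.
        "loggable_token": parts[0] + "." + parts[1] + ".<signature-removed>",
    }


def make_sample_token(claims: dict) -> str:
    # Constructed sample token; the signature bytes are filler, not a real signature.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "." + b64url_encode(b"constructed-signature")


if __name__ == "__main__":
    sample = make_sample_token({"sub": "user@idp", "email": "user@example.test"})
    print(json.dumps(diagnose_id_token(sample), indent=2))
```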