
SAML / OIDC Debugger

Paste SAML responses, OIDC errors, redirect URLs, discovery JSON, callback logs, or token exchange notes to detect auth-flow breakage.

P0 | Auth / Security | High severity
Debug signal score: 100 (4 signals)

4 signals detected. Start with the redirect URI mismatch.

Detected signals

Redirect URI mismatch

The callback URL sent by the app does not match the identity-provider registration.

Compare the exact scheme, host, path, and trailing slash in the app config and identity-provider redirect URI.

OIDC grant or token exchange failure

The authorization code or client configuration failed during token exchange.

Check client ID, secret, PKCE verifier, clock skew, one-time code reuse, and token endpoint URL.

SAML payload detected

A SAML response or assertion is present and should be decoded before debugging claims.

Decode the SAMLResponse, verify audience, recipient, issuer, signature, and NotBefore/NotOnOrAfter timestamps.

State or nonce validation issue

The login flow may be rejecting a replayed, missing, or mismatched state/nonce value.

Verify cookie domain, SameSite policy, session storage, and callback host consistency.

Highlighted lines

  • line 1: GET /callback?error=invalid_grant&state=abc
    Signals: OIDC grant or token exchange failure; State or nonce validation issue
  • line 2: AADSTS50011: redirect_uri_mismatch
    Signals: Redirect URI mismatch
  • line 3: SAMLResponse=... RelayState=abc
    Signals: SAML payload detected
  • line 4: nonce validation failed
    Signals: State or nonce validation issue

Fix checklist

  • Compare the exact scheme, host, path, and trailing slash in the app config and identity-provider redirect URI.
  • Check client ID, secret, PKCE verifier, clock skew, one-time code reuse, and token endpoint URL.
  • Decode the SAMLResponse, verify audience, recipient, issuer, signature, and NotBefore/NotOnOrAfter timestamps.
  • Verify cookie domain, SameSite policy, session storage, and callback host consistency.
  • Capture the exact authorize URL and callback URL.
  • Decode tokens or SAML assertions locally before sharing.
  • Verify issuer, audience, redirect URI, clock skew, scopes, state, and nonce.
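
The SAML item in the checklist can be worked through offline with a short script. The following is an added example, not DebugTools' own code: the function name, the sample response, and every URL in it are constructed for illustration. It assumes the HTTP-POST binding (plain base64, no deflate) and an unencrypted assertion, and it only reports whether a signature element is present; verifying the signature needs an XML-DSig library and the identity provider's certificate.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(value):
    # SAML instants are UTC xs:dateTime values such as 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(b64, audience, acs_url, issuer, now, skew=timedelta(minutes=2)):
    """Decode a base64 SAMLResponse locally and return a list of findings."""
    xml = base64.b64decode(b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["DTD present, refusing to parse"]  # avoid entity-expansion tricks
    root = ET.fromstring(xml)
    a = root.find("a:Assertion", NS)
    if a is None:
        return ["no plaintext Assertion (encrypted or error response)"]
    findings = []
    if a.findtext("a:Issuer", "", NS).strip() != issuer:
        findings.append("issuer mismatch")
    auds = [e.text.strip() for e in a.iterfind(".//a:Audience", NS) if e.text]
    if audience not in auds:
        findings.append("audience mismatch")
    scd = a.find(".//a:SubjectConfirmationData", NS)
    # Exact string comparison: a trailing slash difference is a mismatch.
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("recipient mismatch")
    cond = a.find("a:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb and now + skew < _ts(nb):
        findings.append("not yet valid")
    if noa and now - skew >= _ts(noa):
        findings.append("expired")
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        findings.append("unsigned")  # presence check only, not verification
    return findings

# Constructed, trimmed sample (not real IdP output); all URLs are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:Issuer>https://idp.example.test</saml:Issuer><saml:Subject><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="https://app.example.test/acs/"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://app.example.test/sp</saml:Audience>
</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

A value copied from a form body or log line is usually URL-encoded, so pass it through `urllib.parse.unquote` before calling the function.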

DebugTools product

SAML / OIDC Debugger

SAML / OIDC Debugger is a focused DebugTools mini-product for developers. Paste SAML responses, OIDC errors, redirect URLs, discovery JSON, callback logs, or token exchange notes to detect auth-flow breakage.

Use cases

  • Debug redirect URI, state, nonce, issuer, audience, and token-exchange issues.
  • Read SAML/OIDC clues without turning auth logs into guesswork.
  • Prepare a checklist for identity-provider configuration fixes.

How it works

  • Paste or load the snippet you want to inspect in SAML / OIDC Debugger.
  • Run the tool in the browser and review the highlighted output.
  • Copy, export, or turn the result into the next debugging step.

Privacy

  • SAML / OIDC Debugger is local-first. The core workflow runs in your browser and does not require sending pasted content to DebugTools servers.
