Add troubleshooting

Author: lcrilly

README.md

@@ -87,6 +87,19 @@ Review the following files copied from the GitHub repository so that they match
   * **openid_connect.js** - this is the JavaScript code for performing the authorization code exchange and nonce hashing
     * No changes are required unless modifying the code exchange or validation process
 
+## Troubleshooting
+
+Any errors generated by the OpenID Connect flow are logged in a separate file, `/var/log/nginx/oidc_error.log`. Check the contents of this file as it may include error responses received by the IdP.
+
+  * **400 error from IdP**
+    * This is typically caused by incorrect configuration related to the client ID and client secret.
+    * Check the values of the `$oidc_client` and `$oidc_client_secret` variables against the IdP configuration.
+
+  * **Authentication is successful but browser shows too many redirects**
+    * This is typically because the JWT sent to the browser cannot be validated, resulting in 'authorization required' `401` response and starting the authentication process again. But the user is already authenticated so is redirected back to NGINX,  hence the redirect loop.
+    * Check the error log `/var/log/nginx/oidc_error.log` for JWT/JWK errors.
+    * Ensure that the JWK file (`$oidc_jwt_keyfile` variable) is correct and that the nginx workers have permission to read it.
+
 ## Support
 
 All reference OpenID Connect implementations within the GitHub repository are supported for NGINX Plus subscribers.