diff --git a/backend/app/api/auth.py b/backend/app/api/auth.py
index adb4869..f1a4c42 100644
--- a/backend/app/api/auth.py
+++ b/backend/app/api/auth.py
@@ -25,6 +25,20 @@ async def oidc_callback(request: Request, db: Session = Depends(get_db)) -> Redi
 userinfo = token.get("userinfo") or {}
 groups = userinfo.get("groups", [])
+
+ import logging as _logging, base64 as _b64, json as _json
+ _log = _logging.getLogger("shorefront.auth")
+ _log.warning("userinfo keys: %s | groups: %r", list(userinfo.keys()), groups)
+ _raw = token.get("id_token", "")
+ if _raw:
+ try:
+ _payload = _raw.split(".")[1]
+ _payload += "=" * (-len(_payload) % 4)
+ _id_claims = _json.loads(_b64.b64decode(_payload))
+ _log.warning("ID token claims: %s", _id_claims)
+ except Exception as _e:
+ _log.warning("Could not decode id_token: %s", _e)
+
 if FIREWALL_ADMINS_GROUP not in groups:
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not in firewall admins group")
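Review bot: The added `_log.warning("ID token claims: %s", _id_claims)` writes the full decoded ID-token payload to the application log at WARNING level on every callback, ahead of the `FIREWALL_ADMINS_GROUP` check, so the identity claims of every user who signs in (including those then rejected with 403) land in whatever log sinks the service has. If the diagnostic is meant to stay, log only what is needed to debug the group mapping, and at debug level, e.g. `_log.debug("ID token claim names: %s", sorted(_id_claims))`, with the `userinfo keys` line lowered to debug as well. The decode uses `_b64.b64decode`, but JWT segments are base64url, so a payload containing `-` or `_` is mis-decoded or fails and the failure is then absorbed by the broad `except Exception`; `_b64.urlsafe_b64decode(_payload)` is the matching call. The payload decoded here is not signature-checked by this code, so it should stay log-only and never feed the authorization decision that follows. `oidc_callback` begins and continues outside the hunk.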