OpenID Connect debugging

I’ve configured OpenID Connect to login and it’s working but I would like to see the details of the token so I can restrict access. Is there a way to have Gitea log the authentication results? I turned the log level up to Trace but it doesn’t add much detail.

I can’t see how to log it from Keycloak (my IDP) either.

Also, is there documentation for the authentication sources parameters? What is the “group claim value for restricted users” used for for example - what is a restricted user? How can I test that the user has a certain role in their list?