diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/JwtAuthenticationFilter.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/JwtAuthenticationFilter.java
index a97f760a..66d4e231 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/JwtAuthenticationFilter.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/JwtAuthenticationFilter.java
@@ -111,7 +111,10 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
      */
     private List<String> extractRolesFromScopes(Jwt jwt) {
         String scopeStr = jwt.getClaimAsString("scope");
+        log.info("OIDC access token scopes: '{}', subject={}, all claims={}",
+                scopeStr, jwt.getSubject(), jwt.getClaims().keySet());
         if (scopeStr == null || scopeStr.isBlank()) {
+            log.warn("OIDC token has no 'scope' claim — defaulting to VIEWER");
             return List.of("VIEWER");
         }
         for (String scope : scopeStr.split(" ")) {
@@ -120,6 +123,7 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
             if ("OPERATOR".equals(normalized)) return List.of("OPERATOR");
             if ("VIEWER".equals(normalized)) return List.of("VIEWER");
         }
+        log.warn("OIDC scopes '{}' contain no recognized role — defaulting to VIEWER", scopeStr);
         return List.of("VIEWER");
     }
 
diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
index bb826a11..e1b88c25 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
@@ -173,6 +173,8 @@ public class OidcAuthController {
 
     private void syncOidcRoles(String userId, List<String> oidcRoles, OidcConfig config) {
         List<String> roleNames = !oidcRoles.isEmpty() ? oidcRoles : config.defaultRoles();
+        log.info("syncOidcRoles: userId={}, oidcRoles={}, defaultRoles={}, using={}",
+                userId, oidcRoles, config.defaultRoles(), roleNames);
 
         // Resolve desired role IDs from OIDC scopes
         Set<UUID> desired = new HashSet<>();
diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index f811cfa8..44e9ed2d 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -111,7 +111,8 @@ public class OidcTokenExchanger {
 
         List<String> roles = extractRoles(claims, config.rolesClaim());
 
-        log.info("OIDC user authenticated: id={}, email={}", subject, email);
+        log.info("OIDC user authenticated: id={}, email={}, rolesClaim='{}', extractedRoles={}, allClaims={}",
+                subject, email, config.rolesClaim(), roles, claims.getClaims().keySet());
         return new OidcUserInfo(subject, email != null ? email : "", name != null ? name : "", roles, idTokenStr);
     }