The tracing capability of the REST shim is quite low. When troubleshooting the authentication you have to use a proxy application to allow "man-in-the-middle" troubleshooting. It will help far more when you could see what the shim is actually sending when doing its GET/POST/etc. It should also allow more of debug level trace for OAuth flows, at least when it comes to complex OAuth flows. When using mutual authentication it should also be able to trace the use of the client certificate of the configurable keystore.