From ed97021c19e205c3a2d04e9c755d9dfe4404d708 Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Thu, 11 Jun 2026 18:18:21 +0300
Subject: [PATCH 1/4] chore: merge oidc-authorize branch

---
 frontend/src/components/language/language.tsx |   36 -
 frontend/src/components/layout/layout.tsx     |    8 +-
 .../quick-actions/quick-actions.tsx           |  208 +++
 .../components/theme-toggle/theme-toggle.tsx  |   40 -
 frontend/src/components/ui/scroll-area.tsx    |   56 +
 frontend/src/lib/hooks/login-for.ts           |   17 +
 frontend/src/lib/hooks/oidc.ts                |   76 --
 frontend/src/lib/hooks/redirect-uri.ts        |    4 +-
 frontend/src/lib/hooks/screen-params.ts       |   40 +
 frontend/src/lib/i18n/locales/en-US.json      |  195 +--
 frontend/src/lib/i18n/locales/en.json         |  195 +--
 frontend/src/main.tsx                         |    5 +-
 frontend/src/pages/authorize-page.tsx         |   72 +-
 frontend/src/pages/continue-page.tsx          |   21 +-
 frontend/src/pages/forgot-password-page.tsx   |   11 +-
 frontend/src/pages/login-page.tsx             |   75 +-
 frontend/src/pages/logout-page.tsx            |   13 +-
 frontend/src/pages/totp-page.tsx              |   30 +-
 frontend/src/schemas/oidc-schemas.ts          |    5 -
 frontend/vite.config.ts                       |    5 +
 go.mod                                        |    1 +
 go.sum                                        |    2 +
 internal/bootstrap/router_bootstrap.go        |    2 +-
 internal/controller/controller.go             |   10 +-
 internal/controller/oauth_controller.go       |   14 +-
 internal/controller/oidc_controller.go        |  245 +++-
 internal/controller/oidc_controller_test.go   | 1139 ++++++++---------
 internal/controller/proxy_controller.go       |    1 +
 internal/controller/proxy_controller_test.go  |   25 +-
 internal/middleware/ui_middleware.go          |    2 +-
 internal/service/auth_service.go              |   29 +-
 internal/service/oidc_service.go              |   68 +-
 32 files changed, 1475 insertions(+), 1175 deletions(-)
 delete mode 100644 frontend/src/components/language/language.tsx
 create mode 100644 frontend/src/components/quick-actions/quick-actions.tsx
 delete mode 100644 frontend/src/components/theme-toggle/theme-toggle.tsx
 create mode 100644 frontend/src/components/ui/scroll-area.tsx
 create mode 100644 frontend/src/lib/hooks/login-for.ts
 delete mode 100644 frontend/src/lib/hooks/oidc.ts
 create mode 100644 frontend/src/lib/hooks/screen-params.ts
 delete mode 100644 frontend/src/schemas/oidc-schemas.ts

diff --git a/frontend/src/components/language/language.tsx b/frontend/src/components/language/language.tsx
deleted file mode 100644
index 3f0bf57a..00000000
--- a/frontend/src/components/language/language.tsx
+++ /dev/null
@@ -1,36 +0,0 @@
-import { languages, SupportedLanguage } from "@/lib/i18n/locales";
-import {
-  Select,
-  SelectContent,
-  SelectItem,
-  SelectTrigger,
-  SelectValue,
-} from "../ui/select";
-import { useState } from "react";
-import i18n from "@/lib/i18n/i18n";
-
-export const LanguageSelector = () => {
-  const [language, setLanguage] = useState<SupportedLanguage>(
-    i18n.language as SupportedLanguage,
-  );
-
-  const handleSelect = (option: string) => {
-    setLanguage(option as SupportedLanguage);
-    i18n.changeLanguage(option as SupportedLanguage);
-  };
-
-  return (
-    <Select onValueChange={handleSelect} value={language}>
-      <SelectTrigger aria-label="Select language">
-        <SelectValue placeholder="Select language" />
-      </SelectTrigger>
-      <SelectContent>
-        {Object.entries(languages).map(([key, value]) => (
-          <SelectItem key={key} value={key}>
-            {value}
-          </SelectItem>
-        ))}
-      </SelectContent>
-    </Select>
-  );
-};
diff --git a/frontend/src/components/layout/layout.tsx b/frontend/src/components/layout/layout.tsx
index d59aadf3..e129092e 100644
--- a/frontend/src/components/layout/layout.tsx
+++ b/frontend/src/components/layout/layout.tsx
@@ -1,9 +1,8 @@
 import { useAppContext } from "@/context/app-context";
-import { LanguageSelector } from "../language/language";
 import { Outlet } from "react-router";
 import { useCallback, useEffect, useState } from "react";
 import { DomainWarning } from "../domain-warning/domain-warning";
-import { ThemeToggle } from "../theme-toggle/theme-toggle";
+import { QuickActions } from "../quick-actions/quick-actions";
 
 const BaseLayout = ({ children }: { children: React.ReactNode }) => {
   const { ui } = useAppContext();
@@ -21,9 +20,8 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
         backgroundPosition: "center",
       }}
     >
-      <div className="absolute top-4 right-4 flex flex-row gap-2">
-        <ThemeToggle />
-        <LanguageSelector />
+      <div className="absolute top-4 right-4">
+        <QuickActions />
       </div>
       <div className="max-w-sm md:min-w-sm min-w-xs">{children}</div>
     </div>
diff --git a/frontend/src/components/quick-actions/quick-actions.tsx b/frontend/src/components/quick-actions/quick-actions.tsx
new file mode 100644
index 00000000..1287ec6b
--- /dev/null
+++ b/frontend/src/components/quick-actions/quick-actions.tsx
@@ -0,0 +1,208 @@
+import { languages, SupportedLanguage } from "@/lib/i18n/locales";
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuLabel,
+  DropdownMenuPortal,
+  DropdownMenuSeparator,
+  DropdownMenuSub,
+  DropdownMenuSubContent,
+  DropdownMenuSubTrigger,
+  DropdownMenuTrigger,
+} from "../ui/dropdown-menu";
+import { useState } from "react";
+import i18n from "@/lib/i18n/i18n";
+import { useUserContext } from "@/context/user-context";
+import { ScrollArea } from "../ui/scroll-area";
+import { useTheme } from "../providers/theme-provider";
+import {
+  Check,
+  DoorOpenIcon,
+  Languages,
+  Monitor,
+  Moon,
+  Palette,
+  Settings,
+  Sun,
+} from "lucide-react";
+import { useTranslation } from "react-i18next";
+import { useLocation } from "react-router";
+import { useRef } from "react";
+import {
+  useScreenParams,
+  recompileScreenParams,
+} from "@/lib/hooks/screen-params";
+import { useMutation } from "@tanstack/react-query";
+import axios from "axios";
+import { toast } from "sonner";
+import { useEffect } from "react";
+
+function Avatar({ initial }: { initial: string }) {
+  return (
+    <span className="group relative grid size-10 place-items-center rounded-full">
+      <span className="absolute inset-0 overflow-hidden rounded-full bg-linear-to-b from-neutral-50 to-neutral-100 dark:from-neutral-700 dark:to-neutral-950 shadow-lg"></span>
+      <span className="relative text-sm font-semibold text-primary">
+        {initial}
+      </span>
+    </span>
+  );
+}
+
+export const QuickActions = () => {
+  const { auth } = useUserContext();
+  const { theme, setTheme } = useTheme();
+  const { t } = useTranslation();
+  const { search } = useLocation();
+
+  const [language, setLanguage] = useState<SupportedLanguage>(
+    i18n.language as SupportedLanguage,
+  );
+
+  const redirectTimer = useRef<number | null>(null);
+  const searchParams = new URLSearchParams(search);
+  const screenParams = useScreenParams(searchParams);
+  const compiledParams = recompileScreenParams(screenParams);
+
+  const logoutMutation = useMutation({
+    mutationFn: () => axios.post("/api/user/logout"),
+    mutationKey: ["logout"],
+    onSuccess: () => {
+      toast.success(t("logoutSuccessTitle"), {
+        description: t("logoutSuccessSubtitle"),
+      });
+
+      redirectTimer.current = window.setTimeout(() => {
+        window.location.replace(`/login${compiledParams}`);
+      }, 500);
+    },
+    onError: () => {
+      toast.error(t("logoutFailTitle"), {
+        description: t("logoutFailSubtitle"),
+      });
+    },
+  });
+
+  useEffect(() => {
+    return () => {
+      if (redirectTimer.current) {
+        clearTimeout(redirectTimer.current);
+      }
+    };
+  }, [redirectTimer]);
+
+  const initial = auth.authenticated
+    ? (auth.name[0] || "U").toUpperCase()
+    : null;
+
+  const handleSelect = (option: string) => {
+    setLanguage(option as SupportedLanguage);
+    i18n.changeLanguage(option as SupportedLanguage);
+  };
+
+  const themes = [
+    { key: "light", label: t("quickActionsThemeLight"), icon: Sun },
+    { key: "dark", label: t("quickActionsThemeDark"), icon: Moon },
+    { key: "system", label: t("quickActionsThemeSystem"), icon: Monitor },
+  ] as const;
+
+  return (
+    <DropdownMenu>
+      <DropdownMenuTrigger asChild>
+        <button
+          aria-label={t("quickActionsTitle")}
+          className="rounded-full transition-transform duration-200 will-change-transform hover:scale-105 hover:cursor-pointer focus:ring-0 focus:outline-3 focus:outline-ring/50"
+        >
+          {auth.authenticated ? (
+            <Avatar initial={initial!} />
+          ) : (
+            <span className="bg-card text-primary border-border size-10 flex items-center justify-center rounded-full border shadow-lg">
+              <Settings className="size-4" />
+            </span>
+          )}
+        </button>
+      </DropdownMenuTrigger>
+
+      <DropdownMenuContent
+        align="end"
+        sideOffset={8}
+        className="rounded-xl p-1"
+      >
+        {auth.authenticated && (
+          <>
+            <DropdownMenuLabel className="flex items-center gap-3 p-2">
+              <div className="bg-foreground text-background flex size-9 shrink-0 items-center justify-center rounded-full text-sm font-medium">
+                {initial}
+              </div>
+              <div className="flex min-w-0 flex-col">
+                <span className="truncate text-sm font-medium">
+                  {auth.name}
+                </span>
+                <span className="text-muted-foreground truncate text-xs font-normal">
+                  {auth.email}
+                </span>
+              </div>
+            </DropdownMenuLabel>
+
+            <DropdownMenuSeparator />
+          </>
+        )}
+
+        <DropdownMenuSub>
+          <DropdownMenuSubTrigger>
+            <Languages className="size-4" />
+            {t("quickActionsLanguage")}
+          </DropdownMenuSubTrigger>
+          <DropdownMenuPortal>
+            <DropdownMenuSubContent sideOffset={8} className="rounded-xl p-1">
+              <ScrollArea className="h-80">
+                {Object.entries(languages).map(([key, value]) => (
+                  <DropdownMenuItem
+                    key={key}
+                    onSelect={() => handleSelect(key)}
+                  >
+                    {value}
+                    {language === key && <Check className="size-4" />}
+                  </DropdownMenuItem>
+                ))}
+              </ScrollArea>
+            </DropdownMenuSubContent>
+          </DropdownMenuPortal>
+        </DropdownMenuSub>
+
+        <DropdownMenuSub>
+          <DropdownMenuSubTrigger>
+            <Palette className="size-4" />
+            {t("quickActionsTheme")}
+          </DropdownMenuSubTrigger>
+          <DropdownMenuPortal>
+            <DropdownMenuSubContent className="rounded-xl p-1" sideOffset={8}>
+              {themes.map(({ key, label, icon: Icon }) => (
+                <DropdownMenuItem key={key} onClick={() => setTheme(key)}>
+                  <span className="flex items-center gap-2">
+                    <Icon className="size-4" />
+                    {label}
+                  </span>
+                  {theme === key && <Check className="size-4" />}
+                </DropdownMenuItem>
+              ))}
+            </DropdownMenuSubContent>
+          </DropdownMenuPortal>
+        </DropdownMenuSub>
+
+        {auth.authenticated && (
+          <>
+            <DropdownMenuSeparator />
+            <DropdownMenuItem
+              onSelect={() => logoutMutation.mutate()}
+              className="text-destructive"
+            >
+              <DoorOpenIcon className="size-4" />
+              {t("quickActionsLogout")}
+            </DropdownMenuItem>
+          </>
+        )}
+      </DropdownMenuContent>
+    </DropdownMenu>
+  );
+};
diff --git a/frontend/src/components/theme-toggle/theme-toggle.tsx b/frontend/src/components/theme-toggle/theme-toggle.tsx
deleted file mode 100644
index c0791cfb..00000000
--- a/frontend/src/components/theme-toggle/theme-toggle.tsx
+++ /dev/null
@@ -1,40 +0,0 @@
-import { Moon, Sun } from "lucide-react";
-
-import { Button } from "@/components/ui/button";
-import {
-  DropdownMenu,
-  DropdownMenuContent,
-  DropdownMenuItem,
-  DropdownMenuTrigger,
-} from "@/components/ui/dropdown-menu";
-import { useTheme } from "@/components/providers/theme-provider";
-
-export function ThemeToggle() {
-  const { setTheme } = useTheme();
-
-  return (
-    <DropdownMenu>
-      <DropdownMenuTrigger asChild>
-        <Button
-          className="bg-card text-card-foreground hover:bg-card/90"
-          size="icon"
-        >
-          <Sun className="h-[1.2rem] w-[1.2rem] scale-100 rotate-0 transition-all dark:scale-0 dark:-rotate-90" />
-          <Moon className="absolute h-[1.2rem] w-[1.2rem] scale-0 rotate-90 transition-all dark:scale-100 dark:rotate-0" />
-          <span className="sr-only">Toggle theme</span>
-        </Button>
-      </DropdownMenuTrigger>
-      <DropdownMenuContent align="end">
-        <DropdownMenuItem onClick={() => setTheme("light")}>
-          Light
-        </DropdownMenuItem>
-        <DropdownMenuItem onClick={() => setTheme("dark")}>
-          Dark
-        </DropdownMenuItem>
-        <DropdownMenuItem onClick={() => setTheme("system")}>
-          System
-        </DropdownMenuItem>
-      </DropdownMenuContent>
-    </DropdownMenu>
-  );
-}
diff --git a/frontend/src/components/ui/scroll-area.tsx b/frontend/src/components/ui/scroll-area.tsx
new file mode 100644
index 00000000..e38a492f
--- /dev/null
+++ b/frontend/src/components/ui/scroll-area.tsx
@@ -0,0 +1,56 @@
+import * as React from "react"
+import { ScrollArea as ScrollAreaPrimitive } from "radix-ui"
+
+import { cn } from "@/lib/utils"
+
+function ScrollArea({
+  className,
+  children,
+  ...props
+}: React.ComponentProps<typeof ScrollAreaPrimitive.Root>) {
+  return (
+    <ScrollAreaPrimitive.Root
+      data-slot="scroll-area"
+      className={cn("relative", className)}
+      {...props}
+    >
+      <ScrollAreaPrimitive.Viewport
+        data-slot="scroll-area-viewport"
+        className="size-full rounded-[inherit] transition-[color,box-shadow] outline-none focus-visible:ring-[3px] focus-visible:ring-ring/50 focus-visible:outline-1"
+      >
+        {children}
+      </ScrollAreaPrimitive.Viewport>
+      <ScrollBar />
+      <ScrollAreaPrimitive.Corner />
+    </ScrollAreaPrimitive.Root>
+  )
+}
+
+function ScrollBar({
+  className,
+  orientation = "vertical",
+  ...props
+}: React.ComponentProps<typeof ScrollAreaPrimitive.ScrollAreaScrollbar>) {
+  return (
+    <ScrollAreaPrimitive.ScrollAreaScrollbar
+      data-slot="scroll-area-scrollbar"
+      orientation={orientation}
+      className={cn(
+        "flex touch-none p-px transition-colors select-none",
+        orientation === "vertical" &&
+          "h-full w-2.5 border-l border-l-transparent",
+        orientation === "horizontal" &&
+          "h-2.5 flex-col border-t border-t-transparent",
+        className
+      )}
+      {...props}
+    >
+      <ScrollAreaPrimitive.ScrollAreaThumb
+        data-slot="scroll-area-thumb"
+        className="relative flex-1 rounded-full bg-border"
+      />
+    </ScrollAreaPrimitive.ScrollAreaScrollbar>
+  )
+}
+
+export { ScrollArea, ScrollBar }
diff --git a/frontend/src/lib/hooks/login-for.ts b/frontend/src/lib/hooks/login-for.ts
new file mode 100644
index 00000000..8cf11579
--- /dev/null
+++ b/frontend/src/lib/hooks/login-for.ts
@@ -0,0 +1,17 @@
+type UseLoginForProps = {
+  login_for?: "oidc" | "app";
+  compiledParams: string;
+};
+
+export const useLoginFor = (props: UseLoginForProps): string => {
+  const { login_for, compiledParams } = props;
+
+  switch (login_for) {
+    case "oidc":
+      return "/oidc/authorize" + compiledParams;
+    case "app":
+      return "/continue" + compiledParams;
+    default:
+      return "/logout";
+  }
+};
diff --git a/frontend/src/lib/hooks/oidc.ts b/frontend/src/lib/hooks/oidc.ts
deleted file mode 100644
index 1341e8c2..00000000
--- a/frontend/src/lib/hooks/oidc.ts
+++ /dev/null
@@ -1,76 +0,0 @@
-import { z } from "zod";
-
-export const oidcParamsSchema = z.object({
-  scope: z.string().min(1),
-  response_type: z.string().min(1),
-  client_id: z.string().min(1),
-  redirect_uri: z.string().min(1),
-  state: z.string().optional(),
-  nonce: z.string().optional(),
-  code_challenge: z.string().optional(),
-  code_challenge_method: z.string().optional(),
-});
-
-function b64urlDecode(s: string): string {
-  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
-  return atob(base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), "="));
-}
-
-function decodeRequestObject(jwt: string): Record<string, string> {
-  try {
-    // Must have exactly 3 parts: header, payload, signature
-    const parts = jwt.split(".");
-    if (parts.length !== 3) return {};
-
-    // Header must specify "alg": "none" and signature must be empty string
-    const header = JSON.parse(b64urlDecode(parts[0]));
-    if (!header || typeof header !== "object" || header.alg !== "none" || parts[2] !== "") return {};
-
-    const payload = JSON.parse(b64urlDecode(parts[1]));
-    if (!payload || typeof payload !== "object" || Array.isArray(payload)) return {};
-    const result: Record<string, string> = {};
-    for (const [k, v] of Object.entries(payload)) {
-      if (typeof v === "string") result[k] = v;
-    }
-    return result;
-  } catch {
-    return {};
-  }
-}
-
-export const useOIDCParams = (
-  params: URLSearchParams,
-): {
-  values: z.infer<typeof oidcParamsSchema>;
-  issues: string[];
-  isOidc: boolean;
-  compiled: string;
-} => {
-  const obj = Object.fromEntries(params.entries());
-
-  // RFC 9101 / OIDC Core 6.1: if `request` param present, decode JWT payload
-  // and merge claims over top-level params (JWT claims take precedence)
-  const requestJwt = params.get("request");
-  if (requestJwt) {
-    const claims = decodeRequestObject(requestJwt);
-    Object.assign(obj, claims);
-  }
-
-  const parsed = oidcParamsSchema.safeParse(obj);
-
-  if (parsed.success) {
-    return {
-      values: parsed.data,
-      issues: [],
-      isOidc: true,
-      compiled: new URLSearchParams(parsed.data).toString(),
-    };
-  }
-
-  return {
-    issues: parsed.error.issues.map((issue) => issue.path.toString()),
-    values: {} as z.infer<typeof oidcParamsSchema>,
-    isOidc: false,
-    compiled: "",
-  };
-};
diff --git a/frontend/src/lib/hooks/redirect-uri.ts b/frontend/src/lib/hooks/redirect-uri.ts
index 5211178a..aeeae0c5 100644
--- a/frontend/src/lib/hooks/redirect-uri.ts
+++ b/frontend/src/lib/hooks/redirect-uri.ts
@@ -7,7 +7,7 @@ type IuseRedirectUri = {
 };
 
 export const useRedirectUri = (
-  redirect_uri: string | null,
+  redirect_uri: string | undefined,
   cookieDomain: string,
 ): IuseRedirectUri => {
   let isValid = false;
@@ -15,7 +15,7 @@ export const useRedirectUri = (
   let isAllowedProto = false;
   let isHttpsDowngrade = false;
 
-  if (!redirect_uri) {
+  if (redirect_uri === undefined) {
     return {
       valid: isValid,
       trusted: isTrusted,
diff --git a/frontend/src/lib/hooks/screen-params.ts b/frontend/src/lib/hooks/screen-params.ts
new file mode 100644
index 00000000..921fa4b6
--- /dev/null
+++ b/frontend/src/lib/hooks/screen-params.ts
@@ -0,0 +1,40 @@
+import { z } from "zod";
+
+type ScreenParams = {
+  login_for?: "oidc" | "app";
+  redirect_uri?: string;
+  oidc_ticket?: string;
+  oidc_scope?: string;
+  oidc_name?: string;
+};
+
+const zodScreenParams = z.object({
+  login_for: z.enum(["oidc", "app"]).optional(),
+  redirect_uri: z.string().optional(),
+  oidc_ticket: z.string().optional(),
+  oidc_scope: z.string().optional(),
+  oidc_name: z.string().optional(),
+});
+
+export function useScreenParams(params: URLSearchParams): ScreenParams {
+  const paramsObj = Object.fromEntries(params.entries());
+  const parsed = zodScreenParams.safeParse(paramsObj);
+  if (!parsed.success) {
+    return {};
+  }
+  return parsed.data;
+}
+
+export function recompileScreenParams(params: ScreenParams): string {
+  const p = new URLSearchParams(
+    Object.fromEntries(
+      Object.entries(params).filter(([, v]) => v !== undefined),
+    ) as Record<string, string>,
+  ).toString();
+
+  if (p.length > 0) {
+    return "?" + p;
+  }
+
+  return "";
+}
diff --git a/frontend/src/lib/i18n/locales/en-US.json b/frontend/src/lib/i18n/locales/en-US.json
index a71696e2..dbe05c1a 100644
--- a/frontend/src/lib/i18n/locales/en-US.json
+++ b/frontend/src/lib/i18n/locales/en-US.json
@@ -1,96 +1,103 @@
 {
-    "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Or",
-    "loginUsername": "Username",
-    "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "An error occurred",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
-    "continueTitle": "Continue",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueRedirectManually": "Redirect me manually",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
-    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "An error occurred",
-    "errorSubtitleInfo": "The following error occurred while processing your request:",
-    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
-    "domainWarningCurrent": "Current:",
-    "domainWarningExpected": "Expected:",
-    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
-    "authorizeTitle": "Authorize",
-    "authorizeCardTitle": "Continue to {{app}}?",
-    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-    "authorizeLoadingTitle": "Loading...",
-    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-    "authorizeSuccessTitle": "Authorized",
-    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
-    "openidScopeName": "OpenID Connect",
-    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-    "emailScopeName": "Email",
-    "emailScopeDescription": "Allows the app to access your email address.",
-    "profileScopeName": "Profile",
-    "profileScopeDescription": "Allows the app to access your profile information.",
-    "groupsScopeName": "Groups",
-    "groupsScopeDescription": "Allows the app to access your group information.",
-    "backToLoginButton": "Back to login",
-    "phoneScopeName": "Phone",
-    "phoneScopeDescription": "Allows the app to access your phone number.",
-    "addressScopeName": "Address",
-    "addressScopeDescription": "Allows the app to access your address.",
-    "loginTailscaleTitle": "Continue with Tailscale",
-    "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
-    "loginTailscaleDeviceName": "Device name:",
-    "loginTailscaleSubmit": "Continue with Tailscale",
-    "loginTailscaleOtherMethod": "Login with another method",
-    "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
-    "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
+  "loginTitle": "Welcome back, login with",
+  "loginTitleSimple": "Welcome back, please login",
+  "loginDivider": "Or",
+  "loginUsername": "Username",
+  "loginPassword": "Password",
+  "loginSubmit": "Login",
+  "loginFailTitle": "Failed to log in",
+  "loginFailSubtitle": "Please check your username and password",
+  "loginFailRateLimit": "You failed to login too many times. Please try again later",
+  "loginSuccessTitle": "Logged in",
+  "loginSuccessSubtitle": "Welcome back!",
+  "loginOauthFailTitle": "An error occurred",
+  "loginOauthFailSubtitle": "Failed to get OAuth URL",
+  "loginOauthSuccessTitle": "Redirecting",
+  "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+  "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+  "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+  "loginOauthAutoRedirectButton": "Redirect now",
+  "continueTitle": "Continue",
+  "continueRedirectingTitle": "Redirecting...",
+  "continueRedirectingSubtitle": "You should be redirected to the app soon",
+  "continueRedirectManually": "Redirect me manually",
+  "continueInsecureRedirectTitle": "Insecure redirect",
+  "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+  "continueUntrustedRedirectTitle": "Untrusted redirect",
+  "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+  "logoutFailTitle": "Failed to log out",
+  "logoutFailSubtitle": "Please try again",
+  "logoutSuccessTitle": "Logged out",
+  "logoutSuccessSubtitle": "You have been logged out",
+  "logoutTitle": "Logout",
+  "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+  "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+  "notFoundTitle": "Page not found",
+  "notFoundSubtitle": "The page you are looking for does not exist.",
+  "notFoundButton": "Go home",
+  "totpFailTitle": "Failed to verify code",
+  "totpFailSubtitle": "Please check your code and try again",
+  "totpSuccessTitle": "Verified",
+  "totpSuccessSubtitle": "Redirecting to your app",
+  "totpTitle": "Enter your TOTP code",
+  "totpSubtitle": "Please enter the code from your authenticator app.",
+  "unauthorizedTitle": "Unauthorized",
+  "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+  "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+  "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+  "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+  "unauthorizedButton": "Try again",
+  "cancelTitle": "Cancel",
+  "forgotPasswordTitle": "Forgot your password?",
+  "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+  "errorTitle": "An error occurred",
+  "errorSubtitleInfo": "The following error occurred while processing your request:",
+  "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
+  "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+  "fieldRequired": "This field is required",
+  "invalidInput": "Invalid input",
+  "domainWarningTitle": "Invalid Domain",
+  "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+  "domainWarningCurrent": "Current:",
+  "domainWarningExpected": "Expected:",
+  "ignoreTitle": "Ignore",
+  "goToCorrectDomainTitle": "Go to correct domain",
+  "authorizeTitle": "Authorize",
+  "authorizeCardTitle": "Continue to {{app}}?",
+  "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+  "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+  "authorizeLoadingTitle": "Loading...",
+  "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+  "authorizeSuccessTitle": "Authorized",
+  "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+  "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+  "authorizeErrorInvalidParams": "The request is missing required parameters or has invalid parameters. Please check the URL and try again.",
+  "openidScopeName": "OpenID Connect",
+  "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+  "emailScopeName": "Email",
+  "emailScopeDescription": "Allows the app to access your email address.",
+  "profileScopeName": "Profile",
+  "profileScopeDescription": "Allows the app to access your profile information.",
+  "groupsScopeName": "Groups",
+  "groupsScopeDescription": "Allows the app to access your group information.",
+  "backToLoginButton": "Back to login",
+  "phoneScopeName": "Phone",
+  "phoneScopeDescription": "Allows the app to access your phone number.",
+  "addressScopeName": "Address",
+  "addressScopeDescription": "Allows the app to access your address.",
+  "loginTailscaleTitle": "Continue with Tailscale",
+  "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
+  "loginTailscaleDeviceName": "Device name:",
+  "loginTailscaleSubmit": "Continue with Tailscale",
+  "loginTailscaleOtherMethod": "Login with another method",
+  "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
+  "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
+  "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout.",
+  "quickActionsLanguage": "Language",
+  "quickActionsTheme": "Theme",
+  "quickActionsThemeLight": "Light",
+  "quickActionsThemeDark": "Dark",
+  "quickActionsThemeSystem": "System",
+  "quickActionsLogout": "Logout",
+  "quickActionsTitle": "Quick Actions"
 }
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index a71696e2..dbe05c1a 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -1,96 +1,103 @@
 {
-    "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Or",
-    "loginUsername": "Username",
-    "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "An error occurred",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
-    "continueTitle": "Continue",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueRedirectManually": "Redirect me manually",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
-    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "An error occurred",
-    "errorSubtitleInfo": "The following error occurred while processing your request:",
-    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
-    "domainWarningCurrent": "Current:",
-    "domainWarningExpected": "Expected:",
-    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
-    "authorizeTitle": "Authorize",
-    "authorizeCardTitle": "Continue to {{app}}?",
-    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-    "authorizeLoadingTitle": "Loading...",
-    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-    "authorizeSuccessTitle": "Authorized",
-    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
-    "openidScopeName": "OpenID Connect",
-    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-    "emailScopeName": "Email",
-    "emailScopeDescription": "Allows the app to access your email address.",
-    "profileScopeName": "Profile",
-    "profileScopeDescription": "Allows the app to access your profile information.",
-    "groupsScopeName": "Groups",
-    "groupsScopeDescription": "Allows the app to access your group information.",
-    "backToLoginButton": "Back to login",
-    "phoneScopeName": "Phone",
-    "phoneScopeDescription": "Allows the app to access your phone number.",
-    "addressScopeName": "Address",
-    "addressScopeDescription": "Allows the app to access your address.",
-    "loginTailscaleTitle": "Continue with Tailscale",
-    "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
-    "loginTailscaleDeviceName": "Device name:",
-    "loginTailscaleSubmit": "Continue with Tailscale",
-    "loginTailscaleOtherMethod": "Login with another method",
-    "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
-    "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
+  "loginTitle": "Welcome back, login with",
+  "loginTitleSimple": "Welcome back, please login",
+  "loginDivider": "Or",
+  "loginUsername": "Username",
+  "loginPassword": "Password",
+  "loginSubmit": "Login",
+  "loginFailTitle": "Failed to log in",
+  "loginFailSubtitle": "Please check your username and password",
+  "loginFailRateLimit": "You failed to login too many times. Please try again later",
+  "loginSuccessTitle": "Logged in",
+  "loginSuccessSubtitle": "Welcome back!",
+  "loginOauthFailTitle": "An error occurred",
+  "loginOauthFailSubtitle": "Failed to get OAuth URL",
+  "loginOauthSuccessTitle": "Redirecting",
+  "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+  "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+  "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+  "loginOauthAutoRedirectButton": "Redirect now",
+  "continueTitle": "Continue",
+  "continueRedirectingTitle": "Redirecting...",
+  "continueRedirectingSubtitle": "You should be redirected to the app soon",
+  "continueRedirectManually": "Redirect me manually",
+  "continueInsecureRedirectTitle": "Insecure redirect",
+  "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+  "continueUntrustedRedirectTitle": "Untrusted redirect",
+  "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+  "logoutFailTitle": "Failed to log out",
+  "logoutFailSubtitle": "Please try again",
+  "logoutSuccessTitle": "Logged out",
+  "logoutSuccessSubtitle": "You have been logged out",
+  "logoutTitle": "Logout",
+  "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+  "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+  "notFoundTitle": "Page not found",
+  "notFoundSubtitle": "The page you are looking for does not exist.",
+  "notFoundButton": "Go home",
+  "totpFailTitle": "Failed to verify code",
+  "totpFailSubtitle": "Please check your code and try again",
+  "totpSuccessTitle": "Verified",
+  "totpSuccessSubtitle": "Redirecting to your app",
+  "totpTitle": "Enter your TOTP code",
+  "totpSubtitle": "Please enter the code from your authenticator app.",
+  "unauthorizedTitle": "Unauthorized",
+  "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+  "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+  "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+  "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+  "unauthorizedButton": "Try again",
+  "cancelTitle": "Cancel",
+  "forgotPasswordTitle": "Forgot your password?",
+  "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+  "errorTitle": "An error occurred",
+  "errorSubtitleInfo": "The following error occurred while processing your request:",
+  "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
+  "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+  "fieldRequired": "This field is required",
+  "invalidInput": "Invalid input",
+  "domainWarningTitle": "Invalid Domain",
+  "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+  "domainWarningCurrent": "Current:",
+  "domainWarningExpected": "Expected:",
+  "ignoreTitle": "Ignore",
+  "goToCorrectDomainTitle": "Go to correct domain",
+  "authorizeTitle": "Authorize",
+  "authorizeCardTitle": "Continue to {{app}}?",
+  "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+  "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+  "authorizeLoadingTitle": "Loading...",
+  "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+  "authorizeSuccessTitle": "Authorized",
+  "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+  "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+  "authorizeErrorInvalidParams": "The request is missing required parameters or has invalid parameters. Please check the URL and try again.",
+  "openidScopeName": "OpenID Connect",
+  "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+  "emailScopeName": "Email",
+  "emailScopeDescription": "Allows the app to access your email address.",
+  "profileScopeName": "Profile",
+  "profileScopeDescription": "Allows the app to access your profile information.",
+  "groupsScopeName": "Groups",
+  "groupsScopeDescription": "Allows the app to access your group information.",
+  "backToLoginButton": "Back to login",
+  "phoneScopeName": "Phone",
+  "phoneScopeDescription": "Allows the app to access your phone number.",
+  "addressScopeName": "Address",
+  "addressScopeDescription": "Allows the app to access your address.",
+  "loginTailscaleTitle": "Continue with Tailscale",
+  "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
+  "loginTailscaleDeviceName": "Device name:",
+  "loginTailscaleSubmit": "Continue with Tailscale",
+  "loginTailscaleOtherMethod": "Login with another method",
+  "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
+  "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
+  "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout.",
+  "quickActionsLanguage": "Language",
+  "quickActionsTheme": "Theme",
+  "quickActionsThemeLight": "Light",
+  "quickActionsThemeDark": "Dark",
+  "quickActionsThemeSystem": "System",
+  "quickActionsLogout": "Logout",
+  "quickActionsTitle": "Quick Actions"
 }
diff --git a/frontend/src/main.tsx b/frontend/src/main.tsx
index 29b3e475..4af686d5 100644
--- a/frontend/src/main.tsx
+++ b/frontend/src/main.tsx
@@ -35,7 +35,10 @@ createRoot(document.getElementById("root")!).render(
                     <Route element={<Layout />} errorElement={<ErrorPage />}>
                       <Route path="/" element={<App />} />
                       <Route path="/login" element={<LoginPage />} />
-                      <Route path="/authorize" element={<AuthorizePage />} />
+                      <Route
+                        path="/oidc/authorize"
+                        element={<AuthorizePage />}
+                      />
                       <Route path="/logout" element={<LogoutPage />} />
                       <Route path="/continue" element={<ContinuePage />} />
                       <Route path="/totp" element={<TotpPage />} />
diff --git a/frontend/src/pages/authorize-page.tsx b/frontend/src/pages/authorize-page.tsx
index 91f8f9c9..3251c774 100644
--- a/frontend/src/pages/authorize-page.tsx
+++ b/frontend/src/pages/authorize-page.tsx
@@ -1,5 +1,5 @@
 import { useUserContext } from "@/context/user-context";
-import { useMutation, useQuery } from "@tanstack/react-query";
+import { useMutation } from "@tanstack/react-query";
 import { Navigate, useNavigate } from "react-router";
 import { useLocation } from "react-router";
 import {
@@ -10,11 +10,9 @@ import {
   CardFooter,
   CardContent,
 } from "@/components/ui/card";
-import { getOidcClientInfoSchema } from "@/schemas/oidc-schemas";
 import { Button } from "@/components/ui/button";
 import axios from "axios";
 import { toast } from "sonner";
-import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
 import { Mail, MapPin, Phone, Shield, User, Users } from "lucide-react";
@@ -23,6 +21,10 @@ import {
   TooltipContent,
   TooltipTrigger,
 } from "@/components/ui/tooltip";
+import {
+  recompileScreenParams,
+  useScreenParams,
+} from "@/lib/hooks/screen-params";
 
 type Scope = {
   id: string;
@@ -84,27 +86,17 @@ export const AuthorizePage = () => {
   const scopeMap = createScopeMap(t);
 
   const searchParams = new URLSearchParams(search);
-  const oidcParams = useOIDCParams(searchParams);
-
-  const getClientInfo = useQuery({
-    queryKey: ["client", oidcParams.values.client_id],
-    queryFn: async () => {
-      const res = await fetch(
-        `/api/oidc/clients/${encodeURIComponent(oidcParams.values.client_id)}`,
-      );
-      const data = await getOidcClientInfoSchema.parseAsync(await res.json());
-      return data;
-    },
-    enabled: oidcParams.isOidc,
-  });
+  const screenParams = useScreenParams(searchParams);
+  const isOidc = screenParams.login_for === "oidc";
+  const compiledParams = recompileScreenParams(screenParams);
 
   const authorizeMutation = useMutation({
     mutationFn: () => {
-      return axios.post("/api/oidc/authorize", {
-        ...oidcParams.values,
+      return axios.post("/api/oidc/authorize-complete", {
+        ticket: screenParams.oidc_ticket,
       });
     },
-    mutationKey: ["authorize", oidcParams.values.client_id],
+    mutationKey: ["authorize", screenParams.oidc_ticket],
     onSuccess: (data) => {
       toast.info(t("authorizeSuccessTitle"), {
         description: t("authorizeSuccessSubtitle"),
@@ -118,56 +110,36 @@ export const AuthorizePage = () => {
     },
   });
 
-  if (oidcParams.issues.length > 0) {
+  if (
+    !isOidc ||
+    screenParams.oidc_ticket === undefined ||
+    screenParams.oidc_scope === undefined
+  ) {
     return (
       <Navigate
-        to={`/error?error=${encodeURIComponent(t("authorizeErrorMissingParams", { missingParams: oidcParams.issues.join(", ") }))}`}
+        to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
         replace
       />
     );
   }
 
   if (!auth.authenticated) {
-    return <Navigate to={`/login?${oidcParams.compiled}`} replace />;
-  }
-
-  if (getClientInfo.isLoading) {
-    return (
-      <Card className="gap-0">
-        <CardHeader>
-          <CardTitle className="text-xl">
-            {t("authorizeLoadingTitle")}
-          </CardTitle>
-        </CardHeader>
-        <CardContent>
-          <CardDescription>{t("authorizeLoadingSubtitle")}</CardDescription>
-        </CardContent>
-      </Card>
-    );
-  }
-
-  if (getClientInfo.isError) {
-    return (
-      <Navigate
-        to={`/error?error=${encodeURIComponent(t("authorizeErrorClientInfo"))}`}
-        replace
-      />
-    );
+    return <Navigate to={`/login${compiledParams}`} replace />;
   }
 
   const scopes =
-    oidcParams.values.scope.split(" ").filter((s) => s.trim() !== "") || [];
+    screenParams.oidc_scope.split(" ").filter((s) => s.trim() !== "") || [];
 
   return (
     <Card>
       <CardHeader className="mb-2">
         <div className="flex flex-col gap-3 items-center justify-center text-center">
           <div className="bg-accent-foreground box-content text-muted text-xl font-bold font-sans rounded-lg size-8 p-2 flex items-center justify-center">
-            {getClientInfo.data?.name.slice(0, 1) || "U"}
+            {screenParams.oidc_name ? screenParams.oidc_name.slice(0, 1) : "U"}
           </div>
           <CardTitle className="text-xl">
             {t("authorizeCardTitle", {
-              app: getClientInfo.data?.name || "Unknown",
+              app: screenParams.oidc_name || "Unknown",
             })}
           </CardTitle>
           <CardDescription className="text-sm max-w-sm">
@@ -206,7 +178,7 @@ export const AuthorizePage = () => {
           {t("authorizeTitle")}
         </Button>
         <Button
-          onClick={() => navigate("/")}
+          onClick={() => navigate(`/logout${compiledParams}`)}
           disabled={authorizeMutation.isPending}
           variant="outline"
         >
diff --git a/frontend/src/pages/continue-page.tsx b/frontend/src/pages/continue-page.tsx
index 82846c64..3220ac99 100644
--- a/frontend/src/pages/continue-page.tsx
+++ b/frontend/src/pages/continue-page.tsx
@@ -12,6 +12,10 @@ import { Trans, useTranslation } from "react-i18next";
 import { Navigate, useLocation, useNavigate } from "react-router";
 import { useCallback, useEffect, useRef, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
+import {
+  recompileScreenParams,
+  useScreenParams,
+} from "@/lib/hooks/screen-params";
 
 export const ContinuePage = () => {
   const { app, ui } = useAppContext();
@@ -25,7 +29,10 @@ export const ContinuePage = () => {
   const hasRedirected = useRef(false);
 
   const searchParams = new URLSearchParams(search);
-  const redirectUri = searchParams.get("redirect_uri");
+  const screenParams = useScreenParams(searchParams);
+  const redirectUri = screenParams.redirect_uri;
+  const isAppLogin = screenParams.login_for === "app";
+  const recompiledParams = recompileScreenParams(screenParams);
 
   const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
     redirectUri,
@@ -43,7 +50,8 @@ export const ContinuePage = () => {
     auth.authenticated &&
     hasValidRedirect &&
     !showUntrustedWarning &&
-    !showInsecureWarning;
+    !showInsecureWarning &&
+    isAppLogin;
 
   const redirectToTarget = useCallback(() => {
     if (!urlHref || hasRedirected.current) {
@@ -79,15 +87,10 @@ export const ContinuePage = () => {
   }, [shouldAutoRedirect, redirectToTarget]);
 
   if (!auth.authenticated) {
-    return (
-      <Navigate
-        to={`/login${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
-        replace
-      />
-    );
+    return <Navigate to={`/login${recompiledParams}`} replace />;
   }
 
-  if (!hasValidRedirect) {
+  if (!hasValidRedirect || !isAppLogin) {
     return <Navigate to="/logout" replace />;
   }
 
diff --git a/frontend/src/pages/forgot-password-page.tsx b/frontend/src/pages/forgot-password-page.tsx
index 6438e353..58b80a3a 100644
--- a/frontend/src/pages/forgot-password-page.tsx
+++ b/frontend/src/pages/forgot-password-page.tsx
@@ -11,12 +11,18 @@ import { useAppContext } from "@/context/app-context";
 import { useTranslation } from "react-i18next";
 import Markdown from "react-markdown";
 import { useLocation } from "react-router";
+import {
+  recompileScreenParams,
+  useScreenParams,
+} from "@/lib/hooks/screen-params";
 
 export const ForgotPasswordPage = () => {
   const { ui } = useAppContext();
   const { t } = useTranslation();
   const { search } = useLocation();
   const searchParams = new URLSearchParams(search);
+  const screenParams = useScreenParams(searchParams);
+  const compiledParams = recompileScreenParams(screenParams);
 
   return (
     <Card>
@@ -37,10 +43,7 @@ export const ForgotPasswordPage = () => {
           className="w-full"
           variant="outline"
           onClick={() => {
-            const eparams = searchParams.toString();
-            window.location.replace(
-              `/login${eparams.length > 0 ? `?${eparams}` : ""}`,
-            );
+            window.location.replace(`/login${compiledParams}`);
           }}
         >
           {t("backToLoginButton")}
diff --git a/frontend/src/pages/login-page.tsx b/frontend/src/pages/login-page.tsx
index 3295a7ed..e6cb2a60 100644
--- a/frontend/src/pages/login-page.tsx
+++ b/frontend/src/pages/login-page.tsx
@@ -18,7 +18,6 @@ import { OAuthButton } from "@/components/ui/oauth-button";
 import { SeperatorWithChildren } from "@/components/ui/separator";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
-import { useOIDCParams } from "@/lib/hooks/oidc";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
@@ -26,6 +25,11 @@ import { useEffect, useId, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
+import {
+  recompileScreenParams,
+  useScreenParams,
+} from "@/lib/hooks/screen-params";
+import { useLoginFor } from "@/lib/hooks/login-for";
 
 const iconMap: Record<string, React.ReactNode> = {
   google: <GoogleIcon />,
@@ -46,7 +50,9 @@ export const LoginPage = () => {
   const { t } = useTranslation();
 
   const [showRedirectButton, setShowRedirectButton] = useState(false);
-  const [useTailscale, setUseTailscale] = useState(tailscale.nodeName !== undefined);
+  const [useTailscale, setUseTailscale] = useState(
+    tailscale.nodeName !== undefined,
+  );
 
   const hasAutoRedirectedRef = useRef(false);
 
@@ -56,17 +62,22 @@ export const LoginPage = () => {
   const formId = useId();
 
   const searchParams = new URLSearchParams(search);
-  const redirectUri = searchParams.get("redirect_uri") || undefined;
-  const oidcParams = useOIDCParams(searchParams);
+  const screenParams = useScreenParams(searchParams);
+  const compiledParams = recompileScreenParams(screenParams);
+  const loginForUrl = useLoginFor({
+    login_for: screenParams.login_for,
+    compiledParams,
+  });
 
   const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
     providers.find((provider) => provider.id === oauth.autoRedirect) !==
-      undefined && redirectUri !== undefined,
+      undefined && screenParams.redirect_uri !== undefined,
   );
 
   const oauthProviders = providers.filter(
     (provider) => provider.id !== "local" && provider.id !== "ldap",
   );
+
   const userAuthConfigured =
     providers.find(
       (provider) => provider.id === "local" || provider.id === "ldap",
@@ -79,16 +90,7 @@ export const LoginPage = () => {
     variables: oauthVariables,
   } = useMutation({
     mutationFn: (provider: string) => {
-      const getParams = function (): string {
-        if (oidcParams.isOidc) {
-          return `?${oidcParams.compiled}`;
-        }
-        if (redirectUri) {
-          return `?redirect_uri=${encodeURIComponent(redirectUri)}`;
-        }
-        return "";
-      };
-      return axios.get(`/api/oauth/url/${provider}${getParams()}`);
+      return axios.get(`/api/oauth/url/${provider}${compiledParams}`);
     },
     mutationKey: ["oauth"],
     onSuccess: (data) => {
@@ -119,13 +121,7 @@ export const LoginPage = () => {
     mutationKey: ["login"],
     onSuccess: (data) => {
       if (data.data.totpPending) {
-        if (oidcParams.isOidc) {
-          window.location.replace(`/totp?${oidcParams.compiled}`);
-          return;
-        }
-        window.location.replace(
-          `/totp${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
-        );
+        window.location.replace(`/totp${compiledParams}`);
         return;
       }
 
@@ -134,13 +130,7 @@ export const LoginPage = () => {
       });
 
       redirectTimer.current = window.setTimeout(() => {
-        if (oidcParams.isOidc) {
-          window.location.replace(`/authorize?${oidcParams.compiled}`);
-          return;
-        }
-        window.location.replace(
-          `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
-        );
+        window.location.replace(loginForUrl);
       }, 500);
     },
     onError: (error: AxiosError) => {
@@ -163,13 +153,7 @@ export const LoginPage = () => {
         });
 
         redirectTimer.current = window.setTimeout(() => {
-          if (oidcParams.isOidc) {
-            window.location.replace(`/authorize?${oidcParams.compiled}`);
-            return;
-          }
-          window.location.replace(
-            `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
-          );
+          window.location.replace(loginForUrl);
         }, 500);
       },
       onError: () => {
@@ -184,7 +168,7 @@ export const LoginPage = () => {
       !auth.authenticated &&
       isOauthAutoRedirect &&
       !hasAutoRedirectedRef.current &&
-      redirectUri !== undefined
+      screenParams.login_for !== undefined
     ) {
       hasAutoRedirectedRef.current = true;
       oauthMutate(oauth.autoRedirect);
@@ -195,7 +179,7 @@ export const LoginPage = () => {
     hasAutoRedirectedRef,
     oauth.autoRedirect,
     isOauthAutoRedirect,
-    redirectUri,
+    screenParams.login_for,
   ]);
 
   useEffect(() => {
@@ -210,21 +194,8 @@ export const LoginPage = () => {
     };
   }, [redirectTimer, redirectButtonTimer]);
 
-  if (auth.authenticated && oidcParams.isOidc) {
-    return <Navigate to={`/authorize?${oidcParams.compiled}`} replace />;
-  }
-
-  if (auth.authenticated && redirectUri !== undefined) {
-    return (
-      <Navigate
-        to={`/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
-        replace
-      />
-    );
-  }
-
   if (auth.authenticated) {
-    return <Navigate to="/logout" replace />;
+    return <Navigate to={loginForUrl} replace />;
   }
 
   if (isOauthAutoRedirect) {
diff --git a/frontend/src/pages/logout-page.tsx b/frontend/src/pages/logout-page.tsx
index bd1704c0..71911c5b 100644
--- a/frontend/src/pages/logout-page.tsx
+++ b/frontend/src/pages/logout-page.tsx
@@ -15,12 +15,21 @@ import { Navigate } from "react-router";
 import { toast } from "sonner";
 import { type UseMutationResult } from "@tanstack/react-query";
 import { type AxiosResponse } from "axios";
+import { useLocation } from "react-router";
+import {
+  useScreenParams,
+  recompileScreenParams,
+} from "@/lib/hooks/screen-params";
 
 export const LogoutPage = () => {
   const { auth, oauth, tailscale } = useUserContext();
   const { t } = useTranslation();
+  const { search } = useLocation();
 
   const redirectTimer = useRef<number | null>(null);
+  const searchParams = new URLSearchParams(search);
+  const screenParams = useScreenParams(searchParams);
+  const compiledParams = recompileScreenParams(screenParams);
 
   const logoutMutation = useMutation({
     mutationFn: () => axios.post("/api/user/logout"),
@@ -31,7 +40,7 @@ export const LogoutPage = () => {
       });
 
       redirectTimer.current = window.setTimeout(() => {
-        window.location.replace("/login");
+        window.location.replace(`/login${compiledParams}`);
       }, 500);
     },
     onError: () => {
@@ -50,7 +59,7 @@ export const LogoutPage = () => {
   }, [redirectTimer]);
 
   if (!auth.authenticated) {
-    return <Navigate to="/login" replace />;
+    return <Navigate to={`/login${compiledParams}`} replace />;
   }
 
   if (oauth.active) {
diff --git a/frontend/src/pages/totp-page.tsx b/frontend/src/pages/totp-page.tsx
index 984cb8db..e66b4704 100644
--- a/frontend/src/pages/totp-page.tsx
+++ b/frontend/src/pages/totp-page.tsx
@@ -16,10 +16,14 @@ import { useEffect, useId, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
-import { useOIDCParams } from "@/lib/hooks/oidc";
+import {
+  recompileScreenParams,
+  useScreenParams,
+} from "@/lib/hooks/screen-params";
+import { useLoginFor } from "@/lib/hooks/login-for";
 
 export const TotpPage = () => {
-  const { totp } = useUserContext();
+  const { totp, auth } = useUserContext();
   const { t } = useTranslation();
   const { search } = useLocation();
   const formId = useId();
@@ -27,8 +31,12 @@ export const TotpPage = () => {
   const redirectTimer = useRef<number | null>(null);
 
   const searchParams = new URLSearchParams(search);
-  const redirectUri = searchParams.get("redirect_uri") || undefined;
-  const oidcParams = useOIDCParams(searchParams);
+  const screenParams = useScreenParams(searchParams);
+  const compiledParams = recompileScreenParams(screenParams);
+  const loginForUrl = useLoginFor({
+    login_for: screenParams.login_for,
+    compiledParams,
+  });
 
   const totpMutation = useMutation({
     mutationFn: (values: TotpSchema) => axios.post("/api/user/totp", values),
@@ -39,14 +47,7 @@ export const TotpPage = () => {
       });
 
       redirectTimer.current = window.setTimeout(() => {
-        if (oidcParams.isOidc) {
-          window.location.replace(`/authorize?${oidcParams.compiled}`);
-          return;
-        }
-
-        window.location.replace(
-          `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
-        );
+        window.location.replace(loginForUrl);
       }, 500);
     },
     onError: () => {
@@ -65,7 +66,10 @@ export const TotpPage = () => {
   }, [redirectTimer]);
 
   if (!totp.pending) {
-    return <Navigate to="/" replace />;
+    if (auth.authenticated) {
+      return <Navigate to={loginForUrl} replace />;
+    }
+    return <Navigate to={`/login${compiledParams}`} replace />;
   }
 
   return (
diff --git a/frontend/src/schemas/oidc-schemas.ts b/frontend/src/schemas/oidc-schemas.ts
deleted file mode 100644
index 022bdfbf..00000000
--- a/frontend/src/schemas/oidc-schemas.ts
+++ /dev/null
@@ -1,5 +0,0 @@
-import { z } from "zod";
-
-export const getOidcClientInfoSchema = z.object({
-  name: z.string(),
-});
diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
index bdcdf3f2..cc5214a3 100644
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -57,6 +57,11 @@ export default defineConfig({
         changeOrigin: true,
         rewrite: (path) => path.replace(/^\/robots.txt/, ""),
       },
+      "/authorize": {
+        target: "http://tinyauth-backend:3000/authorize",
+        changeOrigin: true,
+        rewrite: (path) => path.replace(/^\/authorize/, ""),
+      },
     },
     allowedHosts: true,
   },
diff --git a/go.mod b/go.mod
index e7c0d2d3..15056c92 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/gin-gonic/gin v1.12.0
 	github.com/go-jose/go-jose/v4 v4.1.4
 	github.com/go-ldap/ldap/v3 v3.4.13
+	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/go-querystring v1.2.0
 	github.com/google/uuid v1.6.0
diff --git a/go.sum b/go.sum
index 9cd35e7f..bbbe5c53 100644
--- a/go.sum
+++ b/go.sum
@@ -216,6 +216,8 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
diff --git a/internal/bootstrap/router_bootstrap.go b/internal/bootstrap/router_bootstrap.go
index 034236ea..5244ab20 100644
--- a/internal/bootstrap/router_bootstrap.go
+++ b/internal/bootstrap/router_bootstrap.go
@@ -59,7 +59,7 @@ func (app *BootstrapApp) setupRouter() error {
 
 	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
 	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
-	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter, &engine.RouterGroup)
 	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
 	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
 	controller.NewResourcesController(app.config, &engine.RouterGroup)
diff --git a/internal/controller/controller.go b/internal/controller/controller.go
index a1ca59ba..8b6ab4f7 100644
--- a/internal/controller/controller.go
+++ b/internal/controller/controller.go
@@ -1,5 +1,12 @@
 package controller
 
+type FrontendLoginFor string
+
+const (
+	FrontendLoginForOIDC FrontendLoginFor = "oidc"
+	FrontendLoginForApp  FrontendLoginFor = "app"
+)
+
 type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
@@ -8,5 +15,6 @@ type UnauthorizedQuery struct {
 }
 
 type RedirectQuery struct {
-	RedirectURI string `url:"redirect_uri"`
+	RedirectURI string           `url:"redirect_uri"`
+	LoginFor    FrontendLoginFor `url:"login_for"`
 }
diff --git a/internal/controller/oauth_controller.go b/internal/controller/oauth_controller.go
index 18bed57c..788fedfa 100644
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -61,7 +61,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 
-	var reqParams service.OAuthURLParams
+	var reqParams service.OAuthCallbackParams
 
 	err = c.BindQuery(&reqParams)
 
@@ -83,7 +83,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		}
 	}
 
-	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
+	sessionId, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create new OAuth session")
@@ -272,13 +272,14 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/oidc/authorize?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 
 	if oauthPendingSession.CallbackParams.RedirectURI != "" {
 		queries, err := query.Values(RedirectQuery{
 			RedirectURI: oauthPendingSession.CallbackParams.RedirectURI,
+			LoginFor:    FrontendLoginForApp,
 		})
 
 		if err != nil {
@@ -294,11 +295,8 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, controller.runtime.AppURL)
 }
 
-func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
-	return params.Scope != "" &&
-		params.ResponseType != "" &&
-		params.ClientID != "" &&
-		params.RedirectURI != ""
+func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackParams) bool {
+	return params.LoginFor == string(FrontendLoginForOIDC)
 }
 
 func (controller *OAuthController) getCookieDomain() string {
diff --git a/internal/controller/oidc_controller.go b/internal/controller/oidc_controller.go
index eb916cba..5105f7d7 100644
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/gin-gonic/gin"
+	"github.com/gin-gonic/gin/binding"
 	"github.com/google/go-querystring/query"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
@@ -23,6 +24,7 @@ type authorizeErrorParams struct {
 	callback      string
 	callbackError string
 	state         string
+	json          bool
 }
 
 type OIDCController struct {
@@ -65,20 +67,34 @@ type ClientCredentials struct {
 	ClientSecret string
 }
 
+type AuthorizeScreenParams struct {
+	LoginFor   FrontendLoginFor `url:"login_for"`
+	OIDCTicket string           `url:"oidc_ticket"`
+	OIDCScope  string           `url:"oidc_scope"`
+	OIDCName   string           `url:"oidc_name"`
+}
+
+type AuthorizeCompleteRequest struct {
+	Ticket string `json:"ticket" binding:"required"`
+}
+
 func NewOIDCController(
 	log *logger.Logger,
 	oidcService *service.OIDCService,
 	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup) *OIDCController {
+	router *gin.RouterGroup,
+	mainRouter *gin.RouterGroup) *OIDCController {
 	controller := &OIDCController{
 		log:     log,
 		oidc:    oidcService,
 		runtime: runtimeConfig,
 	}
 
+	mainRouter.POST("/authorize", controller.authorize)
+	mainRouter.GET("/authorize", controller.authorize)
+
 	oidcGroup := router.Group("/oidc")
-	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
-	oidcGroup.POST("/authorize", controller.Authorize)
+	oidcGroup.POST("/authorize-complete", controller.authorizeComplete)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 	oidcGroup.POST("/userinfo", controller.Userinfo)
@@ -86,24 +102,27 @@ func NewOIDCController(
 	return controller
 }
 
-func (controller *OIDCController) GetClientInfo(c *gin.Context) {
+// This endpoint does **not** return a code, it handles param validation, ticket creation
+// and then redirects to the frontend to handle the consent screen. It performs no destructive
+// actions (like logging out an existing session)
+func (controller *OIDCController) authorize(c *gin.Context) {
 	if controller.oidc == nil {
-		controller.log.App.Warn().Msg("Received OIDC client info request but OIDC server is not configured")
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "OIDC not configured",
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          errors.New("err_oidc_not_configured"),
+			reason:       "OIDC not configured",
+			reasonPublic: "This instance is not configured for OIDC",
 		})
 		return
 	}
 
-	var req ClientRequest
+	req, err := controller.resolveAuthorizeRequest(c)
 
-	err := c.BindUri(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
+		controller.log.App.Warn().Err(err).Msg("Failed to resolve authorize request")
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          err,
+			reason:       "Failed to resolve authorize request",
+			reasonPublic: "The authorization request is invalid",
 		})
 		return
 	}
@@ -111,27 +130,71 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)
 
 	if !ok {
-		controller.log.App.Warn().Str("clientId", req.ClientID).Msg("Client not found")
-		c.JSON(404, gin.H{
-			"status":  404,
-			"message": "Client not found",
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          fmt.Errorf("client not found: %s", req.ClientID),
+			reason:       "Client not found",
+			reasonPublic: "The client ID is invalid",
 		})
 		return
 	}
 
-	c.JSON(200, gin.H{
-		"status": 200,
-		"client": client.ClientID,
-		"name":   client.Name,
+	err = controller.oidc.ValidateAuthorizeParams(*req)
+
+	if err != nil {
+		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
+		if err.Error() != "invalid_request_uri" {
+			controller.authorizeError(c, authorizeErrorParams{
+				err:           err,
+				reason:        "Failed validate authorize params",
+				reasonPublic:  "Invalid request parameters",
+				callback:      req.RedirectURI,
+				callbackError: err.Error(),
+				state:         req.State,
+			})
+			return
+		}
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          err,
+			reason:       "Redirect URI not trusted",
+			reasonPublic: "The provided redirect URI is not trusted",
+		})
+		return
+	}
+
+	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)
+
+	queries, err := query.Values(AuthorizeScreenParams{
+		LoginFor:   FrontendLoginForOIDC,
+		OIDCTicket: ticket,
+		OIDCScope:  req.Scope,
+		OIDCName:   client.Name,
 	})
+
+	if err != nil {
+		controller.authorizeError(c, authorizeErrorParams{
+			err:          err,
+			reason:       "Failed to compile authorize queries",
+			reasonPublic: "An internal error occured while processing your request",
+		})
+		return
+	}
+
+	redirectUrl := fmt.Sprintf("%s/oidc/authorize?%s", controller.oidc.GetIssuer(), queries.Encode())
+	c.Redirect(http.StatusFound, redirectUrl)
 }
 
-func (controller *OIDCController) Authorize(c *gin.Context) {
+// The actual **internal** endpoint that actually creates the code and session.
+// It is called by the frontend after the user has logged in and given consent.
+func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 	if controller.oidc == nil {
+		// For this endpoint we return JSON errors since it's called
+		// by the frontend and not an external client, so there's
+		// no redirect_uri to send the user to in case of error
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err_oidc_not_configured"),
 			reason:       "OIDC not configured",
 			reasonPublic: "This instance is not configured for OIDC",
+			json:         true,
 		})
 		return
 	}
@@ -143,6 +206,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 			err:          err,
 			reason:       "Failed to get user context",
 			reasonPublic: "User is not logged in or the session is invalid",
+			json:         true,
 		})
 		return
 	}
@@ -152,59 +216,42 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 			err:          errors.New("err user not logged in"),
 			reason:       "User not logged in",
 			reasonPublic: "The user is not logged in",
+			json:         true,
 		})
 		return
 	}
 
-	var req service.AuthorizeRequest
+	var req AuthorizeCompleteRequest
 
-	err = c.Bind(&req)
+	err = c.BindJSON(&req)
 
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to bind JSON",
 			reasonPublic: "The client provided an invalid authorization request",
+			json:         true,
 		})
 		return
 	}
 
-	_, ok := controller.oidc.GetClient(req.ClientID)
+	authorizeReq, ok := controller.oidc.GetAuthorizeRequestByTicket(req.Ticket)
 
 	if !ok {
 		controller.authorizeError(c, authorizeErrorParams{
-			err:          fmt.Errorf("client not found: %s", req.ClientID),
-			reason:       "Client not found",
-			reasonPublic: "The client ID is invalid",
+			err:          errors.New("authorize request not found for ticket"),
+			reason:       "Invalid or expired ticket",
+			reasonPublic: "The authorization request has expired or is invalid",
+			json:         true,
 		})
 		return
 	}
 
-	err = controller.oidc.ValidateAuthorizeParams(req)
-
-	if err != nil {
-		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
-		if err.Error() != "invalid_request_uri" {
-			controller.authorizeError(c, authorizeErrorParams{
-				err:           err,
-				reason:        "Failed validate authorize params",
-				reasonPublic:  "Invalid request parameters",
-				callback:      req.RedirectURI,
-				callbackError: err.Error(),
-				state:         req.State,
-			})
-			return
-		}
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          err,
-			reason:       "Redirect URI not trusted",
-			reasonPublic: "The provided redirect URI is not trusted",
-		})
-		return
-	}
+	// We no longer need the ticket
+	controller.oidc.DeleteAuthorizeRequestTicket(req.Ticket)
 
 	// Create the sub to find and delete old sessions
-	sub := controller.oidc.CreateSub(*userContext, req.ClientID)
+	sub := controller.oidc.CreateSub(*userContext, authorizeReq.ClientID)
 
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
@@ -213,19 +260,20 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 			err:           err,
 			reason:        "Failed to delete old sessions",
 			reasonPublic:  "Failed to delete old sessions",
-			callback:      req.RedirectURI,
+			callback:      authorizeReq.RedirectURI,
 			callbackError: "server_error",
-			state:         req.State,
+			state:         authorizeReq.State,
+			json:          true,
 		})
 		return
 	}
 
 	// Create the authorization code
-	code := controller.oidc.CreateCode(req, *userContext)
+	code := controller.oidc.CreateCode(*authorizeReq, *userContext)
 
 	queries, err := query.Values(AuthorizeCallback{
 		Code:  code,
-		State: req.State,
+		State: authorizeReq.State,
 	})
 
 	if err != nil {
@@ -233,16 +281,17 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 			err:           err,
 			reason:        "Failed to build query",
 			reasonPublic:  "Failed to build query",
-			callback:      req.RedirectURI,
+			callback:      authorizeReq.RedirectURI,
 			callbackError: "server_error",
-			state:         req.State,
+			state:         authorizeReq.State,
+			json:          true,
 		})
 		return
 	}
 
 	c.JSON(200, gin.H{
 		"status":       200,
-		"redirect_uri": fmt.Sprintf("%s?%s", req.RedirectURI, queries.Encode()),
+		"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),
 	})
 }
 
@@ -533,14 +582,22 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 		queries, err := query.Values(errorQueries)
 
 		if err != nil {
+			controller.log.App.Error().Err(err).Msg("Failed to build callback error query")
 			c.AbortWithStatus(http.StatusInternalServerError)
 			return
 		}
 
-		c.JSON(200, gin.H{
-			"status":       200,
-			"redirect_uri": fmt.Sprintf("%s?%s", params.callback, queries.Encode()),
-		})
+		redirectUrl := fmt.Sprintf("%s?%s", params.callback, queries.Encode())
+
+		if params.json {
+			c.JSON(200, gin.H{
+				"status":       200,
+				"redirect_uri": redirectUrl,
+			})
+			return
+		}
+
+		c.Redirect(http.StatusFound, redirectUrl)
 		return
 	}
 
@@ -551,6 +608,7 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 	queries, err := query.Values(errorQueries)
 
 	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to build error query")
 		c.AbortWithStatus(http.StatusInternalServerError)
 		return
 	}
@@ -563,8 +621,61 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 		redirectUrl = fmt.Sprintf("%s/error?%s", controller.runtime.AppURL, queries.Encode())
 	}
 
-	c.JSON(200, gin.H{
-		"status":       200,
-		"redirect_uri": redirectUrl,
-	})
+	if params.json {
+		c.JSON(200, gin.H{
+			"status":       200,
+			"redirect_uri": redirectUrl,
+		})
+		return
+	}
+
+	c.Redirect(http.StatusFound, redirectUrl)
+}
+
+func (controller *OIDCController) resolveAuthorizeRequest(c *gin.Context) (*service.AuthorizeRequest, error) {
+	// step 1: if we have a request object, decode it and ignore other params. If not, bind the params as usual
+	// we check both query and form parameters for the request object since this endpoint can be called with both GET and POST
+	requestObject, err := controller.resolveRequestObject(c)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if requestObject != nil {
+		return requestObject, nil
+	}
+
+	// step 2: by default we assume normal GET query parameters
+	// step 3: if it's a POST request, we try form parameters
+	return controller.resolveNormalParams(c)
+}
+
+func (controller *OIDCController) resolveRequestObject(c *gin.Context) (*service.AuthorizeRequest, error) {
+	raw := c.Query("request")
+
+	if raw == "" && c.Request.Method == http.MethodPost {
+		raw = c.PostForm("request")
+	}
+
+	if raw == "" {
+		return nil, nil
+	}
+
+	return controller.oidc.DecodeAuthorizeJWT(raw)
+}
+
+func (controller *OIDCController) resolveNormalParams(c *gin.Context) (*service.AuthorizeRequest, error) {
+	var req service.AuthorizeRequest
+
+	bind := binding.Query
+
+	if c.Request.Method == http.MethodPost {
+		bind = binding.Form
+	}
+
+	if err := c.ShouldBindWith(&req, bind); err != nil {
+		return nil, err
+	}
+
+	return &req, nil
 }
diff --git a/internal/controller/oidc_controller_test.go b/internal/controller/oidc_controller_test.go
index 365431a3..d4a07baa 100644
--- a/internal/controller/oidc_controller_test.go
+++ b/internal/controller/oidc_controller_test.go
@@ -2,21 +2,22 @@ package controller_test
 
 import (
 	"context"
-	"crypto/sha256"
-	"encoding/base64"
 	"encoding/json"
+	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/google/go-querystring/query"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
@@ -29,834 +30,808 @@ func TestOIDCController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
-	simpleCtx := func(c *gin.Context) {
+	ctx := context.TODO()
+	dg := ding.New(ctx)
+
+	store := memory.New()
+
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
+	require.NoError(t, err)
+
+	// Middleware that injects an authenticated local user into the gin context,
+	// mimicking the context middleware that runs before the OIDC controller.
+	authedUser := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: true,
 			Provider:      model.ProviderLocal,
 			Local: &model.LocalContext{
 				BaseContext: model.BaseContext{
-					Username: "test",
+					Username: "testuser",
 					Name:     "Test User",
-					Email:    "test@example.com",
+					Email:    "testuser@example.com",
 				},
 			},
 		})
-		c.Next()
 	}
 
 	type testCase struct {
-		description string
-		middlewares []gin.HandlerFunc
-		run         func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder)
+		description  string
+		middlewares  []gin.HandlerFunc
+		oidcDisabled bool
+		run          func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder)
 	}
 
-	var tests []testCase
+	tests := []testCase{
+		// --- authorize ---
+		{
+			description:  "Authorize redirects to error screen when OIDC is not configured",
+			oidcDisabled: true,
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				req := httptest.NewRequest("GET", "/authorize", nil)
+				router.ServeHTTP(recorder, req)
 
-	getTestByDescription := func(description string) (func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder), bool) {
-		for _, test := range tests {
-			if test.description == description {
-				return test.run, true
-			}
-		}
-		return nil, false
-	}
+				assert.Equal(t, http.StatusFound, recorder.Code)
+				location := recorder.Header().Get("Location")
+				assert.Contains(t, location, runtime.AppURL+"/error")
+				assert.Contains(t, location, url.QueryEscape("This instance is not configured for OIDC"))
+			},
+		},
+		{
+			description: "Authorize redirects to error screen when query parameters are missing",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				req := httptest.NewRequest("GET", "/authorize", nil)
+				router.ServeHTTP(recorder, req)
+
+				assert.Equal(t, http.StatusFound, recorder.Code)
+				location := recorder.Header().Get("Location")
+				assert.Contains(t, location, oidcService.GetIssuer()+"/error")
+				assert.Contains(t, location, url.QueryEscape("The client ID is invalid"))
+			},
+		},
+		{
+			description: "Authorize redirects to error screen when client is unknown",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				q := url.Values{}
+				q.Set("scope", "openid")
+				q.Set("response_type", "code")
+				q.Set("client_id", "unknown-client")
+				q.Set("redirect_uri", "https://test.example.com/callback")
+
+				req := httptest.NewRequest("GET", "/authorize?"+q.Encode(), nil)
+				router.ServeHTTP(recorder, req)
 
-	tests = []testCase{
+				assert.Equal(t, http.StatusFound, recorder.Code)
+				location := recorder.Header().Get("Location")
+				assert.Contains(t, location, oidcService.GetIssuer()+"/error")
+				assert.Contains(t, location, url.QueryEscape("The client ID is invalid"))
+			},
+		},
 		{
-			description: "Ensure we can fetch the client",
-			middlewares: []gin.HandlerFunc{},
+			description: "Authorize redirects to error screen when redirect URI is not trusted",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/oidc/clients/some-client-id", nil)
+				q := url.Values{}
+				q.Set("scope", "openid")
+				q.Set("response_type", "code")
+				q.Set("client_id", "some-client-id")
+				q.Set("redirect_uri", "https://evil.example.com/callback")
+
+				req := httptest.NewRequest("GET", "/authorize?"+q.Encode(), nil)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 200, recorder.Code)
+
+				assert.Equal(t, http.StatusFound, recorder.Code)
+				location := recorder.Header().Get("Location")
+				assert.Contains(t, location, oidcService.GetIssuer()+"/error")
+				assert.Contains(t, location, url.QueryEscape("The provided redirect URI is not trusted"))
 			},
 		},
 		{
-			description: "Ensure API fails on non-existent client ID",
-			middlewares: []gin.HandlerFunc{},
+			description: "Authorize redirects to callback with error when params are invalid",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/oidc/clients/non-existent-client-id", nil)
+				q := url.Values{}
+				q.Set("scope", "openid")
+				q.Set("response_type", "token") // unsupported response type
+				q.Set("client_id", "some-client-id")
+				q.Set("redirect_uri", "https://test.example.com/callback")
+				q.Set("state", "state-123")
+
+				req := httptest.NewRequest("GET", "/authorize?"+q.Encode(), nil)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 404, recorder.Code)
+
+				assert.Equal(t, http.StatusFound, recorder.Code)
+				location := recorder.Header().Get("Location")
+				assert.True(t, strings.HasPrefix(location, "https://test.example.com/callback?"))
+				assert.Contains(t, location, "error=unsupported_response_type")
+				assert.Contains(t, location, "state=state-123")
 			},
 		},
 		{
-			description: "Ensure authorize fails with empty context",
-			middlewares: []gin.HandlerFunc{},
+			description: "Authorize redirects to consent screen on a valid request",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("POST", "/api/oidc/authorize", nil)
+				q := url.Values{}
+				q.Set("scope", "openid profile")
+				q.Set("response_type", "code")
+				q.Set("client_id", "some-client-id")
+				q.Set("redirect_uri", "https://test.example.com/callback")
+				q.Set("state", "state-123")
+
+				req := httptest.NewRequest("GET", "/authorize?"+q.Encode(), nil)
 				router.ServeHTTP(recorder, req)
 
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.Equal(t, http.StatusFound, recorder.Code)
+				location := recorder.Header().Get("Location")
+				assert.True(t, strings.HasPrefix(location, oidcService.GetIssuer()+"/oidc/authorize?"))
+				assert.Contains(t, location, "login_for=oidc")
+				assert.Contains(t, location, "oidc_ticket=")
+				assert.Contains(t, location, "oidc_name="+url.QueryEscape("Test Client"))
+			},
+		},
+		{
+			description: "Authorize redirects to error screen when the request object is invalid",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				req := httptest.NewRequest("GET", "/authorize?request=not-a-valid-jwt", nil)
+				router.ServeHTTP(recorder, req)
+
+				assert.Equal(t, http.StatusFound, recorder.Code)
+				location := recorder.Header().Get("Location")
+				assert.Contains(t, location, oidcService.GetIssuer()+"/error")
+				assert.Contains(t, location, url.QueryEscape("The authorization request is invalid"))
+			},
+		},
+		{
+			description: "Authorize accepts a request object and redirects to the consent screen",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				token := jwt.NewWithClaims(jwt.SigningMethodNone, jwt.MapClaims{
+					"scope":         "openid profile",
+					"response_type": "code",
+					"client_id":     "some-client-id",
+					"redirect_uri":  "https://test.example.com/callback",
+					"state":         "state-123",
+				})
+				signed, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType)
 				require.NoError(t, err)
 
-				assert.Equal(t, res["redirect_uri"], "https://tinyauth.example.com/error?error=User+is+not+logged+in+or+the+session+is+invalid")
+				q := url.Values{}
+				q.Set("request", signed)
+
+				req := httptest.NewRequest("GET", "/authorize?"+q.Encode(), nil)
+				router.ServeHTTP(recorder, req)
+
+				assert.Equal(t, http.StatusFound, recorder.Code)
+				location := recorder.Header().Get("Location")
+				assert.True(t, strings.HasPrefix(location, oidcService.GetIssuer()+"/oidc/authorize?"))
+				assert.Contains(t, location, "oidc_ticket=")
+			},
+		},
+
+		// --- authorize-complete ---
+		{
+			description: "Authorize complete returns a JSON error when the user context is missing",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: "some-ticket"})
+				require.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
+				req.Header.Set("Content-Type", "application/json")
+				router.ServeHTTP(recorder, req)
+
+				assert.Equal(t, http.StatusOK, recorder.Code)
+
+				var res map[string]any
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
+				redirectURI, ok := res["redirect_uri"].(string)
+				require.True(t, ok)
+				assert.Contains(t, redirectURI, oidcService.GetIssuer()+"/error")
 			},
 		},
 		{
-			description: "Ensure authorize fails with an invalid param",
+			description: "Authorize complete returns a JSON error when the user is not authenticated",
 			middlewares: []gin.HandlerFunc{
-				simpleCtx,
+				func(c *gin.Context) {
+					c.Set("context", &model.UserContext{
+						Authenticated: false,
+						Provider:      model.ProviderLocal,
+						Local: &model.LocalContext{
+							BaseContext: model.BaseContext{Username: "testuser"},
+						},
+					})
+				},
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				reqBody := service.AuthorizeRequest{
-					Scope:        "openid",
-					ResponseType: "some_unsupported_response_type",
-					ClientID:     "some-client-id",
-					RedirectURI:  "https://test.example.com/callback",
-					State:        "some-state",
-					Nonce:        "some-nonce",
-				}
-				reqBodyBytes, err := json.Marshal(reqBody)
+				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: "some-ticket"})
 				require.NoError(t, err)
 
-				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
+				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
 				req.Header.Set("Content-Type", "application/json")
 				router.ServeHTTP(recorder, req)
 
+				assert.Equal(t, http.StatusOK, recorder.Code)
+
 				var res map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &res)
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
+				redirectURI, ok := res["redirect_uri"].(string)
+				require.True(t, ok)
+				assert.Contains(t, redirectURI, oidcService.GetIssuer()+"/error")
+			},
+		},
+		{
+			description: "Authorize complete returns a JSON error when the ticket is invalid",
+			middlewares: []gin.HandlerFunc{authedUser},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: "nonexistent-ticket"})
 				require.NoError(t, err)
 
-				assert.Equal(t, res["redirect_uri"], "https://test.example.com/callback?error=unsupported_response_type&error_description=Invalid+request+parameters&state=some-state")
+				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
+				req.Header.Set("Content-Type", "application/json")
+				router.ServeHTTP(recorder, req)
+
+				assert.Equal(t, http.StatusOK, recorder.Code)
+
+				var res map[string]any
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
+				redirectURI, ok := res["redirect_uri"].(string)
+				require.True(t, ok)
+				assert.Contains(t, redirectURI, oidcService.GetIssuer()+"/error")
 			},
 		},
 		{
-			description: "Ensure authorize succeeds with valid params",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
+			description: "Authorize complete returns a redirect URI with a code on success",
+			middlewares: []gin.HandlerFunc{authedUser},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				reqBody := service.AuthorizeRequest{
-					Scope:        "openid",
+				ticket := oidcService.CreateAuthorizeRequestTicket(service.AuthorizeRequest{
+					Scope:        "openid profile",
 					ResponseType: "code",
 					ClientID:     "some-client-id",
 					RedirectURI:  "https://test.example.com/callback",
-					State:        "some-state",
-					Nonce:        "some-nonce",
-				}
-				reqBodyBytes, err := json.Marshal(reqBody)
+					State:        "state-123",
+				})
+
+				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: ticket})
 				require.NoError(t, err)
 
-				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
+				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
 				req.Header.Set("Content-Type", "application/json")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 200, recorder.Code)
+
+				assert.Equal(t, http.StatusOK, recorder.Code)
 
 				var res map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
+				redirectURI, ok := res["redirect_uri"].(string)
+				require.True(t, ok)
+				assert.True(t, strings.HasPrefix(redirectURI, "https://test.example.com/callback?code="))
+				assert.Contains(t, redirectURI, "state=state-123")
+			},
+		},
 
-				redirectURI := res["redirect_uri"].(string)
-				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+		// --- token ---
+		{
+			description:  "Token returns 500 when OIDC is not configured",
+			oidcDisabled: true,
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				req := httptest.NewRequest("POST", "/api/oidc/token", nil)
+				router.ServeHTTP(recorder, req)
 
-				queryParams := url.Query()
-				assert.Equal(t, queryParams.Get("state"), "some-state")
+				assert.Equal(t, http.StatusInternalServerError, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "server_error")
+			},
+		},
+		{
+			description: "Token returns 400 when the grant type is missing",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(""))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				router.ServeHTTP(recorder, req)
 
-				code := queryParams.Get("code")
-				assert.NotEmpty(t, code)
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_request")
 			},
 		},
 		{
-			description: "Ensure token request fails with invalid grant",
-			middlewares: []gin.HandlerFunc{},
+			description: "Token returns 400 when the grant type is unsupported",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				reqBody := controller.TokenRequest{
-					GrantType:   "invalid_grant",
-					Code:        "",
-					RedirectURI: "https://test.example.com/callback",
-				}
-				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				form := url.Values{}
+				form.Set("grant_type", "password")
 
-				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 				router.ServeHTTP(recorder, req)
 
-				var res map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "unsupported_grant_type")
+			},
+		},
+		{
+			description: "Token returns 400 and a challenge when client credentials are missing",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				form := url.Values{}
+				form.Set("grant_type", "authorization_code")
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, res["error"], "unsupported_grant_type")
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_client")
+				assert.NotEmpty(t, recorder.Header().Get("www-authenticate"))
 			},
 		},
 		{
-			description: "Ensure token endpoint accepts basic auth",
-			middlewares: []gin.HandlerFunc{},
+			description: "Token returns 400 when the client is unknown",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				reqBody := controller.TokenRequest{
-					GrantType:   "authorization_code",
-					Code:        "some-code",
-					RedirectURI: "https://test.example.com/callback",
-				}
-				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				form := url.Values{}
+				form.Set("grant_type", "authorization_code")
+				form.Set("client_id", "unknown-client")
+				form.Set("client_secret", "whatever")
 
-				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				req.SetBasicAuth("some-client-id", "some-client-secret")
 				router.ServeHTTP(recorder, req)
 
-				assert.Empty(t, recorder.Header().Get("www-authenticate"))
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_client")
 			},
 		},
 		{
-			description: "Ensure token endpoint accepts form auth",
-			middlewares: []gin.HandlerFunc{},
+			description: "Token returns 400 when the client secret is wrong",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				form := url.Values{}
 				form.Set("grant_type", "authorization_code")
-				form.Set("code", "some-code")
-				form.Set("redirect_uri", "https://test.example.com/callback")
 				form.Set("client_id", "some-client-id")
-				form.Set("client_secret", "some-client-secret")
+				form.Set("client_secret", "wrong-secret")
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 				router.ServeHTTP(recorder, req)
 
-				assert.Empty(t, recorder.Header().Get("www-authenticate"))
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_client")
 			},
 		},
 		{
-			description: "Ensure token endpoint sets authenticate header when no auth is available",
-			middlewares: []gin.HandlerFunc{},
+			description: "Token returns 400 when the authorization code is unknown",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				reqBody := controller.TokenRequest{
-					GrantType:   "authorization_code",
-					Code:        "some-code",
-					RedirectURI: "https://test.example.com/callback",
-				}
-				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				form := url.Values{}
+				form.Set("grant_type", "authorization_code")
+				form.Set("client_id", "some-client-id")
+				form.Set("client_secret", "some-client-secret")
+				form.Set("code", "unknown-code")
+				form.Set("redirect_uri", "https://test.example.com/callback")
 
-				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 				router.ServeHTTP(recorder, req)
 
-				authHeader := recorder.Header().Get("www-authenticate")
-				assert.Contains(t, authHeader, "Basic")
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_grant")
 			},
 		},
 		{
-			description: "Ensure we can get a token with a valid request",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
+			description: "Token returns 400 when the redirect URI does not match the code",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				authorizeCodeTest, found := getTestByDescription("Ensure authorize succeeds with valid params")
-				assert.True(t, found, "Authorize test not found")
-				authorizeTestRecorder := httptest.NewRecorder()
-				authorizeCodeTest(t, router, authorizeTestRecorder)
+				code := oidcService.CreateCode(service.AuthorizeRequest{
+					Scope:        "openid",
+					ResponseType: "code",
+					ClientID:     "some-client-id",
+					RedirectURI:  "https://test.example.com/callback",
+				}, model.UserContext{
+					Authenticated: true,
+					Provider:      model.ProviderLocal,
+					Local:         &model.LocalContext{BaseContext: model.BaseContext{Username: "testuser"}},
+				})
 
-				var authorizeRes map[string]any
-				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				require.NoError(t, err)
+				form := url.Values{}
+				form.Set("grant_type", "authorization_code")
+				form.Set("client_id", "some-client-id")
+				form.Set("client_secret", "some-client-secret")
+				form.Set("code", code)
+				form.Set("redirect_uri", "https://test.example.com/different")
 
-				redirectURI := authorizeRes["redirect_uri"].(string)
-				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				router.ServeHTTP(recorder, req)
 
-				queryParams := url.Query()
-				code := queryParams.Get("code")
-				assert.NotEmpty(t, code)
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_grant")
+			},
+		},
+		{
+			description: "Token exchanges an authorization code for tokens",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				code := oidcService.CreateCode(service.AuthorizeRequest{
+					Scope:        "openid profile email",
+					ResponseType: "code",
+					ClientID:     "some-client-id",
+					RedirectURI:  "https://test.example.com/callback",
+				}, model.UserContext{
+					Authenticated: true,
+					Provider:      model.ProviderLocal,
+					Local: &model.LocalContext{
+						BaseContext: model.BaseContext{
+							Username: "testuser",
+							Name:     "Test User",
+							Email:    "testuser@example.com",
+						},
+					},
+				})
 
-				reqBody := controller.TokenRequest{
-					GrantType:   "authorization_code",
-					Code:        code,
-					RedirectURI: "https://test.example.com/callback",
-				}
-				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				form := url.Values{}
+				form.Set("grant_type", "authorization_code")
+				form.Set("client_id", "some-client-id")
+				form.Set("client_secret", "some-client-secret")
+				form.Set("code", code)
+				form.Set("redirect_uri", "https://test.example.com/callback")
 
-				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				req.SetBasicAuth("some-client-id", "some-client-secret")
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, 200, recorder.Code)
+				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, "no-store", recorder.Header().Get("cache-control"))
+
+				var res service.TokenResponse
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
+				assert.NotEmpty(t, res.AccessToken)
+				assert.NotEmpty(t, res.RefreshToken)
+				assert.NotEmpty(t, res.IDToken)
+				assert.Equal(t, "Bearer", res.TokenType)
 			},
 		},
 		{
-			description: "Ensure we can renew the access token with the refresh token",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
+			description: "Token deletes the session and returns invalid_grant when a code is reused",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				tokenTest, found := getTestByDescription("Ensure we can get a token with a valid request")
-				assert.True(t, found, "Token test not found")
-				tokenRecorder := httptest.NewRecorder()
-				tokenTest(t, router, tokenRecorder)
+				expiry := time.Now().Add(time.Hour).Unix()
+				sub := "reused-code-sub"
 
-				var tokenRes map[string]any
-				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
+				_, err := store.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+					Sub:                   sub,
+					AccessTokenHash:       "reused-access-hash",
+					RefreshTokenHash:      "reused-refresh-hash",
+					Scope:                 "openid",
+					ClientID:              "some-client-id",
+					TokenExpiresAt:        expiry,
+					RefreshTokenExpiresAt: expiry,
+					UserinfoJson:          "{}",
+				})
 				require.NoError(t, err)
 
-				_, ok := tokenRes["refresh_token"]
-				assert.True(t, ok, "Expected refresh token in response")
-				refreshToken := tokenRes["refresh_token"].(string)
-				assert.NotEmpty(t, refreshToken)
+				oidcService.MarkCodeAsUsed(oidcService.Hash("reused-code"), sub)
 
-				reqBody := controller.TokenRequest{
-					GrantType:    "refresh_token",
-					RefreshToken: refreshToken,
-					ClientID:     "some-client-id",
-					ClientSecret: "some-client-secret",
-				}
-				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				form := url.Values{}
+				form.Set("grant_type", "authorization_code")
+				form.Set("client_id", "some-client-id")
+				form.Set("client_secret", "some-client-secret")
+				form.Set("code", "reused-code")
+				form.Set("redirect_uri", "https://test.example.com/callback")
 
-				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 				router.ServeHTTP(recorder, req)
 
-				assert.NotEmpty(t, recorder.Header().Get("cache-control"))
-				assert.NotEmpty(t, recorder.Header().Get("pragma"))
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_grant")
 
-				assert.Equal(t, 200, recorder.Code)
-				var refreshRes map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &refreshRes)
-				require.NoError(t, err)
-
-				_, ok = refreshRes["access_token"]
-				assert.True(t, ok, "Expected access token in refresh response")
-				assert.NotEqual(t, tokenRes["refresh_token"].(string), refreshRes["access_token"].(string))
-				assert.NotEqual(t, tokenRes["access_token"].(string), refreshRes["access_token"].(string))
+				// The session associated with the reused code should be revoked.
+				_, err = store.GetOIDCSessionBySub(ctx, sub)
+				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Ensure token endpoint deletes code after use",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
+			description: "Token refreshes an access token using a refresh token",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				authorizeCodeTest, found := getTestByDescription("Ensure authorize succeeds with valid params")
-				assert.True(t, found, "Authorize test not found")
-				authorizeTestRecorder := httptest.NewRecorder()
-				authorizeCodeTest(t, router, authorizeTestRecorder)
+				expiry := time.Now().Add(time.Hour).Unix()
 
-				var authorizeRes map[string]any
-				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
+				_, err := store.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+					Sub:                   "refresh-sub",
+					AccessTokenHash:       "refresh-access-hash",
+					RefreshTokenHash:      oidcService.Hash("valid-refresh-token"),
+					Scope:                 "openid profile",
+					ClientID:              "some-client-id",
+					TokenExpiresAt:        expiry,
+					RefreshTokenExpiresAt: expiry,
+					UserinfoJson:          `{"sub":"refresh-sub"}`,
+				})
 				require.NoError(t, err)
 
-				redirectURI := authorizeRes["redirect_uri"].(string)
-				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
-
-				queryParams := url.Query()
-				code := queryParams.Get("code")
-				assert.NotEmpty(t, code)
-
-				reqBody := controller.TokenRequest{
-					GrantType:   "authorization_code",
-					Code:        code,
-					RedirectURI: "https://test.example.com/callback",
-				}
-				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				form := url.Values{}
+				form.Set("grant_type", "refresh_token")
+				form.Set("client_id", "some-client-id")
+				form.Set("client_secret", "some-client-secret")
+				form.Set("refresh_token", "valid-refresh-token")
 
-				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				req.SetBasicAuth("some-client-id", "some-client-secret")
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, 200, recorder.Code)
-
-				// Try to use the same code again
-				secondReq := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
-				secondReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				secondReq.SetBasicAuth("some-client-id", "some-client-secret")
-				secondRecorder := httptest.NewRecorder()
-				router.ServeHTTP(secondRecorder, secondReq)
-
-				assert.Equal(t, 400, secondRecorder.Code)
+				assert.Equal(t, http.StatusOK, recorder.Code)
 
-				var secondRes map[string]any
-				err = json.Unmarshal(secondRecorder.Body.Bytes(), &secondRes)
-				require.NoError(t, err)
-
-				assert.Equal(t, "invalid_grant", secondRes["error"])
+				var res service.TokenResponse
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
+				assert.NotEmpty(t, res.AccessToken)
+				assert.NotEmpty(t, res.RefreshToken)
+				assert.NotEqual(t, "valid-refresh-token", res.RefreshToken)
 			},
 		},
 		{
-			description: "Ensure userinfo forbids access with invalid access token",
-			middlewares: []gin.HandlerFunc{},
+			description: "Token returns invalid_grant when the refresh token is expired",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				req.Header.Set("Authorization", "Bearer invalid-access-token")
+				past := time.Now().Add(-time.Hour).Unix()
+
+				_, err := store.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+					Sub:                   "expired-refresh-sub",
+					AccessTokenHash:       "expired-access-hash",
+					RefreshTokenHash:      oidcService.Hash("expired-refresh-token"),
+					Scope:                 "openid",
+					ClientID:              "some-client-id",
+					TokenExpiresAt:        past,
+					RefreshTokenExpiresAt: past,
+					UserinfoJson:          "{}",
+				})
+				require.NoError(t, err)
+
+				form := url.Values{}
+				form.Set("grant_type", "refresh_token")
+				form.Set("client_id", "some-client-id")
+				form.Set("client_secret", "some-client-secret")
+				form.Set("refresh_token", "expired-refresh-token")
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
+
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_grant")
 			},
 		},
 		{
-			description: "Ensure access token can be used to access protected resources",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
+			description: "Token returns invalid_grant when the refresh token belongs to another client",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				tokenTest, found := getTestByDescription("Ensure we can get a token with a valid request")
-				assert.True(t, found, "Token test not found")
-				tokenRecorder := httptest.NewRecorder()
-				tokenTest(t, router, tokenRecorder)
+				expiry := time.Now().Add(time.Hour).Unix()
 
-				var tokenRes map[string]any
-				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
+				_, err := store.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+					Sub:                   "other-client-sub",
+					AccessTokenHash:       "other-client-access-hash",
+					RefreshTokenHash:      oidcService.Hash("other-client-refresh-token"),
+					Scope:                 "openid",
+					ClientID:              "other-client-id",
+					TokenExpiresAt:        expiry,
+					RefreshTokenExpiresAt: expiry,
+					UserinfoJson:          "{}",
+				})
 				require.NoError(t, err)
 
-				accessToken := tokenRes["access_token"].(string)
-				assert.NotEmpty(t, accessToken)
-
-				protectedReq := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				protectedReq.Header.Set("Authorization", "Bearer "+accessToken)
-				router.ServeHTTP(recorder, protectedReq)
-				assert.Equal(t, 200, recorder.Code)
-
-				var userInfoRes map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				require.NoError(t, err)
+				form := url.Values{}
+				form.Set("grant_type", "refresh_token")
+				form.Set("client_id", "some-client-id")
+				form.Set("client_secret", "some-client-secret")
+				form.Set("refresh_token", "other-client-refresh-token")
 
-				_, ok := userInfoRes["sub"]
-				assert.True(t, ok, "Expected sub claim in userinfo response")
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				router.ServeHTTP(recorder, req)
 
-				// We should not have an email claim since we didn't request it in the scope
-				_, ok = userInfoRes["email"]
-				assert.False(t, ok, "Did not expect email claim in userinfo response")
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_grant")
 			},
 		},
 		{
-			description: "Ensure userinfo forbids access with no authorization header",
-			middlewares: []gin.HandlerFunc{},
+			description: "Token returns server_error when the refresh token is unknown",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
+				form := url.Values{}
+				form.Set("grant_type", "refresh_token")
+				form.Set("client_id", "some-client-id")
+				form.Set("client_secret", "some-client-secret")
+				form.Set("refresh_token", "nonexistent-refresh-token")
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
 
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-				assert.Equal(t, "invalid_request", res["error"])
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "server_error")
 			},
 		},
+
+		// --- userinfo ---
 		{
-			description: "Ensure userinfo forbids access with malformed authorization header",
-			middlewares: []gin.HandlerFunc{},
+			description:  "Userinfo returns 500 when OIDC is not configured",
+			oidcDisabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				req.Header.Set("Authorization", "Bearer")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
 
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-				assert.Equal(t, "invalid_request", res["error"])
+				assert.Equal(t, http.StatusInternalServerError, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "server_error")
 			},
 		},
 		{
-			description: "Ensure userinfo forbids access with invalid token type",
-			middlewares: []gin.HandlerFunc{},
+			description: "Userinfo returns 401 when the authorization header is malformed",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				req.Header.Set("Authorization", "Basic some-token")
+				req.Header.Set("Authorization", "malformedheader")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
 
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-				assert.Equal(t, "invalid_request", res["error"])
+				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_request")
 			},
 		},
 		{
-			description: "Ensure userinfo forbids access with empty bearer token",
-			middlewares: []gin.HandlerFunc{},
+			description: "Userinfo returns 401 when the token type is not bearer",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				req.Header.Set("Authorization", "Bearer ")
+				req.Header.Set("Authorization", "Basic some-token")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
 
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-				assert.Equal(t, "invalid_grant", res["error"])
+				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_request")
 			},
 		},
 		{
-			description: "Ensure userinfo POST rejects missing access token in body",
-			middlewares: []gin.HandlerFunc{},
+			description: "Userinfo returns 401 when there is no authorization header on a GET",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("POST", "/api/oidc/userinfo", strings.NewReader(""))
-				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
 
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-				assert.Equal(t, "invalid_request", res["error"])
+				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_request")
 			},
 		},
 		{
-			description: "Ensure userinfo POST rejects wrong content type",
-			middlewares: []gin.HandlerFunc{},
+			description: "Userinfo returns 400 when a POST has the wrong content type",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("POST", "/api/oidc/userinfo", strings.NewReader(`{"access_token":"some-token"}`))
+				req := httptest.NewRequest("POST", "/api/oidc/userinfo", strings.NewReader(`{"access_token":"x"}`))
 				req.Header.Set("Content-Type", "application/json")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 400, recorder.Code)
 
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-				assert.Equal(t, "invalid_request", res["error"])
+				assert.Equal(t, http.StatusBadRequest, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_request")
 			},
 		},
 		{
-			description: "Ensure userinfo accepts access token via POST body",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
+			description: "Userinfo returns 401 when a POST has no access token",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				tokenTest, found := getTestByDescription("Ensure we can get a token with a valid request")
-				assert.True(t, found, "Token test not found")
-				tokenRecorder := httptest.NewRecorder()
-				tokenTest(t, router, tokenRecorder)
-
-				var tokenRes map[string]any
-				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				require.NoError(t, err)
-
-				accessToken := tokenRes["access_token"].(string)
-				assert.NotEmpty(t, accessToken)
-
-				body := url.Values{}
-				body.Set("access_token", accessToken)
-				req := httptest.NewRequest("POST", "/api/oidc/userinfo", strings.NewReader(body.Encode()))
+				req := httptest.NewRequest("POST", "/api/oidc/userinfo", strings.NewReader(""))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 200, recorder.Code)
-
-				var userInfoRes map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				require.NoError(t, err)
 
-				_, ok := userInfoRes["sub"]
-				assert.True(t, ok, "Expected sub claim in userinfo response")
+				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_request")
 			},
 		},
 		{
-			description: "Ensure plain PKCE succeeds",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				reqBody := service.AuthorizeRequest{
-					Scope:         "openid",
-					ResponseType:  "code",
-					ClientID:      "some-client-id",
-					RedirectURI:   "https://test.example.com/callback",
-					State:         "some-state",
-					Nonce:         "some-nonce",
-					CodeChallenge: "some-challenge",
-					// Not setting a code challenge method should default to "plain"
-					CodeChallengeMethod: "",
-				}
-				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
-
-				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
-				req.Header.Set("Content-Type", "application/json")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 200, recorder.Code)
-
-				var res map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-
-				redirectURI := res["redirect_uri"].(string)
-				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
-
-				queryParams := url.Query()
-				assert.Equal(t, queryParams.Get("state"), "some-state")
-
-				code := queryParams.Get("code")
-				assert.NotEmpty(t, code)
-
-				// Now exchange the code for a token
-				recorder = httptest.NewRecorder()
-				tokenReqBody := controller.TokenRequest{
-					GrantType:    "authorization_code",
-					Code:         code,
-					RedirectURI:  "https://test.example.com/callback",
-					CodeVerifier: "some-challenge",
-				}
-				reqBodyEncoded, err := query.Values(tokenReqBody)
-				require.NoError(t, err)
-
-				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
-				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				req.SetBasicAuth("some-client-id", "some-client-secret")
+			description: "Userinfo returns 401 when the token is unknown",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
+				req.Header.Set("Authorization", "Bearer unknown-token")
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, 200, recorder.Code)
+				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_grant")
 			},
 		},
 		{
-			description: "Ensure S256 PKCE succeeds",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				hasher := sha256.New()
-				hasher.Write([]byte("some-challenge"))
-				codeChallenge := hasher.Sum(nil)
-				codeChallengeEncoded := base64.RawURLEncoding.EncodeToString(codeChallenge)
-				reqBody := service.AuthorizeRequest{
-					Scope:               "openid",
-					ResponseType:        "code",
-					ClientID:            "some-client-id",
-					RedirectURI:         "https://test.example.com/callback",
-					State:               "some-state",
-					Nonce:               "some-nonce",
-					CodeChallenge:       codeChallengeEncoded,
-					CodeChallengeMethod: "S256",
-				}
-				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
-
-				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
-				req.Header.Set("Content-Type", "application/json")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 200, recorder.Code)
-
-				var res map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-
-				redirectURI := res["redirect_uri"].(string)
-				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
-
-				queryParams := url.Query()
-				assert.Equal(t, queryParams.Get("state"), "some-state")
-
-				code := queryParams.Get("code")
-				assert.NotEmpty(t, code)
+			description: "Userinfo returns 401 when the session is missing the openid scope",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				expiry := time.Now().Add(time.Hour).Unix()
+				token := "no-openid-token"
 
-				// Now exchange the code for a token
-				recorder = httptest.NewRecorder()
-				tokenReqBody := controller.TokenRequest{
-					GrantType:    "authorization_code",
-					Code:         code,
-					RedirectURI:  "https://test.example.com/callback",
-					CodeVerifier: "some-challenge",
-				}
-				reqBodyEncoded, err := query.Values(tokenReqBody)
+				_, err := store.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+					Sub:                   "no-openid-sub",
+					AccessTokenHash:       oidcService.Hash(token),
+					RefreshTokenHash:      "no-openid-refresh-hash",
+					Scope:                 "profile email",
+					ClientID:              "some-client-id",
+					TokenExpiresAt:        expiry,
+					RefreshTokenExpiresAt: expiry,
+					UserinfoJson:          `{"sub":"no-openid-sub"}`,
+				})
 				require.NoError(t, err)
 
-				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
-				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				req.SetBasicAuth("some-client-id", "some-client-secret")
+				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
+				req.Header.Set("Authorization", "Bearer "+token)
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, 200, recorder.Code)
+				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Contains(t, recorder.Body.String(), "invalid_scope")
 			},
 		},
 		{
-			description: "Ensure request with invalid PKCE fails",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				hasher := sha256.New()
-				hasher.Write([]byte("some-challenge"))
-				codeChallenge := hasher.Sum(nil)
-				codeChallengeEncoded := base64.RawURLEncoding.EncodeToString(codeChallenge)
-				reqBody := service.AuthorizeRequest{
-					Scope:               "openid",
-					ResponseType:        "code",
-					ClientID:            "some-client-id",
-					RedirectURI:         "https://test.example.com/callback",
-					State:               "some-state",
-					Nonce:               "some-nonce",
-					CodeChallenge:       codeChallengeEncoded,
-					CodeChallengeMethod: "S256",
-				}
-				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
-
-				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
-				req.Header.Set("Content-Type", "application/json")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 200, recorder.Code)
-
-				var res map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-
-				redirectURI := res["redirect_uri"].(string)
-				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
-
-				queryParams := url.Query()
-				assert.Equal(t, queryParams.Get("state"), "some-state")
-
-				code := queryParams.Get("code")
-				assert.NotEmpty(t, code)
+			description: "Userinfo returns the user info for a valid bearer token",
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				expiry := time.Now().Add(time.Hour).Unix()
+				token := "valid-userinfo-token"
 
-				// Now exchange the code for a token
-				recorder = httptest.NewRecorder()
-				tokenReqBody := controller.TokenRequest{
-					GrantType:    "authorization_code",
-					Code:         code,
-					RedirectURI:  "https://test.example.com/callback",
-					CodeVerifier: "some-challenge-1",
-				}
-				reqBodyEncoded, err := query.Values(tokenReqBody)
+				userinfo, err := json.Marshal(service.UserinfoResponse{
+					Sub:               "userinfo-sub",
+					Name:              "Test User",
+					PreferredUsername: "testuser",
+					Email:             "testuser@example.com",
+				})
 				require.NoError(t, err)
 
-				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
-				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				req.SetBasicAuth("some-client-id", "some-client-secret")
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 400, recorder.Code)
-			},
-		},
-		{
-			description: "Ensure request with invalid challenge method fails",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				hasher := sha256.New()
-				hasher.Write([]byte("some-challenge"))
-				codeChallenge := hasher.Sum(nil)
-				codeChallengeEncoded := base64.RawURLEncoding.EncodeToString(codeChallenge)
-				reqBody := service.AuthorizeRequest{
-					Scope:               "openid",
-					ResponseType:        "code",
-					ClientID:            "some-client-id",
-					RedirectURI:         "https://test.example.com/callback",
-					State:               "some-state",
-					Nonce:               "some-nonce",
-					CodeChallenge:       codeChallengeEncoded,
-					CodeChallengeMethod: "foo",
-				}
-				reqBodyBytes, err := json.Marshal(reqBody)
+				_, err = store.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+					Sub:                   "userinfo-sub",
+					AccessTokenHash:       oidcService.Hash(token),
+					RefreshTokenHash:      "valid-userinfo-refresh-hash",
+					Scope:                 "openid profile email",
+					ClientID:              "some-client-id",
+					TokenExpiresAt:        expiry,
+					RefreshTokenExpiresAt: expiry,
+					UserinfoJson:          string(userinfo),
+				})
 				require.NoError(t, err)
 
-				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
-				req.Header.Set("Content-Type", "application/json")
+				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
+				req.Header.Set("Authorization", "Bearer "+token)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 200, recorder.Code)
-
-				var res map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
 
-				redirectURI := res["redirect_uri"].(string)
-				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.Equal(t, http.StatusOK, recorder.Code)
 
-				queryParams := url.Query()
-				error := queryParams.Get("error")
-				assert.NotEmpty(t, error)
+				var res service.UserinfoResponse
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
+				assert.Equal(t, "userinfo-sub", res.Sub)
+				assert.Equal(t, "Test User", res.Name)
+				assert.Equal(t, "testuser@example.com", res.Email)
+				assert.True(t, res.EmailVerified)
 			},
 		},
 		{
-			description: "Ensure access token gets invalidated on double code use",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
+			description: "Userinfo returns the user info for a valid POST access token",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				authorizeCodeTest, found := getTestByDescription("Ensure authorize succeeds with valid params")
-				assert.True(t, found, "Authorize test not found")
-				authorizeCodeTest(t, router, recorder)
-
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				expiry := time.Now().Add(time.Hour).Unix()
+				token := "valid-userinfo-post-token"
 
-				redirectURI := res["redirect_uri"].(string)
-				url, err := url.Parse(redirectURI)
+				userinfo, err := json.Marshal(service.UserinfoResponse{
+					Sub:   "userinfo-post-sub",
+					Email: "testuser@example.com",
+				})
 				require.NoError(t, err)
 
-				queryParams := url.Query()
-				code := queryParams.Get("code")
-				assert.NotEmpty(t, code)
-
-				reqBody := controller.TokenRequest{
-					GrantType:   "authorization_code",
-					Code:        code,
-					RedirectURI: "https://test.example.com/callback",
-				}
-				reqBodyEncoded, err := query.Values(reqBody)
+				_, err = store.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+					Sub:                   "userinfo-post-sub",
+					AccessTokenHash:       oidcService.Hash(token),
+					RefreshTokenHash:      "valid-userinfo-post-refresh-hash",
+					Scope:                 "openid email",
+					ClientID:              "some-client-id",
+					TokenExpiresAt:        expiry,
+					RefreshTokenExpiresAt: expiry,
+					UserinfoJson:          string(userinfo),
+				})
 				require.NoError(t, err)
 
-				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
-				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				req.SetBasicAuth("some-client-id", "some-client-secret")
-				recorder = httptest.NewRecorder()
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 200, recorder.Code)
-
-				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-
-				accessToken := res["access_token"].(string)
-				assert.NotEmpty(t, accessToken)
-
-				req = httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				req.Header.Set("Authorization", "Bearer "+accessToken)
-				recorder = httptest.NewRecorder()
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 200, recorder.Code)
+				form := url.Values{}
+				form.Set("access_token", token)
 
-				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req := httptest.NewRequest("POST", "/api/oidc/userinfo", strings.NewReader(form.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				req.SetBasicAuth("some-client-id", "some-client-secret")
-				recorder = httptest.NewRecorder()
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 400, recorder.Code)
 
-				req = httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				req.Header.Set("Authorization", "Bearer "+accessToken)
-				recorder = httptest.NewRecorder()
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
+				assert.Equal(t, http.StatusOK, recorder.Code)
 
-				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
-				assert.Equal(t, "invalid_grant", res["error"])
+				var res service.UserinfoResponse
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
+				assert.Equal(t, "userinfo-post-sub", res.Sub)
+				assert.Equal(t, "testuser@example.com", res.Email)
 			},
 		},
 	}
 
-	store := memory.New()
-
-	dg := ding.New(context.TODO())
-
-	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
-	require.NoError(t, err)
-
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
 			router := gin.Default()
+			gin.SetMode(gin.TestMode)
 
 			for _, middleware := range test.middlewares {
 				router.Use(middleware)
 			}
 
 			group := router.Group("/api")
-			gin.SetMode(gin.TestMode)
 
-			controller.NewOIDCController(log, oidcService, runtime, group)
+			svc := oidcService
+			if test.oidcDisabled {
+				svc = nil
+			}
+
+			controller.NewOIDCController(log, svc, runtime, group, &router.RouterGroup)
 
 			recorder := httptest.NewRecorder()
 
diff --git a/internal/controller/proxy_controller.go b/internal/controller/proxy_controller.go
index 0e69867e..169391fc 100644
--- a/internal/controller/proxy_controller.go
+++ b/internal/controller/proxy_controller.go
@@ -275,6 +275,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 	queries, err := query.Values(RedirectQuery{
 		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
+		LoginFor:    FrontendLoginForApp,
 	})
 
 	if err != nil {
diff --git a/internal/controller/proxy_controller_test.go b/internal/controller/proxy_controller_test.go
index b8c68bba..c6a358b4 100644
--- a/internal/controller/proxy_controller_test.go
+++ b/internal/controller/proxy_controller_test.go
@@ -3,6 +3,7 @@ package controller_test
 import (
 	"context"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 
 	"github.com/gin-gonic/gin"
@@ -76,7 +77,9 @@ func TestProxyController(t *testing.T) {
 
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -89,7 +92,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -103,7 +108,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/hello"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -119,7 +126,9 @@ func TestProxyController(t *testing.T) {
 
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -134,7 +143,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -150,7 +161,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Contains(t, location, "login_for=app")
+				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
diff --git a/internal/middleware/ui_middleware.go b/internal/middleware/ui_middleware.go
index 2b8d6b8a..9f2bd297 100644
--- a/internal/middleware/ui_middleware.go
+++ b/internal/middleware/ui_middleware.go
@@ -38,7 +38,7 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 
 		switch strings.SplitN(path, "/", 2)[0] {
-		case "api", "resources", ".well-known":
+		case "api", "resources", ".well-known", "authorize":
 			c.Next()
 			return
 		case "robots.txt":
diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go
index 1034ed1e..ef3e9e08 100644
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -30,17 +30,14 @@ var (
 	ErrUserNotFound = errors.New("user not found")
 )
 
-// slightly modified version of the AuthorizeRequest from the OIDC service to basically accept all
-// parameters and pass them to the authorize page if needed
-type OAuthURLParams struct {
-	Scope               string `form:"scope" url:"scope"`
-	ResponseType        string `form:"response_type" url:"response_type"`
-	ClientID            string `form:"client_id" url:"client_id"`
-	RedirectURI         string `form:"redirect_uri" url:"redirect_uri"`
-	State               string `form:"state" url:"state"`
-	Nonce               string `form:"nonce" url:"nonce"`
-	CodeChallenge       string `form:"code_challenge" url:"code_challenge"`
-	CodeChallengeMethod string `form:"code_challenge_method" url:"code_challenge_method"`
+// We either store params for redirecting to an app after OAuth login,
+// or for redirecting back to the authorize screen to continue OIDC
+type OAuthCallbackParams struct {
+	LoginFor    string `form:"login_for" url:"login_for"`
+	OIDCTicket  string `form:"oidc_ticket" url:"oidc_ticket"`
+	OIDCScope   string `form:"oidc_scope" url:"oidc_scope"`
+	OIDCName    string `form:"oidc_name" url:"oidc_name"`
+	RedirectURI string `form:"redirect_uri" url:"redirect_uri"`
 }
 
 type OAuthPendingSession struct {
@@ -49,7 +46,7 @@ type OAuthPendingSession struct {
 	Token          *oauth2.Token
 	Service        *OAuthServiceImpl
 	ExpiresAt      time.Time
-	CallbackParams OAuthURLParams
+	CallbackParams OAuthCallbackParams
 }
 
 type LoginAttempt struct {
@@ -516,17 +513,17 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 	return auth.ldap != nil
 }
 
-func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLParams) (string, OAuthPendingSession, error) {
+func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthCallbackParams) (string, error) {
 	service, ok := auth.oauthBroker.GetService(serviceName)
 
 	if !ok {
-		return "", OAuthPendingSession{}, fmt.Errorf("oauth service not found: %s", serviceName)
+		return "", fmt.Errorf("oauth service not found: %s", serviceName)
 	}
 
 	sessionId, err := uuid.NewRandom()
 
 	if err != nil {
-		return "", OAuthPendingSession{}, fmt.Errorf("failed to generate session ID: %w", err)
+		return "", fmt.Errorf("failed to generate session ID: %w", err)
 	}
 
 	state := service.NewRandom()
@@ -542,7 +539,7 @@ func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLPara
 
 	auth.caches.oauth.Set(sessionId.String(), session, time.Minute*10)
 
-	return sessionId.String(), session, nil
+	return sessionId.String(), nil
 }
 
 func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
diff --git a/internal/service/oidc_service.go b/internal/service/oidc_service.go
index 4c585248..cafb59d1 100644
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -20,6 +20,7 @@ import (
 	"slices"
 
 	"github.com/go-jose/go-jose/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -106,14 +107,15 @@ type TokenResponse struct {
 }
 
 type AuthorizeRequest struct {
-	Scope               string `json:"scope" binding:"required"`
-	ResponseType        string `json:"response_type" binding:"required"`
-	ClientID            string `json:"client_id" binding:"required"`
-	RedirectURI         string `json:"redirect_uri" binding:"required"`
-	State               string `json:"state"`
-	Nonce               string `json:"nonce"`
-	CodeChallenge       string `json:"code_challenge"`
-	CodeChallengeMethod string `json:"code_challenge_method"`
+	jwt.Claims
+	Scope               string `form:"scope" json:"scope" url:"scope"`
+	ResponseType        string `form:"response_type" json:"response_type" url:"response_type"`
+	ClientID            string `form:"client_id" json:"client_id" url:"client_id"`
+	RedirectURI         string `form:"redirect_uri" json:"redirect_uri" url:"redirect_uri"`
+	State               string `form:"state" json:"state" url:"state"`
+	Nonce               string `form:"nonce" json:"nonce" url:"nonce"`
+	CodeChallenge       string `form:"code_challenge" json:"code_challenge" url:"code_challenge"`
+	CodeChallengeMethod string `form:"code_challenge_method" json:"code_challenge_method" url:"code_challenge_method"`
 }
 
 type AuthorizeCodeEntry struct {
@@ -142,8 +144,9 @@ type OIDCService struct {
 	issuer     string
 
 	caches struct {
-		code     *CacheStore[AuthorizeCodeEntry]
-		usedCode *CacheStore[UsedCodeEntry]
+		code      *CacheStore[AuthorizeCodeEntry]
+		usedCode  *CacheStore[UsedCodeEntry]
+		authorize *CacheStore[AuthorizeRequest]
 	}
 }
 
@@ -311,8 +314,11 @@ func NewOIDCService(
 	// Create caches
 	codeCash := NewCacheStore[AuthorizeCodeEntry](256)
 	usedCode := NewCacheStore[UsedCodeEntry](256)
+	authorize := NewCacheStore[AuthorizeRequest](256)
+
 	service.caches.code = codeCash
 	service.caches.usedCode = usedCode
+	service.caches.authorize = authorize
 
 	// Start cache cleanup routine
 	dg.Go(func(ctx context.Context) {
@@ -324,6 +330,7 @@ func NewOIDCService(
 			case <-ticker.C:
 				service.caches.code.Sweep()
 				service.caches.usedCode.Sweep()
+				service.caches.authorize.Sweep()
 			case <-ctx.Done():
 				return
 			}
@@ -856,3 +863,44 @@ func (service *OIDCService) MarkCodeAsUsed(codeHash string, sub string) {
 func (service *OIDCService) DeleteSessionBySub(ctx context.Context, sub string) error {
 	return service.queries.DeleteOIDCSessionBySub(ctx, sub)
 }
+
+func (service *OIDCService) CreateAuthorizeRequestTicket(req AuthorizeRequest) string {
+	ticket := utils.GenerateString(32)
+
+	service.caches.authorize.Set(ticket, req, 10*time.Minute)
+
+	return ticket
+}
+
+func (service *OIDCService) GetAuthorizeRequestByTicket(ticket string) (*AuthorizeRequest, bool) {
+	entry, ok := service.caches.authorize.Get(ticket)
+
+	if !ok {
+		return nil, false
+	}
+
+	return &entry, true
+}
+
+func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
+	service.caches.authorize.Delete(ticket)
+}
+
+// TODO: support signed request objects in the future
+func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
+	var req AuthorizeRequest
+
+	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &req)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
+	}
+
+	claims, ok := token.Claims.(*AuthorizeRequest)
+
+	if !ok {
+		return nil, errors.New("failed to parse claims from authorize request jwt")
+	}
+
+	return claims, nil
+}

From e4c5f14d8c08e5c4d0e2870f1debdb0fc92f2507 Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Thu, 11 Jun 2026 17:15:09 +0300
Subject: [PATCH 2/4] chore: init db migrations

---
 .env.example                                  |  2 +
 gen/sqlc-wrapper/sqlc_wrapper.go              | 53 +++++++-----
 .../postgres/000003_oidc_consent.up.sql       |  7 ++
 .../postgres/000003_oidc_consnet.down.sql     |  1 +
 .../sqlite/000011_oidc_consent.down.sql       |  1 +
 .../sqlite/000011_oidc_consent.up.sql         |  7 ++
 internal/repository/memory/memory_test.go     | 72 ++++++++++++++++
 internal/repository/memory/oidc_queries.go    | 44 ++++++++++
 internal/repository/memory/store.go           |  2 +
 internal/repository/models.go                 | 21 +++++
 internal/repository/postgres/models.go        | 12 +++
 .../repository/postgres/oidc_queries.sql.go   | 84 +++++++++++++++++++
 internal/repository/postgres/store.go         | 28 +++++++
 internal/repository/sqlite/models.go          | 12 +++
 .../repository/sqlite/oidc_queries.sql.go     | 84 +++++++++++++++++++
 internal/repository/sqlite/store.go           | 28 +++++++
 internal/repository/store.go                  |  6 ++
 sql/postgres/oidc_queries.sql                 | 25 ++++++
 sql/postgres/oidc_schemas.sql                 |  8 ++
 sql/sqlite/oidc_queries.sql                   | 25 ++++++
 sql/sqlite/oidc_schemas.sql                   |  8 ++
 21 files changed, 508 insertions(+), 22 deletions(-)
 create mode 100644 internal/assets/migrations/postgres/000003_oidc_consent.up.sql
 create mode 100644 internal/assets/migrations/postgres/000003_oidc_consnet.down.sql
 create mode 100644 internal/assets/migrations/sqlite/000011_oidc_consent.down.sql
 create mode 100644 internal/assets/migrations/sqlite/000011_oidc_consent.up.sql

diff --git a/.env.example b/.env.example
index 100b0e9d..4f1c3c31 100644
--- a/.env.example
+++ b/.env.example
@@ -206,6 +206,8 @@ TINYAUTH_LDAP_ADDRESS=
 TINYAUTH_LDAP_BINDDN=
 # Bind password for LDAP authentication.
 TINYAUTH_LDAP_BINDPASSWORD=
+# Path to the Bind password.
+TINYAUTH_LDAP_BINDPASSWORDFILE=
 # Base DN for LDAP searches.
 TINYAUTH_LDAP_BASEDN=
 # Allow insecure LDAP connections.
diff --git a/gen/sqlc-wrapper/sqlc_wrapper.go b/gen/sqlc-wrapper/sqlc_wrapper.go
index a7a75eb4..79576ec6 100644
--- a/gen/sqlc-wrapper/sqlc_wrapper.go
+++ b/gen/sqlc-wrapper/sqlc_wrapper.go
@@ -67,15 +67,24 @@ func run() error {
 		Overlay: map[string][]byte{outPath: stub},
 	}
 
-	driverTypePkg, err := loadOnePkg(cfg, *driverPkg)
+	repoPkgPath := parentPkg(*driverPkg)
+
+	pkgs, err := loadMultiplePkgs(cfg, *driverPkg, repoPkgPath)
+
 	if err != nil {
-		return fmt.Errorf("load driver package: %w", err)
+		return fmt.Errorf("load packages: %w", err)
 	}
 
-	repoPkgPath := parentPkg(*driverPkg)
-	repoTypePkg, err := loadOnePkg(cfg, repoPkgPath)
-	if err != nil {
-		return fmt.Errorf("load repo package: %w", err)
+	driverTypePkg, ok := pkgs[*driverPkg]
+
+	if !ok {
+		return fmt.Errorf("driver package %s not found in loaded packages", *driverPkg)
+	}
+
+	repoTypePkg, ok := pkgs[repoPkgPath]
+
+	if !ok {
+		return fmt.Errorf("repository package %s not found in loaded packages", repoPkgPath)
 	}
 
 	if err := validateStructShapes(driverTypePkg, repoTypePkg); err != nil {
@@ -106,25 +115,25 @@ func run() error {
 	return nil
 }
 
-// loadOnePkg loads a single package via cfg and returns its *types.Package,
-// or an error if the package fails to load or has type errors.
-func loadOnePkg(cfg *packages.Config, importPath string) (*types.Package, error) {
-	pkgs, err := packages.Load(cfg, importPath)
+// loadMultiplePkgs loads multiple packages via cfg and returns a map of import path → *types.Package,
+// or an error if any package fails to load or has type errors.
+func loadMultiplePkgs(cfg *packages.Config, importPaths ...string) (map[string]*types.Package, error) {
+	pkgs, err := packages.Load(cfg, importPaths...)
 	if err != nil {
-		return nil, fmt.Errorf("load %s: %w", importPath, err)
-	}
-	if len(pkgs) != 1 {
-		return nil, fmt.Errorf("expected 1 package for %s, got %d", importPath, len(pkgs))
-	}
-	pkg := pkgs[0]
-	if len(pkg.Errors) > 0 {
-		msgs := make([]string, len(pkg.Errors))
-		for i, e := range pkg.Errors {
-			msgs[i] = e.Error()
+		return nil, fmt.Errorf("load %v: %w", importPaths, err)
+	}
+	out := make(map[string]*types.Package)
+	for _, pkg := range pkgs {
+		if len(pkg.Errors) > 0 {
+			msgs := make([]string, len(pkg.Errors))
+			for i, e := range pkg.Errors {
+				msgs[i] = e.Error()
+			}
+			return nil, fmt.Errorf("package %s has errors:\n  %s", pkg.PkgPath, strings.Join(msgs, "\n  "))
 		}
-		return nil, fmt.Errorf("package %s has errors:\n  %s", importPath, strings.Join(msgs, "\n  "))
+		out[pkg.PkgPath] = pkg.Types
 	}
-	return pkg.Types, nil
+	return out, nil
 }
 
 // parentPkg returns the parent import path (everything before the last /).
diff --git a/internal/assets/migrations/postgres/000003_oidc_consent.up.sql b/internal/assets/migrations/postgres/000003_oidc_consent.up.sql
new file mode 100644
index 00000000..6aa84ed5
--- /dev/null
+++ b/internal/assets/migrations/postgres/000003_oidc_consent.up.sql
@@ -0,0 +1,7 @@
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
diff --git a/internal/assets/migrations/postgres/000003_oidc_consnet.down.sql b/internal/assets/migrations/postgres/000003_oidc_consnet.down.sql
new file mode 100644
index 00000000..2dae02be
--- /dev/null
+++ b/internal/assets/migrations/postgres/000003_oidc_consnet.down.sql
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS "oidc_consent";
diff --git a/internal/assets/migrations/sqlite/000011_oidc_consent.down.sql b/internal/assets/migrations/sqlite/000011_oidc_consent.down.sql
new file mode 100644
index 00000000..2dae02be
--- /dev/null
+++ b/internal/assets/migrations/sqlite/000011_oidc_consent.down.sql
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS "oidc_consent";
diff --git a/internal/assets/migrations/sqlite/000011_oidc_consent.up.sql b/internal/assets/migrations/sqlite/000011_oidc_consent.up.sql
new file mode 100644
index 00000000..0fc41cf8
--- /dev/null
+++ b/internal/assets/migrations/sqlite/000011_oidc_consent.up.sql
@@ -0,0 +1,7 @@
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
diff --git a/internal/repository/memory/memory_test.go b/internal/repository/memory/memory_test.go
index 558ed234..373d68f5 100644
--- a/internal/repository/memory/memory_test.go
+++ b/internal/repository/memory/memory_test.go
@@ -277,6 +277,78 @@ func TestMemoryStore(t *testing.T) {
 				assert.NoError(t, err)
 			},
 		},
+		{
+			description: "Create and get OIDC consent",
+			run: func(t *testing.T, s repository.Store) {
+				consent, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{
+					UUID:     "uuid-1",
+					ClientID: "client-1",
+					Scopes:   "openid profile",
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "uuid-1", consent.UUID)
+				assert.Equal(t, "client-1", consent.ClientID)
+				assert.Equal(t, "openid profile", consent.Scopes)
+
+				got, err := s.GetOIDCConsentByUUID(ctx, "uuid-1")
+				require.NoError(t, err)
+				assert.Equal(t, consent, got)
+			},
+		},
+		{
+			description: "Get OIDC consent by UUID not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOIDCConsentByUUID(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Create OIDC consent unique UUID constraint",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
+				require.NoError(t, err)
+
+				_, err = s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-2", Scopes: "profile"})
+				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_consent.uuid")
+			},
+		},
+		{
+			description: "Update OIDC consent",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
+				require.NoError(t, err)
+
+				updated, err := s.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{
+					UUID:   "uuid-1",
+					Scopes: "profile email",
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "profile email", updated.Scopes)
+
+				got, err := s.GetOIDCConsentByUUID(ctx, "uuid-1")
+				require.NoError(t, err)
+				assert.Equal(t, updated, got)
+			},
+		},
+		{
+			description: "Update OIDC consent not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{UUID: "missing"})
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete OIDC consent by UUID",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteOIDCConsentByUUID(ctx, "uuid-1"))
+
+				_, err = s.GetOIDCConsentByUUID(ctx, "uuid-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
 	}
 
 	for _, test := range tests {
diff --git a/internal/repository/memory/oidc_queries.go b/internal/repository/memory/oidc_queries.go
index 1ee81c8b..70728978 100644
--- a/internal/repository/memory/oidc_queries.go
+++ b/internal/repository/memory/oidc_queries.go
@@ -94,3 +94,47 @@ func (s *Store) DeleteExpiredOIDCSessions(_ context.Context, arg repository.Dele
 	}
 	return nil
 }
+
+func (s *Store) CreateOIDCConsent(_ context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if _, ok := s.oidcConsent[arg.UUID]; ok {
+		return repository.OidcConsent{}, fmt.Errorf("UNIQUE constraint failed: oidc_consent.uuid")
+	}
+	consent := repository.OidcConsent{
+		UUID:     arg.UUID,
+		ClientID: arg.ClientID,
+		Scopes:   arg.Scopes,
+	}
+	s.oidcConsent[arg.UUID] = consent
+	return consent, nil
+}
+
+func (s *Store) GetOIDCConsentByUUID(_ context.Context, uuid string) (repository.OidcConsent, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	consent, ok := s.oidcConsent[uuid]
+	if !ok {
+		return repository.OidcConsent{}, repository.ErrNotFound
+	}
+	return consent, nil
+}
+
+func (s *Store) UpdateOIDCConsent(_ context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	consent, ok := s.oidcConsent[arg.UUID]
+	if !ok {
+		return repository.OidcConsent{}, repository.ErrNotFound
+	}
+	consent.Scopes = arg.Scopes
+	s.oidcConsent[arg.UUID] = consent
+	return consent, nil
+}
+
+func (s *Store) DeleteOIDCConsentByUUID(_ context.Context, uuid string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.oidcConsent, uuid)
+	return nil
+}
diff --git a/internal/repository/memory/store.go b/internal/repository/memory/store.go
index 684ddeb3..ec7fd8db 100644
--- a/internal/repository/memory/store.go
+++ b/internal/repository/memory/store.go
@@ -12,6 +12,7 @@ type Store struct {
 	mu           sync.RWMutex
 	sessions     map[string]repository.Session
 	oidcSessions map[string]repository.OidcSession
+	oidcConsent  map[string]repository.OidcConsent
 }
 
 // New returns a new empty in-memory Store.
@@ -19,5 +20,6 @@ func New() repository.Store {
 	return &Store{
 		sessions:     make(map[string]repository.Session),
 		oidcSessions: make(map[string]repository.OidcSession),
+		oidcConsent:  make(map[string]repository.OidcConsent),
 	}
 }
diff --git a/internal/repository/models.go b/internal/repository/models.go
index 39538a00..1d77a5fe 100644
--- a/internal/repository/models.go
+++ b/internal/repository/models.go
@@ -1,8 +1,18 @@
 package repository
 
+import "time"
+
 // Shared model and parameter types for all storage drivers.
 // sqlc-generated driver packages use these via the conversion layer in their store.go.
 
+type OidcConsent struct {
+	UUID      string
+	ClientID  string
+	Scopes    string
+	CreatedAt time.Time
+	UpdatedAt time.Time
+}
+
 type Session struct {
 	UUID        string
 	Username    string
@@ -84,3 +94,14 @@ type DeleteExpiredOIDCSessionsParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
+
+type CreateOIDCConsentParams struct {
+	UUID     string
+	ClientID string
+	Scopes   string
+}
+
+type UpdateOIDCConsentParams struct {
+	Scopes string
+	UUID   string
+}
diff --git a/internal/repository/postgres/models.go b/internal/repository/postgres/models.go
index f957e1fd..a214908d 100644
--- a/internal/repository/postgres/models.go
+++ b/internal/repository/postgres/models.go
@@ -4,6 +4,18 @@
 
 package postgres
 
+import (
+	"time"
+)
+
+type OidcConsent struct {
+	UUID      string
+	ClientID  string
+	Scopes    string
+	CreatedAt time.Time
+	UpdatedAt time.Time
+}
+
 type OidcSession struct {
 	Sub                   string
 	AccessTokenHash       string
diff --git a/internal/repository/postgres/oidc_queries.sql.go b/internal/repository/postgres/oidc_queries.sql.go
index b5b9789c..363dacb2 100644
--- a/internal/repository/postgres/oidc_queries.sql.go
+++ b/internal/repository/postgres/oidc_queries.sql.go
@@ -9,6 +9,36 @@ import (
 	"context"
 )
 
+const createOIDCConsent = `-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    $1, $2, $3
+)
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type CreateOIDCConsentParams struct {
+	UUID     string
+	ClientID string
+	Scopes   string
+}
+
+func (q *Queries) CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, createOIDCConsent, arg.UUID, arg.ClientID, arg.Scopes)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const createOIDCSession = `-- name: CreateOIDCSession :one
 INSERT INTO "oidc_sessions" (
     "sub",
@@ -80,6 +110,16 @@ func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpir
 	return err
 }
 
+const deleteOIDCConsentByUUID = `-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = $1
+`
+
+func (q *Queries) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	_, err := q.db.ExecContext(ctx, deleteOIDCConsentByUUID, uuid)
+	return err
+}
+
 const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
 DELETE FROM "oidc_sessions"
 WHERE "sub" = $1
@@ -90,6 +130,24 @@ func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error
 	return err
 }
 
+const getOIDCConsentByUUID = `-- name: GetOIDCConsentByUUID :one
+SELECT uuid, client_id, scopes, created_at, updated_at FROM "oidc_consent"
+WHERE "uuid" = $1
+`
+
+func (q *Queries) GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, getOIDCConsentByUUID, uuid)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = $1
@@ -156,6 +214,32 @@ func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSess
 	return i, err
 }
 
+const updateOIDCConsent = `-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = $1,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = $2
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type UpdateOIDCConsentParams struct {
+	Scopes string
+	UUID   string
+}
+
+func (q *Queries) UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, updateOIDCConsent, arg.Scopes, arg.UUID)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const updateOIDCSession = `-- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
     "access_token_hash" = $1,
diff --git a/internal/repository/postgres/store.go b/internal/repository/postgres/store.go
index b3e79c80..719b3118 100644
--- a/internal/repository/postgres/store.go
+++ b/internal/repository/postgres/store.go
@@ -32,6 +32,14 @@ func mapErr(err error) error {
 	return err
 }
 
+func (s *Store) CreateOIDCConsent(ctx context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.CreateOIDCConsent(ctx, CreateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
@@ -56,6 +64,10 @@ func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
 
+func (s *Store) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	return mapErr(s.q.DeleteOIDCConsentByUUID(ctx, uuid))
+}
+
 func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
@@ -64,6 +76,14 @@ func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
 
+func (s *Store) GetOIDCConsentByUUID(ctx context.Context, uuid string) (repository.OidcConsent, error) {
+	r, err := s.q.GetOIDCConsentByUUID(ctx, uuid)
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
 	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
@@ -96,6 +116,14 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
 
+func (s *Store) UpdateOIDCConsent(ctx context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.UpdateOIDCConsent(ctx, UpdateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {
diff --git a/internal/repository/sqlite/models.go b/internal/repository/sqlite/models.go
index 2ced8a2b..ca4a524c 100644
--- a/internal/repository/sqlite/models.go
+++ b/internal/repository/sqlite/models.go
@@ -4,6 +4,18 @@
 
 package sqlite
 
+import (
+	"time"
+)
+
+type OidcConsent struct {
+	UUID      string
+	ClientID  string
+	Scopes    string
+	CreatedAt time.Time
+	UpdatedAt time.Time
+}
+
 type OidcSession struct {
 	Sub                   string
 	AccessTokenHash       string
diff --git a/internal/repository/sqlite/oidc_queries.sql.go b/internal/repository/sqlite/oidc_queries.sql.go
index a5aa08a8..7f7c267b 100644
--- a/internal/repository/sqlite/oidc_queries.sql.go
+++ b/internal/repository/sqlite/oidc_queries.sql.go
@@ -9,6 +9,36 @@ import (
 	"context"
 )
 
+const createOIDCConsent = `-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    ?, ?, ?
+)
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type CreateOIDCConsentParams struct {
+	UUID     string
+	ClientID string
+	Scopes   string
+}
+
+func (q *Queries) CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, createOIDCConsent, arg.UUID, arg.ClientID, arg.Scopes)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const createOIDCSession = `-- name: CreateOIDCSession :one
 INSERT INTO "oidc_sessions" (
     "sub",
@@ -80,6 +110,16 @@ func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpir
 	return err
 }
 
+const deleteOIDCConsentByUUID = `-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = ?
+`
+
+func (q *Queries) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	_, err := q.db.ExecContext(ctx, deleteOIDCConsentByUUID, uuid)
+	return err
+}
+
 const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
 DELETE FROM "oidc_sessions"
 WHERE "sub" = ?
@@ -90,6 +130,24 @@ func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error
 	return err
 }
 
+const getOIDCConsentByUUID = `-- name: GetOIDCConsentByUUID :one
+SELECT uuid, client_id, scopes, created_at, updated_at FROM "oidc_consent"
+WHERE "uuid" = ?
+`
+
+func (q *Queries) GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, getOIDCConsentByUUID, uuid)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = ?
@@ -156,6 +214,32 @@ func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSess
 	return i, err
 }
 
+const updateOIDCConsent = `-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = ?,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = ?
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type UpdateOIDCConsentParams struct {
+	Scopes string
+	UUID   string
+}
+
+func (q *Queries) UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, updateOIDCConsent, arg.Scopes, arg.UUID)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const updateOIDCSession = `-- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
     "access_token_hash" = ?,
diff --git a/internal/repository/sqlite/store.go b/internal/repository/sqlite/store.go
index a567c871..a5ba2142 100644
--- a/internal/repository/sqlite/store.go
+++ b/internal/repository/sqlite/store.go
@@ -32,6 +32,14 @@ func mapErr(err error) error {
 	return err
 }
 
+func (s *Store) CreateOIDCConsent(ctx context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.CreateOIDCConsent(ctx, CreateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
@@ -56,6 +64,10 @@ func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
 
+func (s *Store) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	return mapErr(s.q.DeleteOIDCConsentByUUID(ctx, uuid))
+}
+
 func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
@@ -64,6 +76,14 @@ func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
 
+func (s *Store) GetOIDCConsentByUUID(ctx context.Context, uuid string) (repository.OidcConsent, error) {
+	r, err := s.q.GetOIDCConsentByUUID(ctx, uuid)
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
 	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
@@ -96,6 +116,14 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
 
+func (s *Store) UpdateOIDCConsent(ctx context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.UpdateOIDCConsent(ctx, UpdateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {
diff --git a/internal/repository/store.go b/internal/repository/store.go
index abd70bd3..a36f12ee 100644
--- a/internal/repository/store.go
+++ b/internal/repository/store.go
@@ -27,4 +27,10 @@ type Store interface {
 	GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error)
 	GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error)
 	UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error)
+
+	// OIDC consents
+	CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error)
+	DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error
+	GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error)
+	UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error)
 }
diff --git a/sql/postgres/oidc_queries.sql b/sql/postgres/oidc_queries.sql
index 3cd5ff99..4442ef33 100644
--- a/sql/postgres/oidc_queries.sql
+++ b/sql/postgres/oidc_queries.sql
@@ -46,3 +46,28 @@ UPDATE "oidc_sessions" SET
     "userinfo_json" = $8
 WHERE "sub" = $9
 RETURNING *;
+
+-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    $1, $2, $3
+)
+RETURNING *;
+
+-- name: GetOIDCConsentByUUID :one
+SELECT * FROM "oidc_consent"
+WHERE "uuid" = $1;
+
+-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = $1,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = $2
+RETURNING *;
+
+-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = $1;
diff --git a/sql/postgres/oidc_schemas.sql b/sql/postgres/oidc_schemas.sql
index 2376c1d4..62265023 100644
--- a/sql/postgres/oidc_schemas.sql
+++ b/sql/postgres/oidc_schemas.sql
@@ -9,3 +9,11 @@ CREATE TABLE IF NOT EXISTS "oidc_sessions" (
     "nonce" TEXT NOT NULL DEFAULT '',
     "userinfo_json" TEXT NOT NULL
 );
+
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
diff --git a/sql/sqlite/oidc_queries.sql b/sql/sqlite/oidc_queries.sql
index 49b33cff..5ec9ea44 100644
--- a/sql/sqlite/oidc_queries.sql
+++ b/sql/sqlite/oidc_queries.sql
@@ -46,3 +46,28 @@ UPDATE "oidc_sessions" SET
     "userinfo_json" = ?
 WHERE "sub" = ?
 RETURNING *;
+
+-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    ?, ?, ?
+)
+RETURNING *;
+
+-- name: GetOIDCConsentByUUID :one
+SELECT * FROM "oidc_consent"
+WHERE "uuid" = ?;
+
+-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = ?,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = ?
+RETURNING *;
+
+-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = ?;
diff --git a/sql/sqlite/oidc_schemas.sql b/sql/sqlite/oidc_schemas.sql
index 5a851033..e5d3a0d3 100644
--- a/sql/sqlite/oidc_schemas.sql
+++ b/sql/sqlite/oidc_schemas.sql
@@ -9,3 +9,11 @@ CREATE TABLE IF NOT EXISTS "oidc_sessions" (
     "nonce" TEXT NOT NULL DEFAULT "",
     "userinfo_json" TEXT NOT NULL
 );
+
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

From 24f166551e64cb99a160fdd595b490d3713db9a4 Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Thu, 11 Jun 2026 18:09:14 +0300
Subject: [PATCH 3/4] feat: add backend for oidc consent

---
 internal/bootstrap/app_bootstrap.go           |  7 +-
 internal/bootstrap/app_helpers.go             | 55 ++++++++++++++
 internal/bootstrap/router_bootstrap.go        |  4 +-
 internal/bootstrap/service_bootstrap.go       |  2 +-
 internal/controller/oauth_controller.go       | 35 ++++++---
 internal/controller/oidc_controller.go        | 72 ++++++++++++++++---
 internal/controller/oidc_controller_test.go   |  4 +-
 internal/controller/proxy_controller_test.go  |  4 +-
 internal/controller/user_controller.go        | 12 ++--
 internal/controller/user_controller_test.go   |  4 +-
 internal/middleware/context_middleware.go     |  4 +-
 .../middleware/context_middleware_test.go     |  4 +-
 internal/model/constants.go                   |  3 +-
 internal/model/runtime.go                     |  9 ++-
 internal/service/auth_service.go              | 53 +++++++-------
 internal/service/oidc_service.go              | 45 ++++++++++++
 internal/test/test.go                         |  9 +++
 17 files changed, 262 insertions(+), 64 deletions(-)
 create mode 100644 internal/bootstrap/app_helpers.go

diff --git a/internal/bootstrap/app_bootstrap.go b/internal/bootstrap/app_bootstrap.go
index 7fc0cb54..2180df2c 100644
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -47,6 +47,7 @@ type Services struct {
 type BootstrapApp struct {
 	config    model.Config
 	runtime   model.RuntimeConfig
+	helpers   model.RuntimeHelpers
 	services  Services
 	log       *logger.Logger
 	ctx       context.Context
@@ -185,9 +186,8 @@ func (app *BootstrapApp) Setup() error {
 	cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough
 
 	app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
-	app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
-	app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
 	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
+	app.runtime.ConsentCookieName = fmt.Sprintf("%s-%s", model.ConsentCookieName, cookieId)
 
 	// database
 	store, err := app.SetupStore()
@@ -264,6 +264,9 @@ func (app *BootstrapApp) Setup() error {
 		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
 	}
 
+	// runtime helpers
+	app.helpers.GetCookieDomain = app.getCookieDomain
+
 	// setup router
 	err = app.setupRouter()
 
diff --git a/internal/bootstrap/app_helpers.go b/internal/bootstrap/app_helpers.go
new file mode 100644
index 00000000..4be94753
--- /dev/null
+++ b/internal/bootstrap/app_helpers.go
@@ -0,0 +1,55 @@
+package bootstrap
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/tinyauthapp/tinyauth/internal/utils"
+)
+
+// Not really the best place for the helpers to be but it works because bootstrap app provides
+// them with everything they need
+
+func (app *BootstrapApp) getCookieDomain(ctx context.Context, ip string) (string, error) {
+	cookieDomain := app.runtime.CookieDomain
+
+	if app.isTailscaleRequest(ctx, ip) {
+		if app.services.tailscaleService == nil {
+			return "", errors.New("tailscale service is not configured")
+		}
+
+		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
+
+		if err != nil {
+			return "", fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
+		}
+
+		cookieDomain = tsCookieDomain
+	}
+
+	if app.config.Auth.SubdomainsEnabled {
+		cookieDomain = "." + cookieDomain
+	}
+
+	return cookieDomain, nil
+}
+
+func (app *BootstrapApp) isTailscaleRequest(ctx context.Context, ip string) bool {
+	if app.services.tailscaleService == nil {
+		return false
+	}
+
+	whois, err := app.services.tailscaleService.Whois(ctx, ip)
+
+	if err != nil {
+		app.log.App.Error().Err(err).Msgf("Error performing Tailscale whois for IP %s: %v", ip, err)
+		return false
+	}
+
+	if whois == nil {
+		return false
+	}
+
+	return true
+}
diff --git a/internal/bootstrap/router_bootstrap.go b/internal/bootstrap/router_bootstrap.go
index 5244ab20..eb91fdd7 100644
--- a/internal/bootstrap/router_bootstrap.go
+++ b/internal/bootstrap/router_bootstrap.go
@@ -58,8 +58,8 @@ func (app *BootstrapApp) setupRouter() error {
 	apiRouter := engine.Group("/api")
 
 	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
-	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter, &engine.RouterGroup)
+	controller.NewOAuthController(app.log, app.config, app.runtime, app.helpers, apiRouter, app.services.authService)
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, app.helpers, app.config, apiRouter, &engine.RouterGroup)
 	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
 	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
 	controller.NewResourcesController(app.config, &engine.RouterGroup)
diff --git a/internal/bootstrap/service_bootstrap.go b/internal/bootstrap/service_bootstrap.go
index bf94c5c4..452b6d8f 100644
--- a/internal/bootstrap/service_bootstrap.go
+++ b/internal/bootstrap/service_bootstrap.go
@@ -42,7 +42,7 @@ func (app *BootstrapApp) setupServices() error {
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService
 
-	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
+	authService := service.NewAuthService(app.log, app.config, app.runtime, app.helpers, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
 	app.services.authService = authService
 
 	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)
diff --git a/internal/controller/oauth_controller.go b/internal/controller/oauth_controller.go
index 788fedfa..84f83989 100644
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -24,6 +24,7 @@ type OAuthController struct {
 	log     *logger.Logger
 	config  model.Config
 	runtime model.RuntimeConfig
+	helpers model.RuntimeHelpers
 	auth    *service.AuthService
 }
 
@@ -31,6 +32,7 @@ func NewOAuthController(
 	log *logger.Logger,
 	config model.Config,
 	runtimeConfig model.RuntimeConfig,
+	helpers model.RuntimeHelpers,
 	router *gin.RouterGroup,
 	auth *service.AuthService,
 ) *OAuthController {
@@ -38,6 +40,7 @@ func NewOAuthController(
 		log:     log,
 		config:  config,
 		runtime: runtimeConfig,
+		helpers: helpers,
 		auth:    auth,
 	}
 
@@ -105,7 +108,18 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", cookieDomain, controller.config.Auth.SecureCookie, true)
 
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -135,7 +149,15 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", cookieDomain, controller.config.Auth.SecureCookie, true)
 
 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
 
@@ -252,7 +274,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	controller.log.App.Debug().Msg("Creating session cookie for user")
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
@@ -298,10 +320,3 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackParams) bool {
 	return params.LoginFor == string(FrontendLoginForOIDC)
 }
-
-func (controller *OAuthController) getCookieDomain() string {
-	if controller.config.Auth.SubdomainsEnabled {
-		return "." + controller.runtime.CookieDomain
-	}
-	return controller.runtime.CookieDomain
-}
diff --git a/internal/controller/oidc_controller.go b/internal/controller/oidc_controller.go
index 5105f7d7..198e460d 100644
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -1,12 +1,14 @@
 package controller
 
 import (
+	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"slices"
 	"strings"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
@@ -31,6 +33,8 @@ type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
 	runtime model.RuntimeConfig
+	helpers model.RuntimeHelpers
+	config  model.Config
 }
 
 type AuthorizeCallback struct {
@@ -68,10 +72,11 @@ type ClientCredentials struct {
 }
 
 type AuthorizeScreenParams struct {
-	LoginFor   FrontendLoginFor `url:"login_for"`
-	OIDCTicket string           `url:"oidc_ticket"`
-	OIDCScope  string           `url:"oidc_scope"`
-	OIDCName   string           `url:"oidc_name"`
+	LoginFor        FrontendLoginFor `url:"login_for"`
+	OIDCTicket      string           `url:"oidc_ticket"`
+	OIDCScope       string           `url:"oidc_scope"`
+	OIDCName        string           `url:"oidc_name"`
+	OIDCShowConsent bool             `url:"oidc_show_consent"`
 }
 
 type AuthorizeCompleteRequest struct {
@@ -82,12 +87,16 @@ func NewOIDCController(
 	log *logger.Logger,
 	oidcService *service.OIDCService,
 	runtimeConfig model.RuntimeConfig,
+	helpers model.RuntimeHelpers,
+	config model.Config,
 	router *gin.RouterGroup,
 	mainRouter *gin.RouterGroup) *OIDCController {
 	controller := &OIDCController{
 		log:     log,
 		oidc:    oidcService,
 		runtime: runtimeConfig,
+		helpers: helpers,
+		config:  config,
 	}
 
 	mainRouter.POST("/authorize", controller.authorize)
@@ -163,11 +172,31 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 
 	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)
 
+	// Check if we have consented before for this client and scope
+	consnetCookie, err := c.Cookie(controller.runtime.ConsentCookieName)
+
+	showConsent := true
+
+	if err == nil {
+		consentEntry, err := controller.oidc.GetConsentEntry(c, consnetCookie)
+
+		if err == nil && consentEntry != nil {
+			if consentEntry.ClientID == req.ClientID && consentEntry.Scopes == req.Scope {
+				showConsent = false
+			}
+		} else {
+			if !errors.Is(err, sql.ErrNoRows) {
+				controller.log.App.Error().Err(err).Msg("Failed to get consent entry for consent cookie")
+			}
+		}
+	}
+
 	queries, err := query.Values(AuthorizeScreenParams{
-		LoginFor:   FrontendLoginForOIDC,
-		OIDCTicket: ticket,
-		OIDCScope:  req.Scope,
-		OIDCName:   client.Name,
+		LoginFor:        FrontendLoginForOIDC,
+		OIDCTicket:      ticket,
+		OIDCScope:       req.Scope,
+		OIDCName:        client.Name,
+		OIDCShowConsent: showConsent,
 	})
 
 	if err != nil {
@@ -289,6 +318,33 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 		return
 	}
 
+	// Just before returning let's set the consent cookie
+	consnetUUID, err := controller.oidc.CreateConsentEntry(c, authorizeReq.ClientID, authorizeReq.Scope)
+
+	// If we fail to create the consent entry, we don't want to block the authorization flow,
+	// but we log the error and move on without setting the cookie
+	if err == nil {
+		cookieDomain, err := controller.helpers.GetCookieDomain(c.Request.Context(), c.RemoteIP())
+
+		if err == nil {
+			cookie := &http.Cookie{
+				Name:     controller.runtime.ConsentCookieName,
+				Value:    consnetUUID,
+				Path:     "/",
+				Domain:   cookieDomain,
+				Expires:  time.Now().Add(365 * 24 * time.Hour), // set consent cookie for 1 year
+				Secure:   controller.config.Auth.SecureCookie,
+				HttpOnly: true,
+				SameSite: http.SameSiteLaxMode,
+			}
+			http.SetCookie(c.Writer, cookie)
+		} else {
+			controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain for consent cookie")
+		}
+	} else {
+		controller.log.App.Error().Err(err).Msg("Failed to create consent entry")
+	}
+
 	c.JSON(200, gin.H{
 		"status":       200,
 		"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),
diff --git a/internal/controller/oidc_controller_test.go b/internal/controller/oidc_controller_test.go
index d4a07baa..42d95462 100644
--- a/internal/controller/oidc_controller_test.go
+++ b/internal/controller/oidc_controller_test.go
@@ -30,6 +30,8 @@ func TestOIDCController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
+	helpers := test.CreateTestHelpers()
+
 	ctx := context.TODO()
 	dg := ding.New(ctx)
 
@@ -831,7 +833,7 @@ func TestOIDCController(t *testing.T) {
 				svc = nil
 			}
 
-			controller.NewOIDCController(log, svc, runtime, group, &router.RouterGroup)
+			controller.NewOIDCController(log, svc, runtime, helpers, cfg, group, &router.RouterGroup)
 
 			recorder := httptest.NewRecorder()
 
diff --git a/internal/controller/proxy_controller_test.go b/internal/controller/proxy_controller_test.go
index c6a358b4..a6f71908 100644
--- a/internal/controller/proxy_controller_test.go
+++ b/internal/controller/proxy_controller_test.go
@@ -24,6 +24,8 @@ func TestProxyController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
+	helpers := test.CreateTestHelpers()
+
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
 
@@ -395,7 +397,7 @@ func TestProxyController(t *testing.T) {
 		Log: log,
 	})
 
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
 
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
diff --git a/internal/controller/user_controller.go b/internal/controller/user_controller.go
index fd3159f7..9758c89c 100644
--- a/internal/controller/user_controller.go
+++ b/internal/controller/user_controller.go
@@ -150,7 +150,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 				Email:       email,
 				Provider:    "local",
 				TotpPending: true,
-			})
+			}, c.RemoteIP())
 
 			if err != nil {
 				controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create pending TOTP session")
@@ -195,7 +195,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 	}
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create session cookie after successful login")
@@ -246,7 +246,7 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 		return
 	}
 
-	cookie, err := controller.auth.DeleteSession(c, uuid)
+	cookie, err := controller.auth.DeleteSession(c, uuid, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Error deleting session on logout")
@@ -350,7 +350,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
 
 	if err == nil {
-		_, err = controller.auth.DeleteSession(c, uuid)
+		_, err = controller.auth.DeleteSession(c, uuid, c.RemoteIP())
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to delete pending TOTP session after successful verification")
 		}
@@ -374,7 +374,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		sessionCookie.Email = user.Attributes.Email
 	}
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
@@ -424,7 +424,7 @@ func (controller *UserController) tailscaleHandler(c *gin.Context) {
 		Provider: "tailscale",
 	}
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful Tailscale login")
diff --git a/internal/controller/user_controller_test.go b/internal/controller/user_controller_test.go
index f3c0bed2..abb2aef5 100644
--- a/internal/controller/user_controller_test.go
+++ b/internal/controller/user_controller_test.go
@@ -29,6 +29,8 @@ func TestUserController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
+	helpers := test.CreateTestHelpers()
+
 	totpCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: false,
@@ -418,7 +420,7 @@ func TestUserController(t *testing.T) {
 	require.NoError(t, err)
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
 
 	beforeEach := func() {
 		// Clear failed login attempts before each test
diff --git a/internal/middleware/context_middleware.go b/internal/middleware/context_middleware.go
index fc694ddf..d2042084 100644
--- a/internal/middleware/context_middleware.go
+++ b/internal/middleware/context_middleware.go
@@ -206,12 +206,12 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 		}
 
 		if !m.auth.IsEmailWhitelisted(userContext.OAuth.ID, userContext.OAuth.Email) {
-			m.auth.DeleteSession(ctx, uuid)
+			m.auth.DeleteSession(ctx, uuid, ip)
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}
 	}
 
-	cookie, err := m.auth.RefreshSession(ctx, uuid)
+	cookie, err := m.auth.RefreshSession(ctx, uuid, ip)
 
 	if err != nil {
 		return nil, nil, fmt.Errorf("error refreshing session: %w", err)
diff --git a/internal/middleware/context_middleware_test.go b/internal/middleware/context_middleware_test.go
index 50ededdb..547104aa 100644
--- a/internal/middleware/context_middleware_test.go
+++ b/internal/middleware/context_middleware_test.go
@@ -27,6 +27,8 @@ func TestContextMiddleware(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
+	helpers := test.CreateTestHelpers()
+
 	basicAuthHeader := func(username, password string) string {
 		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
 	}
@@ -258,7 +260,7 @@ func TestContextMiddleware(t *testing.T) {
 	require.NoError(t, err)
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
 
 	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
 
diff --git a/internal/model/constants.go b/internal/model/constants.go
index d5885dcf..35ce2813 100644
--- a/internal/model/constants.go
+++ b/internal/model/constants.go
@@ -18,8 +18,7 @@ var OverrideProviders = map[string]string{
 }
 
 const SessionCookieName = "tinyauth-session"
-const CSRFCookieName = "tinyauth-csrf"
-const RedirectCookieName = "tinyauth-redirect"
 const OAuthSessionCookieName = "tinyauth-oauth"
+const ConsentCookieName = "tinyauth-consent"
 
 const GracefulShutdownTimeout = 5 // seconds
diff --git a/internal/model/runtime.go b/internal/model/runtime.go
index 9df20b85..7b067210 100644
--- a/internal/model/runtime.go
+++ b/internal/model/runtime.go
@@ -1,13 +1,14 @@
 package model
 
+import "context"
+
 type RuntimeConfig struct {
 	AppURL                 string
 	UUID                   string
 	CookieDomain           string
 	SessionCookieName      string
-	CSRFCookieName         string
-	RedirectCookieName     string
 	OAuthSessionCookieName string
+	ConsentCookieName      string
 	LocalUsers             []LocalUser
 	OAuthProviders         map[string]OAuthServiceConfig
 	OAuthWhitelist         []string
@@ -16,6 +17,10 @@ type RuntimeConfig struct {
 	TrustedDomains         []string
 }
 
+type RuntimeHelpers struct {
+	GetCookieDomain func(ctx context.Context, ip string) (string, error)
+}
+
 type Provider struct {
 	Name  string `json:"name"`
 	ID    string `json:"id"`
diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go
index ef3e9e08..15be926a 100644
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -59,6 +59,7 @@ type AuthService struct {
 	log     *logger.Logger
 	config  model.Config
 	runtime model.RuntimeConfig
+	helpers model.RuntimeHelpers
 	ctx     context.Context
 
 	ldap         *LdapService
@@ -86,6 +87,7 @@ func NewAuthService(
 	log *logger.Logger,
 	config model.Config,
 	runtime model.RuntimeConfig,
+	helpers model.RuntimeHelpers,
 	ctx context.Context,
 	dg *ding.Ding,
 	ldap *LdapService,
@@ -97,6 +99,7 @@ func NewAuthService(
 	service := &AuthService{
 		log:          log,
 		runtime:      runtime,
+		helpers:      helpers,
 		ctx:          ctx,
 		config:       config,
 		ldap:         ldap,
@@ -322,7 +325,7 @@ func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool
 	})
 }
 
-func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
+func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session, ip string) (*http.Cookie, error) {
 	if data.Provider == "tailscale" && auth.tailscale == nil {
 		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
 	}
@@ -363,33 +366,17 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 		return nil, fmt.Errorf("failed to create session entry: %w", err)
 	}
 
-	if data.Provider == "tailscale" {
-		auth.log.App.Trace().Str("url", fmt.Sprintf("https://%s", auth.tailscale.GetHostname())).Msg("Extracting root domain from Tailscale hostname")
+	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
 
-		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", auth.tailscale.GetHostname()))
-
-		if err != nil {
-			return nil, fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
-		}
-
-		return &http.Cookie{
-			Name:     auth.runtime.SessionCookieName,
-			Value:    session.UUID,
-			Path:     "/",
-			Domain:   fmt.Sprintf(".%s", tsCookieDomain),
-			Expires:  expiresAt,
-			MaxAge:   int(time.Until(expiresAt).Seconds()),
-			Secure:   auth.config.Auth.SecureCookie,
-			HttpOnly: true,
-			SameSite: http.SameSiteLaxMode,
-		}, nil
+	if err != nil {
+		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
 	}
 
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   cookieDomain,
 		Expires:  expiresAt,
 		MaxAge:   int(time.Until(expiresAt).Seconds()),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -398,13 +385,17 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 	}, nil
 }
 
-func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http.Cookie, error) {
+func (auth *AuthService) RefreshSession(ctx context.Context, uuid string, ip string) (*http.Cookie, error) {
 	session, err := auth.queries.GetSession(ctx, uuid)
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve session: %w", err)
 	}
 
+	if session.Provider == "tailscale" && auth.tailscale == nil {
+		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
+	}
+
 	currentTime := time.Now().Unix()
 
 	var refreshThreshold int64
@@ -438,11 +429,17 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 		return nil, fmt.Errorf("failed to update session expiry: %w", err)
 	}
 
+	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
+	}
+
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   cookieDomain,
 		Expires:  time.Now().Add(time.Duration(newExpiry-currentTime) * time.Second),
 		MaxAge:   int(newExpiry - currentTime),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -452,18 +449,24 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 
 }
 
-func (auth *AuthService) DeleteSession(ctx context.Context, uuid string) (*http.Cookie, error) {
+func (auth *AuthService) DeleteSession(ctx context.Context, uuid string, ip string) (*http.Cookie, error) {
 	err := auth.queries.DeleteSession(ctx, uuid)
 
 	if err != nil {
 		auth.log.App.Error().Err(err).Str("uuid", uuid).Msg("Failed to delete session from database")
 	}
 
+	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
+	}
+
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    "",
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   cookieDomain,
 		Expires:  time.Now(),
 		MaxAge:   -1,
 		Secure:   auth.config.Auth.SecureCookie,
diff --git a/internal/service/oidc_service.go b/internal/service/oidc_service.go
index cafb59d1..f0e7c99f 100644
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -21,6 +21,7 @@ import (
 
 	"github.com/go-jose/go-jose/v4"
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -904,3 +905,47 @@ func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRe
 
 	return claims, nil
 }
+
+func (service *OIDCService) CreateConsentEntry(ctx context.Context, clientId string, scope string) (string, error) {
+	u := uuid.New()
+
+	entry := repository.CreateOIDCConsentParams{
+		UUID:     u.String(),
+		ClientID: clientId,
+		Scopes:   scope,
+	}
+
+	_, err := service.queries.CreateOIDCConsent(ctx, entry)
+
+	if err != nil {
+		return "", err
+	}
+
+	return entry.UUID, nil
+}
+
+func (service *OIDCService) GetConsentEntry(ctx context.Context, uuid string) (*repository.OidcConsent, error) {
+	entry, err := service.queries.GetOIDCConsentByUUID(ctx, uuid)
+
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	return &entry, nil
+}
+
+func (service *OIDCService) DeleteConsentEntry(ctx context.Context, uuid string) error {
+	return service.queries.DeleteOIDCConsentByUUID(ctx, uuid)
+}
+
+func (service *OIDCService) UpdateConsentEntry(ctx context.Context, uuid string, scopes string) error {
+	_, err := service.queries.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{
+		UUID:   uuid,
+		Scopes: scopes,
+	})
+
+	return err
+}
diff --git a/internal/test/test.go b/internal/test/test.go
index 415591fa..589b111a 100644
--- a/internal/test/test.go
+++ b/internal/test/test.go
@@ -1,6 +1,7 @@
 package test
 
 import (
+	"context"
 	"path/filepath"
 	"testing"
 
@@ -133,3 +134,11 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 
 	return config, runtime
 }
+
+func CreateTestHelpers() model.RuntimeHelpers {
+	return model.RuntimeHelpers{
+		GetCookieDomain: func(ctx context.Context, ip string) (string, error) {
+			return "example.com", nil
+		},
+	}
+}

From cd51263428dd7d7dda4465e578bc9a06158f2062 Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Thu, 11 Jun 2026 18:40:56 +0300
Subject: [PATCH 4/4] feat: add frontend

---
 frontend/src/lib/hooks/screen-params.ts |  2 +
 frontend/src/pages/authorize-page.tsx   | 82 +++++++++++++++++--------
 internal/bootstrap/router_bootstrap.go  |  4 +-
 internal/bootstrap/service_bootstrap.go |  2 +-
 internal/controller/oauth_controller.go |  4 +-
 internal/controller/oidc_controller.go  |  4 +-
 internal/service/auth_service.go        |  4 +-
 internal/test/test.go                   |  4 +-
 8 files changed, 71 insertions(+), 35 deletions(-)

diff --git a/frontend/src/lib/hooks/screen-params.ts b/frontend/src/lib/hooks/screen-params.ts
index 921fa4b6..d342d03a 100644
--- a/frontend/src/lib/hooks/screen-params.ts
+++ b/frontend/src/lib/hooks/screen-params.ts
@@ -6,6 +6,7 @@ type ScreenParams = {
   oidc_ticket?: string;
   oidc_scope?: string;
   oidc_name?: string;
+  oidc_show_consent?: boolean;
 };
 
 const zodScreenParams = z.object({
@@ -14,6 +15,7 @@ const zodScreenParams = z.object({
   oidc_ticket: z.string().optional(),
   oidc_scope: z.string().optional(),
   oidc_name: z.string().optional(),
+  oidc_show_consent: z.stringbool().optional(),
 });
 
 export function useScreenParams(params: URLSearchParams): ScreenParams {
diff --git a/frontend/src/pages/authorize-page.tsx b/frontend/src/pages/authorize-page.tsx
index 3251c774..5f721217 100644
--- a/frontend/src/pages/authorize-page.tsx
+++ b/frontend/src/pages/authorize-page.tsx
@@ -25,6 +25,7 @@ import {
   recompileScreenParams,
   useScreenParams,
 } from "@/lib/hooks/screen-params";
+import { useEffect } from "react";
 
 type Scope = {
   id: string;
@@ -90,25 +91,48 @@ export const AuthorizePage = () => {
   const isOidc = screenParams.login_for === "oidc";
   const compiledParams = recompileScreenParams(screenParams);
 
-  const authorizeMutation = useMutation({
-    mutationFn: () => {
-      return axios.post("/api/oidc/authorize-complete", {
-        ticket: screenParams.oidc_ticket,
-      });
-    },
-    mutationKey: ["authorize", screenParams.oidc_ticket],
-    onSuccess: (data) => {
-      toast.info(t("authorizeSuccessTitle"), {
-        description: t("authorizeSuccessSubtitle"),
-      });
-      window.location.replace(data.data.redirect_uri);
-    },
-    onError: (error) => {
-      window.location.replace(
-        `/error?error=${encodeURIComponent(error.message)}`,
-      );
-    },
-  });
+  const { mutate: authorizeMutate, isPending: authorizeIsPending } =
+    useMutation({
+      mutationFn: () => {
+        return axios.post("/api/oidc/authorize-complete", {
+          ticket: screenParams.oidc_ticket,
+        });
+      },
+      mutationKey: ["authorize", screenParams.oidc_ticket],
+      onSuccess: (data) => {
+        toast.info(t("authorizeSuccessTitle"), {
+          description: t("authorizeSuccessSubtitle"),
+        });
+        window.location.replace(data.data.redirect_uri);
+      },
+      onError: (error) => {
+        window.location.replace(
+          `/error?error=${encodeURIComponent(error.message)}`,
+        );
+      },
+    });
+
+  useEffect(() => {
+    if (
+      !isOidc ||
+      screenParams.oidc_ticket === undefined ||
+      screenParams.oidc_scope === undefined ||
+      !auth.authenticated
+    ) {
+      return;
+    }
+
+    if (screenParams.oidc_show_consent === false) {
+      authorizeMutate();
+    }
+  }, [
+    isOidc,
+    screenParams.oidc_ticket,
+    screenParams.oidc_scope,
+    screenParams.oidc_show_consent,
+    auth.authenticated,
+    authorizeMutate,
+  ]);
 
   if (
     !isOidc ||
@@ -130,6 +154,19 @@ export const AuthorizePage = () => {
   const scopes =
     screenParams.oidc_scope.split(" ").filter((s) => s.trim() !== "") || [];
 
+  if (screenParams.oidc_show_consent === false) {
+    return (
+      <Card>
+        <CardHeader className="gap-1.5">
+          <CardTitle className="text-xl">Authorizing</CardTitle>
+          <CardDescription>
+            You will soon be redirected to your application...
+          </CardDescription>
+        </CardHeader>
+      </Card>
+    );
+  }
+
   return (
     <Card>
       <CardHeader className="mb-2">
@@ -171,15 +208,12 @@ export const AuthorizePage = () => {
         </CardContent>
       )}
       <CardFooter className="flex flex-col items-stretch gap-3">
-        <Button
-          onClick={() => authorizeMutation.mutate()}
-          loading={authorizeMutation.isPending}
-        >
+        <Button onClick={() => authorizeMutate()} loading={authorizeIsPending}>
           {t("authorizeTitle")}
         </Button>
         <Button
           onClick={() => navigate(`/logout${compiledParams}`)}
-          disabled={authorizeMutation.isPending}
+          disabled={authorizeIsPending}
           variant="outline"
         >
           {t("cancelTitle")}
diff --git a/internal/bootstrap/router_bootstrap.go b/internal/bootstrap/router_bootstrap.go
index eb91fdd7..01b0e522 100644
--- a/internal/bootstrap/router_bootstrap.go
+++ b/internal/bootstrap/router_bootstrap.go
@@ -58,8 +58,8 @@ func (app *BootstrapApp) setupRouter() error {
 	apiRouter := engine.Group("/api")
 
 	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-	controller.NewOAuthController(app.log, app.config, app.runtime, app.helpers, apiRouter, app.services.authService)
-	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, app.helpers, app.config, apiRouter, &engine.RouterGroup)
+	controller.NewOAuthController(app.log, app.config, app.runtime, &app.helpers, apiRouter, app.services.authService)
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, &app.helpers, app.config, apiRouter, &engine.RouterGroup)
 	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
 	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
 	controller.NewResourcesController(app.config, &engine.RouterGroup)
diff --git a/internal/bootstrap/service_bootstrap.go b/internal/bootstrap/service_bootstrap.go
index 452b6d8f..15dd9bb5 100644
--- a/internal/bootstrap/service_bootstrap.go
+++ b/internal/bootstrap/service_bootstrap.go
@@ -42,7 +42,7 @@ func (app *BootstrapApp) setupServices() error {
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService
 
-	authService := service.NewAuthService(app.log, app.config, app.runtime, app.helpers, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
+	authService := service.NewAuthService(app.log, app.config, app.runtime, &app.helpers, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
 	app.services.authService = authService
 
 	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)
diff --git a/internal/controller/oauth_controller.go b/internal/controller/oauth_controller.go
index 84f83989..0620f008 100644
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -24,7 +24,7 @@ type OAuthController struct {
 	log     *logger.Logger
 	config  model.Config
 	runtime model.RuntimeConfig
-	helpers model.RuntimeHelpers
+	helpers *model.RuntimeHelpers
 	auth    *service.AuthService
 }
 
@@ -32,7 +32,7 @@ func NewOAuthController(
 	log *logger.Logger,
 	config model.Config,
 	runtimeConfig model.RuntimeConfig,
-	helpers model.RuntimeHelpers,
+	helpers *model.RuntimeHelpers,
 	router *gin.RouterGroup,
 	auth *service.AuthService,
 ) *OAuthController {
diff --git a/internal/controller/oidc_controller.go b/internal/controller/oidc_controller.go
index 198e460d..b6744493 100644
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -33,7 +33,7 @@ type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
 	runtime model.RuntimeConfig
-	helpers model.RuntimeHelpers
+	helpers *model.RuntimeHelpers
 	config  model.Config
 }
 
@@ -87,7 +87,7 @@ func NewOIDCController(
 	log *logger.Logger,
 	oidcService *service.OIDCService,
 	runtimeConfig model.RuntimeConfig,
-	helpers model.RuntimeHelpers,
+	helpers *model.RuntimeHelpers,
 	config model.Config,
 	router *gin.RouterGroup,
 	mainRouter *gin.RouterGroup) *OIDCController {
diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go
index 15be926a..5dd06be0 100644
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -59,7 +59,7 @@ type AuthService struct {
 	log     *logger.Logger
 	config  model.Config
 	runtime model.RuntimeConfig
-	helpers model.RuntimeHelpers
+	helpers *model.RuntimeHelpers
 	ctx     context.Context
 
 	ldap         *LdapService
@@ -87,7 +87,7 @@ func NewAuthService(
 	log *logger.Logger,
 	config model.Config,
 	runtime model.RuntimeConfig,
-	helpers model.RuntimeHelpers,
+	helpers *model.RuntimeHelpers,
 	ctx context.Context,
 	dg *ding.Ding,
 	ldap *LdapService,
diff --git a/internal/test/test.go b/internal/test/test.go
index 589b111a..f7d32a2a 100644
--- a/internal/test/test.go
+++ b/internal/test/test.go
@@ -135,8 +135,8 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 	return config, runtime
 }
 
-func CreateTestHelpers() model.RuntimeHelpers {
-	return model.RuntimeHelpers{
+func CreateTestHelpers() *model.RuntimeHelpers {
+	return &model.RuntimeHelpers{
 		GetCookieDomain: func(ctx context.Context, ip string) (string, error) {
 			return "example.com", nil
 		},