refactor: card title and layout tweaks

* New translations en.json (Serbian (Cyrillic))

* chore: apply bot suggestion

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

.env.example

@@ -1,99 +1,174 @@
-# Base Configuration
+# This file is automatically generated by gen/gen_env.go. Do not edit manually.
 
-# The base URL where Tinyauth is accessible
-TINYAUTH_APPURL="https://auth.example.com"
-# Directory for static resources
-TINYAUTH_RESOURCESDIR="/data/resources"
-# Path to SQLite database file
-TINYAUTH_DATABASEPATH="/data/tinyauth.db"
-# Disable version heartbeat
-TINYAUTH_DISABLEANALYTICS="false"
-# Disable static resource serving
-TINYAUTH_DISABLERESOURCES="false"
-# Disable UI warning messages
-TINYAUTH_DISABLEUIWARNINGS="false"
+# Tinyauth example configuration
 
-# Logging Configuration
+# The base URL where the app is hosted.
+TINYAUTH_APPURL=
+# The directory where resources are stored.
+TINYAUTH_RESOURCESDIR="./resources"
+# The path to the database file.
+TINYAUTH_DATABASEPATH="./tinyauth.db"
+# Disable analytics.
+TINYAUTH_DISABLEANALYTICS=false
+# Disable resources server.
+TINYAUTH_DISABLERESOURCES=false
 
-# Log level: trace, debug, info, warn, error
-TINYAUTH_LOG_LEVEL="info"
-# Enable JSON formatted logs
-TINYAUTH_LOG_JSON="false"
-# Specific Log stream configurations
-# APP and HTTP log streams are enabled by default, and use the global log level unless overridden
-TINYAUTH_LOG_STREAMS_APP_ENABLED="true"
-TINYAUTH_LOG_STREAMS_APP_LEVEL="info"
-TINYAUTH_LOG_STREAMS_HTTP_ENABLED="true"
-TINYAUTH_LOG_STREAMS_HTTP_LEVEL="info"
-TINYAUTH_LOG_STREAMS_AUDIT_ENABLED="false"
-TINYAUTH_LOG_STREAMS_AUDIT_LEVEL="info"
+# server config
 
-# Server Configuration
-
-# Port to listen on
-TINYAUTH_SERVER_PORT="3000"
-# Interface to bind to (0.0.0.0 for all interfaces)
+# The port on which the server listens.
+TINYAUTH_SERVER_PORT=3000
+# The address on which the server listens.
 TINYAUTH_SERVER_ADDRESS="0.0.0.0"
-# Unix socket path (optional, overrides port/address if set)
-TINYAUTH_SERVER_SOCKETPATH=""
-# Comma-separated list of trusted proxy IPs/CIDRs
-TINYAUTH_SERVER_TRUSTEDPROXIES=""
+# The path to the Unix socket.
+TINYAUTH_SERVER_SOCKETPATH=
 
-# Authentication Configuration
+# auth config
 
-# Format: username:bcrypt_hash (use bcrypt to generate hash)
-TINYAUTH_AUTH_USERS="admin:$2a$10$example_bcrypt_hash_here"
-# Path to external users file (optional)
-TINYAUTH_AUTH_USERSFILE=""
-# Enable secure cookies (requires HTTPS)
-TINYAUTH_AUTH_SECURECOOKIE="true"
-# Session expiry in seconds (7200 = 2 hours)
-TINYAUTH_AUTH_SESSIONEXPIRY="7200"
-# Session maximum lifetime in seconds (0 = unlimited)
-TINYAUTH_AUTH_SESSIONMAXLIFETIME="0"
-# Login timeout in seconds (300 = 5 minutes)
-TINYAUTH_AUTH_LOGINTIMEOUT="300"
-# Maximum login retries before lockout
-TINYAUTH_AUTH_LOGINMAXRETRIES="5"
+# List of allowed IPs or CIDR ranges.
+TINYAUTH_AUTH_IP_ALLOW=
+# List of blocked IPs or CIDR ranges.
+TINYAUTH_AUTH_IP_BLOCK=
+# Comma-separated list of users (username:hashed_password).
+TINYAUTH_AUTH_USERS=
+# Path to the users file.
+TINYAUTH_AUTH_USERSFILE=
+# Enable secure cookies.
+TINYAUTH_AUTH_SECURECOOKIE=false
+# Session expiry time in seconds.
+TINYAUTH_AUTH_SESSIONEXPIRY=86400
+# Maximum session lifetime in seconds.
+TINYAUTH_AUTH_SESSIONMAXLIFETIME=0
+# Login timeout in seconds.
+TINYAUTH_AUTH_LOGINTIMEOUT=300
+# Maximum login retries.
+TINYAUTH_AUTH_LOGINMAXRETRIES=3
+# Comma-separated list of trusted proxy addresses.
+TINYAUTH_AUTH_TRUSTEDPROXIES=
 
-# OAuth Configuration
+# apps config
 
-# Regex pattern for allowed email addresses (e.g., /@example\.com$/)
-TINYAUTH_OAUTH_WHITELIST=""
-# Provider ID to auto-redirect to (skips login page)
-TINYAUTH_OAUTH_AUTOREDIRECT=""
-# OAuth Provider Configuration (replace MYPROVIDER with your provider name)
-TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTID="your_client_id_here"
-TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTSECRET="your_client_secret_here"
-TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_AUTHURL="https://provider.example.com/oauth/authorize"
-TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_TOKENURL="https://provider.example.com/oauth/token"
-TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_USERINFOURL="https://provider.example.com/oauth/userinfo"
-TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_REDIRECTURL="https://auth.example.com/oauth/callback/myprovider"
-TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_SCOPES="openid email profile"
-TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_NAME="My OAuth Provider"
-# Allow self-signed certificates
-TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_INSECURE="false"
+# The domain of the app.
+TINYAUTH_APPS_name_CONFIG_DOMAIN=
+# Comma-separated list of allowed users.
+TINYAUTH_APPS_name_USERS_ALLOW=
+# Comma-separated list of blocked users.
+TINYAUTH_APPS_name_USERS_BLOCK=
+# Comma-separated list of allowed OAuth groups.
+TINYAUTH_APPS_name_OAUTH_WHITELIST=
+# Comma-separated list of required OAuth groups.
+TINYAUTH_APPS_name_OAUTH_GROUPS=
+# List of allowed IPs or CIDR ranges.
+TINYAUTH_APPS_name_IP_ALLOW=
+# List of blocked IPs or CIDR ranges.
+TINYAUTH_APPS_name_IP_BLOCK=
+# List of IPs or CIDR ranges that bypass authentication.
+TINYAUTH_APPS_name_IP_BYPASS=
+# Custom headers to add to the response.
+TINYAUTH_APPS_name_RESPONSE_HEADERS=
+# Basic auth username.
+TINYAUTH_APPS_name_RESPONSE_BASICAUTH_USERNAME=
+# Basic auth password.
+TINYAUTH_APPS_name_RESPONSE_BASICAUTH_PASSWORD=
+# Path to the file containing the basic auth password.
+TINYAUTH_APPS_name_RESPONSE_BASICAUTH_PASSWORDFILE=
+# Comma-separated list of allowed paths.
+TINYAUTH_APPS_name_PATH_ALLOW=
+# Comma-separated list of blocked paths.
+TINYAUTH_APPS_name_PATH_BLOCK=
+# Comma-separated list of required LDAP groups.
+TINYAUTH_APPS_name_LDAP_GROUPS=
 
-# UI Customization
+# oauth config
 
-# Custom title for login page
+# Comma-separated list of allowed OAuth domains.
+TINYAUTH_OAUTH_WHITELIST=
+# The OAuth provider to use for automatic redirection.
+TINYAUTH_OAUTH_AUTOREDIRECT=
+# OAuth client ID.
+TINYAUTH_OAUTH_PROVIDERS_name_CLIENTID=
+# OAuth client secret.
+TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRET=
+# Path to the file containing the OAuth client secret.
+TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRETFILE=
+# OAuth scopes.
+TINYAUTH_OAUTH_PROVIDERS_name_SCOPES=
+# OAuth redirect URL.
+TINYAUTH_OAUTH_PROVIDERS_name_REDIRECTURL=
+# OAuth authorization URL.
+TINYAUTH_OAUTH_PROVIDERS_name_AUTHURL=
+# OAuth token URL.
+TINYAUTH_OAUTH_PROVIDERS_name_TOKENURL=
+# OAuth userinfo URL.
+TINYAUTH_OAUTH_PROVIDERS_name_USERINFOURL=
+# Allow insecure OAuth connections.
+TINYAUTH_OAUTH_PROVIDERS_name_INSECURE=false
+# Provider name in UI.
+TINYAUTH_OAUTH_PROVIDERS_name_NAME=
+
+# oidc config
+
+# Path to the private key file.
+TINYAUTH_OIDC_PRIVATEKEYPATH="./tinyauth_oidc_key"
+# Path to the public key file.
+TINYAUTH_OIDC_PUBLICKEYPATH="./tinyauth_oidc_key.pub"
+# OIDC client ID.
+TINYAUTH_OIDC_CLIENTS_name_CLIENTID=
+# OIDC client secret.
+TINYAUTH_OIDC_CLIENTS_name_CLIENTSECRET=
+# Path to the file containing the OIDC client secret.
+TINYAUTH_OIDC_CLIENTS_name_CLIENTSECRETFILE=
+# List of trusted redirect URIs.
+TINYAUTH_OIDC_CLIENTS_name_TRUSTEDREDIRECTURIS=
+# Client name in UI.
+TINYAUTH_OIDC_CLIENTS_name_NAME=
+
+# ui config
+
+# The title of the UI.
 TINYAUTH_UI_TITLE="Tinyauth"
-# Message shown on forgot password page
-TINYAUTH_UI_FORGOTPASSWORDMESSAGE="Contact your administrator to reset your password"
-# Background image URL for login page
-TINYAUTH_UI_BACKGROUNDIMAGE=""
+# Message displayed on the forgot password page.
+TINYAUTH_UI_FORGOTPASSWORDMESSAGE="You can change your password by changing the configuration."
+# Path to the background image.
+TINYAUTH_UI_BACKGROUNDIMAGE="/background.jpg"
+# Disable UI warnings.
+TINYAUTH_UI_DISABLEWARNINGS=false
 
-# LDAP Configuration
+# ldap config
 
-# LDAP server address
-TINYAUTH_LDAP_ADDRESS="ldap://ldap.example.com:389"
-# DN for binding to LDAP server
-TINYAUTH_LDAP_BINDDN="cn=readonly,dc=example,dc=com"
-# Password for bind DN
-TINYAUTH_LDAP_BINDPASSWORD="your_bind_password"
-# Base DN for user searches
-TINYAUTH_LDAP_BASEDN="dc=example,dc=com"
-# Search filter (%s will be replaced with username)
-TINYAUTH_LDAP_SEARCHFILTER="(&(uid=%s)(memberOf=cn=users,ou=groups,dc=example,dc=com))"
-# Allow insecure LDAP connections
-TINYAUTH_LDAP_INSECURE="false"
+# LDAP server address.
+TINYAUTH_LDAP_ADDRESS=
+# Bind DN for LDAP authentication.
+TINYAUTH_LDAP_BINDDN=
+# Bind password for LDAP authentication.
+TINYAUTH_LDAP_BINDPASSWORD=
+# Base DN for LDAP searches.
+TINYAUTH_LDAP_BASEDN=
+# Allow insecure LDAP connections.
+TINYAUTH_LDAP_INSECURE=false
+# LDAP search filter.
+TINYAUTH_LDAP_SEARCHFILTER="(uid=%s)"
+# Certificate for mTLS authentication.
+TINYAUTH_LDAP_AUTHCERT=
+# Certificate key for mTLS authentication.
+TINYAUTH_LDAP_AUTHKEY=
+# Cache duration for LDAP group membership in seconds.
+TINYAUTH_LDAP_GROUPCACHETTL=900
+
+# log config
+
+# Log level (trace, debug, info, warn, error).
+TINYAUTH_LOG_LEVEL="info"
+# Enable JSON formatted logs.
+TINYAUTH_LOG_JSON=false
+# Enable this log stream.
+TINYAUTH_LOG_STREAMS_HTTP_ENABLED=true
+# Log level for this stream. Use global if empty.
+TINYAUTH_LOG_STREAMS_HTTP_LEVEL=
+# Enable this log stream.
+TINYAUTH_LOG_STREAMS_APP_ENABLED=true
+# Log level for this stream. Use global if empty.
+TINYAUTH_LOG_STREAMS_APP_LEVEL=
+# Enable this log stream.
+TINYAUTH_LOG_STREAMS_AUDIT_ENABLED=false
+# Log level for this stream. Use global if empty.
+TINYAUTH_LOG_STREAMS_AUDIT_LEVEL=

.gitignore

@@ -39,3 +39,9 @@ __debug_*
 
 # infisical
 /.infisical.json
+
+# traefik data
+/traefik
+
+# generated markdown (for docs)
+/config.gen.md

CONTRIBUTING.md

@@ -1,24 +1,25 @@
 # Contributing
 
-Contributing is relatively easy, you just need to follow the steps below and you will be up and running with a development server in less than five minutes.
+Contributing to Tinyauth is straightforward. Follow the steps below to set up a development server.
 
 ## Requirements
 
 - Bun
-- Golang 1.24.0+
+- Golang v1.24.0 or later
 - Git
 - Docker
+- Make
 
-## Cloning the repository
+## Cloning the Repository
 
-You firstly need to clone the repository with:
+Start by cloning the repository:
 
 ```sh
 git clone https://github.com/steveiliop56/tinyauth
 cd tinyauth
 ```
 
-## Initialize submodules
+## Initialize Submodules
 
 The project uses Git submodules for some dependencies, so you need to initialize them with:
 
@@ -27,50 +28,58 @@ git submodule init
 git submodule update
 ```
 
-## Install requirements
+## Apply patches
 
-Although you will not need the requirements in your machine since the development will happen in Docker, I still recommend to install them because this way you will not have import errors. To install the Go requirements run:
+Some of the dependencies must be patched in order to work correctly with the project, you can apply the patches by running:
 
 ```sh
-go mod download
+git apply --directory paerser/ patches/nested_maps.diff
 ```
 
-You also need to download the frontend dependencies, this can be done like so:
+## Installing Requirements
+
+While development occurs within Docker, installing the requirements locally is recommended to avoid import errors. Install the Go dependencies:
+
+```sh
+go mod tidy
+```
+
+Frontend dependencies can be installed as follows:
 
 ```sh
 cd frontend/
 bun install
 ```
 
-## Apply patches
+## Create the `.env` file
 
-Some of the dependencies need to be patched in order to work correctly with the project, you can apply the patches by running:
+Configuration requires an environment file. Copy the `.env.example` file to `.env` and adjust the environment variables as needed.
 
-```sh
-git apply --directory paerser/ patches/nested_maps.diff
-```
+## Development Workflow
 
-## Create your `.env` file
-
-In order to configure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables to suit your needs.
-
-## Developing
-
-I have designed the development workflow to be entirely in Docker, this is because it will directly work with Traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
+The development workflow is designed to run entirely within Docker, ensuring compatibility with Traefik and eliminating the need for local builds. A recommended setup involves pointing a subdomain to the local machine:
 
 ```
 *.dev.example.com -> 127.0.0.1
 dev.example.com -> 127.0.0.1
 ```
 
-> [!TIP]
-> You can use [sslip.io](https://sslip.io) as a domain if you don't have one to develop with.
+> [!NOTE]
+> A domain from [sslip.io](https://sslip.io) can be used if a custom domain is
+  unavailable. For example, set the Tinyauth domain to `tinyauth.127.0.0.1.sslip.io` and the whoami domain to `whoami.127.0.0.1.sslip.io`.
 
-Then you can just make sure the domains are correct in the development Docker compose file and run:
+Ensure the domains are correctly configured in the development Docker Compose file, then start the development environment:
 
 ```sh
-docker compose -f docker-compose.dev.yml up --build
+make dev
+```
+
+In case you need to build the binary locally, you can run:
+
+```sh
+make binary
 ```
 
 > [!NOTE]
-> I recommend copying the example `docker-compose.dev.yml` into a `docker-compose.test.yml` file, so as you don't accidentally commit any sensitive information.
+> Copying the example `docker-compose.dev.yml` file to `docker-compose.test.yml`
+  is recommended to prevent accidental commits of sensitive information. The make recipe will automatically use `docker-compose.test.yml` as well as `docker-compose.test.prod.yml` (for the `make prod` recipe) if it exists.

Dockerfile

@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.3.6-alpine AS frontend-builder
+FROM oven/bun:1.3.10-alpine AS frontend-builder
 
 WORKDIR /frontend
 

Dockerfile.distroless

@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.3.6-alpine AS frontend-builder
+FROM oven/bun:1.3.10-alpine AS frontend-builder
 
 WORKDIR /frontend
 

Makefile

@@ -10,7 +10,7 @@ BUILD_TIMESTAMP := $(shell date '+%Y-%m-%dT%H:%M:%S')
 BIN_NAME := tinyauth-$(GOARCH)
 
 # Development vars
-DEV_COMPOSE := $(shell test -f "docker-compose.test.yml" && echo "docker-compose.test.yml" || echo "docker-compose.yml" )
+DEV_COMPOSE := $(shell test -f "docker-compose.test.yml" && echo "docker-compose.test.yml" || echo "docker-compose.dev.yml" )
 PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-compose.test.prod.yml" || echo "docker-compose.example.yml" )
 
 # Deps
@@ -60,18 +60,26 @@ test:
 	go test -v ./...
 
 # Development
-develop:
+dev:
 	docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
 
 # Development - Infisical
-develop-infisical:
+dev-infisical:
 	infisical run --env=dev -- docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
 
 # Production
 prod:
 	docker compose -f $(PROD_COMPOSE) up --force-recreate --pull=always --remove-orphans
 
+# Production - Infisical
+prod-infisical:
+	infisical run --env=dev -- docker compose -f $(PROD_COMPOSE) up --force-recreate --pull=always --remove-orphans
+
 # SQL
 .PHONY: sql
 sql:
 	sqlc generate
+
+# Go gen
+generate:
+	go run ./gen

README.md

@@ -21,6 +21,9 @@ Tinyauth is a simple authentication middleware that adds a simple login screen o
 > [!WARNING]
 > Tinyauth is in active development and configuration may change often. Please make sure to carefully read the release notes before updating.
 
+> [!NOTE]
+> This is the main development branch. For the latest stable release, see the [documentation](https://tinyauth.app) or the latest stable tag.
+
 ## Getting Started
 
 You can easily get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities.

cmd/tinyauth/create_oidc_client.go

@@ -0,0 +1,72 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/google/uuid"
+	"github.com/steveiliop56/tinyauth/internal/utils"
+	"github.com/traefik/paerser/cli"
+)
+
+func createOidcClientCmd() *cli.Command {
+	return &cli.Command{
+		Name:          "create",
+		Description:   "Create a new OIDC Client",
+		Configuration: nil,
+		Resources:     nil,
+		AllowArg:      true,
+		Run: func(args []string) error {
+			if len(args) == 0 {
+				return errors.New("client name is required. use tinyauth oidc create <name>")
+			}
+
+			clientName := args[0]
+
+			match, err := regexp.MatchString("^[a-zA-Z0-9-]*$", clientName)
+
+			if !match || err != nil {
+				return errors.New("client name can only contain alphanumeric characters and hyphens")
+			}
+
+			uuid := uuid.New()
+			clientId := uuid.String()
+			clientSecret := "ta-" + utils.GenerateString(61)
+
+			uclientName := strings.ToUpper(clientName)
+			lclientName := strings.ToLower(clientName)
+
+			builder := strings.Builder{}
+
+			// header
+			fmt.Fprintf(&builder, "Created credentials for client %s\n\n", clientName)
+
+			// credentials
+			fmt.Fprintf(&builder, "Client Name: %s\n", clientName)
+			fmt.Fprintf(&builder, "Client ID: %s\n", clientId)
+			fmt.Fprintf(&builder, "Client Secret: %s\n\n", clientSecret)
+
+			// env variables
+			fmt.Fprint(&builder, "Environment variables:\n\n")
+			fmt.Fprintf(&builder, "TINYAUTH_OIDC_CLIENTS_%s_CLIENTID=%s\n", uclientName, clientId)
+			fmt.Fprintf(&builder, "TINYAUTH_OIDC_CLIENTS_%s_CLIENTSECRET=%s\n", uclientName, clientSecret)
+			fmt.Fprintf(&builder, "TINYAUTH_OIDC_CLIENTS_%s_NAME=%s\n\n", uclientName, utils.Capitalize(lclientName))
+
+			// cli flags
+			fmt.Fprint(&builder, "CLI flags:\n\n")
+			fmt.Fprintf(&builder, "--oidc.clients.%s.clientid=%s\n", lclientName, clientId)
+			fmt.Fprintf(&builder, "--oidc.clients.%s.clientsecret=%s\n", lclientName, clientSecret)
+			fmt.Fprintf(&builder, "--oidc.clients.%s.name=%s\n\n", lclientName, utils.Capitalize(lclientName))
+
+			// footer
+			fmt.Fprintln(&builder, "You can use either option to configure your OIDC client. Make sure to save these credentials as there is no way to regenerate them.")
+
+			// print
+			out := builder.String()
+			fmt.Print(out)
+			return nil
+		},
+	}
+}

cmd/tinyauth/healthcheck.go

@@ -28,14 +28,21 @@ func healthcheckCmd() *cli.Command {
 		Run: func(args []string) error {
 			tlog.NewSimpleLogger().Init()
 
-			appUrl := os.Getenv("TINYAUTH_APPURL")
+			appUrl := "http://127.0.0.1:3000"
+
+			srvAddr := os.Getenv("TINYAUTH_SERVER_ADDRESS")
+			srvPort := os.Getenv("TINYAUTH_SERVER_PORT")
+
+			if srvAddr != "" && srvPort != "" {
+				appUrl = fmt.Sprintf("http://%s:%s", srvAddr, srvPort)
+			}
 
 			if len(args) > 0 {
 				appUrl = args[0]
 			}
 
 			if appUrl == "" {
-				return errors.New("TINYAUTH_APPURL is not set and no argument was provided")
+				return errors.New("Could not determine app URL")
 			}
 
 			tlog.App.Info().Str("app_url", appUrl).Msg("Performing health check")

cmd/tinyauth/tinyauth.go

@@ -12,60 +12,8 @@ import (
 	"github.com/traefik/paerser/cli"
 )
 
-func NewTinyauthCmdConfiguration() *config.Config {
-	return &config.Config{
-		ResourcesDir: "./resources",
-		DatabasePath: "./tinyauth.db",
-		Server: config.ServerConfig{
-			Port:    3000,
-			Address: "0.0.0.0",
-		},
-		Auth: config.AuthConfig{
-			SessionExpiry:      86400, // 1 day
-			SessionMaxLifetime: 0,     // disabled
-			LoginTimeout:       300,   // 5 minutes
-			LoginMaxRetries:    3,
-		},
-		UI: config.UIConfig{
-			Title:                 "Tinyauth",
-			ForgotPasswordMessage: "You can change your password by changing the configuration.",
-			BackgroundImage:       "/background.jpg",
-		},
-		Ldap: config.LdapConfig{
-			Insecure:      false,
-			SearchFilter:  "(uid=%s)",
-			GroupCacheTTL: 900, // 15 minutes
-		},
-		Log: config.LogConfig{
-			Level: "info",
-			Json:  false,
-			Streams: config.LogStreams{
-				HTTP: config.LogStreamConfig{
-					Enabled: true,
-					Level:   "",
-				},
-				App: config.LogStreamConfig{
-					Enabled: true,
-					Level:   "",
-				},
-				Audit: config.LogStreamConfig{
-					Enabled: false,
-					Level:   "",
-				},
-			},
-		},
-		OIDC: config.OIDCConfig{
-			PrivateKeyPath: "./tinyauth_oidc_key",
-			PublicKeyPath:  "./tinyauth_oidc_key.pub",
-		},
-		Experimental: config.ExperimentalConfig{
-			ConfigFile: "",
-		},
-	}
-}
-
 func main() {
-	tConfig := NewTinyauthCmdConfiguration()
+	tConfig := config.NewDefaultConfiguration()
 
 	loaders := []cli.ResourceLoader{
 		&loaders.FileLoader{},
@@ -75,7 +23,7 @@ func main() {
 
 	cmdTinyauth := &cli.Command{
 		Name:          "tinyauth",
-		Description:   "The simplest way to protect your apps with a login screen.",
+		Description:   "The simplest way to protect your apps with a login screen",
 		Configuration: tConfig,
 		Resources:     loaders,
 		Run: func(_ []string) error {
@@ -83,13 +31,28 @@ func main() {
 		},
 	}
 
+	cmdUser := &cli.Command{
+		Name:        "user",
+		Description: "Manage Tinyauth users",
+	}
+
+	cmdTotp := &cli.Command{
+		Name:        "totp",
+		Description: "Manage Tinyauth TOTP users",
+	}
+
+	cmdOidc := &cli.Command{
+		Name:        "oidc",
+		Description: "Manage Tinyauth OIDC clients",
+	}
+
 	err := cmdTinyauth.AddCommand(versionCmd())
 
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add version command")
 	}
 
-	err = cmdTinyauth.AddCommand(verifyUserCmd())
+	err = cmdUser.AddCommand(verifyUserCmd())
 
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add verify command")
@@ -101,18 +64,42 @@ func main() {
 		log.Fatal().Err(err).Msg("Failed to add healthcheck command")
 	}
 
-	err = cmdTinyauth.AddCommand(generateTotpCmd())
+	err = cmdTotp.AddCommand(generateTotpCmd())
 
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add generate command")
 	}
 
-	err = cmdTinyauth.AddCommand(createUserCmd())
+	err = cmdUser.AddCommand(createUserCmd())
 
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add create command")
 	}
 
+	err = cmdOidc.AddCommand(createOidcClientCmd())
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add create command")
+	}
+
+	err = cmdTinyauth.AddCommand(cmdUser)
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add user command")
+	}
+
+	err = cmdTinyauth.AddCommand(cmdTotp)
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add totp command")
+	}
+
+	err = cmdTinyauth.AddCommand(cmdOidc)
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add oidc command")
+	}
+
 	err = cli.Execute(cmdTinyauth)
 
 	if err != nil {

cmd/tinyauth/verify_user.go

@@ -40,7 +40,7 @@ func verifyUserCmd() *cli.Command {
 
 	return &cli.Command{
 		Name:          "verify",
-		Description:   "Verify a user is set up correctly.",
+		Description:   "Verify a user is set up correctly",
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {

cmd/tinyauth/version.go

@@ -11,7 +11,7 @@ import (
 func versionCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "version",
-		Description:   "Print the version number of Tinyauth.",
+		Description:   "Print the version number of Tinyauth",
 		Configuration: nil,
 		Resources:     nil,
 		Run: func(_ []string) error {

config.example.yaml

@@ -1,102 +0,0 @@
-# Tinyauth Example Configuration
-
-# The base URL where Tinyauth is accessible
-appUrl: "https://auth.example.com"
-# Directory for static resources
-resourcesDir: "./resources"
-# Path to SQLite database file
-databasePath: "./tinyauth.db"
-# Disable usage analytics
-disableAnalytics: false
-# Disable static resource serving
-disableResources: false
-# Disable UI warning messages
-disableUIWarnings: false
-
-# Logging Configuration
-log:
-  # Log level: trace, debug, info, warn, error
-  level: "info"
-  json: false
-  streams:
-    app:
-      enabled: true
-      level: "warn"
-    http:
-      enabled: true
-      level: "debug"
-    audit:
-      enabled: false
-      level: "info"
-
-# Server Configuration
-server:
-  # Port to listen on
-  port: 3000
-  # Interface to bind to (0.0.0.0 for all interfaces)
-  address: "0.0.0.0"
-  # Unix socket path (optional, overrides port/address if set)
-  socketPath: ""
-  # Comma-separated list of trusted proxy IPs/CIDRs
-  trustedProxies: ""
-
-# Authentication Configuration
-auth:
-  # Format: username:bcrypt_hash (use bcrypt to generate hash)
-  users: "admin:$2a$10$example_bcrypt_hash_here"
-  # Path to external users file (optional)
-  usersFile: ""
-  # Enable secure cookies (requires HTTPS)
-  secureCookie: false
-  # Session expiry in seconds (3600 = 1 hour)
-  sessionExpiry: 3600
-  # Session maximum lifetime in seconds (0 = unlimited)
-  sessionMaxLifetime: 0
-  # Login timeout in seconds (300 = 5 minutes)
-  loginTimeout: 300
-  # Maximum login retries before lockout
-  loginMaxRetries: 3
-
-# OAuth Configuration
-oauth:
-  # Regex pattern for allowed email addresses (e.g., /@example\.com$/)
-  whitelist: ""
-  # Provider ID to auto-redirect to (skips login page)
-  autoRedirect: ""
-  # OAuth Provider Configuration (replace myprovider with your provider name)
-  providers:
-    myprovider:
-      clientId: "your_client_id_here"
-      clientSecret: "your_client_secret_here"
-      authUrl: "https://provider.example.com/oauth/authorize"
-      tokenUrl: "https://provider.example.com/oauth/token"
-      userInfoUrl: "https://provider.example.com/oauth/userinfo"
-      redirectUrl: "https://auth.example.com/api/oauth/callback/myprovider"
-      scopes: "openid email profile"
-      name: "My OAuth Provider"
-      # Allow insecure connections (self-signed certificates)
-      insecure: false
-
-# UI Customization
-ui:
-  # Custom title for login page
-  title: "Tinyauth"
-  # Message shown on forgot password page
-  forgotPasswordMessage: "Contact your administrator to reset your password"
-  # Background image URL for login page
-  backgroundImage: ""
-
-# LDAP Configuration (optional)
-ldap:
-  # LDAP server address
-  address: "ldap://ldap.example.com:389"
-  # DN for binding to LDAP server
-  bindDn: "cn=readonly,dc=example,dc=com"
-  # Password for bind DN
-  bindPassword: "your_bind_password"
-  # Base DN for user searches
-  baseDn: "dc=example,dc=com"
-  # Search filter (%s will be replaced with username)
-  searchFilter: "(&(uid=%s)(memberOf=cn=users,ou=groups,dc=example,dc=com))"
-  # Allow insecure LDAP connections
-  insecure: false

docker-compose.dev.yml

@@ -13,7 +13,7 @@ services:
     image: traefik/whoami:latest
     labels:
       traefik.enable: true
-      traefik.http.routers.whoami.rule: Host(`whoami.example.com`)
+      traefik.http.routers.whoami.rule: Host(`whoami.127.0.0.1.sslip.io`)
       traefik.http.routers.whoami.middlewares: tinyauth
 
   tinyauth-frontend:
@@ -27,7 +27,7 @@ services:
       - 5173:5173
     labels:
       traefik.enable: true
-      traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
+      traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)
 
   tinyauth-backend:
     container_name: tinyauth-backend

frontend/.gitignore

@@ -22,3 +22,6 @@ dist-ssr
 *.njsproj
 *.sln
 *.sw?
+
+# Stats out
+stats.html

frontend/package.json

@@ -17,43 +17,45 @@
     "@radix-ui/react-select": "^2.2.6",
     "@radix-ui/react-separator": "^1.1.8",
     "@radix-ui/react-slot": "^1.2.4",
-    "@tailwindcss/vite": "^4.1.18",
-    "@tanstack/react-query": "^5.90.17",
-    "axios": "^1.13.2",
+    "@tailwindcss/vite": "^4.2.1",
+    "@tanstack/react-query": "^5.90.21",
+    "axios": "^1.13.5",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
-    "i18next": "^25.7.4",
-    "i18next-browser-languagedetector": "^8.2.0",
+    "i18next": "^25.8.13",
+    "i18next-browser-languagedetector": "^8.2.1",
     "i18next-resources-to-backend": "^1.2.1",
     "input-otp": "^1.4.2",
-    "lucide-react": "^0.562.0",
+    "lucide-react": "^0.575.0",
     "next-themes": "^0.4.6",
-    "react": "^19.2.3",
-    "react-dom": "^19.2.3",
-    "react-hook-form": "^7.71.1",
-    "react-i18next": "^16.5.3",
+    "radix-ui": "^1.4.3",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "react-hook-form": "^7.71.2",
+    "react-i18next": "^16.5.4",
     "react-markdown": "^10.1.0",
-    "react-router": "^7.12.0",
+    "react-router": "^7.13.1",
     "sonner": "^2.0.7",
-    "tailwind-merge": "^3.4.0",
-    "tailwindcss": "^4.1.18",
-    "zod": "^4.3.5"
+    "tailwind-merge": "^3.5.0",
+    "tailwindcss": "^4.2.1",
+    "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@eslint/js": "^9.39.2",
-    "@tanstack/eslint-plugin-query": "^5.91.2",
-    "@types/node": "^25.0.9",
-    "@types/react": "^19.2.8",
+    "@eslint/js": "^10.0.1",
+    "@tanstack/eslint-plugin-query": "^5.91.4",
+    "@types/node": "^25.3.1",
+    "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^5.1.2",
-    "eslint": "^9.39.2",
+    "@vitejs/plugin-react": "^5.1.4",
+    "eslint": "^10.0.2",
     "eslint-plugin-react-hooks": "^7.0.1",
-    "eslint-plugin-react-refresh": "^0.4.26",
-    "globals": "^17.0.0",
-    "prettier": "3.8.0",
+    "eslint-plugin-react-refresh": "^0.5.2",
+    "globals": "^17.3.0",
+    "prettier": "3.8.1",
+    "rollup-plugin-visualizer": "^7.0.0",
     "tw-animate-css": "^1.4.0",
     "typescript": "~5.9.3",
-    "typescript-eslint": "^8.53.0",
+    "typescript-eslint": "^8.56.1",
     "vite": "^7.3.1"
   }
 }

frontend/src/components/auth/login-form.tsx

@@ -10,17 +10,17 @@ import {
   FormLabel,
   FormMessage,
 } from "../ui/form";
-import { Button } from "../ui/button";
 import { loginSchema, LoginSchema } from "@/schemas/login-schema";
 import z from "zod";
 
 interface Props {
   onSubmit: (data: LoginSchema) => void;
   loading?: boolean;
+  formId?: string;
 }
 
 export const LoginForm = (props: Props) => {
-  const { onSubmit, loading } = props;
+  const { onSubmit, loading, formId } = props;
   const { t } = useTranslation();
 
   z.config({
@@ -34,7 +34,7 @@ export const LoginForm = (props: Props) => {
 
   return (
     <Form {...form}>
-      <form onSubmit={form.handleSubmit(onSubmit)}>
+      <form id={formId} onSubmit={form.handleSubmit(onSubmit)}>
         <FormField
           control={form.control}
           name="username"
@@ -57,7 +57,7 @@ export const LoginForm = (props: Props) => {
           control={form.control}
           name="password"
           render={({ field }) => (
-            <FormItem className="mb-4 gap-0">
+            <FormItem className="gap-0">
               <div className="relative mb-1">
                 <FormLabel className="mb-2">{t("loginPassword")}</FormLabel>
                 <FormControl>
@@ -71,7 +71,7 @@ export const LoginForm = (props: Props) => {
                 </FormControl>
                 <a
                   href="/forgot-password"
-                  className="text-muted-foreground text-sm absolute right-0 bottom-[2.565rem]" // 2.565 is *just* perfect
+                  className="text-muted-foreground hover:text-muted-foreground/80 text-sm absolute right-0 bottom-[2.565rem]" // 2.565 is *just* perfect
                 >
                   {t("forgotPasswordTitle")}
                 </a>
@@ -80,9 +80,6 @@ export const LoginForm = (props: Props) => {
             </FormItem>
           )}
         />
-        <Button className="w-full" type="submit" loading={loading}>
-          {t("loginSubmit")}
-        </Button>
       </form>
     </Form>
   );

frontend/src/components/auth/totp-form.tsx

@@ -14,11 +14,10 @@ import z from "zod";
 interface Props {
   formId: string;
   onSubmit: (code: TotpSchema) => void;
-  loading?: boolean;
 }
 
 export const TotpForm = (props: Props) => {
-  const { formId, onSubmit, loading } = props;
+  const { formId, onSubmit } = props;
   const { t } = useTranslation();
 
   z.config({
@@ -30,6 +29,14 @@ export const TotpForm = (props: Props) => {
     resolver: zodResolver(totpSchema),
   });
 
+  const handleChange = (value: string) => {
+    form.setValue("code", value, { shouldDirty: true, shouldValidate: true });
+
+    if (value.length === 6) {
+      onSubmit({ code: value });
+    }
+  };
+
   return (
     <Form {...form}>
       <form id={formId} onSubmit={form.handleSubmit(onSubmit)}>
@@ -41,10 +48,10 @@ export const TotpForm = (props: Props) => {
               <FormControl>
                 <InputOTP
                   maxLength={6}
-                  disabled={loading}
                   {...field}
                   autoComplete="one-time-code"
                   autoFocus
+                  onChange={handleChange}
                 >
                   <InputOTPGroup>
                     <InputOTPSlot index={0} />

frontend/src/components/domain-warning/domain-warning.tsx

@@ -33,6 +33,7 @@ export const DomainWarning = (props: Props) => {
             i18nKey="domainWarningSubtitle"
             values={{ appUrl, currentUrl }}
             components={{ code: <code /> }}
+            shouldUnescape={true}
           />
         </CardDescription>
       </CardHeader>

frontend/src/components/layout/layout.tsx

@@ -14,18 +14,18 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
 
   return (
     <div
-      className="relative flex flex-col justify-center items-center min-h-svh"
+      className="flex flex-col justify-center items-center min-h-svh px-4"
       style={{
         backgroundImage: `url(${backgroundImage})`,
         backgroundSize: "cover",
         backgroundPosition: "center",
       }}
     >
-      <div className="absolute top-5 right-5 flex flex-row gap-2">
+      <div className="absolute top-4 right-4 flex flex-row gap-2">
         <ThemeToggle />
         <LanguageSelector />
       </div>
-      {children}
+      <div className="max-w-sm">{children}</div>
     </div>
   );
 };

frontend/src/components/ui/card.tsx

@@ -7,7 +7,7 @@ function Card({ className, ...props }: React.ComponentProps<"div">) {
     <div
       data-slot="card"
       className={cn(
-        "bg-card text-card-foreground flex flex-col gap-6 rounded-xl border py-6 shadow-sm",
+        "bg-card text-card-foreground flex flex-col gap-3 rounded-xl border py-6 shadow-sm",
         className,
       )}
       {...props}
@@ -20,7 +20,7 @@ function CardHeader({ className, ...props }: React.ComponentProps<"div">) {
     <div
       data-slot="card-header"
       className={cn(
-        "@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start gap-1.5 px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6",
+        "@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6",
         className,
       )}
       {...props}
@@ -75,7 +75,7 @@ function CardFooter({ className, ...props }: React.ComponentProps<"div">) {
   return (
     <div
       data-slot="card-footer"
-      className={cn("flex items-center px-6 [.border-t]:pt-6", className)}
+      className={cn("flex items-center px-6 [.border-t]:pt-6 mt-2", className)}
       {...props}
     />
   );

frontend/src/components/ui/tooltip.tsx

@@ -0,0 +1,55 @@
+import * as React from "react"
+import { Tooltip as TooltipPrimitive } from "radix-ui"
+
+import { cn } from "@/lib/utils"
+
+function TooltipProvider({
+  delayDuration = 0,
+  ...props
+}: React.ComponentProps<typeof TooltipPrimitive.Provider>) {
+  return (
+    <TooltipPrimitive.Provider
+      data-slot="tooltip-provider"
+      delayDuration={delayDuration}
+      {...props}
+    />
+  )
+}
+
+function Tooltip({
+  ...props
+}: React.ComponentProps<typeof TooltipPrimitive.Root>) {
+  return <TooltipPrimitive.Root data-slot="tooltip" {...props} />
+}
+
+function TooltipTrigger({
+  ...props
+}: React.ComponentProps<typeof TooltipPrimitive.Trigger>) {
+  return <TooltipPrimitive.Trigger data-slot="tooltip-trigger" {...props} />
+}
+
+function TooltipContent({
+  className,
+  sideOffset = 0,
+  children,
+  ...props
+}: React.ComponentProps<typeof TooltipPrimitive.Content>) {
+  return (
+    <TooltipPrimitive.Portal>
+      <TooltipPrimitive.Content
+        data-slot="tooltip-content"
+        sideOffset={sideOffset}
+        className={cn(
+          "bg-foreground text-background animate-in fade-in-0 zoom-in-95 data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=closed]:zoom-out-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 z-50 w-fit origin-(--radix-tooltip-content-transform-origin) rounded-md px-3 py-1.5 text-xs text-balance",
+          className
+        )}
+        {...props}
+      >
+        {children}
+        <TooltipPrimitive.Arrow className="bg-foreground fill-foreground z-50 size-2.5 translate-y-[calc(-50%_-_2px)] rotate-45 rounded-[2px]" />
+      </TooltipPrimitive.Content>
+    </TooltipPrimitive.Portal>
+  )
+}
+
+export { Tooltip, TooltipTrigger, TooltipContent, TooltipProvider }

frontend/src/index.css

@@ -160,7 +160,7 @@ code {
 }
 
 pre {
-  @apply bg-accent border border-border rounded-md p-2;
+  @apply bg-accent border border-border rounded-md p-2 whitespace-break-spaces;
 }
 
 .lead {

frontend/src/lib/hooks/redirect-uri.ts

@@ -0,0 +1,64 @@
+type IuseRedirectUri = {
+  url?: URL;
+  valid: boolean;
+  trusted: boolean;
+  allowedProto: boolean;
+  httpsDowngrade: boolean;
+};
+
+export const useRedirectUri = (
+  redirect_uri: string | null,
+  cookieDomain: string,
+): IuseRedirectUri => {
+  let isValid = false;
+  let isTrusted = false;
+  let isAllowedProto = false;
+  let isHttpsDowngrade = false;
+
+  if (!redirect_uri) {
+    return {
+      valid: isValid,
+      trusted: isTrusted,
+      allowedProto: isAllowedProto,
+      httpsDowngrade: isHttpsDowngrade,
+    };
+  }
+
+  let url: URL;
+
+  try {
+    url = new URL(redirect_uri);
+  } catch {
+    return {
+      valid: isValid,
+      trusted: isTrusted,
+      allowedProto: isAllowedProto,
+      httpsDowngrade: isHttpsDowngrade,
+    };
+  }
+
+  isValid = true;
+
+  if (
+    url.hostname == cookieDomain ||
+    url.hostname.endsWith(`.${cookieDomain}`)
+  ) {
+    isTrusted = true;
+  }
+
+  if (url.protocol == "http:" || url.protocol == "https:") {
+    isAllowedProto = true;
+  }
+
+  if (window.location.protocol == "https:" && url.protocol == "http:") {
+    isHttpsDowngrade = true;
+  }
+
+  return {
+    url,
+    valid: isValid,
+    trusted: isTrusted,
+    allowedProto: isAllowedProto,
+    httpsDowngrade: isHttpsDowngrade,
+  };
+};

frontend/src/lib/i18n/locales/af-ZA.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Forgot your password?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
     "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/ar-SA.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "نسيت كلمة المرور؟",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
     "errorTitle": "حدث خطأ",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "تجاهل",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/ca-ES.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Forgot your password?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
     "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/cs-CZ.json

@@ -14,7 +14,7 @@
     "loginOauthFailSubtitle": "Nepodařilo se získat OAuth URL",
     "loginOauthSuccessTitle": "Přesměrování",
     "loginOauthSuccessSubtitle": "Přesměrování k poskytovateli OAuth",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Automatické přesměrování OAuth",
     "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
     "loginOauthAutoRedirectButton": "Redirect now",
     "continueTitle": "Pokračovat",
@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Zapomněli jste heslo?",
     "failedToFetchProvidersTitle": "Nepodařilo se načíst poskytovatele ověřování. Zkontrolujte prosím konfiguraci.",
     "errorTitle": "Došlo k chybě",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "Nastala chyba při pokusu o provedení této akce. Pro více informací prosím zkontrolujte konzolu.",
     "forgotPasswordMessage": "Heslo můžete obnovit změnou proměnné `USERS`.",
     "fieldRequired": "Toto pole je povinné",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/da-DK.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Glemt din adgangskode?",
     "failedToFetchProvidersTitle": "Kunne ikke indlæse godkendelsesudbydere. Tjek venligst din konfiguration.",
     "errorTitle": "Der opstod en fejl",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "Der opstod en fejl under forsøget på at udføre denne handling. Tjek venligst konsollen for mere information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/de-DE.json

@@ -14,17 +14,17 @@
     "loginOauthFailSubtitle": "Fehler beim Abrufen der OAuth-URL",
     "loginOauthSuccessTitle": "Leite weiter",
     "loginOauthSuccessSubtitle": "Weiterleitung zu Ihrem OAuth-Provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectTitle": "Automatische OAuth-Weiterleitung",
+    "loginOauthAutoRedirectSubtitle": "Sie werden automatisch zu Ihrem OAuth-Anbieter weitergeleitet, um sich zu authentifizieren.",
+    "loginOauthAutoRedirectButton": "Jetzt weiterleiten",
     "continueTitle": "Weiter",
     "continueRedirectingTitle": "Leite weiter...",
     "continueRedirectingSubtitle": "Sie sollten in Kürze zur App weitergeleitet werden",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Manuell weiterleiten",
     "continueInsecureRedirectTitle": "Unsichere Weiterleitung",
     "continueInsecureRedirectSubtitle": "Sie versuchen von <code>https</code> auf <code>http</code> weiterzuleiten, was unsicher ist. Sind Sie sicher, dass Sie fortfahren möchten?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectTitle": "Nicht vertrauenswürdige Weiterleitung",
+    "continueUntrustedRedirectSubtitle": "Sie versuchen auf eine Domain umzuleiten, die nicht mit Ihrer konfigurierten Domain übereinstimmt (<code>{{cookieDomain}}</code>). Sind Sie sicher, dass Sie fortfahren möchten?",
     "logoutFailTitle": "Abmelden fehlgeschlagen",
     "logoutFailSubtitle": "Bitte versuchen Sie es erneut",
     "logoutSuccessTitle": "Abgemeldet",
@@ -51,12 +51,31 @@
     "forgotPasswordTitle": "Passwort vergessen?",
     "failedToFetchProvidersTitle": "Fehler beim Laden der Authentifizierungsanbieter. Bitte überprüfen Sie Ihre Konfiguration.",
     "errorTitle": "Ein Fehler ist aufgetreten",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "Beim Versuch, diese Aktion auszuführen, ist ein Fehler aufgetreten. Bitte überprüfen Sie die Konsole für weitere Informationen.",
     "forgotPasswordMessage": "Das Passwort kann durch Änderung der 'USERS' Variable zurückgesetzt werden.",
     "fieldRequired": "Dieses Feld ist notwendig",
     "invalidInput": "Ungültige Eingabe",
-    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "domainWarningTitle": "Ungültige Domain",
+    "domainWarningSubtitle": "Diese Instanz ist so konfiguriert, dass sie von <code>{{appUrl}}</code> aufgerufen werden kann, aber <code>{{currentUrl}}</code> wird verwendet. Wenn Sie fortfahren, können Probleme bei der Authentifizierung auftreten.",
+    "ignoreTitle": "Ignorieren",
+    "goToCorrectDomainTitle": "Zur korrekten Domain gehen",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/el-GR.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Ξεχάσατε το συνθηματικό σας;",
     "failedToFetchProvidersTitle": "Αποτυχία φόρτωσης παρόχων πιστοποίησης. Παρακαλώ ελέγξτε τις ρυθμίσεις σας.",
     "errorTitle": "Παρουσιάστηκε ένα σφάλμα",
+    "errorSubtitleInfo": "Το ακόλουθο σφάλμα προέκυψε κατά την επεξεργασία του αιτήματός σας:",
     "errorSubtitle": "Παρουσιάστηκε σφάλμα κατά την προσπάθεια εκτέλεσης αυτής της ενέργειας. Ελέγξτε την κονσόλα για περισσότερες πληροφορίες.",
     "forgotPasswordMessage": "Μπορείτε να επαναφέρετε τον κωδικό πρόσβασής σας αλλάζοντας τη μεταβλητή περιβάλλοντος `USERS`.",
     "fieldRequired": "Αυτό το πεδίο είναι υποχρεωτικό",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Μη έγκυρο domain",
     "domainWarningSubtitle": "Αυτή η εφαρμογή έχει ρυθμιστεί για πρόσβαση από <code>{{appUrl}}</code>, αλλά <code>{{currentUrl}}</code> χρησιμοποιείται. Αν συνεχίσετε, μπορεί να αντιμετωπίσετε προβλήματα με την ταυτοποίηση.",
     "ignoreTitle": "Παράβλεψη",
-    "goToCorrectDomainTitle": "Μεταβείτε στο σωστό domain"
-}
+    "goToCorrectDomainTitle": "Μεταβείτε στο σωστό domain",
+    "authorizeTitle": "Εξουσιοδότηση",
+    "authorizeCardTitle": "Συνέχεια στην εφαρμογή {{app}};",
+    "authorizeSubtitle": "Θα θέλατε να συνεχίσετε σε αυτή την εφαρμογή; Παρακαλώ ελέγξτε προσεκτικά τα δικαιώματα που ζητούνται από την εφαρμογή.",
+    "authorizeSubtitleOAuth": "Θα θέλατε να συνεχίσετε σε αυτή την εφαρμογή;",
+    "authorizeLoadingTitle": "Φόρτωση...",
+    "authorizeLoadingSubtitle": "Παρακαλώ περιμένετε όσο φορτώνουμε τις απαραίτητες πληροφορίες.",
+    "authorizeSuccessTitle": "Εξουσιοδοτημένος",
+    "authorizeSuccessSubtitle": "Θα μεταφερθείτε στην εφαρμογή σε λίγα δευτερόλεπτα.",
+    "authorizeErrorClientInfo": "Παρουσιάστηκε σφάλμα κατά τη φόρτωση των πληροφοριών. Παρακαλώ προσπαθήστε ξανά αργότερα.",
+    "authorizeErrorMissingParams": "Οι παρακάτω απαραίτητες πληροφορίες λείπουν από το αίτημά σας: {{missingParams}}",
+    "openidScopeName": "Σύνδεση OpenID",
+    "openidScopeDescription": "Επιτρέπει στην εφαρμογή την πρόσβαση στις πληροφορίες σύνδεσης OpenID.",
+    "emailScopeName": "Διεύθυνση ηλεκτρονικού ταχυδρομείου",
+    "emailScopeDescription": "Επιτρέπει στην εφαρμογή να έχει πρόσβαση στη διεύθυνση ηλεκτρονικού ταχυδρομείου σας.",
+    "profileScopeName": "Προφίλ",
+    "profileScopeDescription": "Επιτρέπει στην εφαρμογή να έχει πρόσβαση στις πληροφορίες του προφίλ σας.",
+    "groupsScopeName": "Ομάδες",
+    "groupsScopeDescription": "Επιτρέπει στην εφαρμογή την πρόσβαση στις πληροφορίες ομάδας σας."
+}

frontend/src/lib/i18n/locales/es-ES.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "¿Olvidó su contraseña?",
     "failedToFetchProvidersTitle": "Error al cargar los proveedores de autenticación. Por favor revise su configuración.",
     "errorTitle": "Ha ocurrido un error",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "Ocurrió un error mientras se trataba de realizar esta acción. Por favor, revise la consola para más información.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/fi-FI.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Unohditko salasanasi?",
     "failedToFetchProvidersTitle": "Todennuspalvelujen tarjoajien lataaminen epäonnistui. Tarkista määrityksesi.",
     "errorTitle": "Tapahtui virhe",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "Tapahtui virhe yritettäessä suorittaa tämä toiminto. Ole hyvä ja tarkista konsoli saadaksesi lisätietoja.",
     "forgotPasswordMessage": "Voit nollata salasanasi vaihtamalla ympäristömuuttujan `USERS`.",
     "fieldRequired": "Tämä kenttä on pakollinen",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Virheellinen verkkotunnus",
     "domainWarningSubtitle": "Tämä instanssi on määritelty käyttämään osoitetta <code>{{appUrl}}</code>, mutta nykyinen osoite on <code>{{currentUrl}}</code>. Jos jatkat, saatat törmätä ongelmiin autentikoinnissa.",
     "ignoreTitle": "Jätä huomiotta",
-    "goToCorrectDomainTitle": "Siirry oikeaan verkkotunnukseen"
-}
+    "goToCorrectDomainTitle": "Siirry oikeaan verkkotunnukseen",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/fr-FR.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Mot de passe oublié ?",
     "failedToFetchProvidersTitle": "Échec du chargement des fournisseurs d'authentification. Veuillez vérifier votre configuration.",
     "errorTitle": "Une erreur est survenue",
+    "errorSubtitleInfo": "L'erreur suivante s'est produite lors du traitement de votre requête :",
     "errorSubtitle": "Une erreur est survenue lors de l'exécution de cette action. Veuillez consulter la console pour plus d'informations.",
     "forgotPasswordMessage": "Vous pouvez réinitialiser votre mot de passe en modifiant la variable d'environnement `USERS`.",
     "fieldRequired": "Ce champ est obligatoire",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Domaine invalide",
     "domainWarningSubtitle": "Cette instance est configurée pour être accédée depuis <code>{{appUrl}}</code>, mais <code>{{currentUrl}}</code> est utilisé. Si vous continuez, vous pourriez rencontrer des problèmes d'authentification.",
     "ignoreTitle": "Ignorer",
-    "goToCorrectDomainTitle": "Aller au bon domaine"
-}
+    "goToCorrectDomainTitle": "Aller au bon domaine",
+    "authorizeTitle": "Autoriser",
+    "authorizeCardTitle": "Continuer vers {{app}} ?",
+    "authorizeSubtitle": "Voulez-vous continuer vers cette application ? Veuillez examiner attentivement les autorisations demandées par l'application.",
+    "authorizeSubtitleOAuth": "Voulez-vous continuer vers cette application ?",
+    "authorizeLoadingTitle": "Chargement...",
+    "authorizeLoadingSubtitle": "Veuillez patienter pendant que nous chargeons les informations du client.",
+    "authorizeSuccessTitle": "Autorisé",
+    "authorizeSuccessSubtitle": "Vous allez être redirigé vers l'application dans quelques secondes.",
+    "authorizeErrorClientInfo": "Une erreur est survenue lors du chargement des informations du client. Veuillez réessayer plus tard.",
+    "authorizeErrorMissingParams": "Les paramètres suivants sont manquants : {{missingParams}}",
+    "openidScopeName": "Connexion OpenID",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Autorise l'application à accéder à votre adresse e-mail.",
+    "profileScopeName": "Profil",
+    "profileScopeDescription": "Autorise l'application à accéder aux informations de votre profil.",
+    "groupsScopeName": "Groupes",
+    "groupsScopeDescription": "Autorise une application à accéder aux informations de votre groupe."
+}

frontend/src/lib/i18n/locales/he-IL.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Forgot your password?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
     "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/hu-HU.json

@@ -1,42 +1,42 @@
 {
     "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Or",
-    "loginUsername": "Username",
-    "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
+    "loginTitleSimple": "Üdvözöljük, kérem jelentkezzen be",
+    "loginDivider": "Vagy",
+    "loginUsername": "Felhasználónév",
+    "loginPassword": "Jelszó",
+    "loginSubmit": "Bejelentkezés",
+    "loginFailTitle": "Sikertelen bejelentkezés",
+    "loginFailSubtitle": "Kérjük, ellenőrizze a felhasználónevét és jelszavát",
+    "loginFailRateLimit": "Túl sokszor próbálkoztál bejelentkezni. Próbáld újra később",
+    "loginSuccessTitle": "Bejelentkezve",
+    "loginSuccessSubtitle": "Üdvözöljük!",
     "loginOauthFailTitle": "An error occurred",
     "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "Átirányítás",
     "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
     "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
     "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
     "loginOauthAutoRedirectButton": "Redirect now",
     "continueTitle": "Continue",
-    "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "Átirányítás...",
     "continueRedirectingSubtitle": "You should be redirected to the app soon",
     "continueRedirectManually": "Redirect me manually",
     "continueInsecureRedirectTitle": "Insecure redirect",
     "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
     "continueUntrustedRedirectTitle": "Untrusted redirect",
     "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
+    "logoutFailTitle": "Sikertelen kijelentkezés",
+    "logoutFailSubtitle": "Próbálja újra",
+    "logoutSuccessTitle": "Kijelentkezve",
+    "logoutSuccessSubtitle": "Kijelentkeztél",
+    "logoutTitle": "Kijelentkezés",
     "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
     "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
     "notFoundTitle": "Page not found",
     "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
+    "notFoundButton": "Ugrás a kezdőlapra",
+    "totpFailTitle": "Érvénytelen kód",
+    "totpFailSubtitle": "Kérjük ellenőrizze a kódot és próbálja újra",
     "totpSuccessTitle": "Verified",
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
@@ -46,17 +46,36 @@
     "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
     "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
     "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
-    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?",
+    "unauthorizedButton": "Próbálja újra",
+    "cancelTitle": "Mégse",
+    "forgotPasswordTitle": "Elfelejtette jelszavát?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "Hiba történt",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "Ez egy kötelező mező",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/it-IT.json

@@ -1,62 +1,81 @@
 {
-    "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Or",
-    "loginUsername": "Username",
+    "loginTitle": "Bentornato, accedi con",
+    "loginTitleSimple": "Bentornato, accedi al tuo account",
+    "loginDivider": "Oppure",
+    "loginUsername": "Nome utente",
     "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "An error occurred",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
-    "continueTitle": "Continue",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueRedirectManually": "Redirect me manually",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
-    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "An error occurred",
+    "loginSubmit": "Accesso",
+    "loginFailTitle": "Accesso non riuscito",
+    "loginFailSubtitle": "Verifica che il nome utente e la password siano corretti",
+    "loginFailRateLimit": "Hai effettuato troppi tentativi errati. Riprova più tardi",
+    "loginSuccessTitle": "Accesso effettuato",
+    "loginSuccessSubtitle": "Bentornato!",
+    "loginOauthFailTitle": "Si è verificato un errore",
+    "loginOauthFailSubtitle": "Impossibile ottenere l'URL di OAuth",
+    "loginOauthSuccessTitle": "Reindirizzamento",
+    "loginOauthSuccessSubtitle": "Reindirizzamento al tuo provider OAuth",
+    "loginOauthAutoRedirectTitle": "Reindirizzamento automatico OAuth",
+    "loginOauthAutoRedirectSubtitle": "Verrai automaticamente reindirizzato al tuo provider OAuth per l'autenticazione.",
+    "loginOauthAutoRedirectButton": "Reindirizza ora",
+    "continueTitle": "Prosegui",
+    "continueRedirectingTitle": "Reindirizzamento...",
+    "continueRedirectingSubtitle": "Dovresti essere reindirizzato all'app a breve",
+    "continueRedirectManually": "Reindirizzami manualmente",
+    "continueInsecureRedirectTitle": "Destinazione non sicura",
+    "continueInsecureRedirectSubtitle": "Stai tentando un reindirizzamento da <code>https</code> a <code>http</code>, il che non è sicuro. Vuoi continuare davvero?",
+    "continueUntrustedRedirectTitle": "Destinazione non attendibile",
+    "continueUntrustedRedirectSubtitle": "Stai tentando un reindirizzamento a un dominio che non corrisponde al dominio configurato (<code>{{cookieDomain}}</code>). Vuoi continuare davvero?",
+    "logoutFailTitle": "Disconnessione fallita",
+    "logoutFailSubtitle": "Riprova",
+    "logoutSuccessTitle": "Disconnessione effettuata",
+    "logoutSuccessSubtitle": "Sei stato disconnesso",
+    "logoutTitle": "Disconnessione",
+    "logoutUsernameSubtitle": "Hai effettuato l'accesso come <code>{{username}}</code>. Clicca sul pulsante qui sotto per disconnetterti.",
+    "logoutOauthSubtitle": "Hai effettuato l'accesso come <code>{{username}}</code> attraverso il provider OAuth {{provider}}. Clicca sul pulsante qui sotto per uscire.",
+    "notFoundTitle": "Pagina non trovata",
+    "notFoundSubtitle": "La pagina che stai cercando non esiste.",
+    "notFoundButton": "Vai alla home",
+    "totpFailTitle": "Errore nella verifica del codice",
+    "totpFailSubtitle": "Si prega di controllare il codice e riprovare",
+    "totpSuccessTitle": "Verificato",
+    "totpSuccessSubtitle": "Reindirizzamento alla tua app",
+    "totpTitle": "Inserisci il tuo codice TOTP",
+    "totpSubtitle": "Inserisci il codice dalla tua app di autenticazione.",
+    "unauthorizedTitle": "Non autorizzato",
+    "unauthorizedResourceSubtitle": "L'utente <code>{{username}}</code> non è autorizzato ad accedere alla risorsa <code>{{resource}}</code>.",
+    "unauthorizedLoginSubtitle": "L'utente <code>{{username}}</code> non è autorizzato a effettuare l'accesso.",
+    "unauthorizedGroupsSubtitle": "L'utente <code>{{username}}</code> non fa parte dei gruppi richiesti dalla risorsa <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Il tuo indirizzo IP <code>{{ip}}</code> non è autorizzato ad accedere alla risorsa <code>{{resource}}</code>.",
+    "unauthorizedButton": "Riprova",
+    "cancelTitle": "Annulla",
+    "forgotPasswordTitle": "Password dimenticata?",
+    "failedToFetchProvidersTitle": "Impossibile caricare i provider di autenticazione. Si prega di controllare la configurazione.",
+    "errorTitle": "Si è verificato un errore",
+    "errorSubtitleInfo": "Si è verificato il seguente errore durante l'elaborazione della richiesta:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "forgotPasswordMessage": "Puoi reimpostare la tua password modificando la variabile d'ambiente `USERS`.",
+    "fieldRequired": "Questo campo è obbligatorio",
+    "invalidInput": "Input non valido",
+    "domainWarningTitle": "Dominio non valido",
+    "domainWarningSubtitle": "Questa istanza è configurata per essere accessibile da <code>{{appUrl}}</code>, ma la stai visitando da <code>{{currentUrl}}</code>. Se procedi, potresti incorrere in problemi di autenticazione.",
+    "ignoreTitle": "Ignora",
+    "goToCorrectDomainTitle": "Vai al dominio corretto",
+    "authorizeTitle": "Autorizza",
+    "authorizeCardTitle": "Continuare su {{app}}?",
+    "authorizeSubtitle": "Vuoi continuare su quest'app? Verifica attentamente i permessi richiesti dall'app.",
+    "authorizeSubtitleOAuth": "Vuoi continuare su quest'app?",
+    "authorizeLoadingTitle": "Caricamento...",
+    "authorizeLoadingSubtitle": "Attendi il caricamento delle informazioni del client.",
+    "authorizeSuccessTitle": "Autorizzato",
+    "authorizeSuccessSubtitle": "Verrai reindirizzato all'app in pochi secondi.",
+    "authorizeErrorClientInfo": "Si è verificato un errore durante il caricamento delle informazioni del client. Riprova.",
+    "authorizeErrorMissingParams": "I seguenti parametri sono mancanti: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Permetti all'app di accedere alle tue informazioni OpenID Connect.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Consenti all'app di accedere al tuo indirizzo email.",
+    "profileScopeName": "Profilo",
+    "profileScopeDescription": "Consenti all'app di accedere alle informazioni del tuo profilo.",
+    "groupsScopeName": "Gruppi",
+    "groupsScopeDescription": "Consenti all'app di accedere alle informazioni sui tuoi gruppi."
+}

frontend/src/lib/i18n/locales/ja-JP.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Forgot your password?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
     "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/ko-KR.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Forgot your password?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
     "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/nl-NL.json

@@ -1,37 +1,37 @@
 {
     "loginTitle": "Welkom terug, log in met",
-    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Or",
+    "loginTitleSimple": "Welkom terug, log in",
+    "loginDivider": "Of",
     "loginUsername": "Gebruikersnaam",
     "loginPassword": "Wachtwoord",
     "loginSubmit": "Log in",
     "loginFailTitle": "Mislukt om in te loggen",
     "loginFailSubtitle": "Controleer je gebruikersnaam en wachtwoord",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "Inloggen is te vaak mislukt. Probeer het later opnieuw",
     "loginSuccessTitle": "Ingelogd",
     "loginSuccessSubtitle": "Welkom terug!",
-    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "Er is een fout opgetreden",
     "loginOauthFailSubtitle": "Fout bij het ophalen van OAuth URL",
     "loginOauthSuccessTitle": "Omleiden",
     "loginOauthSuccessSubtitle": "Omleiden naar je OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectTitle": "OAuth automatische omleiding",
+    "loginOauthAutoRedirectSubtitle": "Je wordt automatisch omgeleid naar je OAuth provider om te authenticeren.",
+    "loginOauthAutoRedirectButton": "Nu omleiden",
     "continueTitle": "Ga verder",
     "continueRedirectingTitle": "Omleiden...",
     "continueRedirectingSubtitle": "Je wordt naar de app doorgestuurd",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Stuur mij handmatig door",
     "continueInsecureRedirectTitle": "Onveilige doorverwijzing",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "Je probeert door te verwijzen van <code>https</code> naar <code>http</code> die niet veilig is. Weet je zeker dat je wilt doorgaan?",
+    "continueUntrustedRedirectTitle": "Niet-vertrouwde doorverwijzing",
+    "continueUntrustedRedirectSubtitle": "Je probeert door te sturen naar een domein dat niet overeenkomt met je geconfigureerde domein (<code>{{cookieDomain}}</code>). Weet je zeker dat je wilt doorgaan?",
     "logoutFailTitle": "Afmelden mislukt",
     "logoutFailSubtitle": "Probeer het opnieuw",
     "logoutSuccessTitle": "Afgemeld",
     "logoutSuccessSubtitle": "Je bent afgemeld",
     "logoutTitle": "Afmelden",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutUsernameSubtitle": "Je bent momenteel ingelogd als <code>{{username}}</code>. Klik op de onderstaande knop om uit te loggen.",
+    "logoutOauthSubtitle": "Je bent momenteel ingelogd als <code>{{username}}</code> met behulp van de {{provider}} OAuth provider. Klik op de onderstaande knop om uit te loggen.",
     "notFoundTitle": "Pagina niet gevonden",
     "notFoundSubtitle": "De pagina die je zoekt bestaat niet.",
     "notFoundButton": "Naar startpagina",
@@ -40,23 +40,42 @@
     "totpSuccessTitle": "Geverifiëerd",
     "totpSuccessSubtitle": "Omleiden naar je app",
     "totpTitle": "Voer je TOTP-code in",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Voer de code van je authenticator-app in.",
     "unauthorizedTitle": "Ongeautoriseerd",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "De gebruiker met gebruikersnaam <code>{{username}}</code> is niet gemachtigd om de bron <code>{{resource}}</code> te gebruiken.",
+    "unauthorizedLoginSubtitle": "De gebruiker met gebruikersnaam <code>{{username}}</code> is niet gemachtigd om in te loggen.",
+    "unauthorizedGroupsSubtitle": "De gebruiker met gebruikersnaam <code>{{username}}</code> maakt geen deel uit van de groepen die vereist zijn door de bron <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Jouw IP-adres <code>{{ip}}</code> is niet gemachtigd om de bron <code>{{resource}}</code> te gebruiken.",
     "unauthorizedButton": "Opnieuw proberen",
-    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "An error occurred",
+    "cancelTitle": "Annuleren",
+    "forgotPasswordTitle": "Wachtwoord vergeten?",
+    "failedToFetchProvidersTitle": "Fout bij het laden van de authenticatie-providers. Controleer je configuratie.",
+    "errorTitle": "Er is een fout opgetreden",
+    "errorSubtitleInfo": "De volgende fout is opgetreden bij het verwerken van het verzoek:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "forgotPasswordMessage": "Je kunt je wachtwoord opnieuw instellen door de `USERS` omgevingsvariabele te wijzigen.",
+    "fieldRequired": "Dit veld is verplicht",
+    "invalidInput": "Ongeldige invoer",
+    "domainWarningTitle": "Ongeldig domein",
+    "domainWarningSubtitle": "Deze instantie is geconfigureerd voor toegang tot <code>{{appUrl}}</code>, maar <code>{{currentUrl}}</code> wordt gebruikt. Als je doorgaat, kun je problemen ondervinden met authenticatie.",
+    "ignoreTitle": "Negeren",
+    "goToCorrectDomainTitle": "Ga naar het juiste domein",
+    "authorizeTitle": "Autoriseren",
+    "authorizeCardTitle": "Doorgaan naar {{app}}?",
+    "authorizeSubtitle": "Doorgaan naar deze app? Controleer de machtigingen die door de app worden gevraagd.",
+    "authorizeSubtitleOAuth": "Doorgaan naar deze app?",
+    "authorizeLoadingTitle": "Laden...",
+    "authorizeLoadingSubtitle": "Even geduld bij het laden van de cliëntinformatie.",
+    "authorizeSuccessTitle": "Geautoriseerd",
+    "authorizeSuccessSubtitle": "Je wordt binnen enkele seconden doorgestuurd naar de app.",
+    "authorizeErrorClientInfo": "Er is een fout opgetreden tijdens het laden van de cliëntinformatie. Probeer het later opnieuw.",
+    "authorizeErrorMissingParams": "De volgende parameters ontbreken: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Hiermee kan de app toegang krijgen tot jouw OpenID Connect-informatie.",
+    "emailScopeName": "E-mail",
+    "emailScopeDescription": "Hiermee kan de app toegang krijgen tot jouw e-mailadres.",
+    "profileScopeName": "Profiel",
+    "profileScopeDescription": "Hiermee kan de app toegang krijgen tot je profielinformatie.",
+    "groupsScopeName": "Groepen",
+    "groupsScopeDescription": "Hiermee kan de app toegang krijgen tot jouw groepsinformatie."
+}

frontend/src/lib/i18n/locales/no-NO.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Forgot your password?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
     "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/pl-PL.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Nie pamiętasz hasła?",
     "failedToFetchProvidersTitle": "Nie udało się załadować dostawców uwierzytelniania. Sprawdź swoją konfigurację.",
     "errorTitle": "Wystąpił błąd",
+    "errorSubtitleInfo": "Podczas przetwarzania żądania wystąpił następujący błąd:",
     "errorSubtitle": "Wystąpił błąd podczas próby wykonania tej czynności. Sprawdź konsolę, aby uzyskać więcej informacji.",
     "forgotPasswordMessage": "Możesz zresetować hasło, zmieniając zmienną środowiskową `USERS`.",
     "fieldRequired": "To pole jest wymagane",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Nieprawidłowa domena",
     "domainWarningSubtitle": "Ta instancja jest skonfigurowana do uzyskania dostępu z <code>{{appUrl}}</code>, ale <code>{{currentUrl}}</code> jest w użyciu. Jeśli będziesz kontynuować, mogą wystąpić problemy z uwierzytelnianiem.",
     "ignoreTitle": "Zignoruj",
-    "goToCorrectDomainTitle": "Przejdź do prawidłowej domeny"
-}
+    "goToCorrectDomainTitle": "Przejdź do prawidłowej domeny",
+    "authorizeTitle": "Autoryzuj",
+    "authorizeCardTitle": "Kontynuować do {{app}}?",
+    "authorizeSubtitle": "Czy chcesz kontynuować do tej aplikacji? Uważnie zapoznaj się z uprawnieniami żądanymi przez aplikację.",
+    "authorizeSubtitleOAuth": "Czy chcesz kontynuować do tej aplikacji?",
+    "authorizeLoadingTitle": "Wczytywanie...",
+    "authorizeLoadingSubtitle": "Proszę czekać, aż załadujemy informacje o kliencie.",
+    "authorizeSuccessTitle": "Autoryzowano",
+    "authorizeSuccessSubtitle": "Za kilka sekund nastąpi przekierowanie do aplikacji.",
+    "authorizeErrorClientInfo": "Wystąpił błąd podczas ładowania informacji o kliencie. Spróbuj ponownie później.",
+    "authorizeErrorMissingParams": "Brakuje następujących parametrów: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Zezwala aplikacji na dostęp do informacji o OpenID Connect.",
+    "emailScopeName": "E-mail",
+    "emailScopeDescription": "Zezwala aplikacji na dostęp do adresów e-mail.",
+    "profileScopeName": "Profil",
+    "profileScopeDescription": "Zezwala aplikacji na dostęp do informacji o porfilu.",
+    "groupsScopeName": "Grupy",
+    "groupsScopeDescription": "Zezwala aplikacji na dostęp do informacji o grupie."
+}

frontend/src/lib/i18n/locales/pt-BR.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Esqueceu sua senha?",
     "failedToFetchProvidersTitle": "Falha ao carregar provedores de autenticação. Verifique sua configuração.",
     "errorTitle": "Ocorreu um erro",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "Ocorreu um erro ao tentar executar esta ação. Por favor, verifique o console para mais informações.",
     "forgotPasswordMessage": "Você pode redefinir sua senha alterando a variável de ambiente `USERS`.",
     "fieldRequired": "Este campo é obrigatório",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Domínio inválido",
     "domainWarningSubtitle": "Esta instância está configurada para ser acessada de <code>{{appUrl}}</code>, mas <code>{{currentUrl}}</code> está sendo usado. Se você continuar, você pode encontrar problemas com a autenticação.",
     "ignoreTitle": "Ignorar",
-    "goToCorrectDomainTitle": "Ir para o domínio correto"
-}
+    "goToCorrectDomainTitle": "Ir para o domínio correto",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/pt-PT.json

@@ -1,62 +1,81 @@
 {
-    "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Or",
-    "loginUsername": "Username",
-    "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "An error occurred",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
-    "continueTitle": "Continue",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueRedirectManually": "Redirect me manually",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
-    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "An error occurred",
-    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "loginTitle": "Bem-vindo de volta, inicia sessão com",
+    "loginTitleSimple": "Bem-vindo de volta, inicia sessão",
+    "loginDivider": "Ou",
+    "loginUsername": "Nome de utilizador",
+    "loginPassword": "Palavra-passe",
+    "loginSubmit": "Iniciar sessão",
+    "loginFailTitle": "Falha ao iniciar sessão",
+    "loginFailSubtitle": "Verifica o nome de utilizador e a palavra-passe",
+    "loginFailRateLimit": "Falhaste o início de sessão demasiadas vezes. Tenta novamente mais tarde",
+    "loginSuccessTitle": "Sessão iniciada",
+    "loginSuccessSubtitle": "Bem-vindo de volta!",
+    "loginOauthFailTitle": "Ocorreu um erro",
+    "loginOauthFailSubtitle": "Não foi possível obter o URL OAuth",
+    "loginOauthSuccessTitle": "A redirecionar",
+    "loginOauthSuccessSubtitle": "A redirecionar para o teu fornecedor OAuth",
+    "loginOauthAutoRedirectTitle": "Redirecionamento automático OAuth",
+    "loginOauthAutoRedirectSubtitle": "Vais ser redirecionado automaticamente para o teu fornecedor OAuth para autenticação.",
+    "loginOauthAutoRedirectButton": "Redirecionar agora",
+    "continueTitle": "Continuar",
+    "continueRedirectingTitle": "A redirecionar...",
+    "continueRedirectingSubtitle": "Deverás ser redirecionado para a aplicação em breve",
+    "continueRedirectManually": "Redirecionar manualmente",
+    "continueInsecureRedirectTitle": "Redirecionamento inseguro",
+    "continueInsecureRedirectSubtitle": "Estás a tentar redirecionar de <code>https</code> para <code>http</code>, o que não é seguro. Tens a certeza de que queres continuar?",
+    "continueUntrustedRedirectTitle": "Redirecionamento não fidedigno",
+    "continueUntrustedRedirectSubtitle": "Estás a tentar redirecionar para um domínio que não corresponde ao domínio configurado (<code>{{cookieDomain}}</code>). Tens a certeza de que queres continuar?",
+    "logoutFailTitle": "Falha ao terminar sessão",
+    "logoutFailSubtitle": "Tenta novamente",
+    "logoutSuccessTitle": "Sessão terminada",
+    "logoutSuccessSubtitle": "Terminaste a sessão com sucesso",
+    "logoutTitle": "Terminar sessão",
+    "logoutUsernameSubtitle": "Estás com sessão iniciada como <code>{{username}}</code>. Clica no botão abaixo para terminar sessão.",
+    "logoutOauthSubtitle": "Estás com sessão iniciada como <code>{{username}}</code> através do fornecedor OAuth {{provider}}. Clica no botão abaixo para terminar sessão.",
+    "notFoundTitle": "Página não encontrada",
+    "notFoundSubtitle": "A página que procuras não existe.",
+    "notFoundButton": "Ir para o início",
+    "totpFailTitle": "Falha na verificação do código",
+    "totpFailSubtitle": "Verifica o código e tenta novamente",
+    "totpSuccessTitle": "Verificado",
+    "totpSuccessSubtitle": "A redirecionar para a tua aplicação",
+    "totpTitle": "Introduz o teu código TOTP",
+    "totpSubtitle": "Introduz o código da tua aplicação de autenticação.",
+    "unauthorizedTitle": "Não autorizado",
+    "unauthorizedResourceSubtitle": "O utilizador com o nome <code>{{username}}</code> não tem autorização para aceder ao recurso <code>{{resource}}</code>.",
+    "unauthorizedLoginSubtitle": "O utilizador com o nome <code>{{username}}</code> não tem autorização para iniciar sessão.",
+    "unauthorizedGroupsSubtitle": "O utilizador com o nome <code>{{username}}</code> não pertence aos grupos exigidos pelo recurso <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "O teu endereço IP <code>{{ip}}</code> não tem autorização para aceder ao recurso <code>{{resource}}</code>.",
+    "unauthorizedButton": "Tentar novamente",
+    "cancelTitle": "Cancelar",
+    "forgotPasswordTitle": "Esqueceste-te da palavra-passe?",
+    "failedToFetchProvidersTitle": "Falha ao carregar os fornecedores de autenticação. Verifica a configuração.",
+    "errorTitle": "Ocorreu um erro",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitle": "Ocorreu um erro ao tentar executar esta ação. Consulta a consola para mais informações.",
+    "forgotPasswordMessage": "Podes redefinir a tua palavra-passe alterando a variável de ambiente `USERS`.",
+    "fieldRequired": "Este campo é obrigatório",
+    "invalidInput": "Entrada inválida",
+    "domainWarningTitle": "Domínio inválido",
+    "domainWarningSubtitle": "Esta instância está configurada para ser acedida a partir de <code>{{appUrl}}</code>, mas está a ser usado <code>{{currentUrl}}</code>. Se continuares, poderás ter problemas de autenticação.",
+    "ignoreTitle": "Ignorar",
+    "goToCorrectDomainTitle": "Ir para o domínio correto",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/ro-RO.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Forgot your password?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
     "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/ru-RU.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Забыли пароль?",
     "failedToFetchProvidersTitle": "Не удалось загрузить поставщика авторизации. Пожалуйста, проверьте конфигурацию.",
     "errorTitle": "Произошла ошибка",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "Произошла ошибка при попытке выполнить это действие. Проверьте консоль для дополнительной информации.",
     "forgotPasswordMessage": "Вы можете сбросить свой пароль, изменив переменную окружения `USERS`.",
     "fieldRequired": "Это поле является обязательным",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Неверный домен",
     "domainWarningSubtitle": "Этот экземпляр настроен на доступ к нему из <code>{{appUrl}}</code>, но <code>{{currentUrl}}</code> в настоящее время используется. Если вы продолжите, то могут возникнуть проблемы с авторизацией.",
     "ignoreTitle": "Игнорировать",
-    "goToCorrectDomainTitle": "Перейти к правильному домену"
-}
+    "goToCorrectDomainTitle": "Перейти к правильному домену",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/sr-SP.json

@@ -14,17 +14,17 @@
     "loginOauthFailSubtitle": "Неуспело преузимање OAuth адресе",
     "loginOauthSuccessTitle": "Преусмеравање",
     "loginOauthSuccessSubtitle": "Преусмеравање на вашег OAuth провајдера",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectTitle": "OAuth аутоматско преусмерење",
+    "loginOauthAutoRedirectSubtitle": "Бићете аутоматски преусмерени на вашег OAuth провајдера за аутентификацију.",
+    "loginOauthAutoRedirectButton": "Преусмери сада",
     "continueTitle": "Настави",
     "continueRedirectingTitle": "Преусмеравање...",
     "continueRedirectingSubtitle": "Требали би сте ускоро да будете преусмерени на апликацију",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Преусмери ме ручно",
     "continueInsecureRedirectTitle": "Небезбедно преусмеравање",
     "continueInsecureRedirectSubtitle": "Покушавате да преусмерите са <code>https</code> на <code>http</code> што није безбедно. Да ли желите да наставите?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectTitle": "Неповерљиво преусмерење",
+    "continueUntrustedRedirectSubtitle": "Покушавате да преусмерите на домен који се не поклапа са вашим подешеним доменом (<code>{{cookieDomain}}</code>). Да ли заиста желите да наставите?",
     "logoutFailTitle": "Неуспешно одјављивање",
     "logoutFailSubtitle": "Молим вас покушајте поново",
     "logoutSuccessTitle": "Одјављени",
@@ -51,12 +51,31 @@
     "forgotPasswordTitle": "Заборавили сте лозинку?",
     "failedToFetchProvidersTitle": "Није успело учитавање провајдера аутентификације. Молим вас проверите ваша подешавања.",
     "errorTitle": "Појавила се грешка",
+    "errorSubtitleInfo": "Појавила се следећа грешка током обраде вашег захтева:",
     "errorSubtitle": "Појавила се грешка при покушају извршавања ове радње. Молим вас проверите конзолу за додатне информације.",
     "forgotPasswordMessage": "Можете поништити вашу лозинку променом `USERS` променљиве окружења.",
-    "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "fieldRequired": "Ово поље је неопходно",
+    "invalidInput": "Неисправан унос",
+    "domainWarningTitle": "Неисправан домен",
+    "domainWarningSubtitle": "Ова инстанца је подешена да јој се приступа са <code>{{appUrl}}</code>, али се користи <code>{{currentUrl}}</code>. Ако наставите, можете искусити проблеме са аутентификацијом.",
+    "ignoreTitle": "Игнориши",
+    "goToCorrectDomainTitle": "Иди на исправан домен",
+    "authorizeTitle": "Ауторизуј",
+    "authorizeCardTitle": "Наставити на {{app}}?",
+    "authorizeSubtitle": "Да ли желите да наставите на ову апликацију? Пажљиво проверите дозволе које вам тражи апликација.",
+    "authorizeSubtitleOAuth": "Да ли желите да наставите на ову апликацију?",
+    "authorizeLoadingTitle": "Учитавање...",
+    "authorizeLoadingSubtitle": "Молим вас сачекајте док ми учитамо информације о клијенту.",
+    "authorizeSuccessTitle": "Ауторизован",
+    "authorizeSuccessSubtitle": "Бићете преусмерени на апликацију за неколико секунди.",
+    "authorizeErrorClientInfo": "Појавила се грешка током учитавања информација о клијенту. Молим вас покушајте поново касније.",
+    "authorizeErrorMissingParams": "Следећи параметри недостају: {{missingParams}}",
+    "openidScopeName": "OpenID повезивање",
+    "openidScopeDescription": "Омогућава апликацији да приступа информацији о вашој OpenID вези.",
+    "emailScopeName": "Е-пошта",
+    "emailScopeDescription": "Омогућава апликацији да приступа вашој адреси е-поште.",
+    "profileScopeName": "Профил",
+    "profileScopeDescription": "Омогућава апликацији да приступа информацијама о вашем профилу.",
+    "groupsScopeName": "Групе",
+    "groupsScopeDescription": "Омогућава апликацији да приступа информацијама о вашој групи."
+}

frontend/src/lib/i18n/locales/sv-SE.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Forgot your password?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
     "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/tr-TR.json

@@ -1,62 +1,81 @@
 {
-    "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Or",
+    "loginTitle": "Tekrar Hoş Geldiniz, giriş yapın",
+    "loginTitleSimple": "Tekrar hoş geldiniz, lütfen giriş yapın",
+    "loginDivider": "Ya da",
     "loginUsername": "Kullanıcı Adı",
     "loginPassword": "Şifre",
     "loginSubmit": "Giriş Yap",
     "loginFailTitle": "Giriş yapılamadı",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailSubtitle": "Lütfen kullanıcı adınızı ve şifrenizi kontrol edin",
+    "loginFailRateLimit": "Çok fazla kez giriş yapma girişiminde bulundunuz. Lütfen daha sonra tekrar deneyin",
     "loginSuccessTitle": "Giriş yapıldı",
     "loginSuccessSubtitle": "Tekrar hoş geldiniz!",
-    "loginOauthFailTitle": "An error occurred",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailTitle": "Hata oluştu",
+    "loginOauthFailSubtitle": "OAuth URL'si alınamadı",
     "loginOauthSuccessTitle": "Yönlendiriliyor",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthSuccessSubtitle": "OAuth sağlayıcınıza yönlendiriliyor",
+    "loginOauthAutoRedirectTitle": "OAuth Otomatik Yönlendirme",
+    "loginOauthAutoRedirectSubtitle": "Kimlik doğrulama işlemi için otomatik olarak OAuth sağlayıcınıza yönlendirileceksiniz.",
+    "loginOauthAutoRedirectButton": "Şimdi Yönlendir",
     "continueTitle": "Devam et",
     "continueRedirectingTitle": "Yönlendiriliyor...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueRedirectManually": "Redirect me manually",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Failed to log out",
+    "continueRedirectingSubtitle": "Kısa süre içinde uygulamaya yönlendirileceksiniz",
+    "continueRedirectManually": "Beni manuel olarak yönlendir",
+    "continueInsecureRedirectTitle": "Güvenli olmayan yönlendirme",
+    "continueInsecureRedirectSubtitle": "<code>http</code> adresinden <code>http</code> adresine yönlendirme yapmaya çalışıyorsunuz, bu güvenli değil. Devam etmek istediğinizden emin misiniz?",
+    "continueUntrustedRedirectTitle": "Güvenilmeyen yönlendirme",
+    "continueUntrustedRedirectSubtitle": "Yapılandırdığınız alan adıyla eşleşmeyen bir alana yönlendirme yapmaya çalışıyorsunuz (<code>{{cookieDomain}}</code>). Devam etmek istediğinize emin misiniz?",
+    "logoutFailTitle": "Çıkış Yapılamadı",
     "logoutFailSubtitle": "Lütfen tekrar deneyin",
     "logoutSuccessTitle": "Çıkış yapıldı",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutSuccessSubtitle": "Çıkış yaptınız",
+    "logoutTitle": "Çıkış yap",
+    "logoutUsernameSubtitle": "<code>{{username}}</code> olarak giriş yapmış durumdasınız. Çıkış yapmak için aşağıdaki düğmeye tıklayın.",
+    "logoutOauthSubtitle": "Şu anda {{provider}} OAuth sağlayıcısını kullanarak <code>{{username}}</code> olarak oturum açmış durumdasınız. Oturumunuzu kapatmak için aşağıdaki düğmeye tıklayın.",
     "notFoundTitle": "Sayfa bulunamadı",
     "notFoundSubtitle": "Aradığınız sayfa mevcut değil.",
     "notFoundButton": "Ana sayfaya git",
     "totpFailTitle": "Kod doğrulanamadı",
-    "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Lütfen kodunuzu kontrol edin ve tekrar deneyin",
     "totpSuccessTitle": "Doğrulandı",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
+    "totpSuccessSubtitle": "Uygulamanıza yönlendiriliyor",
+    "totpTitle": "TOTP kodunuzu girin",
+    "totpSubtitle": "Lütfen kimlik doğrulama uygulamanızdan aldığınız kodu girin.",
+    "unauthorizedTitle": "Yetkisiz",
+    "unauthorizedResourceSubtitle": "Kullanıcı adı <code>{{username}}</code> olan kullanıcının <code>{{resource}}</code> kaynağına erişim yetkisi bulunmamaktadır.",
+    "unauthorizedLoginSubtitle": "Kullanıcı adı <code>{{username}}</code> olan kullanıcının oturum açma yetkisi yok.",
+    "unauthorizedGroupsSubtitle": "Kullanıcı adı <code>{{username}}</code> olan kullanıcı, <code>{{resource}}</code> kaynağının gerektirdiği gruplarda bulunmuyor.",
+    "unauthorizedIpSubtitle": "IP adresiniz <code>{{ip}}</code>, <code>{{resource}}</code> kaynağına erişim yetkisine sahip değil.",
+    "unauthorizedButton": "Tekrar deneyin",
     "cancelTitle": "İptal",
-    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "An error occurred",
+    "forgotPasswordTitle": "Şifrenizi mi unuttunuz?",
+    "failedToFetchProvidersTitle": "Kimlik doğrulama sağlayıcıları yüklenemedi. Lütfen yapılandırmanızı kontrol edin.",
+    "errorTitle": "Bir hata oluştu",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "forgotPasswordMessage": "Parolanızı `USERS` ortam değişkenini değiştirerek sıfırlayabilirsiniz.",
+    "fieldRequired": "Bu alan zorunludur",
+    "invalidInput": "Geçersiz girdi",
+    "domainWarningTitle": "Geçersiz alan adı",
+    "domainWarningSubtitle": "Bu örnek, <code>{{appUrl}}</code> adresinden erişilecek şekilde yapılandırılmıştır, ancak <code>{{currentUrl}}</code> kullanılmaktadır. Devam ederseniz, kimlik doğrulama ile ilgili sorunlarla karşılaşabilirsiniz.",
+    "ignoreTitle": "Yoksay",
+    "goToCorrectDomainTitle": "Doğru alana gidin",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/uk-UA.json

@@ -1,62 +1,81 @@
 {
     "loginTitle": "З поверненням, увійдіть через",
-    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Or",
-    "loginUsername": "Username",
-    "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "An error occurred",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
-    "continueTitle": "Continue",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueRedirectManually": "Redirect me manually",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
-    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "An error occurred",
+    "loginTitleSimple": "З поверненням, будь ласка, авторизуйтесь",
+    "loginDivider": "Або",
+    "loginUsername": "Ім'я користувача",
+    "loginPassword": "Пароль",
+    "loginSubmit": "Увійти",
+    "loginFailTitle": "Не вдалося авторизуватися",
+    "loginFailSubtitle": "Перевірте ім'я користувача та пароль",
+    "loginFailRateLimit": "Ви не змогли увійти занадто багато разів. Будь ласка, спробуйте ще раз пізніше",
+    "loginSuccessTitle": "Вхід здійснено",
+    "loginSuccessSubtitle": "З поверненням!",
+    "loginOauthFailTitle": "Виникла помилка",
+    "loginOauthFailSubtitle": "Не вдалося отримати OAuth URL",
+    "loginOauthSuccessTitle": "Перенаправляємо",
+    "loginOauthSuccessSubtitle": "Перенаправляємо до вашого провайдера OAuth",
+    "loginOauthAutoRedirectTitle": "Автоматичне переспрямування OAuth",
+    "loginOauthAutoRedirectSubtitle": "Ви будете автоматично перенаправлені до вашого провайдера OAuth для автентифікації.",
+    "loginOauthAutoRedirectButton": "Перейти зараз",
+    "continueTitle": "Продовжити",
+    "continueRedirectingTitle": "Перенаправлення...",
+    "continueRedirectingSubtitle": "Незабаром ви будете перенаправлені в додаток",
+    "continueRedirectManually": "Перенаправити мене вручну",
+    "continueInsecureRedirectTitle": "Небезпечне перенаправлення",
+    "continueInsecureRedirectSubtitle": "Ви намагаєтесь перенаправити з <code>https</code> на <code>http</code> який не є безпечним. Ви впевнені, що хочете продовжити?",
+    "continueUntrustedRedirectTitle": "Недовірене перенаправлення",
+    "continueUntrustedRedirectSubtitle": "Ви намагаєтесь перенаправити на домен, який не збігається з вашим налаштованим доменом (<code>{{cookieDomain}}</code>). Впевнені, що хочете продовжити?",
+    "logoutFailTitle": "Не вдалося вийти",
+    "logoutFailSubtitle": "Будь ласка, спробуйте знову",
+    "logoutSuccessTitle": "Ви вийшли",
+    "logoutSuccessSubtitle": "Ви вийшли з системи",
+    "logoutTitle": "Вийти",
+    "logoutUsernameSubtitle": "Зараз ви увійшли як <code>{{username}}</code>. Натисніть кнопку нижче для виходу.",
+    "logoutOauthSubtitle": "Наразі ви увійшли як <code>{{username}}</code> використовуючи провайдера {{provider}} OAuth. Натисніть кнопку нижче, щоб вийти.",
+    "notFoundTitle": "Сторінку не знайдено",
+    "notFoundSubtitle": "Сторінка, яку ви шукаєте, не існує.",
+    "notFoundButton": "На головну",
+    "totpFailTitle": "Не вдалося перевірити код",
+    "totpFailSubtitle": "Перевірте ваш код і спробуйте ще раз",
+    "totpSuccessTitle": "Перевірено",
+    "totpSuccessSubtitle": "Перенаправлення до вашого додатку",
+    "totpTitle": "Введіть ваш TOTP код",
+    "totpSubtitle": "Будь ласка, введіть код з вашого додатку для автентифікації.",
+    "unauthorizedTitle": "Доступ обмежено",
+    "unauthorizedResourceSubtitle": "Користувач з ім'ям користувача <code>{{username}}</code> не має права доступу до ресурсу <code>{{resource}}</code>.",
+    "unauthorizedLoginSubtitle": "Користувач з іменем <code>{{username}}</code> не авторизований для входу.",
+    "unauthorizedGroupsSubtitle": "Користувач з іменем <code>{{username}}</code> не входить до груп, що необхідні для ресурсу <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Ваша IP-адреса <code>{{ip}}</code> не авторизована для доступу до ресурсу <code>{{resource}}</code>.",
+    "unauthorizedButton": "Спробуйте ще раз",
+    "cancelTitle": "Скасовувати",
+    "forgotPasswordTitle": "Забули пароль?",
+    "failedToFetchProvidersTitle": "Не вдалося завантажити провайдерів автентифікації. Будь ласка, перевірте вашу конфігурацію.",
+    "errorTitle": "Виникла помилка",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "forgotPasswordMessage": "Ви можете скинути пароль, змінивши змінну середовища \"USERS\".",
+    "fieldRequired": "Це поле обов'язкове для заповнення",
+    "invalidInput": "Невірне введення",
+    "domainWarningTitle": "Невірний домен",
+    "domainWarningSubtitle": "Даний ресурс налаштований для доступу з <code>{{appUrl}}</code>, але використовується <code>{{currentUrl}}</code>. Якщо ви продовжите, можуть виникнути проблеми з автентифікацією.",
+    "ignoreTitle": "Ігнорувати",
+    "goToCorrectDomainTitle": "Перейти за коректним доменом",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/vi-VN.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "Bạn quên mật khẩu?",
     "failedToFetchProvidersTitle": "Không tải được nhà cung cấp xác thực. Vui lòng kiểm tra cấu hình của bạn.",
     "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
     "errorSubtitle": "Đã xảy ra lỗi khi thực hiện thao tác này. Vui lòng kiểm tra bảng điều khiển để biết thêm thông tin.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "Invalid Domain",
     "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
     "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
-}
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
+}

frontend/src/lib/i18n/locales/zh-CN.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "忘记密码？",
     "failedToFetchProvidersTitle": "加载身份验证提供程序失败，请检查您的配置。",
     "errorTitle": "发生了错误",
+    "errorSubtitleInfo": "处理您的请求时发生了以下错误：",
     "errorSubtitle": "执行此操作时发生错误，请检查控制台以获取更多信息。",
     "forgotPasswordMessage": "您可以通过更改 `USERS ` 环境变量重置您的密码。",
     "fieldRequired": "必添字段",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "无效域名",
     "domainWarningSubtitle": "当前实例配置的访问地址为 <code>{{appUrl}}</code>，但您正在使用 <code>{{currentUrl}}</code>。若继续操作，可能会遇到身份验证问题。",
     "ignoreTitle": "忽略",
-    "goToCorrectDomainTitle": "转到正确的域名"
-}
+    "goToCorrectDomainTitle": "转到正确的域名",
+    "authorizeTitle": "授权",
+    "authorizeCardTitle": "继续访问 {{app}}？",
+    "authorizeSubtitle": "您想继续使用此应用程序吗？请仔细查看该应用程序请求的权限",
+    "authorizeSubtitleOAuth": "您想要继续使用此应用吗？",
+    "authorizeLoadingTitle": "正在加载...",
+    "authorizeLoadingSubtitle": "正在加载客户端信息，请稍候。",
+    "authorizeSuccessTitle": "已授权",
+    "authorizeSuccessSubtitle": "您将在几秒钟内被重定向到应用程序。",
+    "authorizeErrorClientInfo": "加载客户端信息时发生错误。请稍后再试。",
+    "authorizeErrorMissingParams": "参数缺失：{{missingParams}}",
+    "openidScopeName": "OpenID 连接",
+    "openidScopeDescription": "允许应用访问您的 OpenID 连接信息。",
+    "emailScopeName": "邮箱",
+    "emailScopeDescription": "允许应用访问您的邮箱地址。",
+    "profileScopeName": "个人资料",
+    "profileScopeDescription": "允许应用访问您的个人信息。",
+    "groupsScopeName": "分组",
+    "groupsScopeDescription": "允许应用程序访问您的群组信息。"
+}

frontend/src/lib/i18n/locales/zh-TW.json

@@ -51,6 +51,7 @@
     "forgotPasswordTitle": "忘記密碼？",
     "failedToFetchProvidersTitle": "載入驗證供應商失敗。請檢查您的設定。",
     "errorTitle": "發生錯誤",
+    "errorSubtitleInfo": "處理您的請求時，發生了以下錯誤：",
     "errorSubtitle": "執行此操作時發生錯誤。請檢查主控台以獲取更多資訊。",
     "forgotPasswordMessage": "透過修改 `USERS` 環境變數，你可以重設你的密碼。",
     "fieldRequired": "此為必填欄位",
@@ -58,5 +59,23 @@
     "domainWarningTitle": "無效的網域",
     "domainWarningSubtitle": "此服務設定為透過 <code>{{appUrl}}</code> 存取，但目前使用的是 <code>{{currentUrl}}</code>。若繼續操作，可能會遇到驗證問題。",
     "ignoreTitle": "忽略",
-    "goToCorrectDomainTitle": "前往正確域名"
-}
+    "goToCorrectDomainTitle": "前往正確域名",
+    "authorizeTitle": "授權",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "正在載入…",
+    "authorizeLoadingSubtitle": "正在加载客户端信息，请稍候。",
+    "authorizeSuccessTitle": "已授權",
+    "authorizeSuccessSubtitle": "幾秒鐘內您將會被重新導向至應用程式。",
+    "authorizeErrorClientInfo": "載入用戶端資訊時發生錯誤。請稍後再試。",
+    "authorizeErrorMissingParams": "下列參數遺失：{{missingParams}}",
+    "openidScopeName": "OpenID 連接",
+    "openidScopeDescription": "允許該應用程式存取您的 OpenID Connect 資訊。",
+    "emailScopeName": "電子郵件",
+    "emailScopeDescription": "允許該應用程式存取您的電子郵件地址。",
+    "profileScopeName": "個人檔案",
+    "profileScopeDescription": "允許該應用程式存取您的個人資料。",
+    "groupsScopeName": "群組",
+    "groupsScopeDescription": "允許該應用程式存取您的群組資訊。"
+}

frontend/src/lib/utils.ts

@@ -5,15 +5,6 @@ export function cn(...inputs: ClassValue[]) {
   return twMerge(clsx(inputs));
 }
 
-export const isValidUrl = (url: string) => {
-  try {
-    new URL(url);
-    return true;
-  } catch {
-    return false;
-  }
-};
-
 export const capitalize = (str: string) => {
   return str.charAt(0).toUpperCase() + str.slice(1);
 };

frontend/src/main.tsx

@@ -18,6 +18,7 @@ import { UserContextProvider } from "./context/user-context.tsx";
 import { Toaster } from "@/components/ui/sonner";
 import { ThemeProvider } from "./components/providers/theme-provider.tsx";
 import { AuthorizePage } from "./pages/authorize-page.tsx";
+import { TooltipProvider } from "@/components/ui/tooltip";
 
 const queryClient = new QueryClient();
 
@@ -26,28 +27,33 @@ createRoot(document.getElementById("root")!).render(
     <QueryClientProvider client={queryClient}>
       <AppContextProvider>
         <UserContextProvider>
-          <ThemeProvider defaultTheme="system" storageKey="tinyauth-theme">
-            <BrowserRouter>
-              <Routes>
-                <Route element={<Layout />} errorElement={<ErrorPage />}>
-                  <Route path="/" element={<App />} />
-                  <Route path="/login" element={<LoginPage />} />
-                  <Route path="/authorize" element={<AuthorizePage />} />
-                  <Route path="/logout" element={<LogoutPage />} />
-                  <Route path="/continue" element={<ContinuePage />} />
-                  <Route path="/totp" element={<TotpPage />} />
-                  <Route
-                    path="/forgot-password"
-                    element={<ForgotPasswordPage />}
-                  />
-                  <Route path="/unauthorized" element={<UnauthorizedPage />} />
-                  <Route path="/error" element={<ErrorPage />} />
-                  <Route path="*" element={<NotFoundPage />} />
-                </Route>
-              </Routes>
-            </BrowserRouter>
-            <Toaster />
-          </ThemeProvider>
+          <TooltipProvider>
+            <ThemeProvider defaultTheme="system" storageKey="tinyauth-theme">
+              <BrowserRouter>
+                <Routes>
+                  <Route element={<Layout />} errorElement={<ErrorPage />}>
+                    <Route path="/" element={<App />} />
+                    <Route path="/login" element={<LoginPage />} />
+                    <Route path="/authorize" element={<AuthorizePage />} />
+                    <Route path="/logout" element={<LogoutPage />} />
+                    <Route path="/continue" element={<ContinuePage />} />
+                    <Route path="/totp" element={<TotpPage />} />
+                    <Route
+                      path="/forgot-password"
+                      element={<ForgotPasswordPage />}
+                    />
+                    <Route
+                      path="/unauthorized"
+                      element={<UnauthorizedPage />}
+                    />
+                    <Route path="/error" element={<ErrorPage />} />
+                    <Route path="*" element={<NotFoundPage />} />
+                  </Route>
+                </Routes>
+              </BrowserRouter>
+              <Toaster />
+            </ThemeProvider>
+          </TooltipProvider>
         </UserContextProvider>
       </AppContextProvider>
     </QueryClientProvider>

frontend/src/pages/authorize-page.tsx

@@ -18,6 +18,11 @@ import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
 import { Mail, Shield, User, Users } from "lucide-react";
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipTrigger,
+} from "@/components/ui/tooltip";
 
 type Scope = {
   id: string;
@@ -27,7 +32,7 @@ type Scope = {
 };
 
 const scopeMapIconProps = {
-  className: "stroke-card stroke-2.5",
+  className: "stroke-muted-foreground stroke-[1.75] h-4",
 };
 
 const createScopeMap = (t: TFunction<"translation", undefined>): Scope[] => {
@@ -124,13 +129,15 @@ export const AuthorizePage = () => {
 
   if (getClientInfo.isLoading) {
     return (
-      <Card className="min-w-xs sm:min-w-sm">
+      <Card className="gap-0">
         <CardHeader>
-          <CardTitle className="text-3xl">
+          <CardTitle className="text-xl">
             {t("authorizeLoadingTitle")}
           </CardTitle>
-          <CardDescription>{t("authorizeLoadingSubtitle")}</CardDescription>
         </CardHeader>
+        <CardContent>
+          <CardDescription>{t("authorizeLoadingSubtitle")}</CardDescription>
+        </CardContent>
       </Card>
     );
   }
@@ -145,41 +152,46 @@ export const AuthorizePage = () => {
   }
 
   return (
-    <Card className="min-w-xs sm:min-w-sm mx-4">
-      <CardHeader>
-        <CardTitle className="text-3xl">
-          {t("authorizeCardTitle", {
-            app: getClientInfo.data?.name || "Unknown",
-          })}
-        </CardTitle>
-        <CardDescription>
-          {scopes.includes("openid")
-            ? t("authorizeSubtitle")
-            : t("authorizeSubtitleOAuth")}
-        </CardDescription>
+    <Card>
+      <CardHeader className="mb-2">
+        <div className="flex flex-col gap-3 items-center justify-center">
+          <div className="bg-accent-foreground text-muted text-xl font-bold font-sans rounded-lg px-4 py-3">
+            {getClientInfo.data?.name.slice(0, 1)}
+          </div>
+          <CardTitle className="text-xl">
+            {t("authorizeCardTitle", {
+              app: getClientInfo.data?.name || "Unknown",
+            })}
+          </CardTitle>
+          <CardDescription className="text-sm max-w-sm text-center">
+            {scopes.includes("openid")
+              ? t("authorizeSubtitle")
+              : t("authorizeSubtitleOAuth")}
+          </CardDescription>
+        </div>
       </CardHeader>
-      {scopes.includes("openid") && (
-        <CardContent className="flex flex-col gap-4">
-          {scopes.map((id) => {
-            const scope = scopeMap.find((s) => s.id === id);
-            if (!scope) return null;
-            return (
-              <div key={scope.id} className="flex flex-row items-center gap-3">
-                <div className="p-2 flex flex-col items-center justify-center bg-card-foreground rounded-md">
-                  {scope.icon}
-                </div>
-                <div className="flex flex-col gap-0.5">
-                  <div className="text-md">{scope.name}</div>
-                  <div className="text-sm text-muted-foreground">
-                    {scope.description}
-                  </div>
-                </div>
-              </div>
-            );
-          })}
-        </CardContent>
-      )}
-      <CardFooter className="flex flex-col items-stretch gap-2">
+      <CardContent className="mb-2">
+        {scopes.includes("openid") && (
+          <div className="flex flex-wrap gap-2 items-center justify-center">
+            {scopes.map((id) => {
+              const scope = scopeMap.find((s) => s.id === id);
+              if (!scope) return null;
+              return (
+                <Tooltip key={scope.id}>
+                  <TooltipTrigger className="flex flex-row justify-center items-center gap-1 rounded-full bg-secondary font-light pl-2 pr-4 py-1 border-border border">
+                    <div>{scope.icon}</div>
+                    <div className="text-sm text-accent-foreground">
+                      {scope.name}
+                    </div>
+                  </TooltipTrigger>
+                  <TooltipContent>{scope.description}</TooltipContent>
+                </Tooltip>
+              );
+            })}
+          </div>
+        )}
+      </CardContent>
+      <CardFooter className="flex flex-col items-stretch gap-3">
         <Button
           onClick={() => authorizeMutation.mutate()}
           loading={authorizeMutation.isPending}

frontend/src/pages/continue-page.tsx

@@ -8,10 +8,10 @@ import {
 } from "@/components/ui/card";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
-import { isValidUrl } from "@/lib/utils";
 import { Trans, useTranslation } from "react-i18next";
 import { Navigate, useLocation, useNavigate } from "react-router";
-import { useEffect, useState } from "react";
+import { useCallback, useEffect, useRef, useState } from "react";
+import { useRedirectUri } from "@/lib/hooks/redirect-uri";
 
 export const ContinuePage = () => {
   const { cookieDomain, disableUiWarnings } = useAppContext();
@@ -20,59 +20,55 @@ export const ContinuePage = () => {
   const { t } = useTranslation();
   const navigate = useNavigate();
 
-  const [loading, setLoading] = useState(false);
+  const [isLoading, setIsLoading] = useState(false);
   const [showRedirectButton, setShowRedirectButton] = useState(false);
+  const hasRedirected = useRef(false);
 
   const searchParams = new URLSearchParams(search);
   const redirectUri = searchParams.get("redirect_uri");
 
-  const isValidRedirectUri =
-    redirectUri !== null ? isValidUrl(redirectUri) : false;
-  const redirectUriObj = isValidRedirectUri
-    ? new URL(redirectUri as string)
-    : null;
-  const isTrustedRedirectUri =
-    redirectUriObj !== null
-      ? redirectUriObj.hostname === cookieDomain ||
-        redirectUriObj.hostname.endsWith(`.${cookieDomain}`)
-      : false;
-  const isAllowedRedirectProto =
-    redirectUriObj !== null
-      ? redirectUriObj.protocol === "https:" ||
-        redirectUriObj.protocol === "http:"
-      : false;
-  const isHttpsDowngrade =
-    redirectUriObj !== null
-      ? redirectUriObj.protocol === "http:" &&
-        window.location.protocol === "https:"
-      : false;
+  const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
+    redirectUri,
+    cookieDomain,
+  );
 
-  const handleRedirect = () => {
-    setLoading(true);
-    window.location.assign(redirectUriObj!.toString());
-  };
+  const urlHref = url?.href;
 
-  useEffect(() => {
-    if (!isLoggedIn) {
+  const hasValidRedirect = valid && allowedProto;
+  const showUntrustedWarning =
+    hasValidRedirect && !trusted && !disableUiWarnings;
+  const showInsecureWarning =
+    hasValidRedirect && httpsDowngrade && !disableUiWarnings;
+  const shouldAutoRedirect =
+    isLoggedIn &&
+    hasValidRedirect &&
+    !showUntrustedWarning &&
+    !showInsecureWarning;
+
+  const redirectToTarget = useCallback(() => {
+    if (!urlHref || hasRedirected.current) {
       return;
     }
 
-    if (
-      (!isValidRedirectUri ||
-        !isAllowedRedirectProto ||
-        !isTrustedRedirectUri ||
-        isHttpsDowngrade) &&
-      !disableUiWarnings
-    ) {
+    hasRedirected.current = true;
+    window.location.assign(urlHref);
+  }, [urlHref]);
+
+  const handleRedirect = useCallback(() => {
+    setIsLoading(true);
+    redirectToTarget();
+  }, [redirectToTarget]);
+
+  useEffect(() => {
+    if (!shouldAutoRedirect) {
       return;
     }
 
     const auto = setTimeout(() => {
-      handleRedirect();
+      redirectToTarget();
     }, 100);
 
     const reveal = setTimeout(() => {
-      setLoading(false);
       setShowRedirectButton(true);
     }, 5000);
 
@@ -80,26 +76,26 @@ export const ContinuePage = () => {
       clearTimeout(auto);
       clearTimeout(reveal);
     };
-  });
+  }, [shouldAutoRedirect, redirectToTarget]);
 
   if (!isLoggedIn) {
     return (
       <Navigate
-        to={`/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`}
+        to={`/login${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
         replace
       />
     );
   }
 
-  if (!isValidRedirectUri || !isAllowedRedirectProto) {
+  if (!hasValidRedirect) {
     return <Navigate to="/logout" replace />;
   }
 
-  if (!isTrustedRedirectUri && !disableUiWarnings) {
+  if (showUntrustedWarning) {
     return (
-      <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
+      <Card role="alert" aria-live="assertive">
         <CardHeader>
-          <CardTitle className="text-3xl">
+          <CardTitle className="text-xl">
             {t("continueUntrustedRedirectTitle")}
           </CardTitle>
           <CardDescription>
@@ -110,13 +106,14 @@ export const ContinuePage = () => {
                 code: <code />,
               }}
               values={{ cookieDomain }}
+              shouldUnescape={true}
             />
           </CardDescription>
         </CardHeader>
-        <CardFooter className="flex flex-col items-stretch gap-2">
+        <CardFooter className="flex flex-col items-stretch gap-3">
           <Button
             onClick={handleRedirect}
-            loading={loading}
+            loading={isLoading}
             variant="destructive"
           >
             {t("continueTitle")}
@@ -124,7 +121,7 @@ export const ContinuePage = () => {
           <Button
             onClick={() => navigate("/logout")}
             variant="outline"
-            disabled={loading}
+            disabled={isLoading}
           >
             {t("cancelTitle")}
           </Button>
@@ -133,9 +130,9 @@ export const ContinuePage = () => {
     );
   }
 
-  if (isHttpsDowngrade && !disableUiWarnings) {
+  if (showInsecureWarning) {
     return (
-      <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
+      <Card role="alert" aria-live="assertive">
         <CardHeader>
           <CardTitle className="text-3xl">
             {t("continueInsecureRedirectTitle")}
@@ -150,14 +147,18 @@ export const ContinuePage = () => {
             />
           </CardDescription>
         </CardHeader>
-        <CardFooter className="flex flex-col items-stretch gap-2">
-          <Button onClick={handleRedirect} loading={loading} variant="warning">
+        <CardFooter className="flex flex-col items-stretch gap-3">
+          <Button
+            onClick={handleRedirect}
+            loading={isLoading}
+            variant="warning"
+          >
             {t("continueTitle")}
           </Button>
           <Button
             onClick={() => navigate("/logout")}
             variant="outline"
-            disabled={loading}
+            disabled={isLoading}
           >
             {t("cancelTitle")}
           </Button>
@@ -167,9 +168,9 @@ export const ContinuePage = () => {
   }
 
   return (
-    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader>
-        <CardTitle className="text-3xl">
+    <Card className="min-w-xs">
+      <CardHeader className="gap-1.5">
+        <CardTitle className="text-xl">
           {t("continueRedirectingTitle")}
         </CardTitle>
         <CardDescription>{t("continueRedirectingSubtitle")}</CardDescription>

frontend/src/pages/error-page.tsx

@@ -14,10 +14,10 @@ export const ErrorPage = () => {
   const error = searchParams.get("error") ?? "";
 
   return (
-    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader>
-        <CardTitle className="text-3xl">{t("errorTitle")}</CardTitle>
-        <CardDescription className="flex flex-col gap-1.5">
+    <Card className="min-w-xs">
+      <CardHeader className="gap-1.5">
+        <CardTitle className="text-xl">{t("errorTitle")}</CardTitle>
+        <CardDescription className="flex flex-col gap-3">
           {error ? (
             <>
               <p>{t("errorSubtitleInfo")}</p>

frontend/src/pages/forgot-password-page.tsx

@@ -1,5 +1,6 @@
 import {
   Card,
+  CardContent,
   CardDescription,
   CardHeader,
   CardTitle,
@@ -13,13 +14,19 @@ export const ForgotPasswordPage = () => {
   const { t } = useTranslation();
 
   return (
-    <Card className="min-w-xs sm:min-w-sm">
+    <Card>
       <CardHeader>
-        <CardTitle className="text-3xl">{t("forgotPasswordTitle")}</CardTitle>
-        <CardDescription>
-          <Markdown>{forgotPasswordMessage !== "" ? forgotPasswordMessage : t('forgotPasswordMessage')}</Markdown>
-        </CardDescription>
+        <CardTitle className="text-xl">{t("forgotPasswordTitle")}</CardTitle>
       </CardHeader>
+      <CardContent>
+        <CardDescription>
+          <Markdown>
+            {forgotPasswordMessage !== ""
+              ? forgotPasswordMessage
+              : t("forgotPasswordMessage")}
+          </Markdown>
+        </CardDescription>
+      </CardContent>
     </Card>
   );
 };

frontend/src/pages/login-page.tsx

@@ -22,7 +22,7 @@ import { useOIDCParams } from "@/lib/hooks/oidc";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
-import { useEffect, useRef, useState } from "react";
+import { useEffect, useId, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
@@ -40,13 +40,16 @@ export const LoginPage = () => {
   const { providers, title, oauthAutoRedirect } = useAppContext();
   const { search } = useLocation();
   const { t } = useTranslation();
-  const [oauthAutoRedirectHandover, setOauthAutoRedirectHandover] =
-    useState(false);
+
   const [showRedirectButton, setShowRedirectButton] = useState(false);
 
+  const hasAutoRedirectedRef = useRef(false);
+
   const redirectTimer = useRef<number | null>(null);
   const redirectButtonTimer = useRef<number | null>(null);
 
+  const formId = useId();
+
   const searchParams = new URLSearchParams(search);
   const {
     values: props,
@@ -54,6 +57,11 @@ export const LoginPage = () => {
     compiled: compiledOIDCParams,
   } = useOIDCParams(searchParams);
 
+  const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
+    providers.find((provider) => provider.id === oauthAutoRedirect) !==
+      undefined && props.redirect_uri,
+  );
+
   const oauthProviders = providers.filter(
     (provider) => provider.id !== "local" && provider.id !== "ldap",
   );
@@ -62,10 +70,15 @@ export const LoginPage = () => {
       (provider) => provider.id === "local" || provider.id === "ldap",
     ) !== undefined;
 
-  const oauthMutation = useMutation({
+  const {
+    mutate: oauthMutate,
+    data: oauthData,
+    isPending: oauthIsPending,
+    variables: oauthVariables,
+  } = useMutation({
     mutationFn: (provider: string) =>
       axios.get(
-        `/api/oauth/url/${provider}?redirect_uri=${encodeURIComponent(props.redirect_uri)}`,
+        `/api/oauth/url/${provider}${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
       ),
     mutationKey: ["oauth"],
     onSuccess: (data) => {
@@ -76,22 +89,28 @@ export const LoginPage = () => {
       redirectTimer.current = window.setTimeout(() => {
         window.location.replace(data.data.url);
       }, 500);
+
+      if (isOauthAutoRedirect) {
+        redirectButtonTimer.current = window.setTimeout(() => {
+          setShowRedirectButton(true);
+        }, 5000);
+      }
     },
     onError: () => {
-      setOauthAutoRedirectHandover(false);
+      setIsOauthAutoRedirect(false);
       toast.error(t("loginOauthFailTitle"), {
         description: t("loginOauthFailSubtitle"),
       });
     },
   });
 
-  const loginMutation = useMutation({
+  const { mutate: loginMutate, isPending: loginIsPending } = useMutation({
     mutationFn: (values: LoginSchema) => axios.post("/api/user/login", values),
     mutationKey: ["login"],
     onSuccess: (data) => {
       if (data.data.totpPending) {
         window.location.replace(
-          `/totp?redirect_uri=${encodeURIComponent(props.redirect_uri)}`,
+          `/totp${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
         );
         return;
       }
@@ -106,7 +125,7 @@ export const LoginPage = () => {
           return;
         }
         window.location.replace(
-          `/continue?redirect_uri=${encodeURIComponent(props.redirect_uri)}`,
+          `/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
         );
       }, 500);
     },
@@ -122,34 +141,34 @@ export const LoginPage = () => {
 
   useEffect(() => {
     if (
-      providers.find((provider) => provider.id === oauthAutoRedirect) &&
       !isLoggedIn &&
-      props.redirect_uri !== ""
+      isOauthAutoRedirect &&
+      !hasAutoRedirectedRef.current &&
+      props.redirect_uri
     ) {
-      // Not sure of a better way to do this
-      // eslint-disable-next-line react-hooks/set-state-in-effect
-      setOauthAutoRedirectHandover(true);
-      oauthMutation.mutate(oauthAutoRedirect);
-      redirectButtonTimer.current = window.setTimeout(() => {
-        setShowRedirectButton(true);
-      }, 5000);
+      hasAutoRedirectedRef.current = true;
+      oauthMutate(oauthAutoRedirect);
     }
   }, [
-    providers,
     isLoggedIn,
-    props.redirect_uri,
+    oauthMutate,
+    hasAutoRedirectedRef,
     oauthAutoRedirect,
-    oauthMutation,
+    isOauthAutoRedirect,
+    props.redirect_uri,
   ]);
 
-  useEffect(
-    () => () => {
-      if (redirectTimer.current) clearTimeout(redirectTimer.current);
-      if (redirectButtonTimer.current)
+  useEffect(() => {
+    return () => {
+      if (redirectTimer.current) {
+        clearTimeout(redirectTimer.current);
+      }
+
+      if (redirectButtonTimer.current) {
         clearTimeout(redirectButtonTimer.current);
-    },
-    [],
-  );
+      }
+    };
+  }, [redirectTimer, redirectButtonTimer]);
 
   if (isLoggedIn && isOidc) {
     return <Navigate to={`/authorize?${compiledOIDCParams}`} replace />;
@@ -158,7 +177,7 @@ export const LoginPage = () => {
   if (isLoggedIn && props.redirect_uri !== "") {
     return (
       <Navigate
-        to={`/continue?redirect_uri=${encodeURIComponent(props.redirect_uri)}`}
+        to={`/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`}
         replace
       />
     );
@@ -168,11 +187,11 @@ export const LoginPage = () => {
     return <Navigate to="/logout" replace />;
   }
 
-  if (oauthAutoRedirectHandover) {
+  if (isOauthAutoRedirect) {
     return (
-      <Card className="min-w-xs sm:min-w-sm">
+      <Card>
         <CardHeader>
-          <CardTitle className="text-3xl">
+          <CardTitle className="text-xl">
             {t("loginOauthAutoRedirectTitle")}
           </CardTitle>
           <CardDescription>
@@ -183,7 +202,14 @@ export const LoginPage = () => {
           <CardFooter className="flex flex-col items-stretch">
             <Button
               onClick={() => {
-                window.location.replace(oauthMutation.data?.data.url);
+                if (oauthData?.data.url) {
+                  window.location.replace(oauthData.data.url);
+                } else {
+                  setIsOauthAutoRedirect(false);
+                  toast.error(t("loginOauthFailTitle"), {
+                    description: t("loginOauthFailSubtitle"),
+                  });
+                }
               }}
             >
               {t("loginOauthAutoRedirectButton")}
@@ -194,9 +220,9 @@ export const LoginPage = () => {
     );
   }
   return (
-    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader>
-        <CardTitle className="text-center text-3xl">{title}</CardTitle>
+    <Card className="md:min-w-sm">
+      <CardHeader className="gap-1.5">
+        <CardTitle className="text-center text-xl">{title}</CardTitle>
         {providers.length > 0 && (
           <CardDescription className="text-center">
             {oauthProviders.length !== 0
@@ -207,19 +233,16 @@ export const LoginPage = () => {
       </CardHeader>
       <CardContent className="flex flex-col gap-4">
         {oauthProviders.length !== 0 && (
-          <div className="flex flex-col gap-2 items-center justify-center">
+          <div className="flex flex-col gap-2.5 items-center justify-center">
             {oauthProviders.map((provider) => (
               <OAuthButton
                 key={provider.id}
                 title={provider.name}
                 icon={iconMap[provider.id] ?? <OAuthIcon />}
                 className="w-full"
-                onClick={() => oauthMutation.mutate(provider.id)}
-                loading={
-                  oauthMutation.isPending &&
-                  oauthMutation.variables === provider.id
-                }
-                disabled={oauthMutation.isPending || loginMutation.isPending}
+                onClick={() => oauthMutate(provider.id)}
+                loading={oauthIsPending && oauthVariables === provider.id}
+                disabled={oauthIsPending || loginIsPending}
               />
             ))}
           </div>
@@ -229,8 +252,9 @@ export const LoginPage = () => {
         )}
         {userAuthConfigured && (
           <LoginForm
-            onSubmit={(values) => loginMutation.mutate(values)}
-            loading={loginMutation.isPending || oauthMutation.isPending}
+            onSubmit={(values) => loginMutate(values)}
+            loading={loginIsPending || oauthIsPending}
+            formId={formId}
           />
         )}
         {providers.length == 0 && (
@@ -239,6 +263,16 @@ export const LoginPage = () => {
           </p>
         )}
       </CardContent>
+      <CardFooter>
+        <Button
+          className="w-full"
+          type="submit"
+          form={formId}
+          loading={loginIsPending || oauthIsPending}
+        >
+          {t("loginSubmit")}
+        </Button>
+      </CardFooter>
     </Card>
   );
 };

frontend/src/pages/logout-page.tsx

@@ -29,7 +29,7 @@ export const LogoutPage = () => {
       });
 
       redirectTimer.current = window.setTimeout(() => {
-        window.location.assign("/login");
+        window.location.replace("/login");
       }, 500);
     },
     onError: () => {
@@ -39,21 +39,22 @@ export const LogoutPage = () => {
     },
   });
 
-  useEffect(
-    () => () => {
-      if (redirectTimer.current) clearTimeout(redirectTimer.current);
-    },
-    [],
-  );
+  useEffect(() => {
+    return () => {
+      if (redirectTimer.current) {
+        clearTimeout(redirectTimer.current);
+      }
+    };
+  }, [redirectTimer]);
 
   if (!isLoggedIn) {
     return <Navigate to="/login" replace />;
   }
 
   return (
-    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader>
-        <CardTitle className="text-3xl">{t("logoutTitle")}</CardTitle>
+    <Card className="min-w-xs">
+      <CardHeader className="gap-1.5">
+        <CardTitle className="text-xl">{t("logoutTitle")}</CardTitle>
         <CardDescription>
           {provider !== "local" && provider !== "ldap" ? (
             <Trans
@@ -66,6 +67,7 @@ export const LogoutPage = () => {
                 username: email,
                 provider: oauthName,
               }}
+              shouldUnescape={true}
             />
           ) : (
             <Trans
@@ -77,6 +79,7 @@ export const LogoutPage = () => {
               values={{
                 username,
               }}
+              shouldUnescape={true}
             />
           )}
         </CardDescription>

frontend/src/pages/not-found-page.tsx

@@ -21,13 +21,15 @@ export const NotFoundPage = () => {
   };
 
   return (
-    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader>
-        <CardTitle className="text-3xl">{t("notFoundTitle")}</CardTitle>
+    <Card className="min-w-xs">
+      <CardHeader className="gap-1.5">
+        <CardTitle className="text-xl">{t("notFoundTitle")}</CardTitle>
         <CardDescription>{t("notFoundSubtitle")}</CardDescription>
       </CardHeader>
       <CardFooter className="flex flex-col items-stretch">
-        <Button onClick={handleRedirect} loading={loading}>{t("notFoundButton")}</Button>
+        <Button onClick={handleRedirect} loading={loading}>
+          {t("notFoundButton")}
+        </Button>
       </CardFooter>
     </Card>
   );

frontend/src/pages/totp-page.tsx

@@ -45,11 +45,11 @@ export const TotpPage = () => {
         if (isOidc) {
           window.location.replace(`/authorize?${compiledOIDCParams}`);
           return;
-        } else {
-          window.location.replace(
-            `/continue?redirect_uri=${encodeURIComponent(props.redirect_uri)}`,
-          );
         }
+
+        window.location.replace(
+          `/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
+        );
       }, 500);
     },
     onError: () => {
@@ -59,28 +59,28 @@ export const TotpPage = () => {
     },
   });
 
-  useEffect(
-    () => () => {
-      if (redirectTimer.current) clearTimeout(redirectTimer.current);
-    },
-    [],
-  );
+  useEffect(() => {
+    return () => {
+      if (redirectTimer.current) {
+        clearTimeout(redirectTimer.current);
+      }
+    };
+  }, [redirectTimer]);
 
   if (!totpPending) {
     return <Navigate to="/" replace />;
   }
 
   return (
-    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader>
-        <CardTitle className="text-3xl">{t("totpTitle")}</CardTitle>
+    <Card>
+      <CardHeader className="gap-1.5">
+        <CardTitle className="text-xl">{t("totpTitle")}</CardTitle>
         <CardDescription>{t("totpSubtitle")}</CardDescription>
       </CardHeader>
       <CardContent className="flex flex-col items-center">
         <TotpForm
           formId={formId}
           onSubmit={(values) => totpMutation.mutate(values)}
-          loading={totpMutation.isPending}
         />
       </CardContent>
       <CardFooter className="flex flex-col items-stretch">

frontend/src/pages/unauthorized-page.tsx

@@ -47,9 +47,9 @@ export const UnauthorizedPage = () => {
   }
 
   return (
-    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader>
-        <CardTitle className="text-3xl">{t("unauthorizedTitle")}</CardTitle>
+    <Card className="min-w-xs">
+      <CardHeader className="gap-1.5">
+        <CardTitle className="text-xl">{t("unauthorizedTitle")}</CardTitle>
         <CardDescription>
           <Trans
             i18nKey={i18nKey}

frontend/vite.config.ts

@@ -2,15 +2,42 @@ import { defineConfig } from "vite";
 import react from "@vitejs/plugin-react";
 import path from "path";
 import tailwindcss from "@tailwindcss/vite";
+import { visualizer } from "rollup-plugin-visualizer";
 
 // https://vite.dev/config/
 export default defineConfig({
-  plugins: [react(), tailwindcss()],
+  plugins: [react(), tailwindcss(), visualizer()],
   resolve: {
     alias: {
       "@": path.resolve(__dirname, "./src"),
     },
   },
+  build: {
+    rollupOptions: {
+      output: {
+        manualChunks: {
+          ui: [
+            "@radix-ui/react-dropdown-menu",
+            "@radix-ui/react-label",
+            "@radix-ui/react-select",
+            "@radix-ui/react-separator",
+            "@radix-ui/react-slot",
+            "input-otp",
+            "tailwindcss",
+            "tailwind-merge",
+            "sonner",
+            "lucide-react",
+          ],
+          i18n: [
+            "i18next",
+            "i18next-browser-languagedetector",
+            "i18next-resources-to-backend",
+          ],
+          util: ["zod", "axios", "react-hook-form"],
+        },
+      },
+    },
+  },
   server: {
     host: "0.0.0.0",
     proxy: {

gen/gen.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+	"log/slog"
+	"reflect"
+)
+
+func main() {
+	slog.Info("generating example env file")
+	generateExampleEnv()
+	slog.Info("generating config reference markdown file")
+	generateMarkdown()
+}
+
+func walkAndBuild[T any](parent reflect.Type, parentValue reflect.Value,
+	parentPath string, entries *[]T,
+	buildEntry func(child reflect.StructField, childValue reflect.Value, parentPath string, entries *[]T),
+	buildMap func(child reflect.StructField, parentPath string, entries *[]T),
+	buildChildPath func(parentPath string, childName string) string,
+) {
+	for i := 0; i < parent.NumField(); i++ {
+		field := parent.Field(i)
+		fieldType := field.Type
+		fieldValue := parentValue.Field(i)
+
+		switch fieldType.Kind() {
+		case reflect.Struct:
+			childPath := buildChildPath(parentPath, field.Name)
+			walkAndBuild[T](fieldType, fieldValue, childPath, entries, buildEntry, buildMap, buildChildPath)
+		case reflect.Map:
+			buildMap(field, parentPath, entries)
+		case reflect.Bool, reflect.String, reflect.Slice, reflect.Int:
+			buildEntry(field, fieldValue, parentPath, entries)
+		default:
+			slog.Info("unknown type", "type", fieldType.Kind())
+		}
+	}
+}

gen/gen_env.go

@@ -0,0 +1,133 @@
+package main
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io/fs"
+	"log/slog"
+	"os"
+	"reflect"
+	"strings"
+
+	"github.com/steveiliop56/tinyauth/internal/config"
+)
+
+type EnvEntry struct {
+	Name        string
+	Description string
+	Value       any
+}
+
+func generateExampleEnv() {
+	cfg := config.NewDefaultConfiguration()
+	entries := make([]EnvEntry, 0)
+
+	root := reflect.TypeOf(cfg).Elem()
+	rootValue := reflect.ValueOf(cfg).Elem()
+	rootPath := "TINYAUTH_"
+
+	walkAndBuild(root, rootValue, rootPath, &entries, buildEnvEntry, buildEnvMapEntry, buildEnvChildPath)
+	compiled := compileEnv(entries)
+
+	err := os.Remove(".env.example")
+	if err != nil && !errors.Is(err, fs.ErrNotExist) {
+		slog.Error("failed to remove example env file", "error", err)
+		os.Exit(1)
+	}
+
+	err = os.WriteFile(".env.example", compiled, 0644)
+	if err != nil {
+		slog.Error("failed to write example env file", "error", err)
+		os.Exit(1)
+	}
+}
+
+func buildEnvEntry(child reflect.StructField, childValue reflect.Value, parentPath string, entries *[]EnvEntry) {
+	desc := child.Tag.Get("description")
+	tag := child.Tag.Get("yaml")
+
+	if tag == "-" {
+		return
+	}
+
+	value := childValue.Interface()
+
+	entry := EnvEntry{
+		Name:        parentPath + strings.ToUpper(child.Name),
+		Description: desc,
+	}
+
+	switch childValue.Kind() {
+	case reflect.Slice:
+		sl, ok := value.([]string)
+		if !ok {
+			slog.Error("invalid default value", "value", value)
+			return
+		}
+		entry.Value = strings.Join(sl, ",")
+	case reflect.String:
+		st, ok := value.(string)
+		if !ok {
+			slog.Error("invalid default value", "value", value)
+			return
+		}
+		if st != "" {
+			entry.Value = fmt.Sprintf(`"%s"`, st)
+		} else {
+			entry.Value = ""
+		}
+	default:
+		entry.Value = value
+	}
+	*entries = append(*entries, entry)
+}
+
+func buildEnvMapEntry(child reflect.StructField, parentPath string, entries *[]EnvEntry) {
+	fieldType := child.Type
+
+	if fieldType.Key().Kind() != reflect.String {
+		slog.Info("unsupported map key type", "type", fieldType.Key().Kind())
+		return
+	}
+
+	mapPath := parentPath + strings.ToUpper(child.Name) + "_name_"
+	valueType := fieldType.Elem()
+
+	if valueType.Kind() == reflect.Struct {
+		zeroValue := reflect.New(valueType).Elem()
+		walkAndBuild(valueType, zeroValue, mapPath, entries, buildEnvEntry, buildEnvMapEntry, buildEnvChildPath)
+	}
+}
+
+func buildEnvChildPath(parent string, child string) string {
+	return parent + strings.ToUpper(child) + "_"
+}
+
+func compileEnv(entries []EnvEntry) []byte {
+	buffer := bytes.Buffer{}
+
+	buffer.WriteString("# This file is automatically generated by gen/gen_env.go. Do not edit manually.\n\n")
+	buffer.WriteString("# Tinyauth example configuration\n\n")
+
+	previousSection := ""
+
+	for _, entry := range entries {
+		if strings.Count(entry.Name, "_") > 1 {
+			section := strings.Split(strings.TrimPrefix(entry.Name, "TINYAUTH_"), "_")[0]
+			if section != previousSection {
+				buffer.WriteString("\n# " + strings.ToLower(section) + " config\n\n")
+				previousSection = section
+			}
+		}
+		buffer.WriteString("# ")
+		buffer.WriteString(entry.Description)
+		buffer.WriteString("\n")
+		buffer.WriteString(entry.Name)
+		buffer.WriteString("=")
+		fmt.Fprintf(&buffer, "%v", entry.Value)
+		buffer.WriteString("\n")
+	}
+
+	return buffer.Bytes()
+}

gen/gen_md.go

@@ -0,0 +1,128 @@
+package main
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io/fs"
+	"log/slog"
+	"os"
+	"reflect"
+	"strings"
+
+	"github.com/steveiliop56/tinyauth/internal/config"
+)
+
+type MarkdownEntry struct {
+	Env         string
+	Flag        string
+	Description string
+	Default     any
+}
+
+func generateMarkdown() {
+	cfg := config.NewDefaultConfiguration()
+	entries := make([]MarkdownEntry, 0)
+
+	root := reflect.TypeOf(cfg).Elem()
+	rootValue := reflect.ValueOf(cfg).Elem()
+	rootPath := "tinyauth."
+
+	walkAndBuild(root, rootValue, rootPath, &entries, buildMdEntry, buildMdMapEntry, buildMdChildPath)
+	compiled := compileMd(entries)
+
+	err := os.Remove("config.gen.md")
+	if err != nil && !errors.Is(err, fs.ErrNotExist) {
+		slog.Error("failed to remove example env file", "error", err)
+		os.Exit(1)
+	}
+
+	err = os.WriteFile("config.gen.md", compiled, 0644)
+	if err != nil {
+		slog.Error("failed to write example env file", "error", err)
+		os.Exit(1)
+	}
+}
+
+func buildMdEntry(child reflect.StructField, childValue reflect.Value, parentPath string, entries *[]MarkdownEntry) {
+	desc := child.Tag.Get("description")
+	tag := child.Tag.Get("yaml")
+
+	if tag == "-" {
+		return
+	}
+
+	value := childValue.Interface()
+
+	entry := MarkdownEntry{
+		Env:         strings.ToUpper(strings.ReplaceAll(parentPath, ".", "_")) + strings.ToUpper(child.Name),
+		Flag:        fmt.Sprintf("--%s%s", strings.TrimPrefix(parentPath, "tinyauth."), strings.ToLower(child.Name)),
+		Description: desc,
+	}
+
+	switch childValue.Kind() {
+	case reflect.Slice:
+		sl, ok := value.([]string)
+		if !ok {
+			slog.Error("invalid default value", "value", value)
+			return
+		}
+		entry.Default = fmt.Sprintf("`%s`", strings.Join(sl, ","))
+	default:
+		entry.Default = fmt.Sprintf("`%v`", value)
+	}
+	*entries = append(*entries, entry)
+}
+
+func buildMdMapEntry(child reflect.StructField, parentPath string, entries *[]MarkdownEntry) {
+	fieldType := child.Type
+
+	if fieldType.Key().Kind() != reflect.String {
+		slog.Info("unsupported map key type", "type", fieldType.Key().Kind())
+		return
+	}
+
+	tag := child.Tag.Get("yaml")
+
+	if tag == "-" {
+		return
+	}
+
+	mapPath := parentPath + tag + ".[name]."
+	valueType := fieldType.Elem()
+
+	if valueType.Kind() == reflect.Struct {
+		zeroValue := reflect.New(valueType).Elem()
+		walkAndBuild(valueType, zeroValue, mapPath, entries, buildMdEntry, buildMdMapEntry, buildMdChildPath)
+	}
+}
+
+func buildMdChildPath(parent string, child string) string {
+	return parent + strings.ToLower(child) + "."
+}
+
+func compileMd(entries []MarkdownEntry) []byte {
+	buffer := bytes.Buffer{}
+
+	buffer.WriteString("<!--- This file is automatically generated by gen/gen_md.go. Do not edit manually. --->\n\n")
+	buffer.WriteString("# Tinyauth configuration reference\n\n")
+	buffer.WriteString("| Environment | Flag | Description | Default |\n")
+	buffer.WriteString("| - | - | - | - |\n")
+
+	previousSection := ""
+
+	for _, entry := range entries {
+		if strings.Count(entry.Env, "_") > 1 {
+			section := strings.Split(strings.TrimPrefix(entry.Env, "TINYAUTH_"), "_")[0]
+			if section != previousSection {
+				buffer.WriteString("\n## " + strings.ToLower(section) + "\n\n")
+				buffer.WriteString("| Environment | Flag | Description | Default |\n")
+				buffer.WriteString("| - | - | - | - |\n")
+				previousSection = section
+			}
+		}
+		fmt.Fprintf(&buffer, "| `%s` | `%s` | %s | %s |\n", entry.Env, entry.Flag, entry.Description, entry.Default)
+	}
+
+	return buffer.Bytes()
+}

go.mod

@@ -11,6 +11,7 @@ require (
 	github.com/charmbracelet/huh v0.8.0
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/gin-gonic/gin v1.11.0
+	github.com/go-jose/go-jose/v4 v4.1.3
 	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/go-querystring v1.2.0
@@ -20,11 +21,11 @@ require (
 	github.com/rs/zerolog v1.34.0
 	github.com/traefik/paerser v0.2.2
 	github.com/weppos/publicsuffix-go v0.50.2
-	golang.org/x/crypto v0.47.0
+	golang.org/x/crypto v0.48.0
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
-	golang.org/x/oauth2 v0.34.0
+	golang.org/x/oauth2 v0.35.0
 	gotest.tools/v3 v3.5.2
-	modernc.org/sqlite v1.44.1
+	modernc.org/sqlite v1.46.1
 )
 
 require (
@@ -61,7 +62,6 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
@@ -113,11 +113,11 @@ require (
 	go.opentelemetry.io/otel/metric v1.37.0 // indirect
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/term v0.39.0 // indirect
-	golang.org/x/text v0.33.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/term v0.40.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	modernc.org/libc v1.67.6 // indirect

go.sum

@@ -303,21 +303,21 @@ golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
-golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
+golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
@@ -332,26 +332,26 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
 google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=
@@ -395,8 +395,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.44.1 h1:qybx/rNpfQipX/t47OxbHmkkJuv2JWifCMH8SVUiDas=
-modernc.org/sqlite v1.44.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
+modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=
+modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=

internal/bootstrap/app_bootstrap.go

@@ -22,6 +22,7 @@ import (
 type BootstrapApp struct {
 	config  config.Config
 	context struct {
+		appUrl              string
 		uuid                string
 		cookieDomain        string
 		sessionCookieName   string
@@ -42,10 +43,20 @@ func NewBootstrapApp(config config.Config) *BootstrapApp {
 }
 
 func (app *BootstrapApp) Setup() error {
+	// get app url
+	appUrl, err := url.Parse(app.config.AppURL)
+
+	if err != nil {
+		return err
+	}
+
+	app.context.appUrl = appUrl.Scheme + "://" + appUrl.Host
+
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
 		return fmt.Errorf("session max lifetime cannot be less than session expiry")
 	}
+
 	// Parse users
 	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile)
 
@@ -62,16 +73,12 @@ func (app *BootstrapApp) Setup() error {
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
-		app.context.oauthProviders[name] = provider
-	}
 
-	for id := range config.OverrideProviders {
-		if provider, exists := app.context.oauthProviders[id]; exists {
-			if provider.RedirectURL == "" {
-				provider.RedirectURL = app.config.AppURL + "/api/oauth/callback/" + id
-				app.context.oauthProviders[id] = provider
-			}
+		if provider.RedirectURL == "" {
+			provider.RedirectURL = app.context.appUrl + "/api/oauth/callback/" + name
 		}
+
+		app.context.oauthProviders[name] = provider
 	}
 
 	for id, provider := range app.context.oauthProviders {
@@ -92,7 +99,7 @@ func (app *BootstrapApp) Setup() error {
 	}
 
 	// Get cookie domain
-	cookieDomain, err := utils.GetCookieDomain(app.config.AppURL)
+	cookieDomain, err := utils.GetCookieDomain(app.context.appUrl)
 
 	if err != nil {
 		return err
@@ -101,7 +108,6 @@ func (app *BootstrapApp) Setup() error {
 	app.context.cookieDomain = cookieDomain
 
 	// Cookie names
-	appUrl, _ := url.Parse(app.config.AppURL) // Already validated
 	app.context.uuid = utils.GenerateUUID(appUrl.Hostname())
 	cookieId := strings.Split(app.context.uuid, "-")[0]
 	app.context.sessionCookieName = fmt.Sprintf("%s-%s", config.SessionCookieName, cookieId)

internal/bootstrap/router_bootstrap.go

@@ -21,8 +21,8 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	engine := gin.New()
 	engine.Use(gin.Recovery())
 
-	if len(app.config.Server.TrustedProxies) > 0 {
-		err := engine.SetTrustedProxies(app.config.Server.TrustedProxies)
+	if len(app.config.Auth.TrustedProxies) > 0 {
+		err := engine.SetTrustedProxies(app.config.Auth.TrustedProxies)
 
 		if err != nil {
 			return nil, fmt.Errorf("failed to set trusted proxies: %w", err)
@@ -71,7 +71,7 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 		ForgotPasswordMessage: app.config.UI.ForgotPasswordMessage,
 		BackgroundImage:       app.config.UI.BackgroundImage,
 		OAuthAutoRedirect:     app.config.OAuth.AutoRedirect,
-		DisableUIWarnings:     app.config.DisableUIWarnings,
+		DisableUIWarnings:     app.config.UI.DisableWarnings,
 	}, apiRouter)
 
 	contextController.SetupRoutes()

internal/bootstrap/service_bootstrap.go

@@ -31,12 +31,13 @@ func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, er
 
 	err := ldapService.Init()
 
-	if err == nil {
-		services.ldapService = ldapService
-	} else {
-		tlog.App.Warn().Err(err).Msg("Failed to initialize LDAP service, continuing without it")
+	if err != nil {
+		tlog.App.Warn().Err(err).Msg("Failed to setup LDAP service, starting without it")
+		ldapService.Unconfigure()
 	}
 
+	services.ldapService = ldapService
+
 	dockerService := service.NewDockerService()
 
 	err = dockerService.Init()

internal/config/config.go

@@ -1,5 +1,58 @@
 package config
 
+// Default configuration
+func NewDefaultConfiguration() *Config {
+	return &Config{
+		ResourcesDir: "./resources",
+		DatabasePath: "./tinyauth.db",
+		Server: ServerConfig{
+			Port:    3000,
+			Address: "0.0.0.0",
+		},
+		Auth: AuthConfig{
+			SessionExpiry:      86400, // 1 day
+			SessionMaxLifetime: 0,     // disabled
+			LoginTimeout:       300,   // 5 minutes
+			LoginMaxRetries:    3,
+		},
+		UI: UIConfig{
+			Title:                 "Tinyauth",
+			ForgotPasswordMessage: "You can change your password by changing the configuration.",
+			BackgroundImage:       "/background.jpg",
+		},
+		Ldap: LdapConfig{
+			Insecure:      false,
+			SearchFilter:  "(uid=%s)",
+			GroupCacheTTL: 900, // 15 minutes
+		},
+		Log: LogConfig{
+			Level: "info",
+			Json:  false,
+			Streams: LogStreams{
+				HTTP: LogStreamConfig{
+					Enabled: true,
+					Level:   "",
+				},
+				App: LogStreamConfig{
+					Enabled: true,
+					Level:   "",
+				},
+				Audit: LogStreamConfig{
+					Enabled: false,
+					Level:   "",
+				},
+			},
+		},
+		OIDC: OIDCConfig{
+			PrivateKeyPath: "./tinyauth_oidc_key",
+			PublicKeyPath:  "./tinyauth_oidc_key.pub",
+		},
+		Experimental: ExperimentalConfig{
+			ConfigFile: "",
+		},
+	}
+}
+
 // Version information, set at build time
 
 var Version = "development"
@@ -15,28 +68,26 @@ var RedirectCookieName = "tinyauth-redirect"
 // Main app config
 
 type Config struct {
-	AppURL            string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
-	ResourcesDir      string             `description:"The directory where resources are stored." yaml:"resourcesDir"`
-	DatabasePath      string             `description:"The path to the database file." yaml:"databasePath"`
-	DisableAnalytics  bool               `description:"Disable analytics." yaml:"disableAnalytics"`
-	DisableResources  bool               `description:"Disable resources server." yaml:"disableResources"`
-	DisableUIWarnings bool               `description:"Disable UI warnings." yaml:"disableUIWarnings"`
-	Server            ServerConfig       `description:"Server configuration." yaml:"server"`
-	Auth              AuthConfig         `description:"Authentication configuration." yaml:"auth"`
-	Apps              map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
-	OAuth             OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
-	OIDC              OIDCConfig         `description:"OIDC configuration." yaml:"oidc"`
-	UI                UIConfig           `description:"UI customization." yaml:"ui"`
-	Ldap              LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
-	Experimental      ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
-	Log               LogConfig          `description:"Logging configuration." yaml:"log"`
+	AppURL           string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
+	ResourcesDir     string             `description:"The directory where resources are stored." yaml:"resourcesDir"`
+	DatabasePath     string             `description:"The path to the database file." yaml:"databasePath"`
+	DisableAnalytics bool               `description:"Disable analytics." yaml:"disableAnalytics"`
+	DisableResources bool               `description:"Disable resources server." yaml:"disableResources"`
+	Server           ServerConfig       `description:"Server configuration." yaml:"server"`
+	Auth             AuthConfig         `description:"Authentication configuration." yaml:"auth"`
+	Apps             map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
+	OAuth            OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
+	OIDC             OIDCConfig         `description:"OIDC configuration." yaml:"oidc"`
+	UI               UIConfig           `description:"UI customization." yaml:"ui"`
+	Ldap             LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
+	Experimental     ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
+	Log              LogConfig          `description:"Logging configuration." yaml:"log"`
 }
 
 type ServerConfig struct {
-	Port           int      `description:"The port on which the server listens." yaml:"port"`
-	Address        string   `description:"The address on which the server listens." yaml:"address"`
-	SocketPath     string   `description:"The path to the Unix socket." yaml:"socketPath"`
-	TrustedProxies []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
+	Port       int    `description:"The port on which the server listens." yaml:"port"`
+	Address    string `description:"The address on which the server listens." yaml:"address"`
+	SocketPath string `description:"The path to the Unix socket." yaml:"socketPath"`
 }
 
 type AuthConfig struct {
@@ -48,6 +99,7 @@ type AuthConfig struct {
 	SessionMaxLifetime int      `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
 	LoginTimeout       int      `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int      `description:"Maximum login retries." yaml:"loginMaxRetries"`
+	TrustedProxies     []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 }
 
 type IPConfig struct {
@@ -71,6 +123,7 @@ type UIConfig struct {
 	Title                 string `description:"The title of the UI." yaml:"title"`
 	ForgotPasswordMessage string `description:"Message displayed on the forgot password page." yaml:"forgotPasswordMessage"`
 	BackgroundImage       string `description:"Path to the background image." yaml:"backgroundImage"`
+	DisableWarnings       bool   `description:"Disable UI warnings." yaml:"disableWarnings"`
 }
 
 type LdapConfig struct {
@@ -138,7 +191,7 @@ type OIDCClientConfig struct {
 	ClientID            string   `description:"OIDC client ID." yaml:"clientId"`
 	ClientSecret        string   `description:"OIDC client secret." yaml:"clientSecret"`
 	ClientSecretFile    string   `description:"Path to the file containing the OIDC client secret." yaml:"clientSecretFile"`
-	TrustedRedirectURIs []string `description:"List of trusted redirect URLs." yaml:"trustedRedirectUrls"`
+	TrustedRedirectURIs []string `description:"List of trusted redirect URIs." yaml:"trustedRedirectUris"`
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
 

internal/controller/oidc_controller.go

@@ -1,7 +1,6 @@
 package controller
 
 import (
-	"crypto/rand"
 	"errors"
 	"fmt"
 	"net/http"
@@ -33,6 +32,8 @@ type TokenRequest struct {
 	Code         string `form:"code" url:"code"`
 	RedirectURI  string `form:"redirect_uri" url:"redirect_uri"`
 	RefreshToken string `form:"refresh_token" url:"refresh_token"`
+	ClientSecret string `form:"client_secret" url:"client_secret"`
+	ClientID     string `form:"client_id" url:"client_id"`
 }
 
 type CallbackError struct {
@@ -49,6 +50,11 @@ type ClientRequest struct {
 	ClientID string `uri:"id" binding:"required"`
 }
 
+type ClientCredentials struct {
+	ClientID     string
+	ClientSecret string
+}
+
 func NewOIDCController(config OIDCControllerConfig, oidcService *service.OIDCService, router *gin.RouterGroup) *OIDCController {
 	return &OIDCController{
 		config: config,
@@ -97,6 +103,11 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 }
 
 func (controller *OIDCController) Authorize(c *gin.Context) {
+	if !controller.oidc.IsConfigured() {
+		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
+		return
+	}
+
 	userContext, err := utils.GetContext(c)
 
 	if err != nil {
@@ -133,7 +144,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 
 	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
 	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.Username, client.ID))
-	code := rand.Text()
+	code := utils.GenerateString(32)
 
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
@@ -177,6 +188,14 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 }
 
 func (controller *OIDCController) Token(c *gin.Context) {
+	if !controller.oidc.IsConfigured() {
+		tlog.App.Warn().Msg("OIDC not configured")
+		c.JSON(404, gin.H{
+			"error": "not_found",
+		})
+		return
+	}
+
 	var req TokenRequest
 
 	err := c.Bind(&req)
@@ -197,29 +216,45 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		return
 	}
 
-	rclientId, rclientSecret, ok := c.Request.BasicAuth()
-
-	if !ok {
-		tlog.App.Error().Msg("Missing authorization header")
-		c.Header("www-authenticate", "basic")
-		c.JSON(401, gin.H{
-			"error": "invalid_client",
-		})
-		return
+	// First we try form values
+	creds := ClientCredentials{
+		ClientID:     req.ClientID,
+		ClientSecret: req.ClientSecret,
 	}
 
-	client, ok := controller.oidc.GetClient(rclientId)
+	// If it fails, we try basic auth
+	if creds.ClientID == "" || creds.ClientSecret == "" {
+		tlog.App.Debug().Msg("Tried form values and they are empty, trying basic auth")
+
+		clientId, clientSecret, ok := c.Request.BasicAuth()
+
+		if !ok {
+			tlog.App.Error().Msg("Missing authorization header")
+			c.Header("www-authenticate", "basic")
+			c.JSON(401, gin.H{
+				"error": "invalid_client",
+			})
+			return
+		}
+
+		creds.ClientID = clientId
+		creds.ClientSecret = clientSecret
+	}
+
+	// END - we don't support other authentication methods
+
+	client, ok := controller.oidc.GetClient(creds.ClientID)
 
 	if !ok {
-		tlog.App.Warn().Str("client_id", rclientId).Msg("Client not found")
+		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Client not found")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
 		return
 	}
 
-	if client.ClientSecret != rclientSecret {
-		tlog.App.Warn().Str("client_id", rclientId).Msg("Invalid client secret")
+	if client.ClientSecret != creds.ClientSecret {
+		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Invalid client secret")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -273,7 +308,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 		tokenResponse = tokenRes
 	case "refresh_token":
-		tokenRes, err := controller.oidc.RefreshAccessToken(c, req.RefreshToken, rclientId)
+		tokenRes, err := controller.oidc.RefreshAccessToken(c, req.RefreshToken, creds.ClientID)
 
 		if err != nil {
 			if errors.Is(err, service.ErrTokenExpired) {
@@ -306,6 +341,14 @@ func (controller *OIDCController) Token(c *gin.Context) {
 }
 
 func (controller *OIDCController) Userinfo(c *gin.Context) {
+	if !controller.oidc.IsConfigured() {
+		tlog.App.Warn().Msg("OIDC not configured")
+		c.JSON(404, gin.H{
+			"error": "not_found",
+		})
+		return
+	}
+
 	authorization := c.GetHeader("Authorization")
 
 	tokenType, token, ok := strings.Cut(authorization, " ")

internal/controller/user_controller.go

@@ -2,7 +2,6 @@ package controller
 
 import (
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/steveiliop56/tinyauth/internal/repository"
@@ -114,8 +113,8 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 			err := controller.auth.CreateSessionCookie(c, &repository.Session{
 				Username:    user.Username,
-				Name:        utils.Capitalize(req.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
+				Name:        utils.Capitalize(user.Username),
+				Email:       utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
 				Provider:    "local",
 				TotpPending: true,
 			})
@@ -141,7 +140,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
+		Email:    utils.CompileUserEmail(req.Username, controller.config.CookieDomain),
 		Provider: "local",
 	}
 
@@ -255,7 +254,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.CookieDomain),
+		Email:    utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
 		Provider: "local",
 	}
 

internal/controller/well_known_controller.go

@@ -58,9 +58,9 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 		GrantTypesSupported:               service.SupportedGrantTypes,
 		SubjectTypesSupported:             []string{"pairwise"},
 		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
-		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
 		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "groups"},
-		ServiceDocumentation:              "https://tinyauth.app/docs/reference/openid",
+		ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
 	})
 }
 

internal/middleware/context_middleware.go

@@ -1,7 +1,6 @@
 package middleware
 
 import (
-	"fmt"
 	"slices"
 	"strings"
 	"time"
@@ -186,7 +185,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.CookieDomain),
+				Email:       utils.CompileUserEmail(user.Username, m.config.CookieDomain),
 				Provider:    "local",
 				IsLoggedIn:  true,
 				TotpEnabled: user.TotpSecret != "",
@@ -208,7 +207,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:    basic.Username,
 				Name:        utils.Capitalize(basic.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.CookieDomain),
+				Email:       utils.CompileUserEmail(basic.Username, m.config.CookieDomain),
 				Provider:    "ldap",
 				IsLoggedIn:  true,
 				LdapGroups:  strings.Join(ldapUser.Groups, ","),

internal/service/auth_service.go

@@ -78,7 +78,7 @@ func (auth *AuthService) SearchUser(username string) config.UserSearch {
 		}
 	}
 
-	if auth.ldap != nil {
+	if auth.ldap.IsConfigured() {
 		userDN, err := auth.ldap.GetUserDN(username)
 
 		if err != nil {
@@ -105,7 +105,7 @@ func (auth *AuthService) VerifyUser(search config.UserSearch, password string) b
 		user := auth.GetLocalUser(search.Username)
 		return auth.CheckPassword(user, password)
 	case "ldap":
-		if auth.ldap != nil {
+		if auth.ldap.IsConfigured() {
 			err := auth.ldap.Bind(search.Username, password)
 			if err != nil {
 				tlog.App.Warn().Err(err).Str("username", search.Username).Msg("Failed to bind to LDAP")
@@ -141,7 +141,7 @@ func (auth *AuthService) GetLocalUser(username string) config.User {
 }
 
 func (auth *AuthService) GetLdapUser(userDN string) (config.LdapUser, error) {
-	if auth.ldap == nil {
+	if !auth.ldap.IsConfigured() {
 		return config.LdapUser{}, errors.New("LDAP service not initialized")
 	}
 
@@ -398,7 +398,7 @@ func (auth *AuthService) LocalAuthConfigured() bool {
 }
 
 func (auth *AuthService) LdapAuthConfigured() bool {
-	return auth.ldap != nil
+	return auth.ldap.IsConfigured()
 }
 
 func (auth *AuthService) IsUserAllowed(c *gin.Context, context config.UserContext, acls config.App) bool {

internal/service/ldap_service.go

@@ -24,10 +24,11 @@ type LdapServiceConfig struct {
 }
 
 type LdapService struct {
-	config LdapServiceConfig
-	conn   *ldapgo.Conn
-	mutex  sync.RWMutex
-	cert   *tls.Certificate
+	config       LdapServiceConfig
+	conn         *ldapgo.Conn
+	mutex        sync.RWMutex
+	cert         *tls.Certificate
+	isConfigured bool
 }
 
 func NewLdapService(config LdapServiceConfig) *LdapService {
@@ -36,7 +37,33 @@ func NewLdapService(config LdapServiceConfig) *LdapService {
 	}
 }
 
+func (ldap *LdapService) IsConfigured() bool {
+	return ldap.isConfigured
+}
+
+func (ldap *LdapService) Unconfigure() error {
+	if !ldap.isConfigured {
+		return nil
+	}
+
+	if ldap.conn != nil {
+		if err := ldap.conn.Close(); err != nil {
+			return fmt.Errorf("failed to close LDAP connection: %w", err)
+		}
+	}
+
+	ldap.isConfigured = false
+	return nil
+}
+
 func (ldap *LdapService) Init() error {
+	if ldap.config.Address == "" {
+		ldap.isConfigured = false
+		return nil
+	}
+
+	ldap.isConfigured = true
+
 	// Check whether authentication with client certificate is possible
 	if ldap.config.AuthCert != "" && ldap.config.AuthKey != "" {
 		cert, err := tls.LoadX509KeyPair(ldap.config.AuthCert, ldap.config.AuthKey)

internal/service/oidc_service.go

@@ -83,12 +83,13 @@ type OIDCServiceConfig struct {
 }
 
 type OIDCService struct {
-	config     OIDCServiceConfig
-	queries    *repository.Queries
-	clients    map[string]config.OIDCClientConfig
-	privateKey *rsa.PrivateKey
-	publicKey  crypto.PublicKey
-	issuer     string
+	config       OIDCServiceConfig
+	queries      *repository.Queries
+	clients      map[string]config.OIDCClientConfig
+	privateKey   *rsa.PrivateKey
+	publicKey    crypto.PublicKey
+	issuer       string
+	isConfigured bool
 }
 
 func NewOIDCService(config OIDCServiceConfig, queries *repository.Queries) *OIDCService {
@@ -98,9 +99,19 @@ func NewOIDCService(config OIDCServiceConfig, queries *repository.Queries) *OIDC
 	}
 }
 
-// TODO: A cleanup routine is needed to clean up expired tokens/code/userinfo
+func (service *OIDCService) IsConfigured() bool {
+	return service.isConfigured
+}
 
 func (service *OIDCService) Init() error {
+	// If not configured, skip init
+	if len(service.config.Clients) == 0 {
+		service.isConfigured = false
+		return nil
+	}
+
+	service.isConfigured = true
+
 	// Ensure issuer is https
 	uissuer, err := url.Parse(service.config.Issuer)
 
@@ -207,6 +218,7 @@ func (service *OIDCService) Init() error {
 		}
 		client.ClientSecretFile = ""
 		service.clients[id] = client
+		tlog.App.Info().Str("id", client.ID).Msg("Registered OIDC client")
 	}
 
 	return nil
@@ -391,8 +403,8 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OI
 		return TokenResponse{}, err
 	}
 
-	accessToken := rand.Text()
-	refreshToken := rand.Text()
+	accessToken := utils.GenerateString(32)
+	refreshToken := utils.GenerateString(32)
 
 	tokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
 
@@ -452,8 +464,8 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
 		return TokenResponse{}, err
 	}
 
-	accessToken := rand.Text()
-	newRefreshToken := rand.Text()
+	accessToken := utils.GenerateString(32)
+	newRefreshToken := utils.GenerateString(32)
 
 	tokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
 	refrshTokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry*2) * time.Second).Unix()

internal/utils/security_utils.go

@@ -1,6 +1,7 @@
 package utils
 
 import (
+	"crypto/rand"
 	"encoding/base64"
 	"errors"
 	"net"
@@ -105,3 +106,9 @@ func GenerateUUID(str string) string {
 	uuid := uuid.NewSHA1(uuid.NameSpaceURL, []byte(str))
 	return uuid.String()
 }
+
+func GenerateString(length int) string {
+	src := make([]byte, length)
+	rand.Read(src)
+	return base64.RawURLEncoding.EncodeToString(src)[:length]
+}

internal/utils/string_utils_test.go

@@ -49,3 +49,11 @@ func TestCoalesceToString(t *testing.T) {
 	// Test with nil input
 	assert.Equal(t, "", utils.CoalesceToString(nil))
 }
+
+func TestCompileUserEmail(t *testing.T) {
+	// Test with valid email
+	assert.Equal(t, "user@example.com", utils.CompileUserEmail("user@example.com", "example.com"))
+
+	// Test with invalid email
+	assert.Equal(t, "user@example.com", utils.CompileUserEmail("user", "example.com"))
+}

internal/utils/user_utils.go

@@ -2,6 +2,8 @@ package utils
 
 import (
 	"errors"
+	"fmt"
+	"net/mail"
 	"strings"
 
 	"github.com/steveiliop56/tinyauth/internal/config"
@@ -90,3 +92,13 @@ func ParseUser(userStr string) (config.User, error) {
 
 	return user, nil
 }
+
+func CompileUserEmail(username string, domain string) string {
+	_, err := mail.ParseAddress(username)
+
+	if err != nil {
+		return fmt.Sprintf("%s@%s", strings.ToLower(username), domain)
+	}
+
+	return username
+}