refactor: rework oauth name database migration

cmd/root.go

@@ -27,11 +27,6 @@ var rootCmd = &cobra.Command{
 			log.Fatal().Err(err).Msg("Failed to parse config")
 		}
 
-		// Check if secrets have a file associated with them
-		conf.GithubClientSecret = utils.GetSecret(conf.GithubClientSecret, conf.GithubClientSecretFile)
-		conf.GoogleClientSecret = utils.GetSecret(conf.GoogleClientSecret, conf.GoogleClientSecretFile)
-		conf.GenericClientSecret = utils.GetSecret(conf.GenericClientSecret, conf.GenericClientSecretFile)
-
 		// Validate config
 		v := validator.New()
 
@@ -57,6 +52,7 @@ var rootCmd = &cobra.Command{
 }
 
 func Execute() {
+	rootCmd.FParseErrWhitelist.UnknownFlags = true
 	err := rootCmd.Execute()
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to execute command")
@@ -80,21 +76,6 @@ func init() {
 		{"users", "", "Comma separated list of users in the format username:hash."},
 		{"users-file", "", "Path to a file containing users in the format username:hash."},
 		{"secure-cookie", false, "Send cookie over secure connection only."},
-		{"github-client-id", "", "Github OAuth client ID."},
-		{"github-client-secret", "", "Github OAuth client secret."},
-		{"github-client-secret-file", "", "Github OAuth client secret file."},
-		{"google-client-id", "", "Google OAuth client ID."},
-		{"google-client-secret", "", "Google OAuth client secret."},
-		{"google-client-secret-file", "", "Google OAuth client secret file."},
-		{"generic-client-id", "", "Generic OAuth client ID."},
-		{"generic-client-secret", "", "Generic OAuth client secret."},
-		{"generic-client-secret-file", "", "Generic OAuth client secret file."},
-		{"generic-scopes", "", "Generic OAuth scopes."},
-		{"generic-auth-url", "", "Generic OAuth auth URL."},
-		{"generic-token-url", "", "Generic OAuth token URL."},
-		{"generic-user-url", "", "Generic OAuth user info URL."},
-		{"generic-name", "Generic", "Generic OAuth provider name."},
-		{"generic-skip-ssl", false, "Skip SSL verification for the generic OAuth provider."},
 		{"oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth."},
 		{"oauth-auto-redirect", "none", "Auto redirect to the specified OAuth provider if configured. (available providers: github, google, generic)"},
 		{"session-expiry", 86400, "Session (cookie) expiration time in seconds."},
@@ -112,7 +93,7 @@ func init() {
 		{"ldap-search-filter", "(uid=%s)", "LDAP search filter for user lookup."},
 		{"resources-dir", "/data/resources", "Path to a directory containing custom resources (e.g. background image)."},
 		{"database-path", "/data/tinyauth.db", "Path to the Sqlite database file."},
-		{"trusted-proxies", "", "Comma separated list of trusted proxies (IP addresses) for correct client IP detection and for header ACLs."},
+		{"trusted-proxies", "", "Comma separated list of trusted proxies (IP addresses or CIDRs) for correct client IP detection."},
 	}
 
 	for _, opt := range configOptions {

frontend/src/components/icons/microsoft.tsx

@@ -0,0 +1,18 @@
+import type { SVGProps } from "react";
+
+export function MicrosoftIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      width="2em"
+      height="2em"
+      viewBox="0 0 256 256"
+      {...props}
+    >
+      <path fill="#f1511b" d="M121.666 121.666H0V0h121.666z"></path>
+      <path fill="#80cc28" d="M256 121.666H134.335V0H256z"></path>
+      <path fill="#00adef" d="M121.663 256.002H0V134.336h121.663z"></path>
+      <path fill="#fbbc09" d="M256 256.002H134.335V134.336H256z"></path>
+    </svg>
+  );
+}

frontend/src/components/icons/oauth.tsx

@@ -1,6 +1,6 @@
 import type { SVGProps } from "react";
 
-export function GenericIcon(props: SVGProps<SVGSVGElement>) {
+export function OAuthIcon(props: SVGProps<SVGSVGElement>) {
   return (
     <svg
       xmlns="http://www.w3.org/2000/svg"

frontend/src/components/icons/pocket-id.tsx

@@ -0,0 +1,20 @@
+import type { SVGProps } from "react";
+
+export function PocketIDIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      xmlSpace="preserve"
+      width={512}
+      height={512}
+      viewBox="0 0 512 512"
+      {...props}
+    >
+      <circle cx="256" cy="256" r="256" />
+      <path
+        d="M268.6 102.4c64.4 0 116.8 52.4 116.8 116.7 0 25.3-8 49.4-23 69.6-14.8 19.9-35 34.3-58.4 41.7l-6.5 2-15.5-76.2 4.3-2c14-6.7 23-21.1 23-36.6 0-22.4-18.2-40.6-40.6-40.6S228 195.2 228 217.6c0 15.5 9 29.8 23 36.6l4.2 2-25 153.4h-69.5V102.4z"
+        className="fill-white"
+      />
+    </svg>
+  );
+}

frontend/src/components/icons/tailscale.tsx

@@ -0,0 +1,26 @@
+import type { SVGProps } from "react";
+
+export function TailscaleIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      xmlSpace="preserve"
+      width={512}
+      height={512}
+      viewBox="0 0 512 512"
+      {...props}
+    >
+      <path
+        className="opacity-80"
+        fill="currentColor"
+        d="M65.6 318.1c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9S1.8 219 1.8 254.2s28.6 63.9 63.8 63.9m191.6 0c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m0 193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m189.2-193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"
+      />
+
+      <path
+        d="M65.6 127.7c35.3 0 63.9-28.6 63.9-63.9S100.9 0 65.6 0 1.8 28.6 1.8 63.9s28.6 63.8 63.8 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.8 28.7-63.8 63.9S30.4 512 65.6 512m191.6-384.3c35.3 0 63.9-28.6 63.9-63.9S292.5 0 257.2 0s-63.9 28.6-63.9 63.9 28.6 63.8 63.9 63.8m189.2 0c35.3 0 63.9-28.6 63.9-63.9S481.6 0 446.4 0c-35.3 0-63.9 28.6-63.9 63.9s28.6 63.8 63.9 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"
+        className="opacity-20"
+        fill="currentColor"
+      />
+    </svg>
+  );
+}

frontend/src/lib/i18n/locales/en-US.json

@@ -14,6 +14,9 @@
     "loginOauthFailSubtitle": "Failed to get OAuth URL",
     "loginOauthSuccessTitle": "Redirecting",
     "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectButton": "Redirect now",
     "continueTitle": "Continue",
     "continueRedirectingTitle": "Redirecting...",
     "continueRedirectingSubtitle": "You should be redirected to the app soon",
@@ -21,7 +24,7 @@
     "continueInsecureRedirectTitle": "Insecure redirect",
     "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
     "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{rootDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
     "logoutFailTitle": "Failed to log out",
     "logoutFailSubtitle": "Please try again",
     "logoutSuccessTitle": "Logged out",

frontend/src/lib/i18n/locales/en.json

@@ -14,6 +14,9 @@
     "loginOauthFailSubtitle": "Failed to get OAuth URL",
     "loginOauthSuccessTitle": "Redirecting",
     "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectButton": "Redirect now",
     "continueTitle": "Continue",
     "continueRedirectingTitle": "Redirecting...",
     "continueRedirectingSubtitle": "You should be redirected to the app soon",
@@ -21,7 +24,7 @@
     "continueInsecureRedirectTitle": "Insecure redirect",
     "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
     "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{rootDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
     "logoutFailTitle": "Failed to log out",
     "logoutFailSubtitle": "Please try again",
     "logoutSuccessTitle": "Logged out",

frontend/src/pages/continue-page.tsx

@@ -14,7 +14,7 @@ import { Navigate, useLocation, useNavigate } from "react-router";
 import { useEffect, useState } from "react";
 
 export const ContinuePage = () => {
-  const { rootDomain } = useAppContext();
+  const { cookieDomain } = useAppContext();
   const { isLoggedIn } = useUserContext();
   const { search } = useLocation();
   const { t } = useTranslation();
@@ -33,8 +33,8 @@ export const ContinuePage = () => {
     : null;
   const isTrustedRedirectUri =
     redirectUriObj !== null
-      ? redirectUriObj.hostname === rootDomain ||
+      ? redirectUriObj.hostname === cookieDomain ||
-        redirectUriObj.hostname.endsWith(`.${rootDomain}`)
+        redirectUriObj.hostname.endsWith(`.${cookieDomain}`)
       : false;
   const isAllowedRedirectProto =
     redirectUriObj !== null
@@ -70,7 +70,7 @@ export const ContinuePage = () => {
     const reveal = setTimeout(() => {
       setLoading(false);
       setShowRedirectButton(true);
-    }, 1000);
+    }, 5000);
 
     return () => {
       clearTimeout(auto);
@@ -105,7 +105,7 @@ export const ContinuePage = () => {
               components={{
                 code: <code />,
               }}
-              values={{ rootDomain }}
+              values={{ cookieDomain }}
             />
           </CardDescription>
         </CardHeader>

frontend/src/pages/login-page.tsx

@@ -1,13 +1,18 @@
 import { LoginForm } from "@/components/auth/login-form";
-import { GenericIcon } from "@/components/icons/generic";
 import { GithubIcon } from "@/components/icons/github";
 import { GoogleIcon } from "@/components/icons/google";
+import { MicrosoftIcon } from "@/components/icons/microsoft";
+import { OAuthIcon } from "@/components/icons/oauth";
+import { PocketIDIcon } from "@/components/icons/pocket-id";
+import { TailscaleIcon } from "@/components/icons/tailscale";
+import { Button } from "@/components/ui/button";
 import {
   Card,
   CardHeader,
   CardTitle,
   CardDescription,
   CardContent,
+  CardFooter,
 } from "@/components/ui/card";
 import { OAuthButton } from "@/components/ui/oauth-button";
 import { SeperatorWithChildren } from "@/components/ui/separator";
@@ -17,28 +22,40 @@ import { useIsMounted } from "@/lib/hooks/use-is-mounted";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
-import { useEffect, useRef } from "react";
+import { useEffect, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
 
+const iconMap: Record<string, React.ReactNode> = {
+  google: <GoogleIcon />,
+  github: <GithubIcon />,
+  tailscale: <TailscaleIcon />,
+  microsoft: <MicrosoftIcon />,
+  pocketid: <PocketIDIcon />,
+};
+
 export const LoginPage = () => {
   const { isLoggedIn } = useUserContext();
-  const { configuredProviders, title, oauthAutoRedirect, genericName } =
+  const { providers, title, oauthAutoRedirect } = useAppContext();
-    useAppContext();
   const { search } = useLocation();
   const { t } = useTranslation();
   const isMounted = useIsMounted();
+  const [oauthAutoRedirectHandover, setOauthAutoRedirectHandover] =
+    useState(false);
+  const [showRedirectButton, setShowRedirectButton] = useState(false);
 
   const redirectTimer = useRef<number | null>(null);
+  const redirectButtonTimer = useRef<number | null>(null);
 
   const searchParams = new URLSearchParams(search);
   const redirectUri = searchParams.get("redirect_uri");
 
-  const oauthConfigured =
+  const oauthProviders = providers.filter(
-    configuredProviders.filter((provider) => provider !== "username").length >
+    (provider) => provider.id !== "username",
-    0;
+  );
-  const userAuthConfigured = configuredProviders.includes("username");
+  const userAuthConfigured =
+    providers.find((provider) => provider.id === "username") !== undefined;
 
   const oauthMutation = useMutation({
     mutationFn: (provider: string) =>
@@ -56,6 +73,7 @@ export const LoginPage = () => {
       }, 500);
     },
     onError: () => {
+      setOauthAutoRedirectHandover(false);
       toast.error(t("loginOauthFailTitle"), {
         description: t("loginOauthFailSubtitle"),
       });
@@ -96,12 +114,16 @@ export const LoginPage = () => {
   useEffect(() => {
     if (isMounted()) {
       if (
-        oauthConfigured &&
+        oauthProviders.length !== 0 &&
-        configuredProviders.includes(oauthAutoRedirect) &&
+        providers.find((provider) => provider.id === oauthAutoRedirect) &&
         !isLoggedIn &&
         redirectUri
       ) {
+        setOauthAutoRedirectHandover(true);
         oauthMutation.mutate(oauthAutoRedirect);
+        redirectButtonTimer.current = window.setTimeout(() => {
+          setShowRedirectButton(true);
+        }, 5000);
       }
     }
   }, []);
@@ -109,6 +131,8 @@ export const LoginPage = () => {
   useEffect(
     () => () => {
       if (redirectTimer.current) clearTimeout(redirectTimer.current);
+      if (redirectButtonTimer.current)
+        clearTimeout(redirectButtonTimer.current);
     },
     [],
   );
@@ -126,61 +150,63 @@ export const LoginPage = () => {
     return <Navigate to="/logout" replace />;
   }
 
+  if (oauthAutoRedirectHandover) {
+    return (
+      <Card className="min-w-xs sm:min-w-sm">
+        <CardHeader>
+          <CardTitle className="text-3xl">
+            {t("loginOauthAutoRedirectTitle")}
+          </CardTitle>
+          <CardDescription>
+            {t("loginOauthAutoRedirectSubtitle")}
+          </CardDescription>
+        </CardHeader>
+        {showRedirectButton && (
+          <CardFooter className="flex flex-col items-stretch">
+            <Button
+              onClick={() => {
+                window.location.replace(oauthMutation.data?.data.url);
+              }}
+            >
+              {t("loginOauthAutoRedirectButton")}
+            </Button>
+          </CardFooter>
+        )}
+      </Card>
+    );
+  }
   return (
     <Card className="min-w-xs sm:min-w-sm">
       <CardHeader>
         <CardTitle className="text-center text-3xl">{title}</CardTitle>
-        {configuredProviders.length > 0 && (
+        {providers.length > 0 && (
           <CardDescription className="text-center">
-            {oauthConfigured ? t("loginTitle") : t("loginTitleSimple")}
+            {oauthProviders.length !== 0
+              ? t("loginTitle")
+              : t("loginTitleSimple")}
           </CardDescription>
         )}
       </CardHeader>
       <CardContent className="flex flex-col gap-4">
-        {oauthConfigured && (
+        {oauthProviders.length !== 0 && (
           <div className="flex flex-col gap-2 items-center justify-center">
-            {configuredProviders.includes("google") && (
+            {oauthProviders.map((provider) => (
               <OAuthButton
-                title="Google"
+                key={provider.id}
-                icon={<GoogleIcon />}
+                title={provider.name}
+                icon={iconMap[provider.id] ?? <OAuthIcon />}
                 className="w-full"
-                onClick={() => oauthMutation.mutate("google")}
+                onClick={() => oauthMutation.mutate(provider.id)}
                 loading={
                   oauthMutation.isPending &&
-                  oauthMutation.variables === "google"
+                  oauthMutation.variables === provider.id
                 }
                 disabled={oauthMutation.isPending || loginMutation.isPending}
               />
-            )}
+            ))}
-            {configuredProviders.includes("github") && (
-              <OAuthButton
-                title="Github"
-                icon={<GithubIcon />}
-                className="w-full"
-                onClick={() => oauthMutation.mutate("github")}
-                loading={
-                  oauthMutation.isPending &&
-                  oauthMutation.variables === "github"
-                }
-                disabled={oauthMutation.isPending || loginMutation.isPending}
-              />
-            )}
-            {configuredProviders.includes("generic") && (
-              <OAuthButton
-                title={genericName}
-                icon={<GenericIcon />}
-                className="w-full"
-                onClick={() => oauthMutation.mutate("generic")}
-                loading={
-                  oauthMutation.isPending &&
-                  oauthMutation.variables === "generic"
-                }
-                disabled={oauthMutation.isPending || loginMutation.isPending}
-              />
-            )}
           </div>
         )}
-        {userAuthConfigured && oauthConfigured && (
+        {userAuthConfigured && oauthProviders.length !== 0 && (
           <SeperatorWithChildren>{t("loginDivider")}</SeperatorWithChildren>
         )}
         {userAuthConfigured && (
@@ -189,7 +215,7 @@ export const LoginPage = () => {
             loading={loginMutation.isPending || oauthMutation.isPending}
           />
         )}
-        {configuredProviders.length == 0 && (
+        {providers.length == 0 && (
           <p className="text-center text-red-600 max-w-sm">
             {t("failedToFetchProvidersTitle")}
           </p>

frontend/src/pages/logout-page.tsx

@@ -6,9 +6,7 @@ import {
   CardHeader,
   CardTitle,
 } from "@/components/ui/card";
-import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
-import { capitalize } from "@/lib/utils";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
 import { useEffect, useRef } from "react";
@@ -17,8 +15,7 @@ import { Navigate } from "react-router";
 import { toast } from "sonner";
 
 export const LogoutPage = () => {
-  const { provider, username, isLoggedIn, email } = useUserContext();
+  const { provider, username, isLoggedIn, email, oauthName } = useUserContext();
-  const { genericName } = useAppContext();
   const { t } = useTranslation();
 
   const redirectTimer = useRef<number | null>(null);
@@ -67,8 +64,7 @@ export const LogoutPage = () => {
               }}
               values={{
                 username: email,
-                provider:
+                provider: oauthName,
-                  provider === "generic" ? genericName : capitalize(provider),
               }}
             />
           ) : (

frontend/src/schemas/app-context-schema.ts

@@ -1,14 +1,19 @@
 import { z } from "zod";
 
+export const providerSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  oauth: z.boolean(),
+});
+
 export const appContextSchema = z.object({
-  configuredProviders: z.array(z.string()),
+  providers: z.array(providerSchema),
   title: z.string(),
-  genericName: z.string(),
   appUrl: z.string(),
-  rootDomain: z.string(),
+  cookieDomain: z.string(),
   forgotPasswordMessage: z.string(),
-  oauthAutoRedirect: z.enum(["none", "github", "google", "generic"]),
   backgroundImage: z.string(),
+  oauthAutoRedirect: z.string(),
 });
 
 export type AppContextSchema = z.infer<typeof appContextSchema>;

frontend/src/schemas/user-context-schema.ts

@@ -8,6 +8,7 @@ export const userContextSchema = z.object({
   provider: z.string(),
   oauth: z.boolean(),
   totpPending: z.boolean(),
+  oauthName: z.string(),
 });
 
 export type UserContextSchema = z.infer<typeof userContextSchema>;

go.mod

@@ -1,6 +1,8 @@
 module tinyauth
 
-go 1.23.2
+go 1.24.0
+
+toolchain go1.24.3
 
 require (
 	github.com/cenkalti/backoff/v5 v5.0.3
@@ -15,7 +17,8 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/viper v1.20.1
 	github.com/traefik/paerser v0.2.2
-	golang.org/x/crypto v0.41.0
+	github.com/weppos/publicsuffix-go v0.50.0
+	golang.org/x/crypto v0.42.0
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
 	gorm.io/gorm v1.30.1
 	gotest.tools/v3 v3.5.2
@@ -45,7 +48,7 @@ require (
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	golang.org/x/term v0.34.0 // indirect
+	golang.org/x/term v0.35.0 // indirect
 	modernc.org/libc v1.66.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
@@ -123,11 +126,11 @@ require (
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/arch v0.13.0 // indirect
-	golang.org/x/net v0.42.0 // indirect
+	golang.org/x/net v0.44.0 // indirect
 	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
 	google.golang.org/protobuf v1.36.3 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -280,6 +280,8 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/weppos/publicsuffix-go v0.50.0 h1:M178k6l8cnh9T1c1cStkhytVxdk5zPd6gGZf8ySIuVo=
+github.com/weppos/publicsuffix-go v0.50.0/go.mod h1:VXhClBYMlDrUsome4pOTpe68Ui0p6iQRAbyHQD1yKoU=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -311,27 +313,27 @@ golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
-golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
+golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -339,22 +341,22 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
+golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
+golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
 golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
 golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

internal/assets/migrations/000002_oauth_name.down.sql

@@ -0,0 +1 @@
+ALTER TABLE "sessions" DROP COLUMN "oauth_name";

internal/assets/migrations/000002_oauth_name.up.sql

@@ -0,0 +1,10 @@
+ALTER TABLE "sessions" ADD COLUMN "oauth_name" TEXT;
+
+UPDATE "sessions"
+SET "oauth_name" = CASE
+  WHEN LOWER("provider") = 'github' THEN 'GitHub'
+  WHEN LOWER("provider") = 'google' THEN 'Google'
+  ELSE UPPER(SUBSTR("provider", 1, 1)) || SUBSTR("provider", 2)
+END
+WHERE "oauth_name" IS NULL AND "provider" IS NOT NULL;
+

internal/bootstrap/app_bootstrap.go

@@ -3,6 +3,7 @@ package bootstrap
 import (
 	"fmt"
 	"net/url"
+	"os"
 	"strings"
 	"tinyauth/internal/config"
 	"tinyauth/internal/controller"
@@ -45,8 +46,15 @@ func (app *BootstrapApp) Setup() error {
 		return err
 	}
 
-	// Get root domain
+	// Get OAuth configs
-	rootDomain, err := utils.GetRootDomain(app.Config.AppURL)
+	oauthProviders, err := utils.GetOAuthProvidersConfig(os.Environ(), os.Args, app.Config.AppURL)
+
+	if err != nil {
+		return err
+	}
+
+	// Get cookie domain
+	cookieDomain, err := utils.GetCookieDomain(app.Config.AppURL)
 
 	if err != nil {
 		return err
@@ -65,7 +73,7 @@ func (app *BootstrapApp) Setup() error {
 		OauthWhitelist:    app.Config.OAuthWhitelist,
 		SessionExpiry:     app.Config.SessionExpiry,
 		SecureCookie:      app.Config.SecureCookie,
-		RootDomain:        rootDomain,
+		CookieDomain:      cookieDomain,
 		LoginTimeout:      app.Config.LoginTimeout,
 		LoginMaxRetries:   app.Config.LoginMaxRetries,
 		SessionCookieName: sessionCookieName,
@@ -112,7 +120,7 @@ func (app *BootstrapApp) Setup() error {
 	// Create services
 	dockerService := service.NewDockerService()
 	authService := service.NewAuthService(authConfig, dockerService, ldapService, database)
-	oauthBrokerService := service.NewOAuthBrokerService(app.getOAuthBrokerConfig())
+	oauthBrokerService := service.NewOAuthBrokerService(oauthProviders)
 
 	// Initialize services
 	services := []Service{
@@ -132,13 +140,41 @@ func (app *BootstrapApp) Setup() error {
 	}
 
 	// Configured providers
-	var configuredProviders []string
+	babysit := map[string]string{
+		"google": "Google",
+		"github": "GitHub",
+	}
+	configuredProviders := make([]controller.Provider, 0)
 
-	if authService.UserAuthConfigured() || ldapService != nil {
+	for id, provider := range oauthProviders {
-		configuredProviders = append(configuredProviders, "username")
+		if id == "" {
+			continue
+		}
+
+		if provider.Name == "" {
+			if name, ok := babysit[id]; ok {
+				provider.Name = name
+			} else {
+				provider.Name = utils.Capitalize(id)
+			}
+		}
+
+		configuredProviders = append(configuredProviders, controller.Provider{
+			Name:  provider.Name,
+			ID:    id,
+			OAuth: true,
+		})
 	}
 
-	configuredProviders = append(configuredProviders, oauthBrokerService.GetConfiguredServices()...)
+	if authService.UserAuthConfigured() || ldapService != nil {
+		configuredProviders = append(configuredProviders, controller.Provider{
+			Name:  "Username",
+			ID:    "username",
+			OAuth: false,
+		})
+	}
+
+	log.Debug().Interface("providers", configuredProviders).Msg("Authentication providers")
 
 	if len(configuredProviders) == 0 {
 		return fmt.Errorf("no authentication providers configured")
@@ -156,7 +192,7 @@ func (app *BootstrapApp) Setup() error {
 	var middlewares []Middleware
 
 	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
-		RootDomain: rootDomain,
+		CookieDomain: cookieDomain,
 	}, authService, oauthBrokerService)
 
 	uiMiddleware := middleware.NewUIMiddleware()
@@ -179,11 +215,10 @@ func (app *BootstrapApp) Setup() error {
 
 	// Create controllers
 	contextController := controller.NewContextController(controller.ContextControllerConfig{
-		ConfiguredProviders:   configuredProviders,
+		Providers:             configuredProviders,
 		Title:                 app.Config.Title,
-		GenericName:           app.Config.GenericName,
 		AppURL:                app.Config.AppURL,
-		RootDomain:            rootDomain,
+		CookieDomain:          cookieDomain,
 		ForgotPasswordMessage: app.Config.ForgotPasswordMessage,
 		BackgroundImage:       app.Config.BackgroundImage,
 		OAuthAutoRedirect:     app.Config.OAuthAutoRedirect,
@@ -194,7 +229,7 @@ func (app *BootstrapApp) Setup() error {
 		SecureCookie:       app.Config.SecureCookie,
 		CSRFCookieName:     csrfCookieName,
 		RedirectCookieName: redirectCookieName,
-		RootDomain:         rootDomain,
+		CookieDomain:       cookieDomain,
 	}, apiRouter, authService, oauthBrokerService)
 
 	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
@@ -202,7 +237,7 @@ func (app *BootstrapApp) Setup() error {
 	}, apiRouter, dockerService, authService)
 
 	userController := controller.NewUserController(controller.UserControllerConfig{
-		RootDomain: rootDomain,
+		CookieDomain: cookieDomain,
 	}, apiRouter, authService)
 
 	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
@@ -235,30 +270,3 @@ func (app *BootstrapApp) Setup() error {
 
 	return nil
 }
-
-// Temporary
-func (app *BootstrapApp) getOAuthBrokerConfig() map[string]config.OAuthServiceConfig {
-	return map[string]config.OAuthServiceConfig{
-		"google": {
-			ClientID:     app.Config.GoogleClientId,
-			ClientSecret: app.Config.GoogleClientSecret,
-			RedirectURL:  fmt.Sprintf("%s/api/oauth/callback/google", app.Config.AppURL),
-		},
-		"github": {
-			ClientID:     app.Config.GithubClientId,
-			ClientSecret: app.Config.GithubClientSecret,
-			RedirectURL:  fmt.Sprintf("%s/api/oauth/callback/github", app.Config.AppURL),
-		},
-		"generic": {
-			ClientID:           app.Config.GenericClientId,
-			ClientSecret:       app.Config.GenericClientSecret,
-			RedirectURL:        fmt.Sprintf("%s/api/oauth/callback/generic", app.Config.AppURL),
-			Scopes:             strings.Split(app.Config.GenericScopes, ","),
-			AuthURL:            app.Config.GenericAuthURL,
-			TokenURL:           app.Config.GenericTokenURL,
-			UserinfoURL:        app.Config.GenericUserURL,
-			InsecureSkipVerify: app.Config.GenericSkipSSL,
-		},
-	}
-
-}

internal/config/config.go

@@ -15,45 +15,30 @@ var RedirectCookieName = "tinyauth-redirect"
 // Main app config
 
 type Config struct {
-	Port                    int    `mapstructure:"port" validate:"required"`
+	Port                  int    `mapstructure:"port" validate:"required"`
-	Address                 string `validate:"required,ip4_addr" mapstructure:"address"`
+	Address               string `validate:"required,ip4_addr" mapstructure:"address"`
-	AppURL                  string `validate:"required,url" mapstructure:"app-url"`
+	AppURL                string `validate:"required,url" mapstructure:"app-url"`
-	Users                   string `mapstructure:"users"`
+	Users                 string `mapstructure:"users"`
-	UsersFile               string `mapstructure:"users-file"`
+	UsersFile             string `mapstructure:"users-file"`
-	SecureCookie            bool   `mapstructure:"secure-cookie"`
+	SecureCookie          bool   `mapstructure:"secure-cookie"`
-	GithubClientId          string `mapstructure:"github-client-id"`
+	OAuthWhitelist        string `mapstructure:"oauth-whitelist"`
-	GithubClientSecret      string `mapstructure:"github-client-secret"`
+	OAuthAutoRedirect     string `mapstructure:"oauth-auto-redirect"`
-	GithubClientSecretFile  string `mapstructure:"github-client-secret-file"`
+	SessionExpiry         int    `mapstructure:"session-expiry"`
-	GoogleClientId          string `mapstructure:"google-client-id"`
+	LogLevel              string `mapstructure:"log-level" validate:"oneof=trace debug info warn error fatal panic"`
-	GoogleClientSecret      string `mapstructure:"google-client-secret"`
+	Title                 string `mapstructure:"app-title"`
-	GoogleClientSecretFile  string `mapstructure:"google-client-secret-file"`
+	LoginTimeout          int    `mapstructure:"login-timeout"`
-	GenericClientId         string `mapstructure:"generic-client-id"`
+	LoginMaxRetries       int    `mapstructure:"login-max-retries"`
-	GenericClientSecret     string `mapstructure:"generic-client-secret"`
+	ForgotPasswordMessage string `mapstructure:"forgot-password-message"`
-	GenericClientSecretFile string `mapstructure:"generic-client-secret-file"`
+	BackgroundImage       string `mapstructure:"background-image" validate:"required"`
-	GenericScopes           string `mapstructure:"generic-scopes"`
+	LdapAddress           string `mapstructure:"ldap-address"`
-	GenericAuthURL          string `mapstructure:"generic-auth-url"`
+	LdapBindDN            string `mapstructure:"ldap-bind-dn"`
-	GenericTokenURL         string `mapstructure:"generic-token-url"`
+	LdapBindPassword      string `mapstructure:"ldap-bind-password"`
-	GenericUserURL          string `mapstructure:"generic-user-url"`
+	LdapBaseDN            string `mapstructure:"ldap-base-dn"`
-	GenericName             string `mapstructure:"generic-name"`
+	LdapInsecure          bool   `mapstructure:"ldap-insecure"`
-	GenericSkipSSL          bool   `mapstructure:"generic-skip-ssl"`
+	LdapSearchFilter      string `mapstructure:"ldap-search-filter"`
-	OAuthWhitelist          string `mapstructure:"oauth-whitelist"`
+	ResourcesDir          string `mapstructure:"resources-dir"`
-	OAuthAutoRedirect       string `mapstructure:"oauth-auto-redirect" validate:"oneof=none github google generic"`
+	DatabasePath          string `mapstructure:"database-path" validate:"required"`
-	SessionExpiry           int    `mapstructure:"session-expiry"`
+	TrustedProxies        string `mapstructure:"trusted-proxies"`
-	LogLevel                string `mapstructure:"log-level" validate:"oneof=trace debug info warn error fatal panic"`
-	Title                   string `mapstructure:"app-title"`
-	LoginTimeout            int    `mapstructure:"login-timeout"`
-	LoginMaxRetries         int    `mapstructure:"login-max-retries"`
-	ForgotPasswordMessage   string `mapstructure:"forgot-password-message"`
-	BackgroundImage         string `mapstructure:"background-image" validate:"required"`
-	LdapAddress             string `mapstructure:"ldap-address"`
-	LdapBindDN              string `mapstructure:"ldap-bind-dn"`
-	LdapBindPassword        string `mapstructure:"ldap-bind-password"`
-	LdapBaseDN              string `mapstructure:"ldap-base-dn"`
-	LdapInsecure            bool   `mapstructure:"ldap-insecure"`
-	LdapSearchFilter        string `mapstructure:"ldap-search-filter"`
-	ResourcesDir            string `mapstructure:"resources-dir"`
-	DatabasePath            string `mapstructure:"database-path" validate:"required"`
-	TrustedProxies          string `mapstructure:"trusted-proxies"`
 }
 
 // OAuth/OIDC config
@@ -66,14 +51,16 @@ type Claims struct {
 }
 
 type OAuthServiceConfig struct {
-	ClientID           string
+	ClientID           string   `key:"client-id"`
-	ClientSecret       string
+	ClientSecret       string   `key:"client-secret"`
-	Scopes             []string
+	ClientSecretFile   string   `key:"client-secret-file"`
-	RedirectURL        string
+	Scopes             []string `key:"scopes"`
-	AuthURL            string
+	RedirectURL        string   `key:"redirect-url"`
-	TokenURL           string
+	AuthURL            string   `key:"auth-url"`
-	UserinfoURL        string
+	TokenURL           string   `key:"token-url"`
-	InsecureSkipVerify bool
+	UserinfoURL        string   `key:"user-info-url"`
+	InsecureSkipVerify bool     `key:"insecure-skip-verify"`
+	Name               string   `key:"name"`
 }
 
 // User/session related stuff
@@ -97,6 +84,7 @@ type SessionCookie struct {
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
+	OAuthName   string
 }
 
 type UserContext struct {
@@ -109,6 +97,7 @@ type UserContext struct {
 	TotpPending bool
 	OAuthGroups string
 	TotpEnabled bool
+	OAuthName   string
 }
 
 // API responses and queries
@@ -174,3 +163,9 @@ type AppPath struct {
 	Allow string
 	Block string
 }
+
+// Flags
+
+type Providers struct {
+	Providers map[string]OAuthServiceConfig
+}

internal/controller/context_controller.go

@@ -19,27 +19,32 @@ type UserContextResponse struct {
 	Provider    string `json:"provider"`
 	OAuth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
+	OAuthName   string `json:"oauthName"`
 }
 
 type AppContextResponse struct {
-	Status                int      `json:"status"`
+	Status                int        `json:"status"`
-	Message               string   `json:"message"`
+	Message               string     `json:"message"`
-	ConfiguredProviders   []string `json:"configuredProviders"`
+	Providers             []Provider `json:"providers"`
-	Title                 string   `json:"title"`
+	Title                 string     `json:"title"`
-	GenericName           string   `json:"genericName"`
+	AppURL                string     `json:"appUrl"`
-	AppURL                string   `json:"appUrl"`
+	CookieDomain          string     `json:"cookieDomain"`
-	RootDomain            string   `json:"rootDomain"`
+	ForgotPasswordMessage string     `json:"forgotPasswordMessage"`
-	ForgotPasswordMessage string   `json:"forgotPasswordMessage"`
+	BackgroundImage       string     `json:"backgroundImage"`
-	BackgroundImage       string   `json:"backgroundImage"`
+	OAuthAutoRedirect     string     `json:"oauthAutoRedirect"`
-	OAuthAutoRedirect     string   `json:"oauthAutoRedirect"`
+}
+
+type Provider struct {
+	Name  string `json:"name"`
+	ID    string `json:"id"`
+	OAuth bool   `json:"oauth"`
 }
 
 type ContextControllerConfig struct {
-	ConfiguredProviders   []string
+	Providers             []Provider
 	Title                 string
-	GenericName           string
 	AppURL                string
-	RootDomain            string
+	CookieDomain          string
 	ForgotPasswordMessage string
 	BackgroundImage       string
 	OAuthAutoRedirect     string
@@ -76,6 +81,7 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 		Provider:    context.Provider,
 		OAuth:       context.OAuth,
 		TotpPending: context.TotpPending,
+		OAuthName:   context.OAuthName,
 	}
 
 	if err != nil {
@@ -96,11 +102,10 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 	c.JSON(200, AppContextResponse{
 		Status:                200,
 		Message:               "Success",
-		ConfiguredProviders:   controller.config.ConfiguredProviders,
+		Providers:             controller.config.Providers,
 		Title:                 controller.config.Title,
-		GenericName:           controller.config.GenericName,
 		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
-		RootDomain:            controller.config.RootDomain,
+		CookieDomain:          controller.config.CookieDomain,
 		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
 		BackgroundImage:       controller.config.BackgroundImage,
 		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,

internal/controller/context_controller_test.go

@@ -12,11 +12,21 @@ import (
 )
 
 var controllerCfg = controller.ContextControllerConfig{
-	ConfiguredProviders:   []string{"github", "google", "generic"},
+	Providers: []controller.Provider{
+		{
+			Name:  "Username",
+			ID:    "username",
+			OAuth: false,
+		},
+		{
+			Name:  "Google",
+			ID:    "google",
+			OAuth: true,
+		},
+	},
 	Title:                 "Test App",
-	GenericName:           "Generic",
 	AppURL:                "http://localhost:8080",
-	RootDomain:            "localhost",
+	CookieDomain:          "localhost",
 	ForgotPasswordMessage: "Contact admin to reset your password.",
 	BackgroundImage:       "/assets/bg.jpg",
 	OAuthAutoRedirect:     "google",
@@ -58,11 +68,10 @@ func TestAppContextHandler(t *testing.T) {
 	expectedRes := controller.AppContextResponse{
 		Status:                200,
 		Message:               "Success",
-		ConfiguredProviders:   controllerCfg.ConfiguredProviders,
+		Providers:             controllerCfg.Providers,
 		Title:                 controllerCfg.Title,
-		GenericName:           controllerCfg.GenericName,
 		AppURL:                controllerCfg.AppURL,
-		RootDomain:            controllerCfg.RootDomain,
+		CookieDomain:          controllerCfg.CookieDomain,
 		ForgotPasswordMessage: controllerCfg.ForgotPasswordMessage,
 		BackgroundImage:       controllerCfg.BackgroundImage,
 		OAuthAutoRedirect:     controllerCfg.OAuthAutoRedirect,

internal/controller/oauth_controller.go

@@ -23,7 +23,7 @@ type OAuthControllerConfig struct {
 	RedirectCookieName string
 	SecureCookie       bool
 	AppURL             string
-	RootDomain         string
+	CookieDomain       string
 }
 
 type OAuthController struct {
@@ -74,13 +74,13 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 
 	state := service.GenerateState()
 	authURL := service.GetAuthURL(state)
-	c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 
 	redirectURI := c.Query("redirect_uri")
 
-	if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.config.RootDomain) {
+	if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
 		log.Debug().Msg("Setting redirect URI cookie")
-		c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
+		c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	}
 
 	c.JSON(200, gin.H{
@@ -108,12 +108,12 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	if err != nil || state != csrfCookie {
 		log.Warn().Err(err).Msg("CSRF token mismatch or cookie missing")
-		c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
+		c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
-	c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 
 	code := c.Query("code")
 	service, exists := controller.broker.GetService(req.Provider)
@@ -186,6 +186,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		Email:       user.Email,
 		Provider:    req.Provider,
 		OAuthGroups: utils.CoalesceToString(user.Groups),
+		OAuthName:   service.GetName(),
 	})
 
 	if err != nil {
@@ -196,7 +197,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	redirectURI, err := c.Cookie(controller.config.RedirectCookieName)
 
-	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.RootDomain) {
+	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
 		log.Debug().Msg("No redirect URI cookie found, redirecting to app root")
 		c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
 		return
@@ -212,6 +213,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
 }

internal/controller/proxy_controller_test.go

@@ -50,7 +50,7 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 		OauthWhitelist:    "",
 		SessionExpiry:     3600,
 		SecureCookie:      false,
-		RootDomain:        "localhost",
+		CookieDomain:      "localhost",
 		LoginTimeout:      300,
 		LoginMaxRetries:   3,
 		SessionCookieName: "tinyauth-session",

internal/controller/resources_controller_test.go

@@ -24,6 +24,7 @@ func TestResourcesHandler(t *testing.T) {
 	// Create test data
 	err := os.Mkdir("/tmp/tinyauth", 0755)
 	assert.NilError(t, err)
+	defer os.RemoveAll("/tmp/tinyauth")
 
 	file, err := os.Create("/tmp/tinyauth/test.txt")
 	assert.NilError(t, err)

internal/controller/user_controller.go

@@ -22,7 +22,7 @@ type TotpRequest struct {
 }
 
 type UserControllerConfig struct {
-	RootDomain string
+	CookieDomain string
 }
 
 type UserController struct {
@@ -115,7 +115,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 			err := controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 				Username:    user.Username,
 				Name:        utils.Capitalize(req.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.RootDomain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
 				Provider:    "username",
 				TotpPending: true,
 			})
@@ -141,7 +141,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.RootDomain),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
 		Provider: "username",
 	})
 
@@ -246,7 +246,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.RootDomain),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.CookieDomain),
 		Provider: "username",
 	})
 

internal/controller/user_controller_test.go

@@ -58,7 +58,7 @@ func setupUserController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Eng
 		OauthWhitelist:    "",
 		SessionExpiry:     3600,
 		SecureCookie:      false,
-		RootDomain:        "localhost",
+		CookieDomain:      "localhost",
 		LoginTimeout:      300,
 		LoginMaxRetries:   3,
 		SessionCookieName: "tinyauth-session",
@@ -66,7 +66,7 @@ func setupUserController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Eng
 
 	// Controller
 	ctrl := controller.NewUserController(controller.UserControllerConfig{
-		RootDomain: "localhost",
+		CookieDomain: "localhost",
 	}, group, authService)
 	ctrl.SetupRoutes()
 

internal/middleware/context_middleware.go

@@ -12,7 +12,7 @@ import (
 )
 
 type ContextMiddlewareConfig struct {
-	RootDomain string
+	CookieDomain string
 }
 
 type ContextMiddleware struct {
@@ -95,6 +95,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				Email:       cookie.Email,
 				Provider:    cookie.Provider,
 				OAuthGroups: cookie.OAuthGroups,
+				OAuthName:   cookie.OAuthName,
 				IsLoggedIn:  true,
 				OAuth:       true,
 			})
@@ -134,7 +135,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.RootDomain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.CookieDomain),
 				Provider:    "basic",
 				IsLoggedIn:  true,
 				TotpEnabled: user.TotpSecret != "",
@@ -146,7 +147,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:   basic.Username,
 				Name:       utils.Capitalize(basic.Username),
-				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.RootDomain),
+				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.CookieDomain),
 				Provider:   "basic",
 				IsLoggedIn: true,
 			})

internal/model/session_model.go

@@ -9,4 +9,5 @@ type Session struct {
 	TOTPPending bool   `gorm:"column:totp_pending"`
 	OAuthGroups string `gorm:"column:oauth_groups"`
 	Expiry      int64  `gorm:"column:expiry"`
+	OAuthName   string `gorm:"column:oauth_name"`
 }

internal/service/auth_service.go

@@ -28,7 +28,7 @@ type AuthServiceConfig struct {
 	OauthWhitelist    string
 	SessionExpiry     int
 	SecureCookie      bool
-	RootDomain        string
+	CookieDomain      string
 	LoginTimeout      int
 	LoginMaxRetries   int
 	SessionCookieName string
@@ -210,6 +210,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		TOTPPending: data.TotpPending,
 		OAuthGroups: data.OAuthGroups,
 		Expiry:      time.Now().Add(time.Duration(expiry) * time.Second).Unix(),
+		OAuthName:   data.OAuthName,
 	}
 
 	err = auth.database.Create(&session).Error
@@ -218,7 +219,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		return err
 	}
 
-	c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.config.RootDomain), auth.config.SecureCookie, true)
+	c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
 
 	return nil
 }
@@ -236,7 +237,7 @@ func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
 		return res.Error
 	}
 
-	c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.RootDomain), auth.config.SecureCookie, true)
+	c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
 
 	return nil
 }
@@ -278,6 +279,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 		Provider:    session.Provider,
 		TotpPending: session.TOTPPending,
 		OAuthGroups: session.OAuthGroups,
+		OAuthName:   session.OAuthName,
 	}, nil
 }
 

internal/service/generic_oauth_service.go

@@ -22,6 +22,7 @@ type GenericOAuthService struct {
 	verifier           string
 	insecureSkipVerify bool
 	userinfoUrl        string
+	name               string
 }
 
 func NewGenericOAuthService(config config.OAuthServiceConfig) *GenericOAuthService {
@@ -38,6 +39,7 @@ func NewGenericOAuthService(config config.OAuthServiceConfig) *GenericOAuthServi
 		},
 		insecureSkipVerify: config.InsecureSkipVerify,
 		userinfoUrl:        config.UserinfoURL,
+		name:               config.Name,
 	}
 }
 
@@ -115,3 +117,7 @@ func (generic *GenericOAuthService) Userinfo() (config.Claims, error) {
 
 	return user, nil
 }
+
+func (generic *GenericOAuthService) GetName() string {
+	return generic.name
+}

internal/service/github_oauth_service.go

@@ -33,6 +33,7 @@ type GithubOAuthService struct {
 	context  context.Context
 	token    *oauth2.Token
 	verifier string
+	name     string
 }
 
 func NewGithubOAuthService(config config.OAuthServiceConfig) *GithubOAuthService {
@@ -44,6 +45,7 @@ func NewGithubOAuthService(config config.OAuthServiceConfig) *GithubOAuthService
 			Scopes:       GithubOAuthScopes,
 			Endpoint:     endpoints.GitHub,
 		},
+		name: config.Name,
 	}
 }
 
@@ -167,3 +169,7 @@ func (github *GithubOAuthService) Userinfo() (config.Claims, error) {
 
 	return user, nil
 }
+
+func (github *GithubOAuthService) GetName() string {
+	return github.name
+}

internal/service/google_oauth_service.go

@@ -28,6 +28,7 @@ type GoogleOAuthService struct {
 	context  context.Context
 	token    *oauth2.Token
 	verifier string
+	name     string
 }
 
 func NewGoogleOAuthService(config config.OAuthServiceConfig) *GoogleOAuthService {
@@ -39,6 +40,7 @@ func NewGoogleOAuthService(config config.OAuthServiceConfig) *GoogleOAuthService
 			Scopes:       GoogleOAuthScopes,
 			Endpoint:     endpoints.Google,
 		},
+		name: config.Name,
 	}
 }
 
@@ -111,3 +113,7 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
 
 	return user, nil
 }
+
+func (google *GoogleOAuthService) GetName() string {
+	return google.name
+}

internal/service/oauth_broker_service.go

@@ -14,6 +14,7 @@ type OAuthService interface {
 	GetAuthURL(state string) string
 	VerifyCode(code string) error
 	Userinfo() (config.Claims, error)
+	GetName() string
 }
 
 type OAuthBrokerService struct {

internal/utils/app_utils.go

@@ -6,32 +6,43 @@ import (
 	"net/url"
 	"strings"
 	"tinyauth/internal/config"
+	"tinyauth/internal/utils/decoders"
+
+	"maps"
 
 	"github.com/gin-gonic/gin"
-
 	"github.com/rs/zerolog"
+	"github.com/weppos/publicsuffix-go/publicsuffix"
 )
 
-// Get root domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
+// Get cookie domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
-func GetRootDomain(u string) (string, error) {
+func GetCookieDomain(u string) (string, error) {
-	appUrl, err := url.Parse(u)
+	parsed, err := url.Parse(u)
 	if err != nil {
 		return "", err
 	}
 
-	host := appUrl.Hostname()
+	host := parsed.Hostname()
 
 	if netIP := net.ParseIP(host); netIP != nil {
-		return "", errors.New("IP addresses are not allowed")
+		return "", errors.New("IP addresses not allowed")
 	}
 
-	urlParts := strings.Split(host, ".")
+	parts := strings.Split(host, ".")
 
-	if len(urlParts) < 3 {
+	if len(parts) < 3 {
-		return "", errors.New("invalid domain, must be at least second level domain")
+		return "", errors.New("invalid app url, must be at least second level domain")
 	}
 
-	return strings.Join(urlParts[1:], "."), nil
+	domain := strings.Join(parts[1:], ".")
+
+	_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, domain, nil)
+
+	if err != nil {
+		return "", errors.New("domain in public suffix list, cannot set cookies")
+	}
+
+	return domain, nil
 }
 
 func ParseFileToLine(content string) string {
@@ -89,13 +100,13 @@ func IsRedirectSafe(redirectURL string, domain string) bool {
 		return false
 	}
 
-	upper, err := GetRootDomain(redirectURL)
+	cookieDomain, err := GetCookieDomain(redirectURL)
 
 	if err != nil {
 		return false
 	}
 
-	if upper != domain {
+	if cookieDomain != domain {
 		return false
 	}
 
@@ -122,3 +133,68 @@ func GetLogLevel(level string) zerolog.Level {
 		return zerolog.InfoLevel
 	}
 }
+
+func GetOAuthProvidersConfig(env []string, args []string, appUrl string) (map[string]config.OAuthServiceConfig, error) {
+	providers := make(map[string]config.OAuthServiceConfig)
+
+	// Get from environment variables
+	envMap := make(map[string]string)
+
+	for _, e := range env {
+		pair := strings.SplitN(e, "=", 2)
+		if len(pair) == 2 {
+			envMap[pair[0]] = pair[1]
+		}
+	}
+
+	envProviders, err := decoders.DecodeEnv(envMap)
+
+	if err != nil {
+		return nil, err
+	}
+
+	maps.Copy(providers, envProviders.Providers)
+
+	// Get from flags
+	flagsMap := make(map[string]string)
+
+	for _, arg := range args[1:] {
+		if strings.HasPrefix(arg, "--") {
+			pair := strings.SplitN(arg[2:], "=", 2)
+			if len(pair) == 2 {
+				flagsMap[pair[0]] = pair[1]
+			}
+		}
+	}
+
+	flagProviders, err := decoders.DecodeFlags(flagsMap)
+
+	if err != nil {
+		return nil, err
+	}
+
+	maps.Copy(providers, flagProviders.Providers)
+
+	// For every provider get correct secret from file if set
+	for name, provider := range providers {
+		secret := GetSecret(provider.ClientSecret, provider.ClientSecretFile)
+		provider.ClientSecret = secret
+		provider.ClientSecretFile = ""
+		providers[name] = provider
+	}
+
+	// If we have google/github providers and no redirect URL babysit them
+	babysitProviders := []string{"google", "github"}
+
+	for _, name := range babysitProviders {
+		if provider, exists := providers[name]; exists {
+			if provider.RedirectURL == "" {
+				provider.RedirectURL = appUrl + "/api/oauth/callback/" + name
+				providers[name] = provider
+			}
+		}
+	}
+
+	// Return combined providers
+	return providers, nil
+}

internal/utils/app_utils_test.go

@@ -1,6 +1,7 @@
 package utils_test
 
 import (
+	"os"
 	"testing"
 	"tinyauth/internal/config"
 	"tinyauth/internal/utils"
@@ -11,53 +12,58 @@ import (
 
 func TestGetRootDomain(t *testing.T) {
 	// Normal case
-	domain := "http://sub.example.com"
+	domain := "http://sub.tinyauth.app"
-	expected := "example.com"
+	expected := "tinyauth.app"
-	result, err := utils.GetRootDomain(domain)
+	result, err := utils.GetCookieDomain(domain)
 	assert.NilError(t, err)
 	assert.Equal(t, expected, result)
 
 	// Domain with multiple subdomains
-	domain = "http://b.c.example.com"
+	domain = "http://b.c.tinyauth.app"
-	expected = "c.example.com"
+	expected = "c.tinyauth.app"
-	result, err = utils.GetRootDomain(domain)
+	result, err = utils.GetCookieDomain(domain)
 	assert.NilError(t, err)
 	assert.Equal(t, expected, result)
 
 	// Domain with no subdomain
-	domain = "http://example.com"
+	domain = "http://tinyauth.app"
-	expected = "example.com"
+	expected = "tinyauth.app"
-	_, err = utils.GetRootDomain(domain)
+	_, err = utils.GetCookieDomain(domain)
-	assert.Error(t, err, "invalid domain, must be at least second level domain")
+	assert.Error(t, err, "invalid app url, must be at least second level domain")
 
 	// Invalid domain (only TLD)
 	domain = "com"
-	_, err = utils.GetRootDomain(domain)
+	_, err = utils.GetCookieDomain(domain)
-	assert.ErrorContains(t, err, "invalid domain")
+	assert.ErrorContains(t, err, "invalid app url, must be at least second level domain")
 
 	// IP address
 	domain = "http://10.10.10.10"
-	_, err = utils.GetRootDomain(domain)
+	_, err = utils.GetCookieDomain(domain)
-	assert.ErrorContains(t, err, "IP addresses are not allowed")
+	assert.ErrorContains(t, err, "IP addresses not allowed")
 
 	// Invalid URL
 	domain = "http://[::1]:namedport"
-	_, err = utils.GetRootDomain(domain)
+	_, err = utils.GetCookieDomain(domain)
 	assert.ErrorContains(t, err, "parse \"http://[::1]:namedport\": invalid port \":namedport\" after host")
 
 	// URL with scheme and path
-	domain = "https://sub.example.com/path"
+	domain = "https://sub.tinyauth.app/path"
-	expected = "example.com"
+	expected = "tinyauth.app"
-	result, err = utils.GetRootDomain(domain)
+	result, err = utils.GetCookieDomain(domain)
 	assert.NilError(t, err)
 	assert.Equal(t, expected, result)
 
 	// URL with port
-	domain = "http://sub.example.com:8080"
+	domain = "http://sub.tinyauth.app:8080"
-	expected = "example.com"
+	expected = "tinyauth.app"
-	result, err = utils.GetRootDomain(domain)
+	result, err = utils.GetCookieDomain(domain)
 	assert.NilError(t, err)
 	assert.Equal(t, expected, result)
+
+	// Domain managed by ICANN
+	domain = "http://example.co.uk"
+	_, err = utils.GetCookieDomain(domain)
+	assert.Error(t, err, "domain in public suffix list, cannot set cookies")
 }
 
 func TestParseFileToLine(t *testing.T) {
@@ -195,3 +201,71 @@ func TestIsRedirectSafe(t *testing.T) {
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.Equal(t, false, result)
 }
+
+func TestGetOAuthProvidersConfig(t *testing.T) {
+	env := []string{"PROVIDERS_CLIENT1_CLIENT_ID=client1-id", "PROVIDERS_CLIENT1_CLIENT_SECRET=client1-secret"}
+	args := []string{"/tinyauth/tinyauth", "--providers-client2-client-id=client2-id", "--providers-client2-client-secret=client2-secret"}
+
+	expected := map[string]config.OAuthServiceConfig{
+		"client1": {
+			ClientID:     "client1-id",
+			ClientSecret: "client1-secret",
+		},
+		"client2": {
+			ClientID:     "client2-id",
+			ClientSecret: "client2-secret",
+		},
+	}
+
+	result, err := utils.GetOAuthProvidersConfig(env, args, "")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, result)
+
+	// Case with no providers
+	env = []string{}
+	args = []string{"/tinyauth/tinyauth"}
+	expected = map[string]config.OAuthServiceConfig{}
+
+	result, err = utils.GetOAuthProvidersConfig(env, args, "")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, result)
+
+	// Case with secret from file
+	file, err := os.Create("/tmp/tinyauth_test_file")
+	assert.NilError(t, err)
+
+	_, err = file.WriteString("file content\n")
+	assert.NilError(t, err)
+
+	err = file.Close()
+	assert.NilError(t, err)
+	defer os.Remove("/tmp/tinyauth_test_file")
+
+	env = []string{"PROVIDERS_CLIENT1_CLIENT_ID=client1-id", "PROVIDERS_CLIENT1_CLIENT_SECRET_FILE=/tmp/tinyauth_test_file"}
+	args = []string{"/tinyauth/tinyauth"}
+	expected = map[string]config.OAuthServiceConfig{
+		"client1": {
+			ClientID:     "client1-id",
+			ClientSecret: "file content",
+		},
+	}
+
+	result, err = utils.GetOAuthProvidersConfig(env, args, "")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, result)
+
+	// Case with google provider and no redirect URL
+	env = []string{"PROVIDERS_GOOGLE_CLIENT_ID=google-id", "PROVIDERS_GOOGLE_CLIENT_SECRET=google-secret"}
+	args = []string{"/tinyauth/tinyauth"}
+	expected = map[string]config.OAuthServiceConfig{
+		"google": {
+			ClientID:     "google-id",
+			ClientSecret: "google-secret",
+			RedirectURL:  "http://app.url/api/oauth/callback/google",
+		},
+	}
+
+	result, err = utils.GetOAuthProvidersConfig(env, args, "http://app.url")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, result)
+}

internal/utils/decoders/decoders.go

@@ -0,0 +1,81 @@
+package decoders
+
+import (
+	"reflect"
+	"strings"
+	"tinyauth/internal/config"
+)
+
+func NormalizeKeys(keys map[string]string, rootName string, sep string) map[string]string {
+	normalized := make(map[string]string)
+	knownKeys := getKnownKeys()
+
+	for k, v := range keys {
+		var finalKey []string
+		var suffix string
+		var camelClientName string
+		var camelField string
+
+		finalKey = append(finalKey, rootName)
+		finalKey = append(finalKey, "providers")
+		cebabKey := strings.ToLower(k)
+
+		for _, known := range knownKeys {
+			if strings.HasSuffix(cebabKey, strings.ReplaceAll(known, "-", sep)) {
+				suffix = known
+				break
+			}
+		}
+
+		if suffix == "" {
+			continue
+		}
+
+		clientNameParts := strings.Split(strings.TrimPrefix(strings.TrimSuffix(cebabKey, sep+strings.ReplaceAll(suffix, "-", sep)), "providers"+sep), sep)
+
+		for i, p := range clientNameParts {
+			if i == 0 {
+				camelClientName += p
+				continue
+			}
+			if p == "" {
+				continue
+			}
+			camelClientName += strings.ToUpper(string([]rune(p)[0])) + string([]rune(p)[1:])
+		}
+
+		finalKey = append(finalKey, camelClientName)
+
+		filedParts := strings.Split(suffix, "-")
+
+		for i, p := range filedParts {
+			if i == 0 {
+				camelField += p
+				continue
+			}
+			if p == "" {
+				continue
+			}
+			camelField += strings.ToUpper(string([]rune(p)[0])) + string([]rune(p)[1:])
+		}
+
+		finalKey = append(finalKey, camelField)
+		normalized[strings.Join(finalKey, ".")] = v
+	}
+
+	return normalized
+}
+
+func getKnownKeys() []string {
+	var known []string
+
+	p := config.OAuthServiceConfig{}
+	v := reflect.ValueOf(p)
+	typeOfP := v.Type()
+
+	for field := range typeOfP.NumField() {
+		known = append(known, typeOfP.Field(field).Tag.Get("key"))
+	}
+
+	return known
+}

internal/utils/decoders/decoders_test.go

@@ -0,0 +1,44 @@
+package decoders_test
+
+import (
+	"testing"
+	"tinyauth/internal/utils/decoders"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestNormalizeKeys(t *testing.T) {
+	// Test with env
+	test := map[string]string{
+		"PROVIDERS_CLIENT1_CLIENT_ID":                    "my-client-id",
+		"PROVIDERS_CLIENT1_CLIENT_SECRET":                "my-client-secret",
+		"PROVIDERS_MY_AWESOME_CLIENT_CLIENT_ID":          "my-awesome-client-id",
+		"PROVIDERS_MY_AWESOME_CLIENT_CLIENT_SECRET_FILE": "/path/to/secret",
+	}
+	expected := map[string]string{
+		"tinyauth.providers.client1.clientId":                 "my-client-id",
+		"tinyauth.providers.client1.clientSecret":             "my-client-secret",
+		"tinyauth.providers.myAwesomeClient.clientId":         "my-awesome-client-id",
+		"tinyauth.providers.myAwesomeClient.clientSecretFile": "/path/to/secret",
+	}
+
+	normalized := decoders.NormalizeKeys(test, "tinyauth", "_")
+	assert.DeepEqual(t, normalized, expected)
+
+	// Test with flags (assume -- is already stripped)
+	test = map[string]string{
+		"providers-client1-client-id":                    "my-client-id",
+		"providers-client1-client-secret":                "my-client-secret",
+		"providers-my-awesome-client-client-id":          "my-awesome-client-id",
+		"providers-my-awesome-client-client-secret-file": "/path/to/secret",
+	}
+	expected = map[string]string{
+		"tinyauth.providers.client1.clientId":                 "my-client-id",
+		"tinyauth.providers.client1.clientSecret":             "my-client-secret",
+		"tinyauth.providers.myAwesomeClient.clientId":         "my-awesome-client-id",
+		"tinyauth.providers.myAwesomeClient.clientSecretFile": "/path/to/secret",
+	}
+
+	normalized = decoders.NormalizeKeys(test, "tinyauth", "-")
+	assert.DeepEqual(t, normalized, expected)
+}

internal/utils/decoders/env_decoder.go

@@ -0,0 +1,20 @@
+package decoders
+
+import (
+	"tinyauth/internal/config"
+
+	"github.com/traefik/paerser/parser"
+)
+
+func DecodeEnv(env map[string]string) (config.Providers, error) {
+	normalized := NormalizeKeys(env, "tinyauth", "_")
+	var providers config.Providers
+
+	err := parser.Decode(normalized, &providers, "tinyauth", "tinyauth.providers")
+
+	if err != nil {
+		return config.Providers{}, err
+	}
+
+	return providers, nil
+}

internal/utils/decoders/env_decoder_test.go

@@ -0,0 +1,60 @@
+package decoders_test
+
+import (
+	"testing"
+	"tinyauth/internal/config"
+	"tinyauth/internal/utils/decoders"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestDecodeEnv(t *testing.T) {
+	// Variables
+	expected := config.Providers{
+		Providers: map[string]config.OAuthServiceConfig{
+			"client1": {
+				ClientID:           "client1-id",
+				ClientSecret:       "client1-secret",
+				Scopes:             []string{"client1-scope1", "client1-scope2"},
+				RedirectURL:        "client1-redirect-url",
+				AuthURL:            "client1-auth-url",
+				UserinfoURL:        "client1-user-info-url",
+				Name:               "Client1",
+				InsecureSkipVerify: false,
+			},
+			"client2": {
+				ClientID:           "client2-id",
+				ClientSecret:       "client2-secret",
+				Scopes:             []string{"client2-scope1", "client2-scope2"},
+				RedirectURL:        "client2-redirect-url",
+				AuthURL:            "client2-auth-url",
+				UserinfoURL:        "client2-user-info-url",
+				Name:               "My Awesome Client2",
+				InsecureSkipVerify: false,
+			},
+		},
+	}
+	test := map[string]string{
+		"PROVIDERS_CLIENT1_CLIENT_ID":            "client1-id",
+		"PROVIDERS_CLIENT1_CLIENT_SECRET":        "client1-secret",
+		"PROVIDERS_CLIENT1_SCOPES":               "client1-scope1,client1-scope2",
+		"PROVIDERS_CLIENT1_REDIRECT_URL":         "client1-redirect-url",
+		"PROVIDERS_CLIENT1_AUTH_URL":             "client1-auth-url",
+		"PROVIDERS_CLIENT1_USER_INFO_URL":        "client1-user-info-url",
+		"PROVIDERS_CLIENT1_NAME":                 "Client1",
+		"PROVIDERS_CLIENT1_INSECURE_SKIP_VERIFY": "false",
+		"PROVIDERS_CLIENT2_CLIENT_ID":            "client2-id",
+		"PROVIDERS_CLIENT2_CLIENT_SECRET":        "client2-secret",
+		"PROVIDERS_CLIENT2_SCOPES":               "client2-scope1,client2-scope2",
+		"PROVIDERS_CLIENT2_REDIRECT_URL":         "client2-redirect-url",
+		"PROVIDERS_CLIENT2_AUTH_URL":             "client2-auth-url",
+		"PROVIDERS_CLIENT2_USER_INFO_URL":        "client2-user-info-url",
+		"PROVIDERS_CLIENT2_NAME":                 "My Awesome Client2",
+		"PROVIDERS_CLIENT2_INSECURE_SKIP_VERIFY": "false",
+	}
+
+	// Test
+	res, err := decoders.DecodeEnv(test)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, res)
+}

internal/utils/decoders/flags_decoder.go

@@ -0,0 +1,30 @@
+package decoders
+
+import (
+	"strings"
+	"tinyauth/internal/config"
+
+	"github.com/traefik/paerser/parser"
+)
+
+func DecodeFlags(flags map[string]string) (config.Providers, error) {
+	filtered := filterFlags(flags)
+	normalized := NormalizeKeys(filtered, "tinyauth", "-")
+	var providers config.Providers
+
+	err := parser.Decode(normalized, &providers, "tinyauth", "tinyauth.providers")
+
+	if err != nil {
+		return config.Providers{}, err
+	}
+
+	return providers, nil
+}
+
+func filterFlags(flags map[string]string) map[string]string {
+	filtered := make(map[string]string)
+	for k, v := range flags {
+		filtered[strings.TrimPrefix(k, "--")] = v
+	}
+	return filtered
+}

internal/utils/decoders/flags_decoder_test.go

@@ -0,0 +1,60 @@
+package decoders_test
+
+import (
+	"testing"
+	"tinyauth/internal/config"
+	"tinyauth/internal/utils/decoders"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestDecodeFlags(t *testing.T) {
+	// Variables
+	expected := config.Providers{
+		Providers: map[string]config.OAuthServiceConfig{
+			"client1": {
+				ClientID:           "client1-id",
+				ClientSecret:       "client1-secret",
+				Scopes:             []string{"client1-scope1", "client1-scope2"},
+				RedirectURL:        "client1-redirect-url",
+				AuthURL:            "client1-auth-url",
+				UserinfoURL:        "client1-user-info-url",
+				Name:               "Client1",
+				InsecureSkipVerify: false,
+			},
+			"client2": {
+				ClientID:           "client2-id",
+				ClientSecret:       "client2-secret",
+				Scopes:             []string{"client2-scope1", "client2-scope2"},
+				RedirectURL:        "client2-redirect-url",
+				AuthURL:            "client2-auth-url",
+				UserinfoURL:        "client2-user-info-url",
+				Name:               "My Awesome Client2",
+				InsecureSkipVerify: false,
+			},
+		},
+	}
+	test := map[string]string{
+		"--providers-client1-client-id":            "client1-id",
+		"--providers-client1-client-secret":        "client1-secret",
+		"--providers-client1-scopes":               "client1-scope1,client1-scope2",
+		"--providers-client1-redirect-url":         "client1-redirect-url",
+		"--providers-client1-auth-url":             "client1-auth-url",
+		"--providers-client1-user-info-url":        "client1-user-info-url",
+		"--providers-client1-name":                 "Client1",
+		"--providers-client1-insecure-skip-verify": "false",
+		"--providers-client2-client-id":            "client2-id",
+		"--providers-client2-client-secret":        "client2-secret",
+		"--providers-client2-scopes":               "client2-scope1,client2-scope2",
+		"--providers-client2-redirect-url":         "client2-redirect-url",
+		"--providers-client2-auth-url":             "client2-auth-url",
+		"--providers-client2-user-info-url":        "client2-user-info-url",
+		"--providers-client2-name":                 "My Awesome Client2",
+		"--providers-client2-insecure-skip-verify": "false",
+	}
+
+	// Test
+	res, err := decoders.DecodeFlags(test)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, res)
+}

internal/utils/decoders/label_decoder_test.go

@@ -1,10 +1,11 @@
 package decoders_test
 
 import (
-	"reflect"
 	"testing"
 	"tinyauth/internal/config"
 	"tinyauth/internal/utils/decoders"
+
+	"gotest.tools/v3/assert"
 )
 
 func TestDecodeLabels(t *testing.T) {
@@ -62,12 +63,6 @@ func TestDecodeLabels(t *testing.T) {
 
 	// Test
 	result, err := decoders.DecodeLabels(test)
-
+	assert.NilError(t, err)
-	if err != nil {
+	assert.DeepEqual(t, expected, result)
-		t.Fatalf("Unexpected error: %v", err)
-	}
-
-	if reflect.DeepEqual(expected, result) == false {
-		t.Fatalf("Expected %v but got %v", expected, result)
-	}
 }