feat: adapt frontend to oidc flow

refactor: implement oidc following tinyauth patterns
feat: implement basic oidc functionality
2026-03-01 20:32:03 +00:00 · 2026-01-24 15:52:22 +02:00 · 2026-01-24 14:31:03 +02:00 · 2026-01-22 22:30:23 +02:00 · 2026-01-21 20:12:32 +02:00 · 2026-01-21 18:54:00 +02:00
100 changed files with 1531 additions and 4010 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,174 +1,99 @@
-# This file is automatically generated by gen/gen_env.go. Do not edit manually.
+# Base Configuration
-# Tinyauth example configuration
+# The base URL where Tinyauth is accessible
 TINYAUTH_APPURL="https://auth.example.com"
 # Directory for static resources
 TINYAUTH_RESOURCESDIR="/data/resources"
 # Path to SQLite database file
 TINYAUTH_DATABASEPATH="/data/tinyauth.db"
 # Disable version heartbeat
 TINYAUTH_DISABLEANALYTICS="false"
 # Disable static resource serving
 TINYAUTH_DISABLERESOURCES="false"
 # Disable UI warning messages
 TINYAUTH_DISABLEUIWARNINGS="false"
-# The base URL where the app is hosted.
+# Logging Configuration
 TINYAUTH_APPURL=
 # The directory where resources are stored.
 TINYAUTH_RESOURCESDIR="./resources"
 # The path to the database file.
 TINYAUTH_DATABASEPATH="./tinyauth.db"
 # Disable analytics.
 TINYAUTH_DISABLEANALYTICS=false
 # Disable resources server.
 TINYAUTH_DISABLERESOURCES=false
-# server config
+# Log level: trace, debug, info, warn, error
 # The port on which the server listens.
 TINYAUTH_SERVER_PORT=3000
 # The address on which the server listens.
 TINYAUTH_SERVER_ADDRESS="0.0.0.0"
 # The path to the Unix socket.
 TINYAUTH_SERVER_SOCKETPATH=
 # auth config
 # List of allowed IPs or CIDR ranges.
 TINYAUTH_AUTH_IP_ALLOW=
 # List of blocked IPs or CIDR ranges.
 TINYAUTH_AUTH_IP_BLOCK=
 # Comma-separated list of users (username:hashed_password).
 TINYAUTH_AUTH_USERS=
 # Path to the users file.
 TINYAUTH_AUTH_USERSFILE=
 # Enable secure cookies.
 TINYAUTH_AUTH_SECURECOOKIE=false
 # Session expiry time in seconds.
 TINYAUTH_AUTH_SESSIONEXPIRY=86400
 # Maximum session lifetime in seconds.
 TINYAUTH_AUTH_SESSIONMAXLIFETIME=0
 # Login timeout in seconds.
 TINYAUTH_AUTH_LOGINTIMEOUT=300
 # Maximum login retries.
 TINYAUTH_AUTH_LOGINMAXRETRIES=3
 # Comma-separated list of trusted proxy addresses.
 TINYAUTH_AUTH_TRUSTEDPROXIES=
 # apps config
 # The domain of the app.
 TINYAUTH_APPS_name_CONFIG_DOMAIN=
 # Comma-separated list of allowed users.
 TINYAUTH_APPS_name_USERS_ALLOW=
 # Comma-separated list of blocked users.
 TINYAUTH_APPS_name_USERS_BLOCK=
 # Comma-separated list of allowed OAuth groups.
 TINYAUTH_APPS_name_OAUTH_WHITELIST=
 # Comma-separated list of required OAuth groups.
 TINYAUTH_APPS_name_OAUTH_GROUPS=
 # List of allowed IPs or CIDR ranges.
 TINYAUTH_APPS_name_IP_ALLOW=
 # List of blocked IPs or CIDR ranges.
 TINYAUTH_APPS_name_IP_BLOCK=
 # List of IPs or CIDR ranges that bypass authentication.
 TINYAUTH_APPS_name_IP_BYPASS=
 # Custom headers to add to the response.
 TINYAUTH_APPS_name_RESPONSE_HEADERS=
 # Basic auth username.
 TINYAUTH_APPS_name_RESPONSE_BASICAUTH_USERNAME=
 # Basic auth password.
 TINYAUTH_APPS_name_RESPONSE_BASICAUTH_PASSWORD=
 # Path to the file containing the basic auth password.
 TINYAUTH_APPS_name_RESPONSE_BASICAUTH_PASSWORDFILE=
 # Comma-separated list of allowed paths.
 TINYAUTH_APPS_name_PATH_ALLOW=
 # Comma-separated list of blocked paths.
 TINYAUTH_APPS_name_PATH_BLOCK=
 # Comma-separated list of required LDAP groups.
 TINYAUTH_APPS_name_LDAP_GROUPS=
 # oauth config
 # Comma-separated list of allowed OAuth domains.
 TINYAUTH_OAUTH_WHITELIST=
 # The OAuth provider to use for automatic redirection.
 TINYAUTH_OAUTH_AUTOREDIRECT=
 # OAuth client ID.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTID=
 # OAuth client secret.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRET=
 # Path to the file containing the OAuth client secret.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRETFILE=
 # OAuth scopes.
 TINYAUTH_OAUTH_PROVIDERS_name_SCOPES=
 # OAuth redirect URL.
 TINYAUTH_OAUTH_PROVIDERS_name_REDIRECTURL=
 # OAuth authorization URL.
 TINYAUTH_OAUTH_PROVIDERS_name_AUTHURL=
 # OAuth token URL.
 TINYAUTH_OAUTH_PROVIDERS_name_TOKENURL=
 # OAuth userinfo URL.
 TINYAUTH_OAUTH_PROVIDERS_name_USERINFOURL=
 # Allow insecure OAuth connections.
 TINYAUTH_OAUTH_PROVIDERS_name_INSECURE=false
 # Provider name in UI.
 TINYAUTH_OAUTH_PROVIDERS_name_NAME=
 # oidc config
 # Path to the private key file.
 TINYAUTH_OIDC_PRIVATEKEYPATH="./tinyauth_oidc_key"
 # Path to the public key file.
 TINYAUTH_OIDC_PUBLICKEYPATH="./tinyauth_oidc_key.pub"
 # OIDC client ID.
 TINYAUTH_OIDC_CLIENTS_name_CLIENTID=
 # OIDC client secret.
 TINYAUTH_OIDC_CLIENTS_name_CLIENTSECRET=
 # Path to the file containing the OIDC client secret.
 TINYAUTH_OIDC_CLIENTS_name_CLIENTSECRETFILE=
 # List of trusted redirect URIs.
 TINYAUTH_OIDC_CLIENTS_name_TRUSTEDREDIRECTURIS=
 # Client name in UI.
 TINYAUTH_OIDC_CLIENTS_name_NAME=
 # ui config
 # The title of the UI.
 TINYAUTH_UI_TITLE="Tinyauth"
 # Message displayed on the forgot password page.
 TINYAUTH_UI_FORGOTPASSWORDMESSAGE="You can change your password by changing the configuration."
 # Path to the background image.
 TINYAUTH_UI_BACKGROUNDIMAGE="/background.jpg"
 # Disable UI warnings.
 TINYAUTH_UI_DISABLEWARNINGS=false
 # ldap config
 # LDAP server address.
 TINYAUTH_LDAP_ADDRESS=
 # Bind DN for LDAP authentication.
 TINYAUTH_LDAP_BINDDN=
 # Bind password for LDAP authentication.
 TINYAUTH_LDAP_BINDPASSWORD=
 # Base DN for LDAP searches.
 TINYAUTH_LDAP_BASEDN=
 # Allow insecure LDAP connections.
 TINYAUTH_LDAP_INSECURE=false
 # LDAP search filter.
 TINYAUTH_LDAP_SEARCHFILTER="(uid=%s)"
 # Certificate for mTLS authentication.
 TINYAUTH_LDAP_AUTHCERT=
 # Certificate key for mTLS authentication.
 TINYAUTH_LDAP_AUTHKEY=
 # Cache duration for LDAP group membership in seconds.
 TINYAUTH_LDAP_GROUPCACHETTL=900
 # log config
 # Log level (trace, debug, info, warn, error).
 TINYAUTH_LOG_LEVEL="info"
-# Enable JSON formatted logs.
+# Enable JSON formatted logs
-TINYAUTH_LOG_JSON=false
+TINYAUTH_LOG_JSON="false"
-# Enable this log stream.
+# Specific Log stream configurations
-TINYAUTH_LOG_STREAMS_HTTP_ENABLED=true
+# APP and HTTP log streams are enabled by default, and use the global log level unless overridden
-# Log level for this stream. Use global if empty.
+TINYAUTH_LOG_STREAMS_APP_ENABLED="true"
-TINYAUTH_LOG_STREAMS_HTTP_LEVEL=
+TINYAUTH_LOG_STREAMS_APP_LEVEL="info"
-# Enable this log stream.
+TINYAUTH_LOG_STREAMS_HTTP_ENABLED="true"
-TINYAUTH_LOG_STREAMS_APP_ENABLED=true
+TINYAUTH_LOG_STREAMS_HTTP_LEVEL="info"
-# Log level for this stream. Use global if empty.
+TINYAUTH_LOG_STREAMS_AUDIT_ENABLED="false"
-TINYAUTH_LOG_STREAMS_APP_LEVEL=
+TINYAUTH_LOG_STREAMS_AUDIT_LEVEL="info"
-# Enable this log stream.
+
-TINYAUTH_LOG_STREAMS_AUDIT_ENABLED=false
+# Server Configuration
-# Log level for this stream. Use global if empty.
+
-TINYAUTH_LOG_STREAMS_AUDIT_LEVEL=
+# Port to listen on
 TINYAUTH_SERVER_PORT="3000"
 # Interface to bind to (0.0.0.0 for all interfaces)
 TINYAUTH_SERVER_ADDRESS="0.0.0.0"
 # Unix socket path (optional, overrides port/address if set)
 TINYAUTH_SERVER_SOCKETPATH=""
 # Comma-separated list of trusted proxy IPs/CIDRs
 TINYAUTH_SERVER_TRUSTEDPROXIES=""
 # Authentication Configuration
 # Format: username:bcrypt_hash (use bcrypt to generate hash)
 TINYAUTH_AUTH_USERS="admin:$2a$10$example_bcrypt_hash_here"
 # Path to external users file (optional)
 TINYAUTH_AUTH_USERSFILE=""
 # Enable secure cookies (requires HTTPS)
 TINYAUTH_AUTH_SECURECOOKIE="true"
 # Session expiry in seconds (7200 = 2 hours)
 TINYAUTH_AUTH_SESSIONEXPIRY="7200"
 # Session maximum lifetime in seconds (0 = unlimited)
 TINYAUTH_AUTH_SESSIONMAXLIFETIME="0"
 # Login timeout in seconds (300 = 5 minutes)
 TINYAUTH_AUTH_LOGINTIMEOUT="300"
 # Maximum login retries before lockout
 TINYAUTH_AUTH_LOGINMAXRETRIES="5"
 # OAuth Configuration
 # Regex pattern for allowed email addresses (e.g., /@example\.com$/)
 TINYAUTH_OAUTH_WHITELIST=""
 # Provider ID to auto-redirect to (skips login page)
 TINYAUTH_OAUTH_AUTOREDIRECT=""
 # OAuth Provider Configuration (replace MYPROVIDER with your provider name)
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTID="your_client_id_here"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTSECRET="your_client_secret_here"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_AUTHURL="https://provider.example.com/oauth/authorize"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_TOKENURL="https://provider.example.com/oauth/token"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_USERINFOURL="https://provider.example.com/oauth/userinfo"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_REDIRECTURL="https://auth.example.com/oauth/callback/myprovider"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_SCOPES="openid email profile"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_NAME="My OAuth Provider"
 # Allow self-signed certificates
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_INSECURE="false"
 # UI Customization
 # Custom title for login page
 TINYAUTH_UI_TITLE="Tinyauth"
 # Message shown on forgot password page
 TINYAUTH_UI_FORGOTPASSWORDMESSAGE="Contact your administrator to reset your password"
 # Background image URL for login page
 TINYAUTH_UI_BACKGROUNDIMAGE=""
 # LDAP Configuration
 # LDAP server address
 TINYAUTH_LDAP_ADDRESS="ldap://ldap.example.com:389"
 # DN for binding to LDAP server
 TINYAUTH_LDAP_BINDDN="cn=readonly,dc=example,dc=com"
 # Password for bind DN
 TINYAUTH_LDAP_BINDPASSWORD="your_bind_password"
 # Base DN for user searches
 TINYAUTH_LDAP_BASEDN="dc=example,dc=com"
 # Search filter (%s will be replaced with username)
 TINYAUTH_LDAP_SEARCHFILTER="(&(uid=%s)(memberOf=cn=users,ou=groups,dc=example,dc=com))"
 # Allow insecure LDAP connections
 TINYAUTH_LDAP_INSECURE="false"
--- a/.gitignore
+++ b/.gitignore
@@ -39,9 +39,3 @@ __debug_*
 # infisical
 /.infisical.json
 # traefik data
 /traefik
 # generated markdown (for docs)
 /config.gen.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,25 +1,24 @@
 # Contributing
-Contributing to Tinyauth is straightforward. Follow the steps below to set up a development server.
+Contributing is relatively easy, you just need to follow the steps below and you will be up and running with a development server in less than five minutes.
 ## Requirements
 - Bun
- Golang v1.24.0 or later
+- Golang 1.24.0+
 - Git
 - Docker
 - Make
-## Cloning the Repository
+## Cloning the repository
-Start by cloning the repository:
+You firstly need to clone the repository with:
 ```sh
 git clone https://github.com/steveiliop56/tinyauth
 cd tinyauth
 ```
-## Initialize Submodules
+## Initialize submodules
 The project uses Git submodules for some dependencies, so you need to initialize them with:
@@ -28,58 +27,50 @@ git submodule init
 git submodule update
 ```
-## Apply patches
+## Install requirements
-Some of the dependencies must be patched in order to work correctly with the project, you can apply the patches by running:
+Although you will not need the requirements in your machine since the development will happen in Docker, I still recommend to install them because this way you will not have import errors. To install the Go requirements run:
 ```sh
-git apply --directory paerser/ patches/nested_maps.diff
+go mod download
 ```
-## Installing Requirements
+You also need to download the frontend dependencies, this can be done like so:
 While development occurs within Docker, installing the requirements locally is recommended to avoid import errors. Install the Go dependencies:
 ```sh
 go mod tidy
 ```
 Frontend dependencies can be installed as follows:
 ```sh
 cd frontend/
 bun install
 ```
-## Create the `.env` file
+## Apply patches
-Configuration requires an environment file. Copy the `.env.example` file to `.env` and adjust the environment variables as needed.
+Some of the dependencies need to be patched in order to work correctly with the project, you can apply the patches by running:
-## Development Workflow
+```sh
 git apply --directory paerser/ patches/nested_maps.diff
 ```
-The development workflow is designed to run entirely within Docker, ensuring compatibility with Traefik and eliminating the need for local builds. A recommended setup involves pointing a subdomain to the local machine:
+## Create your `.env` file
 In order to configure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables to suit your needs.
 ## Developing
 I have designed the development workflow to be entirely in Docker, this is because it will directly work with Traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
 ```
 *.dev.example.com -> 127.0.0.1
 dev.example.com -> 127.0.0.1
 ```
-> [!NOTE]
+> [!TIP]
-> A domain from [sslip.io](https://sslip.io) can be used if a custom domain is
+> You can use [sslip.io](https://sslip.io) as a domain if you don't have one to develop with.
  unavailable. For example, set the Tinyauth domain to `tinyauth.127.0.0.1.sslip.io` and the whoami domain to `whoami.127.0.0.1.sslip.io`.
-Ensure the domains are correctly configured in the development Docker Compose file, then start the development environment:
+Then you can just make sure the domains are correct in the development Docker compose file and run:
 ```sh
-make dev
+docker compose -f docker-compose.dev.yml up --build
 ```
 In case you need to build the binary locally, you can run:
 ```sh
 make binary
 ```
 > [!NOTE]
-> Copying the example `docker-compose.dev.yml` file to `docker-compose.test.yml`
+> I recommend copying the example `docker-compose.dev.yml` into a `docker-compose.test.yml` file, so as you don't accidentally commit any sensitive information.
  is recommended to prevent accidental commits of sensitive information. The make recipe will automatically use `docker-compose.test.yml` as well as `docker-compose.test.prod.yml` (for the `make prod` recipe) if it exists.
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.3.10-alpine AS frontend-builder
+FROM oven/bun:1.3.6-alpine AS frontend-builder
 WORKDIR /frontend
--- a/Dockerfile.distroless
+++ b/Dockerfile.distroless
@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.3.10-alpine AS frontend-builder
+FROM oven/bun:1.3.6-alpine AS frontend-builder
 WORKDIR /frontend
--- a/22
+++ b/22
@@ -10,7 +10,7 @@ BUILD_TIMESTAMP := $(shell date '+%Y-%m-%dT%H:%M:%S')
 BIN_NAME := tinyauth-$(GOARCH)
 # Development vars
-DEV_COMPOSE := $(shell test -f "docker-compose.test.yml" && echo "docker-compose.test.yml" || echo "docker-compose.dev.yml" )
+DEV_COMPOSE := $(shell test -f "docker-compose.test.yml" && echo "docker-compose.test.yml" || echo "docker-compose.yml" )
 PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-compose.test.prod.yml" || echo "docker-compose.example.yml" )
 # Deps
@@ -18,10 +18,6 @@ deps:
 	bun install --cwd frontend
 	go mod download
 # Clean data
 clean-data:
 	rm -rf data/
 # Clean web UI build
 clean-webui:
 	rm -rf internal/assets/dist
@@ -60,26 +56,18 @@ test:
 	go test -v ./...
 # Development
-dev:
+develop:
-	docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
+	docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans
 # Development - Infisical
-dev-infisical:
+develop-infisical:
-	infisical run --env=dev -- docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
+	infisical run --env=dev -- docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans
 # Production
 prod:
 	docker compose -f $(PROD_COMPOSE) up --force-recreate --pull=always --remove-orphans
 # Production - Infisical
 prod-infisical:
 	infisical run --env=dev -- docker compose -f $(PROD_COMPOSE) up --force-recreate --pull=always --remove-orphans
 # SQL
 .PHONY: sql
 sql:
 	sqlc generate
 # Go gen
 generate:
 	go run ./gen
--- a/README.md
+++ b/README.md
@@ -21,9 +21,6 @@ Tinyauth is a simple authentication middleware that adds a simple login screen o
 > [!WARNING]
 > Tinyauth is in active development and configuration may change often. Please make sure to carefully read the release notes before updating.
 > [!NOTE]
 > This is the main development branch. For the latest stable release, see the [documentation](https://tinyauth.app) or the latest stable tag.
 ## Getting Started
 You can easily get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities.
--- a/assets/screenshot.png
+++ b/assets/screenshot.png
--- a/cmd/tinyauth/create_user.go
+++ b/cmd/tinyauth/create_user.go
--- a/cmd/tinyauth/create_oidc_client.go
+++ b/cmd/tinyauth/create_oidc_client.go
@@ -1,72 +0,0 @@
 package main
 import (
 	"errors"
 	"fmt"
 	"regexp"
 	"strings"
 	"github.com/google/uuid"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/traefik/paerser/cli"
 )
 func createOidcClientCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "create",
 		Description:   "Create a new OIDC Client",
 		Configuration: nil,
 		Resources:     nil,
 		AllowArg:      true,
 		Run: func(args []string) error {
 			if len(args) == 0 {
 				return errors.New("client name is required. use tinyauth oidc create <name>")
 			}
 			clientName := args[0]
 			match, err := regexp.MatchString("^[a-zA-Z0-9-]*$", clientName)
 			if !match || err != nil {
 				return errors.New("client name can only contain alphanumeric characters and hyphens")
 			}
 			uuid := uuid.New()
 			clientId := uuid.String()
 			clientSecret := "ta-" + utils.GenerateString(61)
 			uclientName := strings.ToUpper(clientName)
 			lclientName := strings.ToLower(clientName)
 			builder := strings.Builder{}
 			// header
 			fmt.Fprintf(&builder, "Created credentials for client %s\n\n", clientName)
 			// credentials
 			fmt.Fprintf(&builder, "Client Name: %s\n", clientName)
 			fmt.Fprintf(&builder, "Client ID: %s\n", clientId)
 			fmt.Fprintf(&builder, "Client Secret: %s\n\n", clientSecret)
 			// env variables
 			fmt.Fprint(&builder, "Environment variables:\n\n")
 			fmt.Fprintf(&builder, "TINYAUTH_OIDC_CLIENTS_%s_CLIENTID=%s\n", uclientName, clientId)
 			fmt.Fprintf(&builder, "TINYAUTH_OIDC_CLIENTS_%s_CLIENTSECRET=%s\n", uclientName, clientSecret)
 			fmt.Fprintf(&builder, "TINYAUTH_OIDC_CLIENTS_%s_NAME=%s\n\n", uclientName, utils.Capitalize(lclientName))
 			// cli flags
 			fmt.Fprint(&builder, "CLI flags:\n\n")
 			fmt.Fprintf(&builder, "--oidc.clients.%s.clientid=%s\n", lclientName, clientId)
 			fmt.Fprintf(&builder, "--oidc.clients.%s.clientsecret=%s\n", lclientName, clientSecret)
 			fmt.Fprintf(&builder, "--oidc.clients.%s.name=%s\n\n", lclientName, utils.Capitalize(lclientName))
 			// footer
 			fmt.Fprintln(&builder, "You can use either option to configure your OIDC client. Make sure to save these credentials as there is no way to regenerate them.")
 			// print
 			out := builder.String()
 			fmt.Print(out)
 			return nil
 		},
 	}
 }
--- a/cmd/tinyauth/generate_totp.go
+++ b/cmd/tinyauth/generate_totp.go
--- a/cmd/tinyauth/healthcheck.go
+++ b/cmd/tinyauth/healthcheck.go
@@ -28,21 +28,14 @@ func healthcheckCmd() *cli.Command {
 		Run: func(args []string) error {
 			tlog.NewSimpleLogger().Init()
-			appUrl := "http://127.0.0.1:3000"
+			appUrl := os.Getenv("TINYAUTH_APPURL")
 			srvAddr := os.Getenv("TINYAUTH_SERVER_ADDRESS")
 			srvPort := os.Getenv("TINYAUTH_SERVER_PORT")
 			if srvAddr != "" && srvPort != "" {
 				appUrl = fmt.Sprintf("http://%s:%s", srvAddr, srvPort)
 			}
 			if len(args) > 0 {
 				appUrl = args[0]
 			}
 			if appUrl == "" {
-				return errors.New("Could not determine app URL")
+				return errors.New("TINYAUTH_APPURL is not set and no argument was provided")
 			}
 			tlog.App.Info().Str("app_url", appUrl).Msg("Performing health check")
--- a/cmd/tinyauth/tinyauth.go
+++ b/cmd/tinyauth/tinyauth.go
@@ -12,8 +12,60 @@ import (
 	"github.com/traefik/paerser/cli"
 )
 func NewTinyauthCmdConfiguration() *config.Config {
 	return &config.Config{
 		ResourcesDir: "./resources",
 		DatabasePath: "./tinyauth.db",
 		Server: config.ServerConfig{
 			Port:    3000,
 			Address: "0.0.0.0",
 		},
 		Auth: config.AuthConfig{
 			SessionExpiry:      86400, // 1 day
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
 			LoginMaxRetries:    3,
 		},
 		UI: config.UIConfig{
 			Title:                 "Tinyauth",
 			ForgotPasswordMessage: "You can change your password by changing the configuration.",
 			BackgroundImage:       "/background.jpg",
 		},
 		Ldap: config.LdapConfig{
 			Insecure:      false,
 			SearchFilter:  "(uid=%s)",
 			GroupCacheTTL: 900, // 15 minutes
 		},
 		Log: config.LogConfig{
 			Level: "info",
 			Json:  false,
 			Streams: config.LogStreams{
 				HTTP: config.LogStreamConfig{
 					Enabled: true,
 					Level:   "",
 				},
 				App: config.LogStreamConfig{
 					Enabled: true,
 					Level:   "",
 				},
 				Audit: config.LogStreamConfig{
 					Enabled: false,
 					Level:   "",
 				},
 			},
 		},
 		OIDC: config.OIDCConfig{
 			PrivateKeyPath: "./tinyauth_oidc_key",
 			PublicKeyPath:  "./tinyauth_oidc_key.pub",
 		},
 		Experimental: config.ExperimentalConfig{
 			ConfigFile: "",
 		},
 	}
 }
 func main() {
-	tConfig := config.NewDefaultConfiguration()
+	tConfig := NewTinyauthCmdConfiguration()
 	loaders := []cli.ResourceLoader{
 		&loaders.FileLoader{},
@@ -23,7 +75,7 @@ func main() {
 	cmdTinyauth := &cli.Command{
 		Name:          "tinyauth",
-		Description:   "The simplest way to protect your apps with a login screen",
+		Description:   "The simplest way to protect your apps with a login screen.",
 		Configuration: tConfig,
 		Resources:     loaders,
 		Run: func(_ []string) error {
@@ -31,28 +83,13 @@ func main() {
 		},
 	}
 	cmdUser := &cli.Command{
 		Name:        "user",
 		Description: "Manage Tinyauth users",
 	}
 	cmdTotp := &cli.Command{
 		Name:        "totp",
 		Description: "Manage Tinyauth TOTP users",
 	}
 	cmdOidc := &cli.Command{
 		Name:        "oidc",
 		Description: "Manage Tinyauth OIDC clients",
 	}
 	err := cmdTinyauth.AddCommand(versionCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add version command")
 	}
-	err = cmdUser.AddCommand(verifyUserCmd())
+	err = cmdTinyauth.AddCommand(verifyUserCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add verify command")
@@ -64,42 +101,18 @@ func main() {
 		log.Fatal().Err(err).Msg("Failed to add healthcheck command")
 	}
-	err = cmdTotp.AddCommand(generateTotpCmd())
+	err = cmdTinyauth.AddCommand(generateTotpCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add generate command")
 	}
-	err = cmdUser.AddCommand(createUserCmd())
+	err = cmdTinyauth.AddCommand(createUserCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add create command")
 	}
 	err = cmdOidc.AddCommand(createOidcClientCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add create command")
 	}
 	err = cmdTinyauth.AddCommand(cmdUser)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add user command")
 	}
 	err = cmdTinyauth.AddCommand(cmdTotp)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add totp command")
 	}
 	err = cmdTinyauth.AddCommand(cmdOidc)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add oidc command")
 	}
 	err = cli.Execute(cmdTinyauth)
 	if err != nil {
--- a/cmd/tinyauth/verify_user.go
+++ b/cmd/tinyauth/verify_user.go
@@ -40,7 +40,7 @@ func verifyUserCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "verify",
-		Description:   "Verify a user is set up correctly",
+		Description:   "Verify a user is set up correctly.",
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
--- a/cmd/tinyauth/version.go
+++ b/cmd/tinyauth/version.go
@@ -11,7 +11,7 @@ import (
 func versionCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "version",
-		Description:   "Print the version number of Tinyauth",
+		Description:   "Print the version number of Tinyauth.",
 		Configuration: nil,
 		Resources:     nil,
 		Run: func(_ []string) error {
--- a/config.example.yaml
+++ b/config.example.yaml
@@ -0,0 +1,102 @@
 # Tinyauth Example Configuration
 # The base URL where Tinyauth is accessible
 appUrl: "https://auth.example.com"
 # Directory for static resources
 resourcesDir: "./resources"
 # Path to SQLite database file
 databasePath: "./tinyauth.db"
 # Disable usage analytics
 disableAnalytics: false
 # Disable static resource serving
 disableResources: false
 # Disable UI warning messages
 disableUIWarnings: false
 # Logging Configuration
 log:
  # Log level: trace, debug, info, warn, error
  level: "info"
  json: false
  streams:
    app:
      enabled: true
      level: "warn"
    http:
      enabled: true
      level: "debug"
    audit:
      enabled: false
      level: "info"
 # Server Configuration
 server:
  # Port to listen on
  port: 3000
  # Interface to bind to (0.0.0.0 for all interfaces)
  address: "0.0.0.0"
  # Unix socket path (optional, overrides port/address if set)
  socketPath: ""
  # Comma-separated list of trusted proxy IPs/CIDRs
  trustedProxies: ""
 # Authentication Configuration
 auth:
  # Format: username:bcrypt_hash (use bcrypt to generate hash)
  users: "admin:$2a$10$example_bcrypt_hash_here"
  # Path to external users file (optional)
  usersFile: ""
  # Enable secure cookies (requires HTTPS)
  secureCookie: false
  # Session expiry in seconds (3600 = 1 hour)
  sessionExpiry: 3600
  # Session maximum lifetime in seconds (0 = unlimited)
  sessionMaxLifetime: 0
  # Login timeout in seconds (300 = 5 minutes)
  loginTimeout: 300
  # Maximum login retries before lockout
  loginMaxRetries: 3
 # OAuth Configuration
 oauth:
  # Regex pattern for allowed email addresses (e.g., /@example\.com$/)
  whitelist: ""
  # Provider ID to auto-redirect to (skips login page)
  autoRedirect: ""
  # OAuth Provider Configuration (replace myprovider with your provider name)
  providers:
    myprovider:
      clientId: "your_client_id_here"
      clientSecret: "your_client_secret_here"
      authUrl: "https://provider.example.com/oauth/authorize"
      tokenUrl: "https://provider.example.com/oauth/token"
      userInfoUrl: "https://provider.example.com/oauth/userinfo"
      redirectUrl: "https://auth.example.com/api/oauth/callback/myprovider"
      scopes: "openid email profile"
      name: "My OAuth Provider"
      # Allow insecure connections (self-signed certificates)
      insecure: false
 # UI Customization
 ui:
  # Custom title for login page
  title: "Tinyauth"
  # Message shown on forgot password page
  forgotPasswordMessage: "Contact your administrator to reset your password"
  # Background image URL for login page
  backgroundImage: ""
 # LDAP Configuration (optional)
 ldap:
  # LDAP server address
  address: "ldap://ldap.example.com:389"
  # DN for binding to LDAP server
  bindDn: "cn=readonly,dc=example,dc=com"
  # Password for bind DN
  bindPassword: "your_bind_password"
  # Base DN for user searches
  baseDn: "dc=example,dc=com"
  # Search filter (%s will be replaced with username)
  searchFilter: "(&(uid=%s)(memberOf=cn=users,ou=groups,dc=example,dc=com))"
  # Allow insecure LDAP connections
  insecure: false
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -13,7 +13,7 @@ services:
    image: traefik/whoami:latest
    labels:
      traefik.enable: true
-      traefik.http.routers.whoami.rule: Host(`whoami.127.0.0.1.sslip.io`)
+      traefik.http.routers.whoami.rule: Host(`whoami.example.com`)
      traefik.http.routers.whoami.middlewares: tinyauth
  tinyauth-frontend:
@@ -27,7 +27,7 @@ services:
      - 5173:5173
    labels:
      traefik.enable: true
-      traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)
+      traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
  tinyauth-backend:
    container_name: tinyauth-backend
--- a/frontend/.gitignore
+++ b/frontend/.gitignore
@@ -22,6 +22,3 @@ dist-ssr
 *.njsproj
 *.sln
 *.sw?
 # Stats out
 stats.html
--- a/frontend/bun.lock
+++ b/frontend/bun.lock
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -17,45 +17,43 @@
    "@radix-ui/react-select": "^2.2.6",
    "@radix-ui/react-separator": "^1.1.8",
    "@radix-ui/react-slot": "^1.2.4",
-    "@tailwindcss/vite": "^4.2.1",
+    "@tailwindcss/vite": "^4.1.18",
-    "@tanstack/react-query": "^5.90.21",
+    "@tanstack/react-query": "^5.90.17",
-    "axios": "^1.13.5",
+    "axios": "^1.13.2",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
-    "i18next": "^25.8.13",
+    "i18next": "^25.7.4",
-    "i18next-browser-languagedetector": "^8.2.1",
+    "i18next-browser-languagedetector": "^8.2.0",
    "i18next-resources-to-backend": "^1.2.1",
    "input-otp": "^1.4.2",
-    "lucide-react": "^0.575.0",
+    "lucide-react": "^0.562.0",
    "next-themes": "^0.4.6",
-    "radix-ui": "^1.4.3",
+    "react": "^19.2.3",
-    "react": "^19.2.4",
+    "react-dom": "^19.2.3",
-    "react-dom": "^19.2.4",
+    "react-hook-form": "^7.71.1",
-    "react-hook-form": "^7.71.2",
+    "react-i18next": "^16.5.3",
    "react-i18next": "^16.5.4",
    "react-markdown": "^10.1.0",
-    "react-router": "^7.13.1",
+    "react-router": "^7.12.0",
    "sonner": "^2.0.7",
-    "tailwind-merge": "^3.5.0",
+    "tailwind-merge": "^3.4.0",
-    "tailwindcss": "^4.2.1",
+    "tailwindcss": "^4.1.18",
-    "zod": "^4.3.6"
+    "zod": "^4.3.5"
  },
  "devDependencies": {
-    "@eslint/js": "^10.0.1",
+    "@eslint/js": "^9.39.2",
-    "@tanstack/eslint-plugin-query": "^5.91.4",
+    "@tanstack/eslint-plugin-query": "^5.91.2",
-    "@types/node": "^25.3.2",
+    "@types/node": "^25.0.9",
-    "@types/react": "^19.2.14",
+    "@types/react": "^19.2.8",
    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^5.1.4",
+    "@vitejs/plugin-react": "^5.1.2",
-    "eslint": "^10.0.2",
+    "eslint": "^9.39.2",
    "eslint-plugin-react-hooks": "^7.0.1",
-    "eslint-plugin-react-refresh": "^0.5.2",
+    "eslint-plugin-react-refresh": "^0.4.26",
-    "globals": "^17.3.0",
+    "globals": "^17.0.0",
-    "prettier": "3.8.1",
+    "prettier": "3.8.0",
    "rollup-plugin-visualizer": "^7.0.0",
    "tw-animate-css": "^1.4.0",
    "typescript": "~5.9.3",
-    "typescript-eslint": "^8.56.1",
+    "typescript-eslint": "^8.53.0",
    "vite": "^7.3.1"
  }
 }
--- a/frontend/src/components/auth/login-form.tsx
+++ b/frontend/src/components/auth/login-form.tsx
@@ -10,17 +10,17 @@ import {
  FormLabel,
  FormMessage,
 } from "../ui/form";
 import { Button } from "../ui/button";
 import { loginSchema, LoginSchema } from "@/schemas/login-schema";
 import z from "zod";
 interface Props {
  onSubmit: (data: LoginSchema) => void;
  loading?: boolean;
  formId?: string;
 }
 export const LoginForm = (props: Props) => {
-  const { onSubmit, loading, formId } = props;
+  const { onSubmit, loading } = props;
  const { t } = useTranslation();
  z.config({
@@ -34,7 +34,7 @@ export const LoginForm = (props: Props) => {
  return (
    <Form {...form}>
-      <form id={formId} onSubmit={form.handleSubmit(onSubmit)}>
+      <form onSubmit={form.handleSubmit(onSubmit)}>
        <FormField
          control={form.control}
          name="username"
@@ -57,7 +57,7 @@ export const LoginForm = (props: Props) => {
          control={form.control}
          name="password"
          render={({ field }) => (
-            <FormItem className="gap-0">
+            <FormItem className="mb-4 gap-0">
              <div className="relative mb-1">
                <FormLabel className="mb-2">{t("loginPassword")}</FormLabel>
                <FormControl>
@@ -71,7 +71,7 @@ export const LoginForm = (props: Props) => {
                </FormControl>
                <a
                  href="/forgot-password"
-                  className="text-muted-foreground hover:text-muted-foreground/80 text-sm absolute right-0 bottom-[2.565rem]" // 2.565 is *just* perfect
+                  className="text-muted-foreground text-sm absolute right-0 bottom-[2.565rem]" // 2.565 is *just* perfect
                >
                  {t("forgotPasswordTitle")}
                </a>
@@ -80,6 +80,9 @@ export const LoginForm = (props: Props) => {
            </FormItem>
          )}
        />
        <Button className="w-full" type="submit" loading={loading}>
          {t("loginSubmit")}
        </Button>
      </form>
    </Form>
  );
--- a/frontend/src/components/auth/totp-form.tsx
+++ b/frontend/src/components/auth/totp-form.tsx
@@ -14,10 +14,11 @@ import z from "zod";
 interface Props {
  formId: string;
  onSubmit: (code: TotpSchema) => void;
  loading?: boolean;
 }
 export const TotpForm = (props: Props) => {
-  const { formId, onSubmit } = props;
+  const { formId, onSubmit, loading } = props;
  const { t } = useTranslation();
  z.config({
@@ -29,14 +30,6 @@ export const TotpForm = (props: Props) => {
    resolver: zodResolver(totpSchema),
  });
  const handleChange = (value: string) => {
    form.setValue("code", value, { shouldDirty: true, shouldValidate: true });
    if (value.length === 6) {
      onSubmit({ code: value });
    }
  };
  return (
    <Form {...form}>
      <form id={formId} onSubmit={form.handleSubmit(onSubmit)}>
@@ -48,10 +41,10 @@ export const TotpForm = (props: Props) => {
              <FormControl>
                <InputOTP
                  maxLength={6}
                  disabled={loading}
                  {...field}
                  autoComplete="one-time-code"
                  autoFocus
                  onChange={handleChange}
                >
                  <InputOTPGroup>
                    <InputOTPSlot index={0} />
--- a/frontend/src/components/domain-warning/domain-warning.tsx
+++ b/frontend/src/components/domain-warning/domain-warning.tsx
@@ -1,12 +1,12 @@
 import {
  Card,
-  CardContent,
+  CardDescription,
  CardFooter,
  CardHeader,
  CardTitle,
 } from "../ui/card";
 import { Button } from "../ui/button";
-import { useTranslation } from "react-i18next";
+import { Trans, useTranslation } from "react-i18next";
 import { useLocation } from "react-router";
 interface Props {
@@ -21,39 +21,35 @@ export const DomainWarning = (props: Props) => {
  const { search } = useLocation();
  const searchParams = new URLSearchParams(search);
  const redirectUri = searchParams.get("redirect_uri");
  return (
-    <Card role="alert" aria-live="assertive">
+    <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
      <CardHeader>
-        <CardTitle className="text-xl">{t("domainWarningTitle")}</CardTitle>
+        <CardTitle className="text-3xl">{t("domainWarningTitle")}</CardTitle>
        <CardDescription>
          <Trans
            t={t}
            i18nKey="domainWarningSubtitle"
            values={{ appUrl, currentUrl }}
            components={{ code: <code /> }}
          />
        </CardDescription>
      </CardHeader>
-      <CardContent className="flex flex-col gap-3 text-sm mb-1.25">
+      <CardFooter className="flex flex-col items-stretch gap-2">
-        <p className="text-muted-foreground">{t("domainWarningSubtitle")}</p>
+        <Button onClick={onClick} variant="warning">
-        <pre>
+          {t("ignoreTitle")}
-          <span className="text-muted-foreground">
+        </Button>
            {t("domainWarningExpected")}&nbsp;
            <span className="text-primary">{appUrl}</span>
          </span>
        </pre>
        <pre>
          <span className="text-muted-foreground">
            {t("domainWarningCurrent")}&nbsp;
            <span className="text-primary">{currentUrl}</span>
          </span>
        </pre>
      </CardContent>
      <CardFooter className="flex flex-col items-stretch gap-3">
        <Button
          onClick={() =>
-            window.location.assign(`${appUrl}/login?${searchParams.toString()}`)
+            window.location.assign(
              `${appUrl}/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`,
            )
          }
          variant="outline"
        >
          {t("goToCorrectDomainTitle")}
        </Button>
        <Button onClick={onClick} variant="warning">
          {t("ignoreTitle")}
        </Button>
      </CardFooter>
    </Card>
  );
--- a/frontend/src/components/layout/layout.tsx
+++ b/frontend/src/components/layout/layout.tsx
@@ -14,18 +14,18 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
  return (
    <div
-      className="flex flex-col justify-center items-center min-h-svh px-4"
+      className="relative flex flex-col justify-center items-center min-h-svh"
      style={{
        backgroundImage: `url(${backgroundImage})`,
        backgroundSize: "cover",
        backgroundPosition: "center",
      }}
    >
-      <div className="absolute top-4 right-4 flex flex-row gap-2">
+      <div className="absolute top-5 right-5 flex flex-row gap-2">
        <ThemeToggle />
        <LanguageSelector />
      </div>
-      <div className="max-w-sm md:min-w-sm min-w-xs">{children}</div>
+      {children}
    </div>
  );
 };
--- a/frontend/src/components/ui/card.tsx
+++ b/frontend/src/components/ui/card.tsx
@@ -7,7 +7,7 @@ function Card({ className, ...props }: React.ComponentProps<"div">) {
    <div
      data-slot="card"
      className={cn(
-        "bg-card text-card-foreground flex flex-col gap-3 rounded-xl border py-6 shadow-sm",
+        "bg-card text-card-foreground flex flex-col gap-6 rounded-xl border py-6 shadow-sm",
        className,
      )}
      {...props}
@@ -20,7 +20,7 @@ function CardHeader({ className, ...props }: React.ComponentProps<"div">) {
    <div
      data-slot="card-header"
      className={cn(
-        "@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6",
+        "@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start gap-1.5 px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6",
        className,
      )}
      {...props}
@@ -75,7 +75,7 @@ function CardFooter({ className, ...props }: React.ComponentProps<"div">) {
  return (
    <div
      data-slot="card-footer"
-      className={cn("flex items-center px-6 [.border-t]:pt-6 mt-2", className)}
+      className={cn("flex items-center px-6 [.border-t]:pt-6", className)}
      {...props}
    />
  );
--- a/frontend/src/components/ui/tooltip.tsx
+++ b/frontend/src/components/ui/tooltip.tsx
@@ -1,55 +0,0 @@
 import * as React from "react"
 import { Tooltip as TooltipPrimitive } from "radix-ui"
 import { cn } from "@/lib/utils"
 function TooltipProvider({
  delayDuration = 0,
  ...props
 }: React.ComponentProps<typeof TooltipPrimitive.Provider>) {
  return (
    <TooltipPrimitive.Provider
      data-slot="tooltip-provider"
      delayDuration={delayDuration}
      {...props}
    />
  )
 }
 function Tooltip({
  ...props
 }: React.ComponentProps<typeof TooltipPrimitive.Root>) {
  return <TooltipPrimitive.Root data-slot="tooltip" {...props} />
 }
 function TooltipTrigger({
  ...props
 }: React.ComponentProps<typeof TooltipPrimitive.Trigger>) {
  return <TooltipPrimitive.Trigger data-slot="tooltip-trigger" {...props} />
 }
 function TooltipContent({
  className,
  sideOffset = 0,
  children,
  ...props
 }: React.ComponentProps<typeof TooltipPrimitive.Content>) {
  return (
    <TooltipPrimitive.Portal>
      <TooltipPrimitive.Content
        data-slot="tooltip-content"
        sideOffset={sideOffset}
        className={cn(
          "bg-foreground text-background animate-in fade-in-0 zoom-in-95 data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=closed]:zoom-out-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 z-50 w-fit origin-(--radix-tooltip-content-transform-origin) rounded-md px-3 py-1.5 text-xs text-balance",
          className
        )}
        {...props}
      >
        {children}
        <TooltipPrimitive.Arrow className="bg-foreground fill-foreground z-50 size-2.5 translate-y-[calc(-50%_-_2px)] rotate-45 rounded-[2px]" />
      </TooltipPrimitive.Content>
    </TooltipPrimitive.Portal>
  )
 }
 export { Tooltip, TooltipTrigger, TooltipContent, TooltipProvider }
--- a/frontend/src/index.css
+++ b/frontend/src/index.css
@@ -160,7 +160,7 @@ code {
 }
 pre {
-  @apply bg-accent border border-border rounded-md p-2 whitespace-break-spaces break-all;
+  @apply bg-accent border border-border rounded-md p-2;
 }
 .lead {
--- a/frontend/src/lib/hooks/redirect-uri.ts
+++ b/frontend/src/lib/hooks/redirect-uri.ts
@@ -1,64 +0,0 @@
 type IuseRedirectUri = {
  url?: URL;
  valid: boolean;
  trusted: boolean;
  allowedProto: boolean;
  httpsDowngrade: boolean;
 };
 export const useRedirectUri = (
  redirect_uri: string | null,
  cookieDomain: string,
 ): IuseRedirectUri => {
  let isValid = false;
  let isTrusted = false;
  let isAllowedProto = false;
  let isHttpsDowngrade = false;
  if (!redirect_uri) {
    return {
      valid: isValid,
      trusted: isTrusted,
      allowedProto: isAllowedProto,
      httpsDowngrade: isHttpsDowngrade,
    };
  }
  let url: URL;
  try {
    url = new URL(redirect_uri);
  } catch {
    return {
      valid: isValid,
      trusted: isTrusted,
      allowedProto: isAllowedProto,
      httpsDowngrade: isHttpsDowngrade,
    };
  }
  isValid = true;
  if (
    url.hostname == cookieDomain ||
    url.hostname.endsWith(`.${cookieDomain}`)
  ) {
    isTrusted = true;
  }
  if (url.protocol == "http:" || url.protocol == "https:") {
    isAllowedProto = true;
  }
  if (window.location.protocol == "https:" && url.protocol == "http:") {
    isHttpsDowngrade = true;
  }
  return {
    url,
    valid: isValid,
    trusted: isTrusted,
    allowedProto: isAllowedProto,
    httpsDowngrade: isHttpsDowngrade,
  };
 };
--- a/frontend/src/lib/i18n/locales/af-ZA.json
+++ b/frontend/src/lib/i18n/locales/af-ZA.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ar-SA.json
+++ b/frontend/src/lib/i18n/locales/ar-SA.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "نسيت كلمة المرور؟",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "حدث خطأ",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "تجاهل",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ca-ES.json
+++ b/frontend/src/lib/i18n/locales/ca-ES.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/cs-CZ.json
+++ b/frontend/src/lib/i18n/locales/cs-CZ.json
@@ -14,7 +14,7 @@
    "loginOauthFailSubtitle": "Nepodařilo se získat OAuth URL",
    "loginOauthSuccessTitle": "Přesměrování",
    "loginOauthSuccessSubtitle": "Přesměrování k poskytovateli OAuth",
-    "loginOauthAutoRedirectTitle": "Automatické přesměrování OAuth",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Pokračovat",
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Zapomněli jste heslo?",
    "failedToFetchProvidersTitle": "Nepodařilo se načíst poskytovatele ověřování. Zkontrolujte prosím konfiguraci.",
    "errorTitle": "Došlo k chybě",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Nastala chyba při pokusu o provedení této akce. Pro více informací prosím zkontrolujte konzolu.",
    "forgotPasswordMessage": "Heslo můžete obnovit změnou proměnné `USERS`.",
    "fieldRequired": "Toto pole je povinné",
    "invalidInput": "Neplatný údaj",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/da-DK.json
+++ b/frontend/src/lib/i18n/locales/da-DK.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Glemt din adgangskode?",
    "failedToFetchProvidersTitle": "Kunne ikke indlæse godkendelsesudbydere. Tjek venligst din konfiguration.",
    "errorTitle": "Der opstod en fejl",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Der opstod en fejl under forsøget på at udføre denne handling. Tjek venligst konsollen for mere information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/de-DE.json
+++ b/frontend/src/lib/i18n/locales/de-DE.json
@@ -14,17 +14,17 @@
    "loginOauthFailSubtitle": "Fehler beim Abrufen der OAuth-URL",
    "loginOauthSuccessTitle": "Leite weiter",
    "loginOauthSuccessSubtitle": "Weiterleitung zu Ihrem OAuth-Provider",
-    "loginOauthAutoRedirectTitle": "Automatische OAuth-Weiterleitung",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "Sie werden automatisch zu Ihrem OAuth-Anbieter weitergeleitet, um sich zu authentifizieren.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Jetzt weiterleiten",
+    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Weiter",
    "continueRedirectingTitle": "Leite weiter...",
    "continueRedirectingSubtitle": "Sie sollten in Kürze zur App weitergeleitet werden",
-    "continueRedirectManually": "Manuell weiterleiten",
+    "continueRedirectManually": "Redirect me manually",
    "continueInsecureRedirectTitle": "Unsichere Weiterleitung",
    "continueInsecureRedirectSubtitle": "Sie versuchen von <code>https</code> auf <code>http</code> weiterzuleiten, was unsicher ist. Sind Sie sicher, dass Sie fortfahren möchten?",
-    "continueUntrustedRedirectTitle": "Nicht vertrauenswürdige Weiterleitung",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "Sie versuchen auf eine Domain umzuleiten, die nicht mit Ihrer konfigurierten Domain übereinstimmt (<code>{{cookieDomain}}</code>). Sind Sie sicher, dass Sie fortfahren möchten?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
    "logoutFailTitle": "Abmelden fehlgeschlagen",
    "logoutFailSubtitle": "Bitte versuchen Sie es erneut",
    "logoutSuccessTitle": "Abgemeldet",
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Passwort vergessen?",
    "failedToFetchProvidersTitle": "Fehler beim Laden der Authentifizierungsanbieter. Bitte überprüfen Sie Ihre Konfiguration.",
    "errorTitle": "Ein Fehler ist aufgetreten",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Beim Versuch, diese Aktion auszuführen, ist ein Fehler aufgetreten. Bitte überprüfen Sie die Konsole für weitere Informationen.",
    "forgotPasswordMessage": "Das Passwort kann durch Änderung der 'USERS' Variable zurückgesetzt werden.",
    "fieldRequired": "Dieses Feld ist notwendig",
    "invalidInput": "Ungültige Eingabe",
-    "domainWarningTitle": "Ungültige Domain",
+    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "Diese Instanz ist so konfiguriert, dass sie von <code>{{appUrl}}</code> aufgerufen werden kann, aber <code>{{currentUrl}}</code> wird verwendet. Wenn Sie fortfahren, können Probleme bei der Authentifizierung auftreten.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "domainWarningCurrent": "Current:",
+    "ignoreTitle": "Ignore",
-    "domainWarningExpected": "Expected:",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "ignoreTitle": "Ignorieren",
+}
    "goToCorrectDomainTitle": "Zur korrekten Domain gehen",
    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/el-GR.json
+++ b/frontend/src/lib/i18n/locales/el-GR.json
@@ -1,9 +1,9 @@
 {
    "loginTitle": "Καλώς ήρθατε, συνδεθείτε με",
-    "loginTitleSimple": "Καλώς ήρθατε, παρακαλώ συνδεθείτε",
+    "loginTitleSimple": "Καλώς ορίσατε, παρακαλώ συνδεθείτε",
    "loginDivider": "Ή",
    "loginUsername": "Όνομα Χρήστη",
-    "loginPassword": "Κωδικόs πρόσβασης",
+    "loginPassword": "Κωδικός",
    "loginSubmit": "Είσοδος",
    "loginFailTitle": "Αποτυχία σύνδεσης",
    "loginFailSubtitle": "Παρακαλώ ελέγξτε το όνομα χρήστη και τον κωδικό πρόσβασης",
@@ -19,7 +19,7 @@
    "loginOauthAutoRedirectButton": "Ανακατεύθυνση τώρα",
    "continueTitle": "Συνέχεια",
    "continueRedirectingTitle": "Ανακατεύθυνση...",
-    "continueRedirectingSubtitle": "Θα μεταφερθείτε σύντομα στην εφαρμογή σας",
+    "continueRedirectingSubtitle": "Θα πρέπει να μεταφερθείτε σύντομα στην εφαρμογή σας",
    "continueRedirectManually": "Χειροκίνητη ανακατεύθυνση",
    "continueInsecureRedirectTitle": "Μη ασφαλής ανακατεύθυνση",
    "continueInsecureRedirectSubtitle": "Προσπαθείτε να ανακατευθύνετε από <code>https</code> σε <code>http</code> το οποίο δεν είναι ασφαλές. Είστε σίγουροι ότι θέλετε να συνεχίσετε;",
@@ -41,7 +41,7 @@
    "totpSuccessSubtitle": "Ανακατεύθυνση στην εφαρμογή σας",
    "totpTitle": "Εισάγετε τον κωδικό TOTP",
    "totpSubtitle": "Παρακαλώ εισάγετε τον κωδικό από την εφαρμογή ελέγχου ταυτότητας.",
-    "unauthorizedTitle": "Σφάλμα μη εξουσιοδότησης",
+    "unauthorizedTitle": "Μη εξουσιοδοτημένο",
    "unauthorizedResourceSubtitle": "Ο χρήστης με όνομα χρήστη <code>{{username}}</code> δεν έχει άδεια πρόσβασης στον πόρο <code>{{resource}}</code>.",
    "unauthorizedLoginSubtitle": "Ο χρήστης με όνομα χρήστη <code>{{username}}</code> δεν είναι εξουσιοδοτημένος να συνδεθεί.",
    "unauthorizedGroupsSubtitle": "Ο χρήστης με όνομα χρήστη <code>{{username}}</code> δεν είναι στις ομάδες που απαιτούνται από τον πόρο <code>{{resource}}</code>.",
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Ξεχάσατε το συνθηματικό σας;",
    "failedToFetchProvidersTitle": "Αποτυχία φόρτωσης παρόχων πιστοποίησης. Παρακαλώ ελέγξτε τις ρυθμίσεις σας.",
    "errorTitle": "Παρουσιάστηκε ένα σφάλμα",
    "errorSubtitleInfo": "Το ακόλουθο σφάλμα προέκυψε κατά την επεξεργασία του αιτήματός σας:",
    "errorSubtitle": "Παρουσιάστηκε σφάλμα κατά την προσπάθεια εκτέλεσης αυτής της ενέργειας. Ελέγξτε την κονσόλα για περισσότερες πληροφορίες.",
    "forgotPasswordMessage": "Μπορείτε να επαναφέρετε τον κωδικό πρόσβασής σας αλλάζοντας τη μεταβλητή περιβάλλοντος `USERS`.",
    "fieldRequired": "Αυτό το πεδίο είναι υποχρεωτικό",
    "invalidInput": "Μη έγκυρη καταχώρηση",
    "domainWarningTitle": "Μη έγκυρο domain",
-    "domainWarningSubtitle": "Έχετε επισκεφθεί αυτή την εφαρμογή από λανθασμένο domain. Αν προχωρήσετε, ενδέχεται να αντιμετωπίσετε προβλήματα με τον έλεγχο ταυτότητας.",
+    "domainWarningSubtitle": "Αυτή η εφαρμογή έχει ρυθμιστεί για πρόσβαση από <code>{{appUrl}}</code>, αλλά <code>{{currentUrl}}</code> χρησιμοποιείται. Αν συνεχίσετε, μπορεί να αντιμετωπίσετε προβλήματα με την ταυτοποίηση.",
    "domainWarningCurrent": "Τρέχον:",
    "domainWarningExpected": "Αναμένεται:",
    "ignoreTitle": "Παράβλεψη",
-    "goToCorrectDomainTitle": "Μεταβείτε στο σωστό domain",
+    "goToCorrectDomainTitle": "Μεταβείτε στο σωστό domain"
-    "authorizeTitle": "Εξουσιοδότηση",
+}
    "authorizeCardTitle": "Συνέχεια στην εφαρμογή {{app}};",
    "authorizeSubtitle": "Θα θέλατε να συνεχίσετε σε αυτή την εφαρμογή; Παρακαλώ ελέγξτε προσεκτικά τα δικαιώματα που ζητούνται από την εφαρμογή.",
    "authorizeSubtitleOAuth": "Θα θέλατε να συνεχίσετε σε αυτή την εφαρμογή;",
    "authorizeLoadingTitle": "Φόρτωση...",
    "authorizeLoadingSubtitle": "Παρακαλώ περιμένετε όσο φορτώνουμε τις απαραίτητες πληροφορίες.",
    "authorizeSuccessTitle": "Εξουσιοδοτημένος",
    "authorizeSuccessSubtitle": "Θα μεταφερθείτε στην εφαρμογή σε λίγα δευτερόλεπτα.",
    "authorizeErrorClientInfo": "Παρουσιάστηκε σφάλμα κατά τη φόρτωση των πληροφοριών. Παρακαλώ προσπαθήστε ξανά αργότερα.",
    "authorizeErrorMissingParams": "Οι παρακάτω απαραίτητες πληροφορίες λείπουν από το αίτημά σας: {{missingParams}}",
    "openidScopeName": "Σύνδεση OpenID",
    "openidScopeDescription": "Επιτρέπει στην εφαρμογή την πρόσβαση στις πληροφορίες σύνδεσης OpenID.",
    "emailScopeName": "Ηλεκτρονικό ταχυδρομείο",
    "emailScopeDescription": "Επιτρέπει στην εφαρμογή να έχει πρόσβαση στη διεύθυνση ηλεκτρονικού ταχυδρομείου σας.",
    "profileScopeName": "Προφίλ",
    "profileScopeDescription": "Επιτρέπει στην εφαρμογή να έχει πρόσβαση στις πληροφορίες του προφίλ σας.",
    "groupsScopeName": "Ομάδες",
    "groupsScopeDescription": "Επιτρέπει στην εφαρμογή την πρόσβαση στις πληροφορίες ομάδας σας."
 }
--- a/frontend/src/lib/i18n/locales/en-US.json
+++ b/frontend/src/lib/i18n/locales/en-US.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
-    "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
-    "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/es-ES.json
+++ b/frontend/src/lib/i18n/locales/es-ES.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "¿Olvidó su contraseña?",
    "failedToFetchProvidersTitle": "Error al cargar los proveedores de autenticación. Por favor revise su configuración.",
    "errorTitle": "Ha ocurrido un error",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Ocurrió un error mientras se trataba de realizar esta acción. Por favor, revise la consola para más información.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/fi-FI.json
+++ b/frontend/src/lib/i18n/locales/fi-FI.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Unohditko salasanasi?",
    "failedToFetchProvidersTitle": "Todennuspalvelujen tarjoajien lataaminen epäonnistui. Tarkista määrityksesi.",
    "errorTitle": "Tapahtui virhe",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Tapahtui virhe yritettäessä suorittaa tämä toiminto. Ole hyvä ja tarkista konsoli saadaksesi lisätietoja.",
    "forgotPasswordMessage": "Voit nollata salasanasi vaihtamalla ympäristömuuttujan `USERS`.",
    "fieldRequired": "Tämä kenttä on pakollinen",
    "invalidInput": "Virheellinen syöte",
    "domainWarningTitle": "Virheellinen verkkotunnus",
    "domainWarningSubtitle": "Tämä instanssi on määritelty käyttämään osoitetta <code>{{appUrl}}</code>, mutta nykyinen osoite on <code>{{currentUrl}}</code>. Jos jatkat, saatat törmätä ongelmiin autentikoinnissa.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Jätä huomiotta",
-    "goToCorrectDomainTitle": "Siirry oikeaan verkkotunnukseen",
+    "goToCorrectDomainTitle": "Siirry oikeaan verkkotunnukseen"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/fr-FR.json
+++ b/frontend/src/lib/i18n/locales/fr-FR.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Mot de passe oublié ?",
    "failedToFetchProvidersTitle": "Échec du chargement des fournisseurs d'authentification. Veuillez vérifier votre configuration.",
    "errorTitle": "Une erreur est survenue",
    "errorSubtitleInfo": "L'erreur suivante s'est produite lors du traitement de votre requête :",
    "errorSubtitle": "Une erreur est survenue lors de l'exécution de cette action. Veuillez consulter la console pour plus d'informations.",
    "forgotPasswordMessage": "Vous pouvez réinitialiser votre mot de passe en modifiant la variable d'environnement `USERS`.",
    "fieldRequired": "Ce champ est obligatoire",
    "invalidInput": "Saisie non valide",
    "domainWarningTitle": "Domaine invalide",
    "domainWarningSubtitle": "Cette instance est configurée pour être accédée depuis <code>{{appUrl}}</code>, mais <code>{{currentUrl}}</code> est utilisé. Si vous continuez, vous pourriez rencontrer des problèmes d'authentification.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignorer",
-    "goToCorrectDomainTitle": "Aller au bon domaine",
+    "goToCorrectDomainTitle": "Aller au bon domaine"
-    "authorizeTitle": "Autoriser",
+}
    "authorizeCardTitle": "Continuer vers {{app}} ?",
    "authorizeSubtitle": "Voulez-vous continuer vers cette application ? Veuillez examiner attentivement les autorisations demandées par l'application.",
    "authorizeSubtitleOAuth": "Voulez-vous continuer vers cette application ?",
    "authorizeLoadingTitle": "Chargement...",
    "authorizeLoadingSubtitle": "Veuillez patienter pendant que nous chargeons les informations du client.",
    "authorizeSuccessTitle": "Autorisé",
    "authorizeSuccessSubtitle": "Vous allez être redirigé vers l'application dans quelques secondes.",
    "authorizeErrorClientInfo": "Une erreur est survenue lors du chargement des informations du client. Veuillez réessayer plus tard.",
    "authorizeErrorMissingParams": "Les paramètres suivants sont manquants : {{missingParams}}",
    "openidScopeName": "Connexion OpenID",
    "openidScopeDescription": "Autorise l'application à accéder à vos informations \"OpenID Connect\".",
    "emailScopeName": "Email",
    "emailScopeDescription": "Autorise l'application à accéder à votre adresse e-mail.",
    "profileScopeName": "Profil",
    "profileScopeDescription": "Autorise l'application à accéder aux informations de votre profil.",
    "groupsScopeName": "Groupes",
    "groupsScopeDescription": "Autorise une application à accéder aux informations de votre groupe."
 }
--- a/frontend/src/lib/i18n/locales/he-IL.json
+++ b/frontend/src/lib/i18n/locales/he-IL.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/hu-HU.json
+++ b/frontend/src/lib/i18n/locales/hu-HU.json
@@ -1,42 +1,42 @@
 {
    "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Üdvözöljük, kérem jelentkezzen be",
+    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Vagy",
+    "loginDivider": "Or",
-    "loginUsername": "Felhasználónév",
+    "loginUsername": "Username",
-    "loginPassword": "Jelszó",
+    "loginPassword": "Password",
-    "loginSubmit": "Bejelentkezés",
+    "loginSubmit": "Login",
-    "loginFailTitle": "Sikertelen bejelentkezés",
+    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Kérjük, ellenőrizze a felhasználónevét és jelszavát",
+    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "Túl sokszor próbálkoztál bejelentkezni. Próbáld újra később",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-    "loginSuccessTitle": "Bejelentkezve",
+    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Üdvözöljük!",
+    "loginSuccessSubtitle": "Welcome back!",
    "loginOauthFailTitle": "An error occurred",
    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Átirányítás",
+    "loginOauthSuccessTitle": "Redirecting",
    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Continue",
-    "continueRedirectingTitle": "Átirányítás...",
+    "continueRedirectingTitle": "Redirecting...",
    "continueRedirectingSubtitle": "You should be redirected to the app soon",
    "continueRedirectManually": "Redirect me manually",
    "continueInsecureRedirectTitle": "Insecure redirect",
    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
    "continueUntrustedRedirectTitle": "Untrusted redirect",
    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Sikertelen kijelentkezés",
+    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Próbálja újra",
+    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Kijelentkezve",
+    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "Kijelentkeztél",
+    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Kijelentkezés",
+    "logoutTitle": "Logout",
    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
    "notFoundTitle": "Page not found",
    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Ugrás a kezdőlapra",
+    "notFoundButton": "Go home",
-    "totpFailTitle": "Érvénytelen kód",
+    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Kérjük ellenőrizze a kódot és próbálja újra",
+    "totpFailSubtitle": "Please check your code and try again",
    "totpSuccessTitle": "Verified",
    "totpSuccessSubtitle": "Redirecting to your app",
    "totpTitle": "Enter your TOTP code",
@@ -46,38 +46,17 @@
    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Próbálja újra",
+    "unauthorizedButton": "Try again",
-    "cancelTitle": "Mégse",
+    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Elfelejtette jelszavát?",
+    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "Hiba történt",
+    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "Ez egy kötelező mező",
+    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/it-IT.json
+++ b/frontend/src/lib/i18n/locales/it-IT.json
@@ -1,83 +1,62 @@
 {
-    "loginTitle": "Bentornato, accedi con",
+    "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Bentornato, accedi al tuo account",
+    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Oppure",
+    "loginDivider": "Or",
-    "loginUsername": "Nome utente",
+    "loginUsername": "Username",
    "loginPassword": "Password",
-    "loginSubmit": "Accesso",
+    "loginSubmit": "Login",
-    "loginFailTitle": "Accesso non riuscito",
+    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Verifica che il nome utente e la password siano corretti",
+    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "Hai effettuato troppi tentativi errati. Riprova più tardi",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-    "loginSuccessTitle": "Accesso effettuato",
+    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Bentornato!",
+    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Si è verificato un errore",
+    "loginOauthFailTitle": "An error occurred",
-    "loginOauthFailSubtitle": "Impossibile ottenere l'URL di OAuth",
+    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Reindirizzamento",
+    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Reindirizzamento al tuo provider OAuth",
+    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "Reindirizzamento automatico OAuth",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "Verrai automaticamente reindirizzato al tuo provider OAuth per l'autenticazione.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Reindirizza ora",
+    "loginOauthAutoRedirectButton": "Redirect now",
-    "continueTitle": "Prosegui",
+    "continueTitle": "Continue",
-    "continueRedirectingTitle": "Reindirizzamento...",
+    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "Dovresti essere reindirizzato all'app a breve",
+    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueRedirectManually": "Reindirizzami manualmente",
+    "continueRedirectManually": "Redirect me manually",
-    "continueInsecureRedirectTitle": "Destinazione non sicura",
+    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "Stai tentando un reindirizzamento da <code>https</code> a <code>http</code>, il che non è sicuro. Vuoi continuare davvero?",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Destinazione non attendibile",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "Stai tentando un reindirizzamento a un dominio che non corrisponde al dominio configurato (<code>{{cookieDomain}}</code>). Vuoi continuare davvero?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Disconnessione fallita",
+    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Riprova",
+    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Disconnessione effettuata",
+    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "Sei stato disconnesso",
+    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Disconnessione",
+    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "Hai effettuato l'accesso come <code>{{username}}</code>. Clicca sul pulsante qui sotto per disconnetterti.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "Hai effettuato l'accesso come <code>{{username}}</code> attraverso il provider OAuth {{provider}}. Clicca sul pulsante qui sotto per uscire.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-    "notFoundTitle": "Pagina non trovata",
+    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "La pagina che stai cercando non esiste.",
+    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Vai alla home",
+    "notFoundButton": "Go home",
-    "totpFailTitle": "Errore nella verifica del codice",
+    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Si prega di controllare il codice e riprovare",
+    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verificato",
+    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Reindirizzamento alla tua app",
+    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Inserisci il tuo codice TOTP",
+    "totpTitle": "Enter your TOTP code",
-    "totpSubtitle": "Inserisci il codice dalla tua app di autenticazione.",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
-    "unauthorizedTitle": "Non autorizzato",
+    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "L'utente <code>{{username}}</code> non è autorizzato ad accedere alla risorsa <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "L'utente <code>{{username}}</code> non è autorizzato a effettuare l'accesso.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "L'utente <code>{{username}}</code> non fa parte dei gruppi richiesti dalla risorsa <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Il tuo indirizzo IP <code>{{ip}}</code> non è autorizzato ad accedere alla risorsa <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Riprova",
+    "unauthorizedButton": "Try again",
-    "cancelTitle": "Annulla",
+    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Password dimenticata?",
+    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Impossibile caricare i provider di autenticazione. Si prega di controllare la configurazione.",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "Si è verificato un errore",
+    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "Si è verificato il seguente errore durante l'elaborazione della richiesta:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "Puoi reimpostare la tua password modificando la variabile d'ambiente `USERS`.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "Questo campo è obbligatorio",
+    "fieldRequired": "This field is required",
-    "invalidInput": "Input non valido",
+    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Dominio non valido",
+    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "Questa istanza è configurata per essere accessibile da <code>{{appUrl}}</code>, ma la stai visitando da <code>{{currentUrl}}</code>. Se procedi, potresti incorrere in problemi di autenticazione.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "domainWarningCurrent": "Current:",
+    "ignoreTitle": "Ignore",
-    "domainWarningExpected": "Expected:",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "ignoreTitle": "Ignora",
+}
    "goToCorrectDomainTitle": "Vai al dominio corretto",
    "authorizeTitle": "Autorizza",
    "authorizeCardTitle": "Continuare su {{app}}?",
    "authorizeSubtitle": "Vuoi continuare su quest'app? Verifica attentamente i permessi richiesti dall'app.",
    "authorizeSubtitleOAuth": "Vuoi continuare su quest'app?",
    "authorizeLoadingTitle": "Caricamento...",
    "authorizeLoadingSubtitle": "Attendi il caricamento delle informazioni del client.",
    "authorizeSuccessTitle": "Autorizzato",
    "authorizeSuccessSubtitle": "Verrai reindirizzato all'app in pochi secondi.",
    "authorizeErrorClientInfo": "Si è verificato un errore durante il caricamento delle informazioni del client. Riprova.",
    "authorizeErrorMissingParams": "I seguenti parametri sono mancanti: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Permetti all'app di accedere alle tue informazioni OpenID Connect.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Consenti all'app di accedere al tuo indirizzo email.",
    "profileScopeName": "Profilo",
    "profileScopeDescription": "Consenti all'app di accedere alle informazioni del tuo profilo.",
    "groupsScopeName": "Gruppi",
    "groupsScopeDescription": "Consenti all'app di accedere alle informazioni sui tuoi gruppi."
 }
--- a/frontend/src/lib/i18n/locales/ja-JP.json
+++ b/frontend/src/lib/i18n/locales/ja-JP.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ko-KR.json
+++ b/frontend/src/lib/i18n/locales/ko-KR.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/nl-NL.json
+++ b/frontend/src/lib/i18n/locales/nl-NL.json
@@ -1,37 +1,37 @@
 {
    "loginTitle": "Welkom terug, log in met",
-    "loginTitleSimple": "Welkom terug, log in",
+    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Of",
+    "loginDivider": "Or",
    "loginUsername": "Gebruikersnaam",
    "loginPassword": "Wachtwoord",
    "loginSubmit": "Log in",
    "loginFailTitle": "Mislukt om in te loggen",
    "loginFailSubtitle": "Controleer je gebruikersnaam en wachtwoord",
-    "loginFailRateLimit": "Inloggen is te vaak mislukt. Probeer het later opnieuw",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
    "loginSuccessTitle": "Ingelogd",
    "loginSuccessSubtitle": "Welkom terug!",
-    "loginOauthFailTitle": "Er is een fout opgetreden",
+    "loginOauthFailTitle": "An error occurred",
    "loginOauthFailSubtitle": "Fout bij het ophalen van OAuth URL",
    "loginOauthSuccessTitle": "Omleiden",
    "loginOauthSuccessSubtitle": "Omleiden naar je OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth automatische omleiding",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "Je wordt automatisch omgeleid naar je OAuth provider om te authenticeren.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Nu omleiden",
+    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Ga verder",
    "continueRedirectingTitle": "Omleiden...",
    "continueRedirectingSubtitle": "Je wordt naar de app doorgestuurd",
-    "continueRedirectManually": "Stuur mij handmatig door",
+    "continueRedirectManually": "Redirect me manually",
    "continueInsecureRedirectTitle": "Onveilige doorverwijzing",
-    "continueInsecureRedirectSubtitle": "Je probeert door te verwijzen van <code>https</code> naar <code>http</code> die niet veilig is. Weet je zeker dat je wilt doorgaan?",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Niet-vertrouwde doorverwijzing",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "Je probeert door te sturen naar een domein dat niet overeenkomt met je geconfigureerde domein (<code>{{cookieDomain}}</code>). Weet je zeker dat je wilt doorgaan?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
    "logoutFailTitle": "Afmelden mislukt",
    "logoutFailSubtitle": "Probeer het opnieuw",
    "logoutSuccessTitle": "Afgemeld",
    "logoutSuccessSubtitle": "Je bent afgemeld",
    "logoutTitle": "Afmelden",
-    "logoutUsernameSubtitle": "Je bent momenteel ingelogd als <code>{{username}}</code>. Klik op de onderstaande knop om uit te loggen.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "Je bent momenteel ingelogd als <code>{{username}}</code> met behulp van de {{provider}} OAuth provider. Klik op de onderstaande knop om uit te loggen.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
    "notFoundTitle": "Pagina niet gevonden",
    "notFoundSubtitle": "De pagina die je zoekt bestaat niet.",
    "notFoundButton": "Naar startpagina",
@@ -40,44 +40,23 @@
    "totpSuccessTitle": "Geverifiëerd",
    "totpSuccessSubtitle": "Omleiden naar je app",
    "totpTitle": "Voer je TOTP-code in",
-    "totpSubtitle": "Voer de code van je authenticator-app in.",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
    "unauthorizedTitle": "Ongeautoriseerd",
-    "unauthorizedResourceSubtitle": "De gebruiker met gebruikersnaam <code>{{username}}</code> is niet gemachtigd om de bron <code>{{resource}}</code> te gebruiken.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "De gebruiker met gebruikersnaam <code>{{username}}</code> is niet gemachtigd om in te loggen.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "De gebruiker met gebruikersnaam <code>{{username}}</code> maakt geen deel uit van de groepen die vereist zijn door de bron <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Jouw IP-adres <code>{{ip}}</code> is niet gemachtigd om de bron <code>{{resource}}</code> te gebruiken.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
    "unauthorizedButton": "Opnieuw proberen",
-    "cancelTitle": "Annuleren",
+    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Wachtwoord vergeten?",
+    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Fout bij het laden van de authenticatie-providers. Controleer je configuratie.",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "Er is een fout opgetreden",
+    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "De volgende fout is opgetreden bij het verwerken van het verzoek:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "Je kunt je wachtwoord opnieuw instellen door de `USERS` omgevingsvariabele te wijzigen.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "Dit veld is verplicht",
+    "fieldRequired": "This field is required",
-    "invalidInput": "Ongeldige invoer",
+    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Ongeldig domein",
+    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "Deze instantie is geconfigureerd voor toegang tot <code>{{appUrl}}</code>, maar <code>{{currentUrl}}</code> wordt gebruikt. Als je doorgaat, kun je problemen ondervinden met authenticatie.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "domainWarningCurrent": "Current:",
+    "ignoreTitle": "Ignore",
-    "domainWarningExpected": "Expected:",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "ignoreTitle": "Negeren",
+}
    "goToCorrectDomainTitle": "Ga naar het juiste domein",
    "authorizeTitle": "Autoriseren",
    "authorizeCardTitle": "Doorgaan naar {{app}}?",
    "authorizeSubtitle": "Doorgaan naar deze app? Controleer de machtigingen die door de app worden gevraagd.",
    "authorizeSubtitleOAuth": "Doorgaan naar deze app?",
    "authorizeLoadingTitle": "Laden...",
    "authorizeLoadingSubtitle": "Even geduld bij het laden van de cliëntinformatie.",
    "authorizeSuccessTitle": "Geautoriseerd",
    "authorizeSuccessSubtitle": "Je wordt binnen enkele seconden doorgestuurd naar de app.",
    "authorizeErrorClientInfo": "Er is een fout opgetreden tijdens het laden van de cliëntinformatie. Probeer het later opnieuw.",
    "authorizeErrorMissingParams": "De volgende parameters ontbreken: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Hiermee kan de app toegang krijgen tot jouw OpenID Connect-informatie.",
    "emailScopeName": "E-mail",
    "emailScopeDescription": "Hiermee kan de app toegang krijgen tot jouw e-mailadres.",
    "profileScopeName": "Profiel",
    "profileScopeDescription": "Hiermee kan de app toegang krijgen tot je profielinformatie.",
    "groupsScopeName": "Groepen",
    "groupsScopeDescription": "Hiermee kan de app toegang krijgen tot jouw groepsinformatie."
 }
--- a/frontend/src/lib/i18n/locales/no-NO.json
+++ b/frontend/src/lib/i18n/locales/no-NO.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/pl-PL.json
+++ b/frontend/src/lib/i18n/locales/pl-PL.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Nie pamiętasz hasła?",
    "failedToFetchProvidersTitle": "Nie udało się załadować dostawców uwierzytelniania. Sprawdź swoją konfigurację.",
    "errorTitle": "Wystąpił błąd",
    "errorSubtitleInfo": "Podczas przetwarzania żądania wystąpił następujący błąd:",
    "errorSubtitle": "Wystąpił błąd podczas próby wykonania tej czynności. Sprawdź konsolę, aby uzyskać więcej informacji.",
    "forgotPasswordMessage": "Możesz zresetować hasło, zmieniając zmienną środowiskową `USERS`.",
    "fieldRequired": "To pole jest wymagane",
    "invalidInput": "Nieprawidłowe dane wejściowe",
    "domainWarningTitle": "Nieprawidłowa domena",
    "domainWarningSubtitle": "Ta instancja jest skonfigurowana do uzyskania dostępu z <code>{{appUrl}}</code>, ale <code>{{currentUrl}}</code> jest w użyciu. Jeśli będziesz kontynuować, mogą wystąpić problemy z uwierzytelnianiem.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Zignoruj",
-    "goToCorrectDomainTitle": "Przejdź do prawidłowej domeny",
+    "goToCorrectDomainTitle": "Przejdź do prawidłowej domeny"
-    "authorizeTitle": "Autoryzuj",
+}
    "authorizeCardTitle": "Kontynuować do {{app}}?",
    "authorizeSubtitle": "Czy chcesz kontynuować do tej aplikacji? Uważnie zapoznaj się z uprawnieniami żądanymi przez aplikację.",
    "authorizeSubtitleOAuth": "Czy chcesz kontynuować do tej aplikacji?",
    "authorizeLoadingTitle": "Wczytywanie...",
    "authorizeLoadingSubtitle": "Proszę czekać, aż załadujemy informacje o kliencie.",
    "authorizeSuccessTitle": "Autoryzowano",
    "authorizeSuccessSubtitle": "Za kilka sekund nastąpi przekierowanie do aplikacji.",
    "authorizeErrorClientInfo": "Wystąpił błąd podczas ładowania informacji o kliencie. Spróbuj ponownie później.",
    "authorizeErrorMissingParams": "Brakuje następujących parametrów: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Zezwala aplikacji na dostęp do informacji o OpenID Connect.",
    "emailScopeName": "E-mail",
    "emailScopeDescription": "Zezwala aplikacji na dostęp do adresów e-mail.",
    "profileScopeName": "Profil",
    "profileScopeDescription": "Zezwala aplikacji na dostęp do informacji o porfilu.",
    "groupsScopeName": "Grupy",
    "groupsScopeDescription": "Zezwala aplikacji na dostęp do informacji o grupie."
 }
--- a/frontend/src/lib/i18n/locales/pt-BR.json
+++ b/frontend/src/lib/i18n/locales/pt-BR.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Esqueceu sua senha?",
    "failedToFetchProvidersTitle": "Falha ao carregar provedores de autenticação. Verifique sua configuração.",
    "errorTitle": "Ocorreu um erro",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Ocorreu um erro ao tentar executar esta ação. Por favor, verifique o console para mais informações.",
    "forgotPasswordMessage": "Você pode redefinir sua senha alterando a variável de ambiente `USERS`.",
    "fieldRequired": "Este campo é obrigatório",
    "invalidInput": "Entrada Inválida",
    "domainWarningTitle": "Domínio inválido",
    "domainWarningSubtitle": "Esta instância está configurada para ser acessada de <code>{{appUrl}}</code>, mas <code>{{currentUrl}}</code> está sendo usado. Se você continuar, você pode encontrar problemas com a autenticação.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignorar",
-    "goToCorrectDomainTitle": "Ir para o domínio correto",
+    "goToCorrectDomainTitle": "Ir para o domínio correto"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/pt-PT.json
+++ b/frontend/src/lib/i18n/locales/pt-PT.json
@@ -1,83 +1,62 @@
 {
-    "loginTitle": "Bem-vindo de volta, inicia sessão com",
+    "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Bem-vindo de volta, inicia sessão",
+    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Ou",
+    "loginDivider": "Or",
-    "loginUsername": "Nome de utilizador",
+    "loginUsername": "Username",
-    "loginPassword": "Palavra-passe",
+    "loginPassword": "Password",
-    "loginSubmit": "Iniciar sessão",
+    "loginSubmit": "Login",
-    "loginFailTitle": "Falha ao iniciar sessão",
+    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Verifica o nome de utilizador e a palavra-passe",
+    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "Falhaste o início de sessão demasiadas vezes. Tenta novamente mais tarde",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-    "loginSuccessTitle": "Sessão iniciada",
+    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Bem-vindo de volta!",
+    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Ocorreu um erro",
+    "loginOauthFailTitle": "An error occurred",
-    "loginOauthFailSubtitle": "Não foi possível obter o URL OAuth",
+    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "A redirecionar",
+    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "A redirecionar para o teu fornecedor OAuth",
+    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "Redirecionamento automático OAuth",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "Vais ser redirecionado automaticamente para o teu fornecedor OAuth para autenticação.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirecionar agora",
+    "loginOauthAutoRedirectButton": "Redirect now",
-    "continueTitle": "Continuar",
+    "continueTitle": "Continue",
-    "continueRedirectingTitle": "A redirecionar...",
+    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "Deverás ser redirecionado para a aplicação em breve",
+    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueRedirectManually": "Redirecionar manualmente",
+    "continueRedirectManually": "Redirect me manually",
-    "continueInsecureRedirectTitle": "Redirecionamento inseguro",
+    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "Estás a tentar redirecionar de <code>https</code> para <code>http</code>, o que não é seguro. Tens a certeza de que queres continuar?",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Redirecionamento não fidedigno",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "Estás a tentar redirecionar para um domínio que não corresponde ao domínio configurado (<code>{{cookieDomain}}</code>). Tens a certeza de que queres continuar?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Falha ao terminar sessão",
+    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Tenta novamente",
+    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Sessão terminada",
+    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "Terminaste a sessão com sucesso",
+    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Terminar sessão",
+    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "Estás com sessão iniciada como <code>{{username}}</code>. Clica no botão abaixo para terminar sessão.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "Estás com sessão iniciada como <code>{{username}}</code> através do fornecedor OAuth {{provider}}. Clica no botão abaixo para terminar sessão.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-    "notFoundTitle": "Página não encontrada",
+    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "A página que procuras não existe.",
+    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Ir para o início",
+    "notFoundButton": "Go home",
-    "totpFailTitle": "Falha na verificação do código",
+    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Verifica o código e tenta novamente",
+    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verificado",
+    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "A redirecionar para a tua aplicação",
+    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Introduz o teu código TOTP",
+    "totpTitle": "Enter your TOTP code",
-    "totpSubtitle": "Introduz o código da tua aplicação de autenticação.",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
-    "unauthorizedTitle": "Não autorizado",
+    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "O utilizador com o nome <code>{{username}}</code> não tem autorização para aceder ao recurso <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "O utilizador com o nome <code>{{username}}</code> não tem autorização para iniciar sessão.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "O utilizador com o nome <code>{{username}}</code> não pertence aos grupos exigidos pelo recurso <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "O teu endereço IP <code>{{ip}}</code> não tem autorização para aceder ao recurso <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Tentar novamente",
+    "unauthorizedButton": "Try again",
-    "cancelTitle": "Cancelar",
+    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Esqueceste-te da palavra-passe?",
+    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Falha ao carregar os fornecedores de autenticação. Verifica a configuração.",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "Ocorreu um erro",
+    "errorTitle": "An error occurred",
-    "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "errorSubtitle": "Ocorreu um erro ao tentar executar esta ação. Consulta a consola para mais informações.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "forgotPasswordMessage": "Podes redefinir a tua palavra-passe alterando a variável de ambiente `USERS`.",
+    "fieldRequired": "This field is required",
-    "fieldRequired": "Este campo é obrigatório",
+    "invalidInput": "Invalid input",
-    "invalidInput": "Entrada inválida",
+    "domainWarningTitle": "Invalid Domain",
-    "domainWarningTitle": "Domínio inválido",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "domainWarningSubtitle": "Esta instância está configurada para ser acedida a partir de <code>{{appUrl}}</code>, mas está a ser usado <code>{{currentUrl}}</code>. Se continuares, poderás ter problemas de autenticação.",
+    "ignoreTitle": "Ignore",
-    "domainWarningCurrent": "Current:",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "domainWarningExpected": "Expected:",
+}
    "ignoreTitle": "Ignorar",
    "goToCorrectDomainTitle": "Ir para o domínio correto",
    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ro-RO.json
+++ b/frontend/src/lib/i18n/locales/ro-RO.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ru-RU.json
+++ b/frontend/src/lib/i18n/locales/ru-RU.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Забыли пароль?",
    "failedToFetchProvidersTitle": "Не удалось загрузить поставщика авторизации. Пожалуйста, проверьте конфигурацию.",
    "errorTitle": "Произошла ошибка",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Произошла ошибка при попытке выполнить это действие. Проверьте консоль для дополнительной информации.",
    "forgotPasswordMessage": "Вы можете сбросить свой пароль, изменив переменную окружения `USERS`.",
    "fieldRequired": "Это поле является обязательным",
    "invalidInput": "Недопустимый ввод",
    "domainWarningTitle": "Неверный домен",
    "domainWarningSubtitle": "Этот экземпляр настроен на доступ к нему из <code>{{appUrl}}</code>, но <code>{{currentUrl}}</code> в настоящее время используется. Если вы продолжите, то могут возникнуть проблемы с авторизацией.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Игнорировать",
-    "goToCorrectDomainTitle": "Перейти к правильному домену",
+    "goToCorrectDomainTitle": "Перейти к правильному домену"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/sr-SP.json
+++ b/frontend/src/lib/i18n/locales/sr-SP.json
@@ -14,17 +14,17 @@
    "loginOauthFailSubtitle": "Неуспело преузимање OAuth адресе",
    "loginOauthSuccessTitle": "Преусмеравање",
    "loginOauthSuccessSubtitle": "Преусмеравање на вашег OAuth провајдера",
-    "loginOauthAutoRedirectTitle": "OAuth аутоматско преусмерење",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "Бићете аутоматски преусмерени на вашег OAuth провајдера за аутентификацију.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Преусмери сада",
+    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Настави",
    "continueRedirectingTitle": "Преусмеравање...",
    "continueRedirectingSubtitle": "Требали би сте ускоро да будете преусмерени на апликацију",
-    "continueRedirectManually": "Преусмери ме ручно",
+    "continueRedirectManually": "Redirect me manually",
    "continueInsecureRedirectTitle": "Небезбедно преусмеравање",
    "continueInsecureRedirectSubtitle": "Покушавате да преусмерите са <code>https</code> на <code>http</code> што није безбедно. Да ли желите да наставите?",
-    "continueUntrustedRedirectTitle": "Неповерљиво преусмерење",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "Покушавате да преусмерите на домен који се не поклапа са вашим подешеним доменом (<code>{{cookieDomain}}</code>). Да ли заиста желите да наставите?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
    "logoutFailTitle": "Неуспешно одјављивање",
    "logoutFailSubtitle": "Молим вас покушајте поново",
    "logoutSuccessTitle": "Одјављени",
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Заборавили сте лозинку?",
    "failedToFetchProvidersTitle": "Није успело учитавање провајдера аутентификације. Молим вас проверите ваша подешавања.",
    "errorTitle": "Појавила се грешка",
    "errorSubtitleInfo": "Појавила се следећа грешка током обраде вашег захтева:",
    "errorSubtitle": "Појавила се грешка при покушају извршавања ове радње. Молим вас проверите конзолу за додатне информације.",
    "forgotPasswordMessage": "Можете поништити вашу лозинку променом `USERS` променљиве окружења.",
-    "fieldRequired": "Ово поље је неопходно",
+    "fieldRequired": "This field is required",
-    "invalidInput": "Неисправан унос",
+    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Неисправан домен",
+    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "Ова инстанца је подешена да јој се приступа са <code>{{appUrl}}</code>, али се користи <code>{{currentUrl}}</code>. Ако наставите, можете искусити проблеме са аутентификацијом.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "domainWarningCurrent": "Current:",
+    "ignoreTitle": "Ignore",
-    "domainWarningExpected": "Expected:",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "ignoreTitle": "Игнориши",
+}
    "goToCorrectDomainTitle": "Иди на исправан домен",
    "authorizeTitle": "Ауторизуј",
    "authorizeCardTitle": "Наставити на {{app}}?",
    "authorizeSubtitle": "Да ли желите да наставите на ову апликацију? Пажљиво проверите дозволе које вам тражи апликација.",
    "authorizeSubtitleOAuth": "Да ли желите да наставите на ову апликацију?",
    "authorizeLoadingTitle": "Учитавање...",
    "authorizeLoadingSubtitle": "Молим вас сачекајте док ми учитамо информације о клијенту.",
    "authorizeSuccessTitle": "Ауторизован",
    "authorizeSuccessSubtitle": "Бићете преусмерени на апликацију за неколико секунди.",
    "authorizeErrorClientInfo": "Појавила се грешка током учитавања информација о клијенту. Молим вас покушајте поново касније.",
    "authorizeErrorMissingParams": "Следећи параметри недостају: {{missingParams}}",
    "openidScopeName": "OpenID повезивање",
    "openidScopeDescription": "Омогућава апликацији да приступа информацији о вашој OpenID вези.",
    "emailScopeName": "Е-пошта",
    "emailScopeDescription": "Омогућава апликацији да приступа вашој адреси е-поште.",
    "profileScopeName": "Профил",
    "profileScopeDescription": "Омогућава апликацији да приступа информацијама о вашем профилу.",
    "groupsScopeName": "Групе",
    "groupsScopeDescription": "Омогућава апликацији да приступа информацијама о вашој групи."
 }
--- a/frontend/src/lib/i18n/locales/sv-SE.json
+++ b/frontend/src/lib/i18n/locales/sv-SE.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/tr-TR.json
+++ b/frontend/src/lib/i18n/locales/tr-TR.json
@@ -1,83 +1,62 @@
 {
-    "loginTitle": "Tekrar Hoş Geldiniz, giriş yapın",
+    "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Tekrar hoş geldiniz, lütfen giriş yapın",
+    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Ya da",
+    "loginDivider": "Or",
    "loginUsername": "Kullanıcı Adı",
    "loginPassword": "Şifre",
    "loginSubmit": "Giriş Yap",
    "loginFailTitle": "Giriş yapılamadı",
-    "loginFailSubtitle": "Lütfen kullanıcı adınızı ve şifrenizi kontrol edin",
+    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "Çok fazla kez giriş yapma girişiminde bulundunuz. Lütfen daha sonra tekrar deneyin",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
    "loginSuccessTitle": "Giriş yapıldı",
    "loginSuccessSubtitle": "Tekrar hoş geldiniz!",
-    "loginOauthFailTitle": "Hata oluştu",
+    "loginOauthFailTitle": "An error occurred",
-    "loginOauthFailSubtitle": "OAuth URL'si alınamadı",
+    "loginOauthFailSubtitle": "Failed to get OAuth URL",
    "loginOauthSuccessTitle": "Yönlendiriliyor",
-    "loginOauthSuccessSubtitle": "OAuth sağlayıcınıza yönlendiriliyor",
+    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Otomatik Yönlendirme",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "Kimlik doğrulama işlemi için otomatik olarak OAuth sağlayıcınıza yönlendirileceksiniz.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Şimdi Yönlendir",
+    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Devam et",
    "continueRedirectingTitle": "Yönlendiriliyor...",
-    "continueRedirectingSubtitle": "Kısa süre içinde uygulamaya yönlendirileceksiniz",
+    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueRedirectManually": "Beni manuel olarak yönlendir",
+    "continueRedirectManually": "Redirect me manually",
-    "continueInsecureRedirectTitle": "Güvenli olmayan yönlendirme",
+    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "<code>http</code> adresinden <code>http</code> adresine yönlendirme yapmaya çalışıyorsunuz, bu güvenli değil. Devam etmek istediğinizden emin misiniz?",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Güvenilmeyen yönlendirme",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "Yapılandırdığınız alan adıyla eşleşmeyen bir alana yönlendirme yapmaya çalışıyorsunuz (<code>{{cookieDomain}}</code>). Devam etmek istediğinize emin misiniz?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Çıkış Yapılamadı",
+    "logoutFailTitle": "Failed to log out",
    "logoutFailSubtitle": "Lütfen tekrar deneyin",
    "logoutSuccessTitle": "Çıkış yapıldı",
-    "logoutSuccessSubtitle": "Çıkış yaptınız",
+    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Çıkış yap",
+    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "<code>{{username}}</code> olarak giriş yapmış durumdasınız. Çıkış yapmak için aşağıdaki düğmeye tıklayın.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "Şu anda {{provider}} OAuth sağlayıcısını kullanarak <code>{{username}}</code> olarak oturum açmış durumdasınız. Oturumunuzu kapatmak için aşağıdaki düğmeye tıklayın.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
    "notFoundTitle": "Sayfa bulunamadı",
    "notFoundSubtitle": "Aradığınız sayfa mevcut değil.",
    "notFoundButton": "Ana sayfaya git",
    "totpFailTitle": "Kod doğrulanamadı",
-    "totpFailSubtitle": "Lütfen kodunuzu kontrol edin ve tekrar deneyin",
+    "totpFailSubtitle": "Please check your code and try again",
    "totpSuccessTitle": "Doğrulandı",
-    "totpSuccessSubtitle": "Uygulamanıza yönlendiriliyor",
+    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "TOTP kodunuzu girin",
+    "totpTitle": "Enter your TOTP code",
-    "totpSubtitle": "Lütfen kimlik doğrulama uygulamanızdan aldığınız kodu girin.",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
-    "unauthorizedTitle": "Yetkisiz",
+    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "Kullanıcı adı <code>{{username}}</code> olan kullanıcının <code>{{resource}}</code> kaynağına erişim yetkisi bulunmamaktadır.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "Kullanıcı adı <code>{{username}}</code> olan kullanıcının oturum açma yetkisi yok.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "Kullanıcı adı <code>{{username}}</code> olan kullanıcı, <code>{{resource}}</code> kaynağının gerektirdiği gruplarda bulunmuyor.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "IP adresiniz <code>{{ip}}</code>, <code>{{resource}}</code> kaynağına erişim yetkisine sahip değil.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Tekrar deneyin",
+    "unauthorizedButton": "Try again",
    "cancelTitle": "İptal",
-    "forgotPasswordTitle": "Şifrenizi mi unuttunuz?",
+    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Kimlik doğrulama sağlayıcıları yüklenemedi. Lütfen yapılandırmanızı kontrol edin.",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "Bir hata oluştu",
+    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "Parolanızı `USERS` ortam değişkenini değiştirerek sıfırlayabilirsiniz.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "Bu alan zorunludur",
+    "fieldRequired": "This field is required",
-    "invalidInput": "Geçersiz girdi",
+    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Geçersiz alan adı",
+    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "Bu örnek, <code>{{appUrl}}</code> adresinden erişilecek şekilde yapılandırılmıştır, ancak <code>{{currentUrl}}</code> kullanılmaktadır. Devam ederseniz, kimlik doğrulama ile ilgili sorunlarla karşılaşabilirsiniz.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "domainWarningCurrent": "Current:",
+    "ignoreTitle": "Ignore",
-    "domainWarningExpected": "Expected:",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "ignoreTitle": "Yoksay",
+}
    "goToCorrectDomainTitle": "Doğru alana gidin",
    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/uk-UA.json
+++ b/frontend/src/lib/i18n/locales/uk-UA.json
@@ -1,83 +1,62 @@
 {
    "loginTitle": "З поверненням, увійдіть через",
-    "loginTitleSimple": "З поверненням, будь ласка, авторизуйтесь",
+    "loginTitleSimple": "Welcome back, please login",
-    "loginDivider": "Або",
+    "loginDivider": "Or",
-    "loginUsername": "Ім'я користувача",
+    "loginUsername": "Username",
-    "loginPassword": "Пароль",
+    "loginPassword": "Password",
-    "loginSubmit": "Увійти",
+    "loginSubmit": "Login",
-    "loginFailTitle": "Не вдалося авторизуватися",
+    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Перевірте ім'я користувача та пароль",
+    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "Ви не змогли увійти занадто багато разів. Будь ласка, спробуйте ще раз пізніше",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-    "loginSuccessTitle": "Вхід здійснено",
+    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "З поверненням!",
+    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Виникла помилка",
+    "loginOauthFailTitle": "An error occurred",
-    "loginOauthFailSubtitle": "Не вдалося отримати OAuth URL",
+    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Перенаправляємо",
+    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Перенаправляємо до вашого провайдера OAuth",
+    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "Автоматичне переспрямування OAuth",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "Ви будете автоматично перенаправлені до вашого провайдера OAuth для автентифікації.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Перейти зараз",
+    "loginOauthAutoRedirectButton": "Redirect now",
-    "continueTitle": "Продовжити",
+    "continueTitle": "Continue",
-    "continueRedirectingTitle": "Перенаправлення...",
+    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "Незабаром ви будете перенаправлені в додаток",
+    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueRedirectManually": "Перенаправити мене вручну",
+    "continueRedirectManually": "Redirect me manually",
-    "continueInsecureRedirectTitle": "Небезпечне перенаправлення",
+    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "Ви намагаєтесь перенаправити з <code>https</code> на <code>http</code> який не є безпечним. Ви впевнені, що хочете продовжити?",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueUntrustedRedirectTitle": "Недовірене перенаправлення",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "Ви намагаєтесь перенаправити на домен, який не збігається з вашим налаштованим доменом (<code>{{cookieDomain}}</code>). Впевнені, що хочете продовжити?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Не вдалося вийти",
+    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Будь ласка, спробуйте знову",
+    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Ви вийшли",
+    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "Ви вийшли з системи",
+    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Вийти",
+    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "Зараз ви увійшли як <code>{{username}}</code>. Натисніть кнопку нижче для виходу.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-    "logoutOauthSubtitle": "Наразі ви увійшли як <code>{{username}}</code> використовуючи провайдера {{provider}} OAuth. Натисніть кнопку нижче, щоб вийти.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-    "notFoundTitle": "Сторінку не знайдено",
+    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "Сторінка, яку ви шукаєте, не існує.",
+    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "На головну",
+    "notFoundButton": "Go home",
-    "totpFailTitle": "Не вдалося перевірити код",
+    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Перевірте ваш код і спробуйте ще раз",
+    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Перевірено",
+    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Перенаправлення до вашого додатку",
+    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Введіть ваш TOTP код",
+    "totpTitle": "Enter your TOTP code",
-    "totpSubtitle": "Будь ласка, введіть код з вашого додатку для автентифікації.",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
-    "unauthorizedTitle": "Доступ обмежено",
+    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "Користувач з ім'ям користувача <code>{{username}}</code> не має права доступу до ресурсу <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "Користувач з іменем <code>{{username}}</code> не авторизований для входу.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "Користувач з іменем <code>{{username}}</code> не входить до груп, що необхідні для ресурсу <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Ваша IP-адреса <code>{{ip}}</code> не авторизована для доступу до ресурсу <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Спробуйте ще раз",
+    "unauthorizedButton": "Try again",
-    "cancelTitle": "Скасовувати",
+    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Забули пароль?",
+    "forgotPasswordTitle": "Forgot your password?",
-    "failedToFetchProvidersTitle": "Не вдалося завантажити провайдерів автентифікації. Будь ласка, перевірте вашу конфігурацію.",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "Виникла помилка",
+    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "Під час обробки запиту сталась помилка:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "Ви можете скинути пароль, змінивши змінну середовища \"USERS\".",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "Це поле обов'язкове для заповнення",
+    "fieldRequired": "This field is required",
-    "invalidInput": "Невірне введення",
+    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Невірний домен",
+    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "Даний ресурс налаштований для доступу з <code>{{appUrl}}</code>, але використовується <code>{{currentUrl}}</code>. Якщо ви продовжите, можуть виникнути проблеми з автентифікацією.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "domainWarningCurrent": "Current:",
+    "ignoreTitle": "Ignore",
-    "domainWarningExpected": "Expected:",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "ignoreTitle": "Ігнорувати",
+}
    "goToCorrectDomainTitle": "Перейти за коректним доменом",
    "authorizeTitle": "Авторизуватись",
    "authorizeCardTitle": "Перейти до {{app}}?",
    "authorizeSubtitle": "Чи хочете ви продовжити роботу з цим додатком? Будь ласка, уважно перегляньте дозволи, які вимагає додаток.",
    "authorizeSubtitleOAuth": "Бажаєте продовжити роботу з цим додатком?",
    "authorizeLoadingTitle": "Завантаження...",
    "authorizeLoadingSubtitle": "Будь ласка, зачекайте, поки ми завантажуємо клієнтську інформацію.",
    "authorizeSuccessTitle": "Авторизовано",
    "authorizeSuccessSubtitle": "Вас буде перенаправлено до програми за декілька секунд.",
    "authorizeErrorClientInfo": "Під час завантаження даних клієнта сталася помилка. Будь ласка, спробуйте ще раз пізніше.",
    "authorizeErrorMissingParams": "Відсутні наступні параметри: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Дозволяє програмі отримувати доступ до вашої інформації OpenID Connect.",
    "emailScopeName": "Електронна пошта",
    "emailScopeDescription": "Дозволяє програмі отримувати доступ до вашої адреси електронної пошти.",
    "profileScopeName": "Профіль",
    "profileScopeDescription": "Дозволяє програмі отримувати доступ до інформації вашого профілю.",
    "groupsScopeName": "Групи",
    "groupsScopeDescription": "Дозволяє програмі отримувати доступ до інформації про групу."
 }
--- a/frontend/src/lib/i18n/locales/vi-VN.json
+++ b/frontend/src/lib/i18n/locales/vi-VN.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "Bạn quên mật khẩu?",
    "failedToFetchProvidersTitle": "Không tải được nhà cung cấp xác thực. Vui lòng kiểm tra cấu hình của bạn.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Đã xảy ra lỗi khi thực hiện thao tác này. Vui lòng kiểm tra bảng điều khiển để biết thêm thông tin.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain"
-    "authorizeTitle": "Authorize",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/zh-CN.json
+++ b/frontend/src/lib/i18n/locales/zh-CN.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "忘记密码？",
    "failedToFetchProvidersTitle": "加载身份验证提供程序失败，请检查您的配置。",
    "errorTitle": "发生了错误",
    "errorSubtitleInfo": "处理您的请求时发生了以下错误：",
    "errorSubtitle": "执行此操作时发生错误，请检查控制台以获取更多信息。",
    "forgotPasswordMessage": "您可以通过更改 `USERS ` 环境变量重置您的密码。",
    "fieldRequired": "必添字段",
    "invalidInput": "无效的输入",
    "domainWarningTitle": "无效域名",
    "domainWarningSubtitle": "当前实例配置的访问地址为 <code>{{appUrl}}</code>，但您正在使用 <code>{{currentUrl}}</code>。若继续操作，可能会遇到身份验证问题。",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "忽略",
-    "goToCorrectDomainTitle": "转到正确的域名",
+    "goToCorrectDomainTitle": "转到正确的域名"
-    "authorizeTitle": "授权",
+}
    "authorizeCardTitle": "继续访问 {{app}}？",
    "authorizeSubtitle": "您想继续使用此应用程序吗？请仔细查看该应用程序请求的权限",
    "authorizeSubtitleOAuth": "您想要继续使用此应用吗？",
    "authorizeLoadingTitle": "正在加载...",
    "authorizeLoadingSubtitle": "正在加载客户端信息，请稍候。",
    "authorizeSuccessTitle": "已授权",
    "authorizeSuccessSubtitle": "您将在几秒钟内被重定向到应用程序。",
    "authorizeErrorClientInfo": "加载客户端信息时发生错误。请稍后再试。",
    "authorizeErrorMissingParams": "参数缺失：{{missingParams}}",
    "openidScopeName": "OpenID 连接",
    "openidScopeDescription": "允许应用访问您的 OpenID 连接信息。",
    "emailScopeName": "邮箱",
    "emailScopeDescription": "允许应用访问您的邮箱地址。",
    "profileScopeName": "个人资料",
    "profileScopeDescription": "允许应用访问您的个人信息。",
    "groupsScopeName": "分组",
    "groupsScopeDescription": "允许应用程序访问您的群组信息。"
 }
--- a/frontend/src/lib/i18n/locales/zh-TW.json
+++ b/frontend/src/lib/i18n/locales/zh-TW.json
@@ -51,33 +51,12 @@
    "forgotPasswordTitle": "忘記密碼？",
    "failedToFetchProvidersTitle": "載入驗證供應商失敗。請檢查您的設定。",
    "errorTitle": "發生錯誤",
    "errorSubtitleInfo": "處理您的請求時，發生了以下錯誤：",
    "errorSubtitle": "執行此操作時發生錯誤。請檢查主控台以獲取更多資訊。",
    "forgotPasswordMessage": "透過修改 `USERS` 環境變數，你可以重設你的密碼。",
    "fieldRequired": "此為必填欄位",
    "invalidInput": "無效的輸入",
    "domainWarningTitle": "無效的網域",
    "domainWarningSubtitle": "此服務設定為透過 <code>{{appUrl}}</code> 存取，但目前使用的是 <code>{{currentUrl}}</code>。若繼續操作，可能會遇到驗證問題。",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "忽略",
-    "goToCorrectDomainTitle": "前往正確域名",
+    "goToCorrectDomainTitle": "前往正確域名"
-    "authorizeTitle": "授權",
+}
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "正在載入…",
    "authorizeLoadingSubtitle": "正在加载客户端信息，请稍候。",
    "authorizeSuccessTitle": "已授權",
    "authorizeSuccessSubtitle": "幾秒鐘內您將會被重新導向至應用程式。",
    "authorizeErrorClientInfo": "載入用戶端資訊時發生錯誤。請稍後再試。",
    "authorizeErrorMissingParams": "下列參數遺失：{{missingParams}}",
    "openidScopeName": "OpenID 連接",
    "openidScopeDescription": "允許該應用程式存取您的 OpenID Connect 資訊。",
    "emailScopeName": "電子郵件",
    "emailScopeDescription": "允許該應用程式存取您的電子郵件地址。",
    "profileScopeName": "個人檔案",
    "profileScopeDescription": "允許該應用程式存取您的個人資料。",
    "groupsScopeName": "群組",
    "groupsScopeDescription": "允許該應用程式存取您的群組資訊。"
 }
--- a/frontend/src/lib/utils.ts
+++ b/frontend/src/lib/utils.ts
@@ -5,6 +5,15 @@ export function cn(...inputs: ClassValue[]) {
  return twMerge(clsx(inputs));
 }
 export const isValidUrl = (url: string) => {
  try {
    new URL(url);
    return true;
  } catch {
    return false;
  }
 };
 export const capitalize = (str: string) => {
  return str.charAt(0).toUpperCase() + str.slice(1);
 };
--- a/frontend/src/main.tsx
+++ b/frontend/src/main.tsx
@@ -18,7 +18,6 @@ import { UserContextProvider } from "./context/user-context.tsx";
 import { Toaster } from "@/components/ui/sonner";
 import { ThemeProvider } from "./components/providers/theme-provider.tsx";
 import { AuthorizePage } from "./pages/authorize-page.tsx";
 import { TooltipProvider } from "@/components/ui/tooltip";
 const queryClient = new QueryClient();
@@ -27,33 +26,28 @@ createRoot(document.getElementById("root")!).render(
    <QueryClientProvider client={queryClient}>
      <AppContextProvider>
        <UserContextProvider>
-          <TooltipProvider>
+          <ThemeProvider defaultTheme="system" storageKey="tinyauth-theme">
-            <ThemeProvider defaultTheme="system" storageKey="tinyauth-theme">
+            <BrowserRouter>
-              <BrowserRouter>
+              <Routes>
-                <Routes>
+                <Route element={<Layout />} errorElement={<ErrorPage />}>
-                  <Route element={<Layout />} errorElement={<ErrorPage />}>
+                  <Route path="/" element={<App />} />
-                    <Route path="/" element={<App />} />
+                  <Route path="/login" element={<LoginPage />} />
-                    <Route path="/login" element={<LoginPage />} />
+                  <Route path="/authorize" element={<AuthorizePage />} />
-                    <Route path="/authorize" element={<AuthorizePage />} />
+                  <Route path="/logout" element={<LogoutPage />} />
-                    <Route path="/logout" element={<LogoutPage />} />
+                  <Route path="/continue" element={<ContinuePage />} />
-                    <Route path="/continue" element={<ContinuePage />} />
+                  <Route path="/totp" element={<TotpPage />} />
-                    <Route path="/totp" element={<TotpPage />} />
+                  <Route
-                    <Route
+                    path="/forgot-password"
-                      path="/forgot-password"
+                    element={<ForgotPasswordPage />}
-                      element={<ForgotPasswordPage />}
+                  />
-                    />
+                  <Route path="/unauthorized" element={<UnauthorizedPage />} />
-                    <Route
+                  <Route path="/error" element={<ErrorPage />} />
-                      path="/unauthorized"
+                  <Route path="*" element={<NotFoundPage />} />
-                      element={<UnauthorizedPage />}
+                </Route>
-                    />
+              </Routes>
-                    <Route path="/error" element={<ErrorPage />} />
+            </BrowserRouter>
-                    <Route path="*" element={<NotFoundPage />} />
+            <Toaster />
-                  </Route>
+          </ThemeProvider>
                </Routes>
              </BrowserRouter>
              <Toaster />
            </ThemeProvider>
          </TooltipProvider>
        </UserContextProvider>
      </AppContextProvider>
    </QueryClientProvider>
--- a/frontend/src/pages/authorize-page.tsx
+++ b/frontend/src/pages/authorize-page.tsx
@@ -8,86 +8,32 @@ import {
  CardTitle,
  CardDescription,
  CardFooter,
  CardContent,
 } from "@/components/ui/card";
-import { getOidcClientInfoSchema } from "@/schemas/oidc-schemas";
+import { getOidcClientInfoScehma } from "@/schemas/oidc-schemas";
 import { Button } from "@/components/ui/button";
 import axios from "axios";
 import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
 import { Mail, Shield, User, Users } from "lucide-react";
 import {
  Tooltip,
  TooltipContent,
  TooltipTrigger,
 } from "@/components/ui/tooltip";
 type Scope = {
  id: string;
  name: string;
  description: string;
  icon: React.ReactNode;
 };
 const scopeMapIconProps = {
  className: "stroke-muted-foreground stroke-[1.75] h-4",
 };
 const createScopeMap = (t: TFunction<"translation", undefined>): Scope[] => {
  return [
    {
      id: "openid",
      name: t("openidScopeName"),
      description: t("openidScopeDescription"),
      icon: <Shield {...scopeMapIconProps} />,
    },
    {
      id: "email",
      name: t("emailScopeName"),
      description: t("emailScopeDescription"),
      icon: <Mail {...scopeMapIconProps} />,
    },
    {
      id: "profile",
      name: t("profileScopeName"),
      description: t("profileScopeDescription"),
      icon: <User {...scopeMapIconProps} />,
    },
    {
      id: "groups",
      name: t("groupsScopeName"),
      description: t("groupsScopeDescription"),
      icon: <Users {...scopeMapIconProps} />,
    },
  ];
 };
 export const AuthorizePage = () => {
  const { isLoggedIn } = useUserContext();
  const { search } = useLocation();
  const { t } = useTranslation();
  const navigate = useNavigate();
  const scopeMap = createScopeMap(t);
  const searchParams = new URLSearchParams(search);
  const {
    values: props,
    missingParams,
    isOidc,
    compiled: compiledOIDCParams,
  } = useOIDCParams(searchParams);
  const scopes = props.scope ? props.scope.split(" ").filter(Boolean) : [];
  const getClientInfo = useQuery({
    queryKey: ["client", props.client_id],
    queryFn: async () => {
      const res = await fetch(`/api/oidc/clients/${props.client_id}`);
-      const data = await getOidcClientInfoSchema.parseAsync(await res.json());
+      const data = await getOidcClientInfoScehma.parseAsync(await res.json());
      return data;
    },
    enabled: isOidc,
  });
  const authorizeMutation = useMutation({
@@ -102,8 +48,8 @@ export const AuthorizePage = () => {
    },
    mutationKey: ["authorize", props.client_id],
    onSuccess: (data) => {
-      toast.info(t("authorizeSuccessTitle"), {
+      toast.info("Authorized", {
-        description: t("authorizeSuccessSubtitle"),
+        description: "You will be soon redirected to your application",
      });
      window.location.replace(data.data.redirect_uri);
    },
@@ -114,30 +60,28 @@ export const AuthorizePage = () => {
    },
  });
  if (!isLoggedIn) {
    return <Navigate to={`/login?${compiledOIDCParams}`} replace />;
  }
  if (missingParams.length > 0) {
    return (
      <Navigate
-        to={`/error?error=${encodeURIComponent(t("authorizeErrorMissingParams", { missingParams: missingParams.join(", ") }))}`}
+        to={`/error?error=${encodeURIComponent(`Missing parameters: ${missingParams.join(", ")}`)}`}
        replace
      />
    );
  }
  if (!isLoggedIn) {
    return <Navigate to={`/login?${compiledOIDCParams}`} replace />;
  }
  if (getClientInfo.isLoading) {
    return (
-      <Card className="gap-0">
+      <Card className="min-w-xs sm:min-w-sm">
        <CardHeader>
-          <CardTitle className="text-xl">
+          <CardTitle className="text-3xl">Loading...</CardTitle>
-            {t("authorizeLoadingTitle")}
+          <CardDescription>
-          </CardTitle>
+            Please wait while we load the client information.
          </CardDescription>
        </CardHeader>
        <CardContent>
          <CardDescription>{t("authorizeLoadingSubtitle")}</CardDescription>
        </CardContent>
      </Card>
    );
  }
@@ -145,65 +89,36 @@ export const AuthorizePage = () => {
  if (getClientInfo.isError) {
    return (
      <Navigate
-        to={`/error?error=${encodeURIComponent(t("authorizeErrorClientInfo"))}`}
+        to={`/error?error=${encodeURIComponent(`Failed to load client information`)}`}
        replace
      />
    );
  }
  return (
-    <Card>
+    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader className="mb-2">
+      <CardHeader>
-        <div className="flex flex-col gap-3 items-center justify-center text-center">
+        <CardTitle className="text-3xl">
-          <div className="bg-accent-foreground text-muted text-xl font-bold font-sans rounded-lg px-4 py-3">
+          Continue to {getClientInfo.data?.name || "Unknown"}?
-            {getClientInfo.data?.name.slice(0, 1)}
+        </CardTitle>
-          </div>
+        <CardDescription>
-          <CardTitle className="text-xl">
+          Would you like to continue to this app? Please keep in mind that this
-            {t("authorizeCardTitle", {
+          app will have access to your email and other information.
-              app: getClientInfo.data?.name || "Unknown",
+        </CardDescription>
            })}
          </CardTitle>
          <CardDescription className="text-sm max-w-sm">
            {scopes.includes("openid")
              ? t("authorizeSubtitle")
              : t("authorizeSubtitleOAuth")}
          </CardDescription>
        </div>
      </CardHeader>
-      <CardContent className="mb-2">
+      <CardFooter className="flex flex-col items-stretch gap-2">
        {scopes.includes("openid") && (
          <div className="flex flex-wrap gap-2 items-center justify-center">
            {scopes.map((id) => {
              const scope = scopeMap.find((s) => s.id === id);
              if (!scope) return null;
              return (
                <Tooltip key={scope.id}>
                  <TooltipTrigger className="flex flex-row justify-center items-center gap-1 rounded-full bg-secondary font-light pl-2 pr-4 py-1 border-border border">
                    <div>{scope.icon}</div>
                    <div className="text-sm text-accent-foreground">
                      {scope.name}
                    </div>
                  </TooltipTrigger>
                  <TooltipContent>{scope.description}</TooltipContent>
                </Tooltip>
              );
            })}
          </div>
        )}
      </CardContent>
      <CardFooter className="flex flex-col items-stretch gap-3">
        <Button
          onClick={() => authorizeMutation.mutate()}
          loading={authorizeMutation.isPending}
        >
-          {t("authorizeTitle")}
+          Authorize
        </Button>
        <Button
          onClick={() => navigate("/")}
          disabled={authorizeMutation.isPending}
          variant="outline"
        >
-          {t("cancelTitle")}
+          Cancel
        </Button>
      </CardFooter>
    </Card>
--- a/frontend/src/pages/continue-page.tsx
+++ b/frontend/src/pages/continue-page.tsx
@@ -8,10 +8,10 @@ import {
 } from "@/components/ui/card";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
 import { isValidUrl } from "@/lib/utils";
 import { Trans, useTranslation } from "react-i18next";
 import { Navigate, useLocation, useNavigate } from "react-router";
-import { useCallback, useEffect, useRef, useState } from "react";
+import { useEffect, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
 export const ContinuePage = () => {
  const { cookieDomain, disableUiWarnings } = useAppContext();
@@ -20,55 +20,59 @@ export const ContinuePage = () => {
  const { t } = useTranslation();
  const navigate = useNavigate();
-  const [isLoading, setIsLoading] = useState(false);
+  const [loading, setLoading] = useState(false);
  const [showRedirectButton, setShowRedirectButton] = useState(false);
  const hasRedirected = useRef(false);
  const searchParams = new URLSearchParams(search);
  const redirectUri = searchParams.get("redirect_uri");
-  const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
+  const isValidRedirectUri =
-    redirectUri,
+    redirectUri !== null ? isValidUrl(redirectUri) : false;
-    cookieDomain,
+  const redirectUriObj = isValidRedirectUri
-  );
+    ? new URL(redirectUri as string)
    : null;
  const isTrustedRedirectUri =
    redirectUriObj !== null
      ? redirectUriObj.hostname === cookieDomain ||
        redirectUriObj.hostname.endsWith(`.${cookieDomain}`)
      : false;
  const isAllowedRedirectProto =
    redirectUriObj !== null
      ? redirectUriObj.protocol === "https:" ||
        redirectUriObj.protocol === "http:"
      : false;
  const isHttpsDowngrade =
    redirectUriObj !== null
      ? redirectUriObj.protocol === "http:" &&
        window.location.protocol === "https:"
      : false;
-  const urlHref = url?.href;
+  const handleRedirect = () => {
    setLoading(true);
    window.location.assign(redirectUriObj!.toString());
  };
-  const hasValidRedirect = valid && allowedProto;
+  useEffect(() => {
-  const showUntrustedWarning =
+    if (!isLoggedIn) {
    hasValidRedirect && !trusted && !disableUiWarnings;
  const showInsecureWarning =
    hasValidRedirect && httpsDowngrade && !disableUiWarnings;
  const shouldAutoRedirect =
    isLoggedIn &&
    hasValidRedirect &&
    !showUntrustedWarning &&
    !showInsecureWarning;
  const redirectToTarget = useCallback(() => {
    if (!urlHref || hasRedirected.current) {
      return;
    }
-    hasRedirected.current = true;
+    if (
-    window.location.assign(urlHref);
+      (!isValidRedirectUri ||
-  }, [urlHref]);
+        !isAllowedRedirectProto ||
-
+        !isTrustedRedirectUri ||
-  const handleRedirect = useCallback(() => {
+        isHttpsDowngrade) &&
-    setIsLoading(true);
+      !disableUiWarnings
-    redirectToTarget();
+    ) {
  }, [redirectToTarget]);
  useEffect(() => {
    if (!shouldAutoRedirect) {
      return;
    }
    const auto = setTimeout(() => {
-      redirectToTarget();
+      handleRedirect();
    }, 100);
    const reveal = setTimeout(() => {
      setLoading(false);
      setShowRedirectButton(true);
    }, 5000);
@@ -76,26 +80,26 @@ export const ContinuePage = () => {
      clearTimeout(auto);
      clearTimeout(reveal);
    };
-  }, [shouldAutoRedirect, redirectToTarget]);
+  });
  if (!isLoggedIn) {
    return (
      <Navigate
-        to={`/login${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
+        to={`/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`}
        replace
      />
    );
  }
-  if (!hasValidRedirect) {
+  if (!isValidRedirectUri || !isAllowedRedirectProto) {
    return <Navigate to="/logout" replace />;
  }
-  if (showUntrustedWarning) {
+  if (!isTrustedRedirectUri && !disableUiWarnings) {
    return (
-      <Card role="alert" aria-live="assertive">
+      <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
-        <CardHeader className="gap-1.5">
+        <CardHeader>
-          <CardTitle className="text-xl">
+          <CardTitle className="text-3xl">
            {t("continueUntrustedRedirectTitle")}
          </CardTitle>
          <CardDescription>
@@ -106,14 +110,13 @@ export const ContinuePage = () => {
                code: <code />,
              }}
              values={{ cookieDomain }}
              shouldUnescape={true}
            />
          </CardDescription>
        </CardHeader>
-        <CardFooter className="flex flex-col items-stretch gap-3">
+        <CardFooter className="flex flex-col items-stretch gap-2">
          <Button
            onClick={handleRedirect}
-            loading={isLoading}
+            loading={loading}
            variant="destructive"
          >
            {t("continueTitle")}
@@ -121,7 +124,7 @@ export const ContinuePage = () => {
          <Button
            onClick={() => navigate("/logout")}
            variant="outline"
-            disabled={isLoading}
+            disabled={loading}
          >
            {t("cancelTitle")}
          </Button>
@@ -130,11 +133,11 @@ export const ContinuePage = () => {
    );
  }
-  if (showInsecureWarning) {
+  if (isHttpsDowngrade && !disableUiWarnings) {
    return (
-      <Card role="alert" aria-live="assertive">
+      <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
-        <CardHeader className="gap-1.5">
+        <CardHeader>
-          <CardTitle className="text-xl">
+          <CardTitle className="text-3xl">
            {t("continueInsecureRedirectTitle")}
          </CardTitle>
          <CardDescription>
@@ -147,18 +150,14 @@ export const ContinuePage = () => {
            />
          </CardDescription>
        </CardHeader>
-        <CardFooter className="flex flex-col items-stretch gap-3">
+        <CardFooter className="flex flex-col items-stretch gap-2">
-          <Button
+          <Button onClick={handleRedirect} loading={loading} variant="warning">
            onClick={handleRedirect}
            loading={isLoading}
            variant="warning"
          >
            {t("continueTitle")}
          </Button>
          <Button
            onClick={() => navigate("/logout")}
            variant="outline"
-            disabled={isLoading}
+            disabled={loading}
          >
            {t("cancelTitle")}
          </Button>
@@ -168,16 +167,16 @@ export const ContinuePage = () => {
  }
  return (
-    <Card>
+    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader className="gap-1.5">
+      <CardHeader>
-        <CardTitle className="text-xl">
+        <CardTitle className="text-3xl">
          {t("continueRedirectingTitle")}
        </CardTitle>
        <CardDescription>{t("continueRedirectingSubtitle")}</CardDescription>
      </CardHeader>
      {showRedirectButton && (
-        <CardFooter>
+        <CardFooter className="flex flex-col items-stretch">
-          <Button className="w-full" onClick={handleRedirect}>
+          <Button onClick={handleRedirect}>
            {t("continueRedirectManually")}
          </Button>
        </CardFooter>
--- a/frontend/src/pages/error-page.tsx
+++ b/frontend/src/pages/error-page.tsx
@@ -14,13 +14,13 @@ export const ErrorPage = () => {
  const error = searchParams.get("error") ?? "";
  return (
-    <Card>
+    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader className="gap-1.5">
+      <CardHeader>
-        <CardTitle className="text-xl">{t("errorTitle")}</CardTitle>
+        <CardTitle className="text-3xl">{t("errorTitle")}</CardTitle>
-        <CardDescription className="flex flex-col gap-3">
+        <CardDescription className="flex flex-col gap-1.5">
          {error ? (
            <>
-              <p>{t("errorSubtitleInfo")}</p>
+              <p>The following error occured while processing your request:</p>
              <pre>{error}</pre>
            </>
          ) : (
--- a/frontend/src/pages/forgot-password-page.tsx
+++ b/frontend/src/pages/forgot-password-page.tsx
@@ -1,47 +1,25 @@
 import {
  Card,
  CardContent,
  CardDescription,
  CardFooter,
  CardHeader,
  CardTitle,
 } from "@/components/ui/card";
 import { Button } from "@/components/ui/button";
 import { useAppContext } from "@/context/app-context";
 import { useTranslation } from "react-i18next";
 import Markdown from "react-markdown";
 import { useNavigate } from "react-router";
 export const ForgotPasswordPage = () => {
  const { forgotPasswordMessage } = useAppContext();
  const { t } = useTranslation();
  const navigate = useNavigate();
  return (
-    <Card>
+    <Card className="min-w-xs sm:min-w-sm">
      <CardHeader>
-        <CardTitle className="text-xl">{t("forgotPasswordTitle")}</CardTitle>
+        <CardTitle className="text-3xl">{t("forgotPasswordTitle")}</CardTitle>
      </CardHeader>
      <CardContent>
        <CardDescription>
-          <Markdown>
+          <Markdown>{forgotPasswordMessage !== "" ? forgotPasswordMessage : t('forgotPasswordMessage')}</Markdown>
            {forgotPasswordMessage !== ""
              ? forgotPasswordMessage
              : t("forgotPasswordMessage")}
          </Markdown>
        </CardDescription>
-      </CardContent>
+      </CardHeader>
      <CardFooter>
        <Button
          className="w-full"
          variant="outline"
          onClick={() => {
            navigate("/login");
          }}
        >
          {t("notFoundButton")}
        </Button>
      </CardFooter>
    </Card>
  );
 };
--- a/frontend/src/pages/login-page.tsx
+++ b/frontend/src/pages/login-page.tsx
@@ -22,7 +22,7 @@ import { useOIDCParams } from "@/lib/hooks/oidc";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
-import { useEffect, useId, useRef, useState } from "react";
+import { useEffect, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
@@ -40,16 +40,13 @@ export const LoginPage = () => {
  const { providers, title, oauthAutoRedirect } = useAppContext();
  const { search } = useLocation();
  const { t } = useTranslation();
-
+  const [oauthAutoRedirectHandover, setOauthAutoRedirectHandover] =
    useState(false);
  const [showRedirectButton, setShowRedirectButton] = useState(false);
  const hasAutoRedirectedRef = useRef(false);
  const redirectTimer = useRef<number | null>(null);
  const redirectButtonTimer = useRef<number | null>(null);
  const formId = useId();
  const searchParams = new URLSearchParams(search);
  const {
    values: props,
@@ -57,11 +54,6 @@ export const LoginPage = () => {
    compiled: compiledOIDCParams,
  } = useOIDCParams(searchParams);
  const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
    providers.find((provider) => provider.id === oauthAutoRedirect) !==
      undefined && props.redirect_uri,
  );
  const oauthProviders = providers.filter(
    (provider) => provider.id !== "local" && provider.id !== "ldap",
  );
@@ -70,15 +62,10 @@ export const LoginPage = () => {
      (provider) => provider.id === "local" || provider.id === "ldap",
    ) !== undefined;
-  const {
+  const oauthMutation = useMutation({
    mutate: oauthMutate,
    data: oauthData,
    isPending: oauthIsPending,
    variables: oauthVariables,
  } = useMutation({
    mutationFn: (provider: string) =>
      axios.get(
-        `/api/oauth/url/${provider}${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
+        `/api/oauth/url/${provider}?redirect_uri=${encodeURIComponent(props.redirect_uri)}`,
      ),
    mutationKey: ["oauth"],
    onSuccess: (data) => {
@@ -89,29 +76,21 @@ export const LoginPage = () => {
      redirectTimer.current = window.setTimeout(() => {
        window.location.replace(data.data.url);
      }, 500);
      if (isOauthAutoRedirect) {
        redirectButtonTimer.current = window.setTimeout(() => {
          setShowRedirectButton(true);
        }, 5000);
      }
    },
    onError: () => {
-      setIsOauthAutoRedirect(false);
+      setOauthAutoRedirectHandover(false);
      toast.error(t("loginOauthFailTitle"), {
        description: t("loginOauthFailSubtitle"),
      });
    },
  });
-  const { mutate: loginMutate, isPending: loginIsPending } = useMutation({
+  const loginMutation = useMutation({
    mutationFn: (values: LoginSchema) => axios.post("/api/user/login", values),
    mutationKey: ["login"],
    onSuccess: (data) => {
      if (data.data.totpPending) {
-        window.location.replace(
+        window.location.replace(`/totp?${compiledOIDCParams}`);
          `/totp${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
        );
        return;
      }
@@ -125,7 +104,7 @@ export const LoginPage = () => {
          return;
        }
        window.location.replace(
-          `/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
+          `/continue?redirect_uri=${encodeURIComponent(props.redirect_uri)}`,
        );
      }, 500);
    },
@@ -141,43 +120,39 @@ export const LoginPage = () => {
  useEffect(() => {
    if (
      providers.find((provider) => provider.id === oauthAutoRedirect) &&
      !isLoggedIn &&
-      isOauthAutoRedirect &&
+      props.redirect_uri !== ""
      !hasAutoRedirectedRef.current &&
      props.redirect_uri
    ) {
-      hasAutoRedirectedRef.current = true;
+      // Not sure of a better way to do this
-      oauthMutate(oauthAutoRedirect);
+      // eslint-disable-next-line react-hooks/set-state-in-effect
      setOauthAutoRedirectHandover(true);
      oauthMutation.mutate(oauthAutoRedirect);
      redirectButtonTimer.current = window.setTimeout(() => {
        setShowRedirectButton(true);
      }, 5000);
    }
  }, [
    providers,
    isLoggedIn,
    oauthMutate,
    hasAutoRedirectedRef,
    oauthAutoRedirect,
    isOauthAutoRedirect,
    props.redirect_uri,
    oauthAutoRedirect,
    oauthMutation,
  ]);
-  useEffect(() => {
+  useEffect(
-    return () => {
+    () => () => {
-      if (redirectTimer.current) {
+      if (redirectTimer.current) clearTimeout(redirectTimer.current);
-        clearTimeout(redirectTimer.current);
+      if (redirectButtonTimer.current)
      }
      if (redirectButtonTimer.current) {
        clearTimeout(redirectButtonTimer.current);
-      }
+    },
-    };
+    [],
-  }, [redirectTimer, redirectButtonTimer]);
+  );
  if (isLoggedIn && isOidc) {
    return <Navigate to={`/authorize?${compiledOIDCParams}`} replace />;
  }
  if (isLoggedIn && props.redirect_uri !== "") {
    return (
      <Navigate
-        to={`/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`}
+        to={`/continue?redirect_uri=${encodeURIComponent(props.redirect_uri)}`}
        replace
      />
    );
@@ -187,11 +162,11 @@ export const LoginPage = () => {
    return <Navigate to="/logout" replace />;
  }
-  if (isOauthAutoRedirect) {
+  if (oauthAutoRedirectHandover) {
    return (
-      <Card>
+      <Card className="min-w-xs sm:min-w-sm">
        <CardHeader>
-          <CardTitle className="text-xl">
+          <CardTitle className="text-3xl">
            {t("loginOauthAutoRedirectTitle")}
          </CardTitle>
          <CardDescription>
@@ -202,14 +177,7 @@ export const LoginPage = () => {
          <CardFooter className="flex flex-col items-stretch">
            <Button
              onClick={() => {
-                if (oauthData?.data.url) {
+                window.location.replace(oauthMutation.data?.data.url);
                  window.location.replace(oauthData.data.url);
                } else {
                  setIsOauthAutoRedirect(false);
                  toast.error(t("loginOauthFailTitle"), {
                    description: t("loginOauthFailSubtitle"),
                  });
                }
              }}
            >
              {t("loginOauthAutoRedirectButton")}
@@ -220,9 +188,9 @@ export const LoginPage = () => {
    );
  }
  return (
-    <Card>
+    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader className="gap-1.5">
+      <CardHeader>
-        <CardTitle className="text-center text-xl">{title}</CardTitle>
+        <CardTitle className="text-center text-3xl">{title}</CardTitle>
        {providers.length > 0 && (
          <CardDescription className="text-center">
            {oauthProviders.length !== 0
@@ -233,16 +201,19 @@ export const LoginPage = () => {
      </CardHeader>
      <CardContent className="flex flex-col gap-4">
        {oauthProviders.length !== 0 && (
-          <div className="flex flex-col gap-2.5 items-center justify-center">
+          <div className="flex flex-col gap-2 items-center justify-center">
            {oauthProviders.map((provider) => (
              <OAuthButton
                key={provider.id}
                title={provider.name}
                icon={iconMap[provider.id] ?? <OAuthIcon />}
                className="w-full"
-                onClick={() => oauthMutate(provider.id)}
+                onClick={() => oauthMutation.mutate(provider.id)}
-                loading={oauthIsPending && oauthVariables === provider.id}
+                loading={
-                disabled={oauthIsPending || loginIsPending}
+                  oauthMutation.isPending &&
                  oauthMutation.variables === provider.id
                }
                disabled={oauthMutation.isPending || loginMutation.isPending}
              />
            ))}
          </div>
@@ -252,9 +223,8 @@ export const LoginPage = () => {
        )}
        {userAuthConfigured && (
          <LoginForm
-            onSubmit={(values) => loginMutate(values)}
+            onSubmit={(values) => loginMutation.mutate(values)}
-            loading={loginIsPending || oauthIsPending}
+            loading={loginMutation.isPending || oauthMutation.isPending}
            formId={formId}
          />
        )}
        {providers.length == 0 && (
@@ -263,18 +233,6 @@ export const LoginPage = () => {
          </p>
        )}
      </CardContent>
      <CardFooter>
        {userAuthConfigured && (
          <Button
            className="w-full"
            type="submit"
            form={formId}
            loading={loginIsPending || oauthIsPending}
          >
            {t("loginSubmit")}
          </Button>
        )}
      </CardFooter>
    </Card>
  );
 };
--- a/frontend/src/pages/logout-page.tsx
+++ b/frontend/src/pages/logout-page.tsx
@@ -29,7 +29,7 @@ export const LogoutPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace("/login");
+        window.location.assign("/login");
      }, 500);
    },
    onError: () => {
@@ -39,22 +39,21 @@ export const LogoutPage = () => {
    },
  });
-  useEffect(() => {
+  useEffect(
-    return () => {
+    () => () => {
-      if (redirectTimer.current) {
+      if (redirectTimer.current) clearTimeout(redirectTimer.current);
-        clearTimeout(redirectTimer.current);
+    },
-      }
+    [],
-    };
+  );
  }, [redirectTimer]);
  if (!isLoggedIn) {
    return <Navigate to="/login" replace />;
  }
  return (
-    <Card>
+    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader className="gap-1.5">
+      <CardHeader>
-        <CardTitle className="text-xl">{t("logoutTitle")}</CardTitle>
+        <CardTitle className="text-3xl">{t("logoutTitle")}</CardTitle>
        <CardDescription>
          {provider !== "local" && provider !== "ldap" ? (
            <Trans
@@ -67,7 +66,6 @@ export const LogoutPage = () => {
                username: email,
                provider: oauthName,
              }}
              shouldUnescape={true}
            />
          ) : (
            <Trans
@@ -79,15 +77,12 @@ export const LogoutPage = () => {
              values={{
                username,
              }}
              shouldUnescape={true}
            />
          )}
        </CardDescription>
      </CardHeader>
-      <CardFooter>
+      <CardFooter className="flex flex-col items-stretch">
        <Button
          className="w-full"
          variant="outline"
          loading={logoutMutation.isPending}
          onClick={() => logoutMutation.mutate()}
        >
--- a/frontend/src/pages/not-found-page.tsx
+++ b/frontend/src/pages/not-found-page.tsx
@@ -21,20 +21,13 @@ export const NotFoundPage = () => {
  };
  return (
-    <Card>
+    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader className="gap-1.5">
+      <CardHeader>
-        <CardTitle className="text-xl">{t("notFoundTitle")}</CardTitle>
+        <CardTitle className="text-3xl">{t("notFoundTitle")}</CardTitle>
        <CardDescription>{t("notFoundSubtitle")}</CardDescription>
      </CardHeader>
-      <CardFooter>
+      <CardFooter className="flex flex-col items-stretch">
-        <Button
+        <Button onClick={handleRedirect} loading={loading}>{t("notFoundButton")}</Button>
          variant="outline"
          className="w-full"
          onClick={handleRedirect}
          loading={loading}
        >
          {t("notFoundButton")}
        </Button>
      </CardFooter>
    </Card>
  );
--- a/frontend/src/pages/totp-page.tsx
+++ b/frontend/src/pages/totp-page.tsx
@@ -45,11 +45,11 @@ export const TotpPage = () => {
        if (isOidc) {
          window.location.replace(`/authorize?${compiledOIDCParams}`);
          return;
        } else {
          window.location.replace(
            `/continue?redirect_uri=${encodeURIComponent(props.redirect_uri)}`,
          );
        }
        window.location.replace(
          `/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
        );
      }, 500);
    },
    onError: () => {
@@ -59,37 +59,32 @@ export const TotpPage = () => {
    },
  });
-  useEffect(() => {
+  useEffect(
-    return () => {
+    () => () => {
-      if (redirectTimer.current) {
+      if (redirectTimer.current) clearTimeout(redirectTimer.current);
-        clearTimeout(redirectTimer.current);
+    },
-      }
+    [],
-    };
+  );
  }, [redirectTimer]);
  if (!totpPending) {
    return <Navigate to="/" replace />;
  }
  return (
-    <Card>
+    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader className="gap-1.5">
+      <CardHeader>
-        <CardTitle className="text-xl">{t("totpTitle")}</CardTitle>
+        <CardTitle className="text-3xl">{t("totpTitle")}</CardTitle>
        <CardDescription>{t("totpSubtitle")}</CardDescription>
      </CardHeader>
      <CardContent className="flex flex-col items-center">
        <TotpForm
          formId={formId}
          onSubmit={(values) => totpMutation.mutate(values)}
          loading={totpMutation.isPending}
        />
      </CardContent>
-      <CardFooter>
+      <CardFooter className="flex flex-col items-stretch">
-        <Button
+        <Button form={formId} type="submit" loading={totpMutation.isPending}>
          className="w-full"
          form={formId}
          type="submit"
          loading={totpMutation.isPending}
        >
          {t("continueTitle")}
        </Button>
      </CardFooter>
--- a/frontend/src/pages/unauthorized-page.tsx
+++ b/frontend/src/pages/unauthorized-page.tsx
@@ -47,9 +47,9 @@ export const UnauthorizedPage = () => {
  }
  return (
-    <Card>
+    <Card className="min-w-xs sm:min-w-sm">
-      <CardHeader className="gap-1.5">
+      <CardHeader>
-        <CardTitle className="text-xl">{t("unauthorizedTitle")}</CardTitle>
+        <CardTitle className="text-3xl">{t("unauthorizedTitle")}</CardTitle>
        <CardDescription>
          <Trans
            i18nKey={i18nKey}
@@ -65,13 +65,8 @@ export const UnauthorizedPage = () => {
          />
        </CardDescription>
      </CardHeader>
-      <CardFooter>
+      <CardFooter className="flex flex-col items-stretch">
-        <Button
+        <Button onClick={handleRedirect} loading={loading}>
          variant="outline"
          className="w-full"
          onClick={handleRedirect}
          loading={loading}
        >
          {t("unauthorizedButton")}
        </Button>
      </CardFooter>
--- a/frontend/src/schemas/oidc-schemas.ts
+++ b/frontend/src/schemas/oidc-schemas.ts
@@ -1,5 +1,5 @@
 import { z } from "zod";
-export const getOidcClientInfoSchema = z.object({
+export const getOidcClientInfoScehma = z.object({
  name: z.string(),
 });
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -2,42 +2,15 @@ import { defineConfig } from "vite";
 import react from "@vitejs/plugin-react";
 import path from "path";
 import tailwindcss from "@tailwindcss/vite";
 import { visualizer } from "rollup-plugin-visualizer";
 // https://vite.dev/config/
 export default defineConfig({
-  plugins: [react(), tailwindcss(), visualizer()],
+  plugins: [react(), tailwindcss()],
  resolve: {
    alias: {
      "@": path.resolve(__dirname, "./src"),
    },
  },
  build: {
    rollupOptions: {
      output: {
        manualChunks: {
          ui: [
            "@radix-ui/react-dropdown-menu",
            "@radix-ui/react-label",
            "@radix-ui/react-select",
            "@radix-ui/react-separator",
            "@radix-ui/react-slot",
            "input-otp",
            "tailwindcss",
            "tailwind-merge",
            "sonner",
            "lucide-react",
          ],
          i18n: [
            "i18next",
            "i18next-browser-languagedetector",
            "i18next-resources-to-backend",
          ],
          util: ["zod", "axios", "react-hook-form"],
        },
      },
    },
  },
  server: {
    host: "0.0.0.0",
    proxy: {
@@ -51,11 +24,6 @@ export default defineConfig({
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/resources/, ""),
      },
      "/.well-known": {
        target: "http://tinyauth-backend:3000/.well-known",
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/\.well-known/, ""),
      },
    },
    allowedHosts: true,
  },
--- a/gen/gen.go
+++ b/gen/gen.go
@@ -1,38 +0,0 @@
 package main
 import (
 	"log/slog"
 	"reflect"
 )
 func main() {
 	slog.Info("generating example env file")
 	generateExampleEnv()
 	slog.Info("generating config reference markdown file")
 	generateMarkdown()
 }
 func walkAndBuild[T any](parent reflect.Type, parentValue reflect.Value,
 	parentPath string, entries *[]T,
 	buildEntry func(child reflect.StructField, childValue reflect.Value, parentPath string, entries *[]T),
 	buildMap func(child reflect.StructField, parentPath string, entries *[]T),
 	buildChildPath func(parentPath string, childName string) string,
 ) {
 	for i := 0; i < parent.NumField(); i++ {
 		field := parent.Field(i)
 		fieldType := field.Type
 		fieldValue := parentValue.Field(i)
 		switch fieldType.Kind() {
 		case reflect.Struct:
 			childPath := buildChildPath(parentPath, field.Name)
 			walkAndBuild[T](fieldType, fieldValue, childPath, entries, buildEntry, buildMap, buildChildPath)
 		case reflect.Map:
 			buildMap(field, parentPath, entries)
 		case reflect.Bool, reflect.String, reflect.Slice, reflect.Int:
 			buildEntry(field, fieldValue, parentPath, entries)
 		default:
 			slog.Info("unknown type", "type", fieldType.Kind())
 		}
 	}
 }
--- a/gen/gen_env.go
+++ b/gen/gen_env.go
@@ -1,133 +0,0 @@
 package main
 import (
 	"bytes"
 	"errors"
 	"fmt"
 	"io/fs"
 	"log/slog"
 	"os"
 	"reflect"
 	"strings"
 	"github.com/steveiliop56/tinyauth/internal/config"
 )
 type EnvEntry struct {
 	Name        string
 	Description string
 	Value       any
 }
 func generateExampleEnv() {
 	cfg := config.NewDefaultConfiguration()
 	entries := make([]EnvEntry, 0)
 	root := reflect.TypeOf(cfg).Elem()
 	rootValue := reflect.ValueOf(cfg).Elem()
 	rootPath := "TINYAUTH_"
 	walkAndBuild(root, rootValue, rootPath, &entries, buildEnvEntry, buildEnvMapEntry, buildEnvChildPath)
 	compiled := compileEnv(entries)
 	err := os.Remove(".env.example")
 	if err != nil && !errors.Is(err, fs.ErrNotExist) {
 		slog.Error("failed to remove example env file", "error", err)
 		os.Exit(1)
 	}
 	err = os.WriteFile(".env.example", compiled, 0644)
 	if err != nil {
 		slog.Error("failed to write example env file", "error", err)
 		os.Exit(1)
 	}
 }
 func buildEnvEntry(child reflect.StructField, childValue reflect.Value, parentPath string, entries *[]EnvEntry) {
 	desc := child.Tag.Get("description")
 	tag := child.Tag.Get("yaml")
 	if tag == "-" {
 		return
 	}
 	value := childValue.Interface()
 	entry := EnvEntry{
 		Name:        parentPath + strings.ToUpper(child.Name),
 		Description: desc,
 	}
 	switch childValue.Kind() {
 	case reflect.Slice:
 		sl, ok := value.([]string)
 		if !ok {
 			slog.Error("invalid default value", "value", value)
 			return
 		}
 		entry.Value = strings.Join(sl, ",")
 	case reflect.String:
 		st, ok := value.(string)
 		if !ok {
 			slog.Error("invalid default value", "value", value)
 			return
 		}
 		if st != "" {
 			entry.Value = fmt.Sprintf(`"%s"`, st)
 		} else {
 			entry.Value = ""
 		}
 	default:
 		entry.Value = value
 	}
 	*entries = append(*entries, entry)
 }
 func buildEnvMapEntry(child reflect.StructField, parentPath string, entries *[]EnvEntry) {
 	fieldType := child.Type
 	if fieldType.Key().Kind() != reflect.String {
 		slog.Info("unsupported map key type", "type", fieldType.Key().Kind())
 		return
 	}
 	mapPath := parentPath + strings.ToUpper(child.Name) + "_name_"
 	valueType := fieldType.Elem()
 	if valueType.Kind() == reflect.Struct {
 		zeroValue := reflect.New(valueType).Elem()
 		walkAndBuild(valueType, zeroValue, mapPath, entries, buildEnvEntry, buildEnvMapEntry, buildEnvChildPath)
 	}
 }
 func buildEnvChildPath(parent string, child string) string {
 	return parent + strings.ToUpper(child) + "_"
 }
 func compileEnv(entries []EnvEntry) []byte {
 	buffer := bytes.Buffer{}
 	buffer.WriteString("# This file is automatically generated by gen/gen_env.go. Do not edit manually.\n\n")
 	buffer.WriteString("# Tinyauth example configuration\n\n")
 	previousSection := ""
 	for _, entry := range entries {
 		if strings.Count(entry.Name, "_") > 1 {
 			section := strings.Split(strings.TrimPrefix(entry.Name, "TINYAUTH_"), "_")[0]
 			if section != previousSection {
 				buffer.WriteString("\n# " + strings.ToLower(section) + " config\n\n")
 				previousSection = section
 			}
 		}
 		buffer.WriteString("# ")
 		buffer.WriteString(entry.Description)
 		buffer.WriteString("\n")
 		buffer.WriteString(entry.Name)
 		buffer.WriteString("=")
 		fmt.Fprintf(&buffer, "%v", entry.Value)
 		buffer.WriteString("\n")
 	}
 	return buffer.Bytes()
 }
--- a/gen/gen_md.go
+++ b/gen/gen_md.go
@@ -1,128 +0,0 @@
 package main
 import (
 	"bytes"
 	"errors"
 	"fmt"
 	"io/fs"
 	"log/slog"
 	"os"
 	"reflect"
 	"strings"
 	"github.com/steveiliop56/tinyauth/internal/config"
 )
 type MarkdownEntry struct {
 	Env         string
 	Flag        string
 	Description string
 	Default     any
 }
 func generateMarkdown() {
 	cfg := config.NewDefaultConfiguration()
 	entries := make([]MarkdownEntry, 0)
 	root := reflect.TypeOf(cfg).Elem()
 	rootValue := reflect.ValueOf(cfg).Elem()
 	rootPath := "tinyauth."
 	walkAndBuild(root, rootValue, rootPath, &entries, buildMdEntry, buildMdMapEntry, buildMdChildPath)
 	compiled := compileMd(entries)
 	err := os.Remove("config.gen.md")
 	if err != nil && !errors.Is(err, fs.ErrNotExist) {
 		slog.Error("failed to remove example env file", "error", err)
 		os.Exit(1)
 	}
 	err = os.WriteFile("config.gen.md", compiled, 0644)
 	if err != nil {
 		slog.Error("failed to write example env file", "error", err)
 		os.Exit(1)
 	}
 }
 func buildMdEntry(child reflect.StructField, childValue reflect.Value, parentPath string, entries *[]MarkdownEntry) {
 	desc := child.Tag.Get("description")
 	tag := child.Tag.Get("yaml")
 	if tag == "-" {
 		return
 	}
 	value := childValue.Interface()
 	entry := MarkdownEntry{
 		Env:         strings.ToUpper(strings.ReplaceAll(parentPath, ".", "_")) + strings.ToUpper(child.Name),
 		Flag:        fmt.Sprintf("--%s%s", strings.TrimPrefix(parentPath, "tinyauth."), strings.ToLower(child.Name)),
 		Description: desc,
 	}
 	switch childValue.Kind() {
 	case reflect.Slice:
 		sl, ok := value.([]string)
 		if !ok {
 			slog.Error("invalid default value", "value", value)
 			return
 		}
 		entry.Default = fmt.Sprintf("`%s`", strings.Join(sl, ","))
 	default:
 		entry.Default = fmt.Sprintf("`%v`", value)
 	}
 	*entries = append(*entries, entry)
 }
 func buildMdMapEntry(child reflect.StructField, parentPath string, entries *[]MarkdownEntry) {
 	fieldType := child.Type
 	if fieldType.Key().Kind() != reflect.String {
 		slog.Info("unsupported map key type", "type", fieldType.Key().Kind())
 		return
 	}
 	tag := child.Tag.Get("yaml")
 	if tag == "-" {
 		return
 	}
 	mapPath := parentPath + tag + ".[name]."
 	valueType := fieldType.Elem()
 	if valueType.Kind() == reflect.Struct {
 		zeroValue := reflect.New(valueType).Elem()
 		walkAndBuild(valueType, zeroValue, mapPath, entries, buildMdEntry, buildMdMapEntry, buildMdChildPath)
 	}
 }
 func buildMdChildPath(parent string, child string) string {
 	return parent + strings.ToLower(child) + "."
 }
 func compileMd(entries []MarkdownEntry) []byte {
 	buffer := bytes.Buffer{}
 	buffer.WriteString("<!--- This file is automatically generated by gen/gen_md.go. Do not edit manually. --->\n\n")
 	buffer.WriteString("# Tinyauth configuration reference\n\n")
 	buffer.WriteString("| Environment | Flag | Description | Default |\n")
 	buffer.WriteString("| - | - | - | - |\n")
 	previousSection := ""
 	for _, entry := range entries {
 		if strings.Count(entry.Env, "_") > 1 {
 			section := strings.Split(strings.TrimPrefix(entry.Env, "TINYAUTH_"), "_")[0]
 			if section != previousSection {
 				buffer.WriteString("\n## " + strings.ToLower(section) + "\n\n")
 				buffer.WriteString("| Environment | Flag | Description | Default |\n")
 				buffer.WriteString("| - | - | - | - |\n")
 				previousSection = section
 			}
 		}
 		fmt.Fprintf(&buffer, "| `%s` | `%s` | %s | %s |\n", entry.Env, entry.Flag, entry.Description, entry.Default)
 	}
 	return buffer.Bytes()
 }
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,6 @@ require (
 	github.com/charmbracelet/huh v0.8.0
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/gin-gonic/gin v1.11.0
 	github.com/go-jose/go-jose/v4 v4.1.3
 	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/go-querystring v1.2.0
@@ -21,11 +20,11 @@ require (
 	github.com/rs/zerolog v1.34.0
 	github.com/traefik/paerser v0.2.2
 	github.com/weppos/publicsuffix-go v0.50.2
-	golang.org/x/crypto v0.48.0
+	golang.org/x/crypto v0.47.0
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
-	golang.org/x/oauth2 v0.35.0
+	golang.org/x/oauth2 v0.34.0
 	gotest.tools/v3 v3.5.2
-	modernc.org/sqlite v1.46.1
+	modernc.org/sqlite v1.44.1
 )
 require (
@@ -113,11 +112,11 @@ require (
 	go.opentelemetry.io/otel/metric v1.37.0 // indirect
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/term v0.40.0 // indirect
+	golang.org/x/term v0.39.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/text v0.33.0 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	modernc.org/libc v1.67.6 // indirect
--- a/go.sum
+++ b/go.sum
@@ -103,8 +103,6 @@ github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
 github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
 github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
 github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -303,21 +301,21 @@ golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
-golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
@@ -332,26 +330,26 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
 google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=
@@ -395,8 +393,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=
+modernc.org/sqlite v1.44.1 h1:qybx/rNpfQipX/t47OxbHmkkJuv2JWifCMH8SVUiDas=
-modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
+modernc.org/sqlite v1.44.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
--- a/internal/assets/migrations/000005_oidc_session.up.sql
+++ b/internal/assets/migrations/000005_oidc_session.up.sql
@@ -1,6 +1,6 @@
 CREATE TABLE IF NOT EXISTS "oidc_codes" (
    "sub" TEXT NOT NULL UNIQUE,
-    "code_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
+    "code" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "scope" TEXT NOT NULL,
    "redirect_uri" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
@@ -9,12 +9,10 @@ CREATE TABLE IF NOT EXISTS "oidc_codes" (
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
-    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
+    "access_token" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
-    "token_expires_at" INTEGER NOT NULL,
+    "expires_at" INTEGER NOT NULL
    "refresh_token_expires_at" INTEGER NOT NULL
 );
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -22,7 +22,6 @@ import (
 type BootstrapApp struct {
 	config  config.Config
 	context struct {
 		appUrl              string
 		uuid                string
 		cookieDomain        string
 		sessionCookieName   string
@@ -43,20 +42,10 @@ func NewBootstrapApp(config config.Config) *BootstrapApp {
 }
 func (app *BootstrapApp) Setup() error {
 	// get app url
 	appUrl, err := url.Parse(app.config.AppURL)
 	if err != nil {
 		return err
 	}
 	app.context.appUrl = appUrl.Scheme + "://" + appUrl.Host
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
 		return fmt.Errorf("session max lifetime cannot be less than session expiry")
 	}
 	// Parse users
 	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile)
@@ -73,14 +62,18 @@ func (app *BootstrapApp) Setup() error {
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
 		if provider.RedirectURL == "" {
 			provider.RedirectURL = app.context.appUrl + "/api/oauth/callback/" + name
 		}
 		app.context.oauthProviders[name] = provider
 	}
 	for id := range config.OverrideProviders {
 		if provider, exists := app.context.oauthProviders[id]; exists {
 			if provider.RedirectURL == "" {
 				provider.RedirectURL = app.config.AppURL + "/api/oauth/callback/" + id
 				app.context.oauthProviders[id] = provider
 			}
 		}
 	}
 	for id, provider := range app.context.oauthProviders {
 		if provider.Name == "" {
 			if name, ok := config.OverrideProviders[id]; ok {
@@ -99,7 +92,7 @@ func (app *BootstrapApp) Setup() error {
 	}
 	// Get cookie domain
-	cookieDomain, err := utils.GetCookieDomain(app.context.appUrl)
+	cookieDomain, err := utils.GetCookieDomain(app.config.AppURL)
 	if err != nil {
 		return err
@@ -108,6 +101,7 @@ func (app *BootstrapApp) Setup() error {
 	app.context.cookieDomain = cookieDomain
 	// Cookie names
 	appUrl, _ := url.Parse(app.config.AppURL) // Already validated
 	app.context.uuid = utils.GenerateUUID(appUrl.Hostname())
 	cookieId := strings.Split(app.context.uuid, "-")[0]
 	app.context.sessionCookieName = fmt.Sprintf("%s-%s", config.SessionCookieName, cookieId)
@@ -253,7 +247,7 @@ func (app *BootstrapApp) heartbeat() {
 	heartbeatURL := config.ApiServer + "/v1/instances/heartbeat"
-	for range ticker.C {
+	for ; true; <-ticker.C {
 		tlog.App.Debug().Msg("Sending heartbeat")
 		req, err := http.NewRequest(http.MethodPost, heartbeatURL, bytes.NewReader(bodyJson))
@@ -285,7 +279,7 @@ func (app *BootstrapApp) dbCleanup(queries *repository.Queries) {
 	defer ticker.Stop()
 	ctx := context.Background()
-	for range ticker.C {
+	for ; true; <-ticker.C {
 		tlog.App.Debug().Msg("Cleaning up old database sessions")
 		err := queries.DeleteExpiredSessions(ctx, time.Now().Unix())
 		if err != nil {
--- a/internal/bootstrap/router_bootstrap.go
+++ b/internal/bootstrap/router_bootstrap.go
@@ -21,8 +21,8 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	engine := gin.New()
 	engine.Use(gin.Recovery())
-	if len(app.config.Auth.TrustedProxies) > 0 {
+	if len(app.config.Server.TrustedProxies) > 0 {
-		err := engine.SetTrustedProxies(app.config.Auth.TrustedProxies)
+		err := engine.SetTrustedProxies(app.config.Server.TrustedProxies)
 		if err != nil {
 			return nil, fmt.Errorf("failed to set trusted proxies: %w", err)
@@ -71,7 +71,7 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 		ForgotPasswordMessage: app.config.UI.ForgotPasswordMessage,
 		BackgroundImage:       app.config.UI.BackgroundImage,
 		OAuthAutoRedirect:     app.config.OAuth.AutoRedirect,
-		DisableUIWarnings:     app.config.UI.DisableWarnings,
+		DisableUIWarnings:     app.config.DisableUIWarnings,
 	}, apiRouter)
 	contextController.SetupRoutes()
@@ -113,9 +113,5 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	healthController.SetupRoutes()
 	wellknownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, app.services.oidcService, engine)
 	wellknownController.SetupRoutes()
 	return engine, nil
 }
--- a/internal/bootstrap/service_bootstrap.go
+++ b/internal/bootstrap/service_bootstrap.go
@@ -31,13 +31,12 @@ func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, er
 	err := ldapService.Init()
-	if err != nil {
+	if err == nil {
-		tlog.App.Warn().Err(err).Msg("Failed to setup LDAP service, starting without it")
+		services.ldapService = ldapService
-		ldapService.Unconfigure()
+	} else {
 		tlog.App.Warn().Err(err).Msg("Failed to initialize LDAP service, continuing without it")
 	}
 	services.ldapService = ldapService
 	dockerService := service.NewDockerService()
 	err = dockerService.Init()
@@ -95,7 +94,6 @@ func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, er
 		PrivateKeyPath: app.config.OIDC.PrivateKeyPath,
 		PublicKeyPath:  app.config.OIDC.PublicKeyPath,
 		Issuer:         app.config.AppURL,
 		SessionExpiry:  app.config.Auth.SessionExpiry,
 	}, queries)
 	err = oidcService.Init()
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -1,58 +1,5 @@
 package config
 // Default configuration
 func NewDefaultConfiguration() *Config {
 	return &Config{
 		ResourcesDir: "./resources",
 		DatabasePath: "./tinyauth.db",
 		Server: ServerConfig{
 			Port:    3000,
 			Address: "0.0.0.0",
 		},
 		Auth: AuthConfig{
 			SessionExpiry:      86400, // 1 day
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
 			LoginMaxRetries:    3,
 		},
 		UI: UIConfig{
 			Title:                 "Tinyauth",
 			ForgotPasswordMessage: "You can change your password by changing the configuration.",
 			BackgroundImage:       "/background.jpg",
 		},
 		Ldap: LdapConfig{
 			Insecure:      false,
 			SearchFilter:  "(uid=%s)",
 			GroupCacheTTL: 900, // 15 minutes
 		},
 		Log: LogConfig{
 			Level: "info",
 			Json:  false,
 			Streams: LogStreams{
 				HTTP: LogStreamConfig{
 					Enabled: true,
 					Level:   "",
 				},
 				App: LogStreamConfig{
 					Enabled: true,
 					Level:   "",
 				},
 				Audit: LogStreamConfig{
 					Enabled: false,
 					Level:   "",
 				},
 			},
 		},
 		OIDC: OIDCConfig{
 			PrivateKeyPath: "./tinyauth_oidc_key",
 			PublicKeyPath:  "./tinyauth_oidc_key.pub",
 		},
 		Experimental: ExperimentalConfig{
 			ConfigFile: "",
 		},
 	}
 }
 // Version information, set at build time
 var Version = "development"
@@ -68,26 +15,28 @@ var RedirectCookieName = "tinyauth-redirect"
 // Main app config
 type Config struct {
-	AppURL           string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
+	AppURL            string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
-	ResourcesDir     string             `description:"The directory where resources are stored." yaml:"resourcesDir"`
+	ResourcesDir      string             `description:"The directory where resources are stored." yaml:"resourcesDir"`
-	DatabasePath     string             `description:"The path to the database file." yaml:"databasePath"`
+	DatabasePath      string             `description:"The path to the database file." yaml:"databasePath"`
-	DisableAnalytics bool               `description:"Disable analytics." yaml:"disableAnalytics"`
+	DisableAnalytics  bool               `description:"Disable analytics." yaml:"disableAnalytics"`
-	DisableResources bool               `description:"Disable resources server." yaml:"disableResources"`
+	DisableResources  bool               `description:"Disable resources server." yaml:"disableResources"`
-	Server           ServerConfig       `description:"Server configuration." yaml:"server"`
+	DisableUIWarnings bool               `description:"Disable UI warnings." yaml:"disableUIWarnings"`
-	Auth             AuthConfig         `description:"Authentication configuration." yaml:"auth"`
+	Server            ServerConfig       `description:"Server configuration." yaml:"server"`
-	Apps             map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
+	Auth              AuthConfig         `description:"Authentication configuration." yaml:"auth"`
-	OAuth            OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
+	Apps              map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
-	OIDC             OIDCConfig         `description:"OIDC configuration." yaml:"oidc"`
+	OAuth             OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
-	UI               UIConfig           `description:"UI customization." yaml:"ui"`
+	OIDC              OIDCConfig         `description:"OIDC configuration." yaml:"oidc"`
-	Ldap             LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
+	UI                UIConfig           `description:"UI customization." yaml:"ui"`
-	Experimental     ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
+	Ldap              LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
-	Log              LogConfig          `description:"Logging configuration." yaml:"log"`
+	Experimental      ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
 	Log               LogConfig          `description:"Logging configuration." yaml:"log"`
 }
 type ServerConfig struct {
-	Port       int    `description:"The port on which the server listens." yaml:"port"`
+	Port           int      `description:"The port on which the server listens." yaml:"port"`
-	Address    string `description:"The address on which the server listens." yaml:"address"`
+	Address        string   `description:"The address on which the server listens." yaml:"address"`
-	SocketPath string `description:"The path to the Unix socket." yaml:"socketPath"`
+	SocketPath     string   `description:"The path to the Unix socket." yaml:"socketPath"`
 	TrustedProxies []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 }
 type AuthConfig struct {
@@ -99,7 +48,6 @@ type AuthConfig struct {
 	SessionMaxLifetime int      `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
 	LoginTimeout       int      `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int      `description:"Maximum login retries." yaml:"loginMaxRetries"`
 	TrustedProxies     []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 }
 type IPConfig struct {
@@ -123,7 +71,6 @@ type UIConfig struct {
 	Title                 string `description:"The title of the UI." yaml:"title"`
 	ForgotPasswordMessage string `description:"Message displayed on the forgot password page." yaml:"forgotPasswordMessage"`
 	BackgroundImage       string `description:"Path to the background image." yaml:"backgroundImage"`
 	DisableWarnings       bool   `description:"Disable UI warnings." yaml:"disableWarnings"`
 }
 type LdapConfig struct {
@@ -191,7 +138,7 @@ type OIDCClientConfig struct {
 	ClientID            string   `description:"OIDC client ID." yaml:"clientId"`
 	ClientSecret        string   `description:"OIDC client secret." yaml:"clientSecret"`
 	ClientSecretFile    string   `description:"Path to the file containing the OIDC client secret." yaml:"clientSecretFile"`
-	TrustedRedirectURIs []string `description:"List of trusted redirect URIs." yaml:"trustedRedirectUris"`
+	TrustedRedirectURIs []string `description:"List of trusted redirect URLs." yaml:"trustedRedirectUrls"`
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
--- a/internal/controller/context_controller_test.go
+++ b/internal/controller/context_controller_test.go
@@ -13,7 +13,7 @@ import (
 	"gotest.tools/v3/assert"
 )
-var contextControllerCfg = controller.ContextControllerConfig{
+var controllerCfg = controller.ContextControllerConfig{
 	Providers: []controller.Provider{
 		{
 			Name:  "Local",
@@ -35,7 +35,7 @@ var contextControllerCfg = controller.ContextControllerConfig{
 	DisableUIWarnings:     false,
 }
-var contextCtrlTestContext = config.UserContext{
+var userContext = config.UserContext{
 	Username:    "testuser",
 	Name:        "testuser",
 	Email:       "test@example.com",
@@ -65,7 +65,7 @@ func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httpt
 	group := router.Group("/api")
-	ctrl := controller.NewContextController(contextControllerCfg, group)
+	ctrl := controller.NewContextController(controllerCfg, group)
 	ctrl.SetupRoutes()
 	return router, recorder
@@ -75,14 +75,14 @@ func TestAppContextHandler(t *testing.T) {
 	expectedRes := controller.AppContextResponse{
 		Status:                200,
 		Message:               "Success",
-		Providers:             contextControllerCfg.Providers,
+		Providers:             controllerCfg.Providers,
-		Title:                 contextControllerCfg.Title,
+		Title:                 controllerCfg.Title,
-		AppURL:                contextControllerCfg.AppURL,
+		AppURL:                controllerCfg.AppURL,
-		CookieDomain:          contextControllerCfg.CookieDomain,
+		CookieDomain:          controllerCfg.CookieDomain,
-		ForgotPasswordMessage: contextControllerCfg.ForgotPasswordMessage,
+		ForgotPasswordMessage: controllerCfg.ForgotPasswordMessage,
-		BackgroundImage:       contextControllerCfg.BackgroundImage,
+		BackgroundImage:       controllerCfg.BackgroundImage,
-		OAuthAutoRedirect:     contextControllerCfg.OAuthAutoRedirect,
+		OAuthAutoRedirect:     controllerCfg.OAuthAutoRedirect,
-		DisableUIWarnings:     contextControllerCfg.DisableUIWarnings,
+		DisableUIWarnings:     controllerCfg.DisableUIWarnings,
 	}
 	router, recorder := setupContextController(nil)
@@ -103,20 +103,20 @@ func TestUserContextHandler(t *testing.T) {
 	expectedRes := controller.UserContextResponse{
 		Status:      200,
 		Message:     "Success",
-		IsLoggedIn:  contextCtrlTestContext.IsLoggedIn,
+		IsLoggedIn:  userContext.IsLoggedIn,
-		Username:    contextCtrlTestContext.Username,
+		Username:    userContext.Username,
-		Name:        contextCtrlTestContext.Name,
+		Name:        userContext.Name,
-		Email:       contextCtrlTestContext.Email,
+		Email:       userContext.Email,
-		Provider:    contextCtrlTestContext.Provider,
+		Provider:    userContext.Provider,
-		OAuth:       contextCtrlTestContext.OAuth,
+		OAuth:       userContext.OAuth,
-		TotpPending: contextCtrlTestContext.TotpPending,
+		TotpPending: userContext.TotpPending,
-		OAuthName:   contextCtrlTestContext.OAuthName,
+		OAuthName:   userContext.OAuthName,
 	}
 	// Test with context
 	router, recorder := setupContextController(&[]gin.HandlerFunc{
 		func(c *gin.Context) {
-			c.Set("context", &contextCtrlTestContext)
+			c.Set("context", &userContext)
 			c.Next()
 		},
 	})
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -1,6 +1,7 @@
 package controller
 import (
 	"crypto/rand"
 	"errors"
 	"fmt"
 	"net/http"
@@ -28,12 +29,9 @@ type AuthorizeCallback struct {
 }
 type TokenRequest struct {
-	GrantType    string `form:"grant_type" binding:"required" url:"grant_type"`
+	GrantType   string `form:"grant_type" binding:"required"`
-	Code         string `form:"code" url:"code"`
+	Code        string `form:"code" binding:"required"`
-	RedirectURI  string `form:"redirect_uri" url:"redirect_uri"`
+	RedirectURI string `form:"redirect_uri" binding:"required"`
 	RefreshToken string `form:"refresh_token" url:"refresh_token"`
 	ClientSecret string `form:"client_secret" url:"client_secret"`
 	ClientID     string `form:"client_id" url:"client_id"`
 }
 type CallbackError struct {
@@ -50,11 +48,6 @@ type ClientRequest struct {
 	ClientID string `uri:"id" binding:"required"`
 }
 type ClientCredentials struct {
 	ClientID     string
 	ClientSecret string
 }
 func NewOIDCController(config OIDCControllerConfig, oidcService *service.OIDCService, router *gin.RouterGroup) *OIDCController {
 	return &OIDCController{
 		config: config,
@@ -103,11 +96,6 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 }
 func (controller *OIDCController) Authorize(c *gin.Context) {
 	if !controller.oidc.IsConfigured() {
 		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
 		return
 	}
 	userContext, err := utils.GetContext(c)
 	if err != nil {
@@ -123,7 +111,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
-	client, ok := controller.oidc.GetClient(req.ClientID)
+	_, ok := controller.oidc.GetClient(req.ClientID)
 	if !ok {
 		controller.authorizeError(c, err, "Client not found", "The client ID is invalid", "", "", "")
@@ -142,16 +130,9 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
-	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
+	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username which remains stable, but if username changes then sub changes too.
-	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.Username, client.ID))
+	sub := utils.GenerateUUID(userContext.Username)
-	code := utils.GenerateString(32)
+	code := rand.Text()
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
 	if err != nil {
 		controller.authorizeError(c, err, "Failed to delete old sessions", "Failed to delete old sessions", req.RedirectURI, "server_error", req.State)
 		return
 	}
 	err = controller.oidc.StoreCode(c, sub, code, req)
@@ -160,15 +141,13 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
-	// We also need a snapshot of the user that authorized this (skip if no openid scope)
+	// We also need a snapshot of the user that authorized this
-	if slices.Contains(strings.Fields(req.Scope), "openid") {
+	err = controller.oidc.StoreUserinfo(c, sub, userContext, req)
 		err = controller.oidc.StoreUserinfo(c, sub, userContext, req)
-		if err != nil {
+	if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to insert user info into database")
+		tlog.App.Error().Err(err).Msg("Failed to insert user info into database")
-			controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
+		controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
-			return
+		return
 		}
 	}
 	queries, err := query.Values(AuthorizeCallback{
@@ -188,10 +167,30 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 }
 func (controller *OIDCController) Token(c *gin.Context) {
-	if !controller.oidc.IsConfigured() {
+	rclientId, rclientSecret, ok := c.Request.BasicAuth()
-		tlog.App.Warn().Msg("OIDC not configured")
+
-		c.JSON(404, gin.H{
+	if !ok {
-			"error": "not_found",
+		tlog.App.Error().Msg("Missing authorization header")
 		c.JSON(400, gin.H{
 			"error": "invalid_request",
 		})
 		return
 	}
 	client, ok := controller.oidc.GetClient(rclientId)
 	if !ok {
 		tlog.App.Warn().Str("client_id", rclientId).Msg("Client not found")
 		c.JSON(400, gin.H{
 			"error": "access_denied",
 		})
 		return
 	}
 	if client.ClientSecret != rclientSecret {
 		tlog.App.Warn().Str("client_id", rclientId).Msg("Invalid client secret")
 		c.JSON(400, gin.H{
 			"error": "access_denied",
 		})
 		return
 	}
@@ -216,139 +215,61 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		return
 	}
-	// First we try form values
+	entry, err := controller.oidc.GetCodeEntry(c, req.Code)
-	creds := ClientCredentials{
+	if err != nil {
-		ClientID:     req.ClientID,
+		if errors.Is(err, service.ErrCodeExpired) {
-		ClientSecret: req.ClientSecret,
+			tlog.App.Warn().Str("code", req.Code).Msg("Code expired")
-	}
+			c.JSON(400, gin.H{
-
+				"error": "access_denied",
 	// If it fails, we try basic auth
 	if creds.ClientID == "" || creds.ClientSecret == "" {
 		tlog.App.Debug().Msg("Tried form values and they are empty, trying basic auth")
 		clientId, clientSecret, ok := c.Request.BasicAuth()
 		if !ok {
 			tlog.App.Error().Msg("Missing authorization header")
 			c.Header("www-authenticate", "basic")
 			c.JSON(401, gin.H{
 				"error": "invalid_client",
 			})
 			return
 		}
-
+		if errors.Is(err, service.ErrCodeNotFound) {
-		creds.ClientID = clientId
+			tlog.App.Warn().Str("code", req.Code).Msg("Code not found")
-		creds.ClientSecret = clientSecret
+			c.JSON(400, gin.H{
-	}
+				"error": "access_denied",
-
+			})
-	// END - we don't support other authentication methods
+			return
-
+		}
-	client, ok := controller.oidc.GetClient(creds.ClientID)
+		tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
 	if !ok {
 		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Client not found")
 		c.JSON(400, gin.H{
-			"error": "invalid_client",
+			"error": "server_error",
 		})
 		return
 	}
-	if client.ClientSecret != creds.ClientSecret {
+	if entry.RedirectURI != req.RedirectURI {
-		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Invalid client secret")
+		tlog.App.Warn().Str("redirect_uri", req.RedirectURI).Msg("Redirect URI mismatch")
 		c.JSON(400, gin.H{
-			"error": "invalid_client",
+			"error": "invalid_request_uri",
 		})
 		return
 	}
-	var tokenResponse service.TokenResponse
+	accessToken, err := controller.oidc.GenerateAccessToken(c, client, entry.Sub, entry.Scope)
-	switch req.GrantType {
+	if err != nil {
-	case "authorization_code":
+		tlog.App.Error().Err(err).Msg("Failed to generate access token")
-		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code))
+		c.JSON(400, gin.H{
-		if err != nil {
+			"error": "server_error",
-			if errors.Is(err, service.ErrCodeNotFound) {
+		})
-				tlog.App.Warn().Msg("Code not found")
+		return
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrCodeExpired) {
 				tlog.App.Warn().Msg("Code expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
 			return
 		}
 		if entry.RedirectURI != req.RedirectURI {
 			tlog.App.Warn().Str("redirect_uri", req.RedirectURI).Msg("Redirect URI mismatch")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
 			return
 		}
 		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry.Sub, entry.Scope)
 		if err != nil {
 			tlog.App.Error().Err(err).Msg("Failed to generate access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
 			return
 		}
 		tokenResponse = tokenRes
 	case "refresh_token":
 		tokenRes, err := controller.oidc.RefreshAccessToken(c, req.RefreshToken, creds.ClientID)
 		if err != nil {
 			if errors.Is(err, service.ErrTokenExpired) {
 				tlog.App.Error().Err(err).Msg("Refresh token expired")
 				c.JSON(401, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrInvalidClient) {
 				tlog.App.Error().Err(err).Msg("Invalid client")
 				c.JSON(401, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			tlog.App.Error().Err(err).Msg("Failed to refresh access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
 			return
 		}
 		tokenResponse = tokenRes
 	}
-	c.JSON(200, tokenResponse)
+	err = controller.oidc.DeleteCodeEntry(c, entry.Code)
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to delete code in database")
 		c.JSON(400, gin.H{
 			"error": "server_error",
 		})
 		return
 	}
 	c.JSON(200, accessToken)
 }
 func (controller *OIDCController) Userinfo(c *gin.Context) {
 	if !controller.oidc.IsConfigured() {
 		tlog.App.Warn().Msg("OIDC not configured")
 		c.JSON(404, gin.H{
 			"error": "not_found",
 		})
 		return
 	}
 	authorization := c.GetHeader("Authorization")
 	tokenType, token, ok := strings.Cut(authorization, " ")
@@ -356,7 +277,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	if !ok {
 		tlog.App.Warn().Msg("OIDC userinfo accessed without authorization header")
 		c.JSON(401, gin.H{
-			"error": "invalid_grant",
+			"error": "invalid_request",
 		})
 		return
 	}
@@ -364,18 +285,18 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	if strings.ToLower(tokenType) != "bearer" {
 		tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token type")
 		c.JSON(401, gin.H{
-			"error": "invalid_grant",
+			"error": "invalid_request",
 		})
 		return
 	}
-	entry, err := controller.oidc.GetAccessToken(c, controller.oidc.Hash(token))
+	entry, err := controller.oidc.GetAccessToken(c, token)
 	if err != nil {
 		if err == service.ErrTokenNotFound {
 			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token")
 			c.JSON(401, gin.H{
-				"error": "invalid_grant",
+				"error": "invalid_request",
 			})
 			return
 		}
@@ -387,15 +308,6 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		return
 	}
 	// If we don't have the openid scope, return an error
 	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
 		tlog.App.Warn().Msg("OIDC userinfo accessed without openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_scope",
 		})
 		return
 	}
 	user, err := controller.oidc.GetUserinfo(c, entry.Sub)
 	if err != nil {
@@ -406,6 +318,15 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		return
 	}
 	// If we don't have the openid scope, return an error
 	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
 		tlog.App.Warn().Msg("OIDC userinfo accessed without openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_request",
 		})
 		return
 	}
 	c.JSON(200, controller.oidc.CompileUserinfo(user, entry.Scope))
 }
@@ -434,7 +355,7 @@ func (controller *OIDCController) authorizeError(c *gin.Context, err error, reas
 		c.JSON(200, gin.H{
 			"status":       200,
-			"redirect_uri": fmt.Sprintf("%s?%s", callback, queries.Encode()),
+			"redirect_uri": fmt.Sprintf("%s/?%s", callback, queries.Encode()),
 		})
 		return
 	}
--- a/internal/controller/oidc_controller_test.go
+++ b/internal/controller/oidc_controller_test.go
@@ -1,281 +0,0 @@
 package controller_test
 import (
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
 	"github.com/steveiliop56/tinyauth/internal/bootstrap"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"gotest.tools/v3/assert"
 )
 var oidcServiceConfig = service.OIDCServiceConfig{
 	Clients: map[string]config.OIDCClientConfig{
 		"client1": {
 			ClientID:         "some-client-id",
 			ClientSecret:     "some-client-secret",
 			ClientSecretFile: "",
 			TrustedRedirectURIs: []string{
 				"https://example.com/oauth/callback",
 			},
 			Name: "Client 1",
 		},
 	},
 	PrivateKeyPath: "/tmp/tinyauth_oidc_key",
 	PublicKeyPath:  "/tmp/tinyauth_oidc_key.pub",
 	Issuer:         "https://example.com",
 	SessionExpiry:  3600,
 }
 var oidcCtrlTestContext = config.UserContext{
 	Username:    "test",
 	Name:        "Test",
 	Email:       "test@example.com",
 	IsLoggedIn:  true,
 	IsBasicAuth: false,
 	OAuth:       false,
 	Provider:    "ldap", // ldap in order to test the groups
 	TotpPending: false,
 	OAuthGroups: "",
 	TotpEnabled: false,
 	OAuthName:   "",
 	OAuthSub:    "",
 	LdapGroups:  "test1,test2",
 }
 // Test is not amazing, but it will confirm the OIDC server works
 func TestOIDCController(t *testing.T) {
 	tlog.NewSimpleLogger().Init()
 	// Create an app instance
 	app := bootstrap.NewBootstrapApp(config.Config{})
 	// Get db
 	db, err := app.SetupDatabase("/tmp/tinyauth.db")
 	assert.NilError(t, err)
 	// Create queries
 	queries := repository.New(db)
 	// Create a new OIDC Servicee
 	oidcService := service.NewOIDCService(oidcServiceConfig, queries)
 	err = oidcService.Init()
 	assert.NilError(t, err)
 	// Create test router
 	gin.SetMode(gin.TestMode)
 	router := gin.Default()
 	router.Use(func(c *gin.Context) {
 		c.Set("context", &oidcCtrlTestContext)
 		c.Next()
 	})
 	group := router.Group("/api")
 	// Register oidc controller
 	oidcController := controller.NewOIDCController(controller.OIDCControllerConfig{}, oidcService, group)
 	oidcController.SetupRoutes()
 	// Get redirect URL test
 	recorder := httptest.NewRecorder()
 	marshalled, err := json.Marshal(service.AuthorizeRequest{
 		Scope:        "openid profile email groups",
 		ResponseType: "code",
 		ClientID:     "some-client-id",
 		RedirectURI:  "https://example.com/oauth/callback",
 		State:        "some-state",
 	})
 	assert.NilError(t, err)
 	req, err := http.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(marshalled)))
 	assert.NilError(t, err)
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	resJson := map[string]any{}
 	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
 	assert.NilError(t, err)
 	redirect_uri, ok := resJson["redirect_uri"].(string)
 	assert.Assert(t, ok)
 	u, err := url.Parse(redirect_uri)
 	assert.NilError(t, err)
 	m, err := url.ParseQuery(u.RawQuery)
 	assert.NilError(t, err)
 	assert.Equal(t, m["state"][0], "some-state")
 	code := m["code"][0]
 	// Exchange code for token
 	recorder = httptest.NewRecorder()
 	params, err := query.Values(controller.TokenRequest{
 		GrantType:   "authorization_code",
 		Code:        code,
 		RedirectURI: "https://example.com/oauth/callback",
 	})
 	assert.NilError(t, err)
 	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
 	assert.NilError(t, err)
 	req.Header.Set("content-type", "application/x-www-form-urlencoded")
 	req.SetBasicAuth("some-client-id", "some-client-secret")
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	resJson = map[string]any{}
 	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
 	assert.NilError(t, err)
 	accessToken, ok := resJson["access_token"].(string)
 	assert.Assert(t, ok)
 	_, ok = resJson["id_token"].(string)
 	assert.Assert(t, ok)
 	refreshToken, ok := resJson["refresh_token"].(string)
 	assert.Assert(t, ok)
 	expires_in, ok := resJson["expires_in"].(float64)
 	assert.Assert(t, ok)
 	assert.Equal(t, expires_in, float64(oidcServiceConfig.SessionExpiry))
 	// Ensure code is expired
 	recorder = httptest.NewRecorder()
 	params, err = query.Values(controller.TokenRequest{
 		GrantType:   "authorization_code",
 		Code:        code,
 		RedirectURI: "https://example.com/oauth/callback",
 	})
 	assert.NilError(t, err)
 	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
 	assert.NilError(t, err)
 	req.Header.Set("content-type", "application/x-www-form-urlencoded")
 	req.SetBasicAuth("some-client-id", "some-client-secret")
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusBadRequest, recorder.Code)
 	// Test userinfo
 	recorder = httptest.NewRecorder()
 	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
 	assert.NilError(t, err)
 	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", accessToken))
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	resJson = map[string]any{}
 	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
 	assert.NilError(t, err)
 	_, ok = resJson["sub"].(string)
 	assert.Assert(t, ok)
 	name, ok := resJson["name"].(string)
 	assert.Assert(t, ok)
 	assert.Equal(t, name, oidcCtrlTestContext.Name)
 	email, ok := resJson["email"].(string)
 	assert.Assert(t, ok)
 	assert.Equal(t, email, oidcCtrlTestContext.Email)
 	preferred_username, ok := resJson["preferred_username"].(string)
 	assert.Assert(t, ok)
 	assert.Equal(t, preferred_username, oidcCtrlTestContext.Username)
 	// Not sure why this is failing, will look into it later
 	igroups, ok := resJson["groups"].([]any)
 	assert.Assert(t, ok)
 	groups := make([]string, len(igroups))
 	for i, group := range igroups {
 		groups[i], ok = group.(string)
 		assert.Assert(t, ok)
 	}
 	assert.DeepEqual(t, strings.Split(oidcCtrlTestContext.LdapGroups, ","), groups)
 	// Test refresh token
 	recorder = httptest.NewRecorder()
 	params, err = query.Values(controller.TokenRequest{
 		GrantType:    "refresh_token",
 		RefreshToken: refreshToken,
 	})
 	assert.NilError(t, err)
 	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
 	assert.NilError(t, err)
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.SetBasicAuth("some-client-id", "some-client-secret")
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	resJson = map[string]any{}
 	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
 	assert.NilError(t, err)
 	newToken, ok := resJson["access_token"].(string)
 	assert.Assert(t, ok)
 	assert.Assert(t, newToken != accessToken)
 	// Ensure old token is invalid
 	recorder = httptest.NewRecorder()
 	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
 	assert.NilError(t, err)
 	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", accessToken))
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusUnauthorized, recorder.Code)
 	// Test new token
 	recorder = httptest.NewRecorder()
 	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
 	assert.NilError(t, err)
 	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", newToken))
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 }
--- a/internal/controller/user_controller.go
+++ b/internal/controller/user_controller.go
@@ -2,6 +2,7 @@ package controller
 import (
 	"fmt"
 	"strings"
 	"time"
 	"github.com/steveiliop56/tinyauth/internal/repository"
@@ -113,8 +114,8 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 			err := controller.auth.CreateSessionCookie(c, &repository.Session{
 				Username:    user.Username,
-				Name:        utils.Capitalize(user.Username),
+				Name:        utils.Capitalize(req.Username),
-				Email:       utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
 				Provider:    "local",
 				TotpPending: true,
 			})
@@ -140,7 +141,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    utils.CompileUserEmail(req.Username, controller.config.CookieDomain),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
 		Provider: "local",
 	}
@@ -254,7 +255,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.CookieDomain),
 		Provider: "local",
 	}
--- a/internal/controller/well_known_controller.go
+++ b/internal/controller/well_known_controller.go
@@ -1,85 +0,0 @@
 package controller
 import (
 	"fmt"
 	"net/http"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/tinyauth/internal/service"
 )
 type OpenIDConnectConfiguration struct {
 	Issuer                            string   `json:"issuer"`
 	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
 	TokenEndpoint                     string   `json:"token_endpoint"`
 	UserinfoEndpoint                  string   `json:"userinfo_endpoint"`
 	JwksUri                           string   `json:"jwks_uri"`
 	ScopesSupported                   []string `json:"scopes_supported"`
 	ResponseTypesSupported            []string `json:"response_types_supported"`
 	GrantTypesSupported               []string `json:"grant_types_supported"`
 	SubjectTypesSupported             []string `json:"subject_types_supported"`
 	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
 	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
 	ClaimsSupported                   []string `json:"claims_supported"`
 	ServiceDocumentation              string   `json:"service_documentation"`
 }
 type WellKnownControllerConfig struct{}
 type WellKnownController struct {
 	config WellKnownControllerConfig
 	engine *gin.Engine
 	oidc   *service.OIDCService
 }
 func NewWellKnownController(config WellKnownControllerConfig, oidc *service.OIDCService, engine *gin.Engine) *WellKnownController {
 	return &WellKnownController{
 		config: config,
 		oidc:   oidc,
 		engine: engine,
 	}
 }
 func (controller *WellKnownController) SetupRoutes() {
 	controller.engine.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
 	controller.engine.GET("/.well-known/jwks.json", controller.JWKS)
 }
 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
 	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
 		Issuer:                            issuer,
 		AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", issuer),
 		TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", issuer),
 		UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", issuer),
 		JwksUri:                           fmt.Sprintf("%s/.well-known/jwks.json", issuer),
 		ScopesSupported:                   service.SupportedScopes,
 		ResponseTypesSupported:            service.SupportedResponseTypes,
 		GrantTypesSupported:               service.SupportedGrantTypes,
 		SubjectTypesSupported:             []string{"pairwise"},
 		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
 		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
 		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "groups"},
 		ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
 	})
 }
 func (controller *WellKnownController) JWKS(c *gin.Context) {
 	jwks, err := controller.oidc.GetJWK()
 	if err != nil {
 		c.JSON(500, gin.H{
 			"status":  "500",
 			"message": "failed to get JWK",
 		})
 		return
 	}
 	c.Header("content-type", "application/json")
 	c.Writer.WriteString(`{"keys":[`)
 	c.Writer.Write(jwks)
 	c.Writer.WriteString(`]}`)
 	c.Status(http.StatusOK)
 }
--- a/internal/middleware/context_middleware.go
+++ b/internal/middleware/context_middleware.go
@@ -1,6 +1,7 @@
 package middleware
 import (
 	"fmt"
 	"slices"
 	"strings"
 	"time"
@@ -41,7 +42,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		// There is no point in trying to get credentials if it's an OIDC endpoint
 		path := c.Request.URL.Path
-		if slices.Contains(OIDCIgnorePaths, strings.TrimSuffix(path, "/")) {
+		if slices.Contains(OIDCIgnorePaths, path) {
 			c.Next()
 			return
 		}
@@ -185,7 +186,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
-				Email:       utils.CompileUserEmail(user.Username, m.config.CookieDomain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.CookieDomain),
 				Provider:    "local",
 				IsLoggedIn:  true,
 				TotpEnabled: user.TotpSecret != "",
@@ -207,7 +208,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:    basic.Username,
 				Name:        utils.Capitalize(basic.Username),
-				Email:       utils.CompileUserEmail(basic.Username, m.config.CookieDomain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.CookieDomain),
 				Provider:    "ldap",
 				IsLoggedIn:  true,
 				LdapGroups:  strings.Join(ldapUser.Groups, ","),
--- a/internal/middleware/ui_middleware.go
+++ b/internal/middleware/ui_middleware.go
@@ -9,7 +9,6 @@ import (
 	"time"
 	"github.com/steveiliop56/tinyauth/internal/assets"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/gin-gonic/gin"
 )
@@ -40,10 +39,11 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 		tlog.App.Debug().Str("path", path).Msg("path")
 		switch strings.SplitN(path, "/", 2)[0] {
-		case "api", "resources", ".well-known":
+		case "api":
 			c.Next()
 			return
 		case "resources":
 			c.Next()
 			return
 		default:
--- a/internal/repository/models.go
+++ b/internal/repository/models.go
@@ -6,7 +6,7 @@ package repository
 type OidcCode struct {
 	Sub         string
-	CodeHash    string
+	Code        string
 	Scope       string
 	RedirectURI string
 	ClientID    string
@@ -14,13 +14,11 @@ type OidcCode struct {
 }
 type OidcToken struct {
-	Sub                   string
+	Sub         string
-	AccessTokenHash       string
+	AccessToken string
-	RefreshTokenHash      string
+	Scope       string
-	Scope                 string
+	ClientID    string
-	ClientID              string
+	ExpiresAt   int64
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
 type OidcUserinfo struct {
--- a/internal/repository/oidc_queries.sql.go
+++ b/internal/repository/oidc_queries.sql.go
@@ -12,7 +12,7 @@ import (
 const createOidcCode = `-- name: CreateOidcCode :one
 INSERT INTO "oidc_codes" (
    "sub",
-    "code_hash",
+    "code",
    "scope",
    "redirect_uri",
    "client_id",
@@ -20,12 +20,12 @@ INSERT INTO "oidc_codes" (
 ) VALUES (
    ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at
+RETURNING sub, code, scope, redirect_uri, client_id, expires_at
 `
 type CreateOidcCodeParams struct {
 	Sub         string
-	CodeHash    string
+	Code        string
 	Scope       string
 	RedirectURI string
 	ClientID    string
@@ -35,7 +35,7 @@ type CreateOidcCodeParams struct {
 func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, createOidcCode,
 		arg.Sub,
-		arg.CodeHash,
+		arg.Code,
 		arg.Scope,
 		arg.RedirectURI,
 		arg.ClientID,
@@ -44,7 +44,7 @@ func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
-		&i.CodeHash,
+		&i.Code,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
@@ -56,47 +56,39 @@ func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams)
 const createOidcToken = `-- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
-    "access_token_hash",
+    "access_token",
    "refresh_token_hash",
    "scope",
    "client_id",
-    "token_expires_at",
+    "expires_at"
    "refresh_token_expires_at"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?
 )
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at
+RETURNING sub, access_token, scope, client_id, expires_at
 `
 type CreateOidcTokenParams struct {
-	Sub                   string
+	Sub         string
-	AccessTokenHash       string
+	AccessToken string
-	RefreshTokenHash      string
+	Scope       string
-	Scope                 string
+	ClientID    string
-	ClientID              string
+	ExpiresAt   int64
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
 func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, createOidcToken,
 		arg.Sub,
-		arg.AccessTokenHash,
+		arg.AccessToken,
 		arg.RefreshTokenHash,
 		arg.Scope,
 		arg.ClientID,
-		arg.TokenExpiresAt,
+		arg.ExpiresAt,
 		arg.RefreshTokenExpiresAt,
 	)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
-		&i.AccessTokenHash,
+		&i.AccessToken,
 		&i.RefreshTokenHash,
 		&i.Scope,
 		&i.ClientID,
-		&i.TokenExpiresAt,
+		&i.ExpiresAt,
 		&i.RefreshTokenExpiresAt,
 	)
 	return i, err
 }
@@ -145,121 +137,23 @@ func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfo
 	return i, err
 }
 const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at
 `
 func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
 	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcCodes, expiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcCode
 	for rows.Next() {
 		var i OidcCode
 		if err := rows.Scan(
 			&i.Sub,
 			&i.CodeHash,
 			&i.Scope,
 			&i.RedirectURI,
 			&i.ClientID,
 			&i.ExpiresAt,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
 RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at
 `
 type DeleteExpiredOidcTokensParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
 func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error) {
 	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcTokens, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcToken
 	for rows.Next() {
 		var i OidcToken
 		if err := rows.Scan(
 			&i.Sub,
 			&i.AccessTokenHash,
 			&i.RefreshTokenHash,
 			&i.Scope,
 			&i.ClientID,
 			&i.TokenExpiresAt,
 			&i.RefreshTokenExpiresAt,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteOidcCode = `-- name: DeleteOidcCode :exec
 DELETE FROM "oidc_codes"
-WHERE "code_hash" = ?
+WHERE "code" = ?
 `
-func (q *Queries) DeleteOidcCode(ctx context.Context, codeHash string) error {
+func (q *Queries) DeleteOidcCode(ctx context.Context, code string) error {
-	_, err := q.db.ExecContext(ctx, deleteOidcCode, codeHash)
+	_, err := q.db.ExecContext(ctx, deleteOidcCode, code)
 	return err
 }
 const deleteOidcCodeBySub = `-- name: DeleteOidcCodeBySub :exec
 DELETE FROM "oidc_codes"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCodeBySub, sub)
 	return err
 }
 const deleteOidcToken = `-- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
-WHERE "access_token_hash" = ?
+WHERE "access_token" = ?
 `
-func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
+func (q *Queries) DeleteOidcToken(ctx context.Context, accessToken string) error {
-	_, err := q.db.ExecContext(ctx, deleteOidcToken, accessTokenHash)
+	_, err := q.db.ExecContext(ctx, deleteOidcToken, accessToken)
 	return err
 }
 const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenBySub, sub)
 	return err
 }
@@ -274,75 +168,16 @@ func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 }
 const getOidcCode = `-- name: GetOidcCode :one
-DELETE FROM "oidc_codes"
+SELECT sub, code, scope, redirect_uri, client_id, expires_at FROM "oidc_codes"
-WHERE "code_hash" = ?
+WHERE "code" = ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at
 `
-func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
+func (q *Queries) GetOidcCode(ctx context.Context, code string) (OidcCode, error) {
-	row := q.db.QueryRowContext(ctx, getOidcCode, codeHash)
+	row := q.db.QueryRowContext(ctx, getOidcCode, code)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
-		&i.CodeHash,
+		&i.Code,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 	)
 	return i, err
 }
 const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
 DELETE FROM "oidc_codes"
 WHERE "sub" = ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at
 `
 func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySub, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 	)
 	return i, err
 }
 const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at FROM "oidc_codes"
 WHERE "sub" = ?
 `
 func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySubUnsafe, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 	)
 	return i, err
 }
 const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at FROM "oidc_codes"
 WHERE "code_hash" = ?
 `
 func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeUnsafe, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
@@ -352,61 +187,19 @@ func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcC
 }
 const getOidcToken = `-- name: GetOidcToken :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at FROM "oidc_tokens"
+SELECT sub, access_token, scope, client_id, expires_at FROM "oidc_tokens"
-WHERE "access_token_hash" = ?
+WHERE "access_token" = ?
 `
-func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error) {
+func (q *Queries) GetOidcToken(ctx context.Context, accessToken string) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, getOidcToken, accessTokenHash)
+	row := q.db.QueryRowContext(ctx, getOidcToken, accessToken)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
-		&i.AccessTokenHash,
+		&i.AccessToken,
 		&i.RefreshTokenHash,
 		&i.Scope,
 		&i.ClientID,
-		&i.TokenExpiresAt,
+		&i.ExpiresAt,
 		&i.RefreshTokenExpiresAt,
 	)
 	return i, err
 }
 const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?
 `
 func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcTokenByRefreshToken, refreshTokenHash)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 	)
 	return i, err
 }
 const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at FROM "oidc_tokens"
 WHERE "sub" = ?
 `
 func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcTokenBySub, sub)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 	)
 	return i, err
 }
@@ -429,42 +222,3 @@ func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo
 	)
 	return i, err
 }
 const updateOidcTokenByRefreshToken = `-- name: UpdateOidcTokenByRefreshToken :one
 UPDATE "oidc_tokens" SET
    "access_token_hash" = ?,
    "refresh_token_hash" = ?,
    "token_expires_at" = ?,
    "refresh_token_expires_at" = ?
 WHERE "refresh_token_hash" = ?
 RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at
 `
 type UpdateOidcTokenByRefreshTokenParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	RefreshTokenHash_2    string
 }
 func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, updateOidcTokenByRefreshToken,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.RefreshTokenHash_2,
 	)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 	)
 	return i, err
 }
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -78,7 +78,7 @@ func (auth *AuthService) SearchUser(username string) config.UserSearch {
 		}
 	}
-	if auth.ldap.IsConfigured() {
+	if auth.ldap != nil {
 		userDN, err := auth.ldap.GetUserDN(username)
 		if err != nil {
@@ -105,7 +105,7 @@ func (auth *AuthService) VerifyUser(search config.UserSearch, password string) b
 		user := auth.GetLocalUser(search.Username)
 		return auth.CheckPassword(user, password)
 	case "ldap":
-		if auth.ldap.IsConfigured() {
+		if auth.ldap != nil {
 			err := auth.ldap.Bind(search.Username, password)
 			if err != nil {
 				tlog.App.Warn().Err(err).Str("username", search.Username).Msg("Failed to bind to LDAP")
@@ -141,7 +141,7 @@ func (auth *AuthService) GetLocalUser(username string) config.User {
 }
 func (auth *AuthService) GetLdapUser(userDN string) (config.LdapUser, error) {
-	if !auth.ldap.IsConfigured() {
+	if auth.ldap == nil {
 		return config.LdapUser{}, errors.New("LDAP service not initialized")
 	}
@@ -398,7 +398,7 @@ func (auth *AuthService) LocalAuthConfigured() bool {
 }
 func (auth *AuthService) LdapAuthConfigured() bool {
-	return auth.ldap.IsConfigured()
+	return auth.ldap != nil
 }
 func (auth *AuthService) IsUserAllowed(c *gin.Context, context config.UserContext, acls config.App) bool {
--- a/internal/service/ldap_service.go
+++ b/internal/service/ldap_service.go
@@ -24,11 +24,10 @@ type LdapServiceConfig struct {
 }
 type LdapService struct {
-	config       LdapServiceConfig
+	config LdapServiceConfig
-	conn         *ldapgo.Conn
+	conn   *ldapgo.Conn
-	mutex        sync.RWMutex
+	mutex  sync.RWMutex
-	cert         *tls.Certificate
+	cert   *tls.Certificate
 	isConfigured bool
 }
 func NewLdapService(config LdapServiceConfig) *LdapService {
@@ -37,33 +36,7 @@ func NewLdapService(config LdapServiceConfig) *LdapService {
 	}
 }
 func (ldap *LdapService) IsConfigured() bool {
 	return ldap.isConfigured
 }
 func (ldap *LdapService) Unconfigure() error {
 	if !ldap.isConfigured {
 		return nil
 	}
 	if ldap.conn != nil {
 		if err := ldap.conn.Close(); err != nil {
 			return fmt.Errorf("failed to close LDAP connection: %w", err)
 		}
 	}
 	ldap.isConfigured = false
 	return nil
 }
 func (ldap *LdapService) Init() error {
 	if ldap.config.Address == "" {
 		ldap.isConfigured = false
 		return nil
 	}
 	ldap.isConfigured = true
 	// Check whether authentication with client certificate is possible
 	if ldap.config.AuthCert != "" && ldap.config.AuthKey != "" {
 		cert, err := tls.LoadX509KeyPair(ldap.config.AuthCert, ldap.config.AuthKey)
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -1,14 +1,11 @@
 package service
 import (
 	"context"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"database/sql"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
@@ -18,18 +15,20 @@ import (
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/go-jose/go-jose/v4"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"golang.org/x/exp/slices"
 	// Should probably switch to another package but for now this works
 	"golang.org/x/oauth2/jws"
 )
 var (
 	SupportedScopes        = []string{"openid", "profile", "email", "groups"}
 	SupportedResponseTypes = []string{"code"}
-	SupportedGrantTypes    = []string{"authorization_code", "refresh_token"}
+	SupportedGrantTypes    = []string{"authorization_code"}
 )
 var (
@@ -37,17 +36,8 @@ var (
 	ErrCodeNotFound  = errors.New("code_not_found")
 	ErrTokenNotFound = errors.New("token_not_found")
 	ErrTokenExpired  = errors.New("token_expired")
 	ErrInvalidClient = errors.New("invalid_client")
 )
 type ClaimSet struct {
 	Iss string `json:"iss"`
 	Aud string `json:"aud"`
 	Sub string `json:"sub"`
 	Iat int64  `json:"iat"`
 	Exp int64  `json:"exp"`
 }
 type UserinfoResponse struct {
 	Sub               string   `json:"sub"`
 	Name              string   `json:"name"`
@@ -58,12 +48,11 @@ type UserinfoResponse struct {
 }
 type TokenResponse struct {
-	AccessToken  string `json:"access_token"`
+	AccessToken string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
+	TokenType   string `json:"token_type"`
-	TokenType    string `json:"token_type"`
+	ExpiresIn   int64  `json:"expires_in"`
-	ExpiresIn    int64  `json:"expires_in"`
+	IDToken     string `json:"id_token"`
-	IDToken      string `json:"id_token"`
+	Scope       string `json:"scope"`
 	Scope        string `json:"scope"`
 }
 type AuthorizeRequest struct {
@@ -79,17 +68,15 @@ type OIDCServiceConfig struct {
 	PrivateKeyPath string
 	PublicKeyPath  string
 	Issuer         string
 	SessionExpiry  int
 }
 type OIDCService struct {
-	config       OIDCServiceConfig
+	config     OIDCServiceConfig
-	queries      *repository.Queries
+	queries    *repository.Queries
-	clients      map[string]config.OIDCClientConfig
+	clients    map[string]config.OIDCClientConfig
-	privateKey   *rsa.PrivateKey
+	privateKey *rsa.PrivateKey
-	publicKey    crypto.PublicKey
+	publicKey  crypto.PublicKey
-	issuer       string
+	issuer     string
 	isConfigured bool
 }
 func NewOIDCService(config OIDCServiceConfig, queries *repository.Queries) *OIDCService {
@@ -99,19 +86,9 @@ func NewOIDCService(config OIDCServiceConfig, queries *repository.Queries) *OIDC
 	}
 }
-func (service *OIDCService) IsConfigured() bool {
+// TODO: A cleanup routine is needed to clean up expired tokens/code/userinfo
 	return service.isConfigured
 }
 func (service *OIDCService) Init() error {
 	// If not configured, skip init
 	if len(service.config.Clients) == 0 {
 		service.isConfigured = false
 		return nil
 	}
 	service.isConfigured = true
 	// Ensure issuer is https
 	uissuer, err := url.Parse(service.config.Issuer)
@@ -145,9 +122,6 @@ func (service *OIDCService) Init() error {
 			return err
 		}
 		der := x509.MarshalPKCS1PrivateKey(privateKey)
 		if der == nil {
 			return errors.New("failed to marshal private key")
 		}
 		encoded := pem.EncodeToMemory(&pem.Block{
 			Type:  "RSA PRIVATE KEY",
 			Bytes: der,
@@ -159,9 +133,6 @@ func (service *OIDCService) Init() error {
 		service.privateKey = privateKey
 	} else {
 		block, _ := pem.Decode(fprivateKey)
 		if block == nil {
 			return errors.New("failed to decode private key")
 		}
 		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
 			return err
@@ -178,9 +149,6 @@ func (service *OIDCService) Init() error {
 	if errors.Is(err, os.ErrNotExist) {
 		publicKey := service.privateKey.Public()
 		der := x509.MarshalPKCS1PublicKey(publicKey.(*rsa.PublicKey))
 		if der == nil {
 			return errors.New("failed to marshal public key")
 		}
 		encoded := pem.EncodeToMemory(&pem.Block{
 			Type:  "RSA PUBLIC KEY",
 			Bytes: der,
@@ -192,9 +160,6 @@ func (service *OIDCService) Init() error {
 		service.publicKey = publicKey
 	} else {
 		block, _ := pem.Decode(fpublicKey)
 		if block == nil {
 			return errors.New("failed to decode public key")
 		}
 		publicKey, err := x509.ParsePKCS1PublicKey(block.Bytes)
 		if err != nil {
 			return err
@@ -218,14 +183,13 @@ func (service *OIDCService) Init() error {
 		}
 		client.ClientSecretFile = ""
 		service.clients[id] = client
 		tlog.App.Info().Str("id", client.ID).Msg("Registered OIDC client")
 	}
 	return nil
 }
 func (service *OIDCService) GetIssuer() string {
-	return service.issuer
+	return service.config.Issuer
 }
 func (service *OIDCService) GetClient(id string) (config.OIDCClientConfig, bool) {
@@ -281,8 +245,8 @@ func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, r
 	// Insert the code into the database
 	_, err := service.queries.CreateOidcCode(c, repository.CreateOidcCodeParams{
-		Sub:      sub,
+		Sub:  sub,
-		CodeHash: service.Hash(code),
+		Code: code,
 		// Here it's safe to split and trust the output since, we validated the scopes before
 		Scope:       strings.Join(service.filterScopes(strings.Split(req.Scope, " ")), ","),
 		RedirectURI: req.RedirectURI,
@@ -318,14 +282,14 @@ func (service *OIDCService) StoreUserinfo(c *gin.Context, sub string, userContex
 func (service *OIDCService) ValidateGrantType(grantType string) error {
 	if !slices.Contains(SupportedGrantTypes, grantType) {
-		return errors.New("unsupported_grant_type")
+		return errors.New("unsupported_response_type")
 	}
 	return nil
 }
-func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repository.OidcCode, error) {
+func (service *OIDCService) GetCodeEntry(c *gin.Context, code string) (repository.OidcCode, error) {
-	oidcCode, err := service.queries.GetOidcCode(c, codeHash)
+	oidcCode, err := service.queries.GetOidcCode(c, code)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
@@ -335,7 +299,7 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repos
 	}
 	if time.Now().Unix() > oidcCode.ExpiresAt {
-		err = service.queries.DeleteOidcCode(c, codeHash)
+		err = service.queries.DeleteOidcCode(c, code)
 		if err != nil {
 			return repository.OidcCode{}, err
 		}
@@ -351,23 +315,11 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repos
 func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, sub string) (string, error) {
 	createdAt := time.Now().Unix()
 	expiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
-	signer, err := jose.NewSigner(jose.SigningKey{
+	// TODO: This should probably be user-configured if refresh logic does not exist
-		Algorithm: jose.RS256,
+	expiresAt := time.Now().Add(time.Duration(1) * time.Hour).Unix()
 		Key:       service.privateKey,
 	}, &jose.SignerOptions{
 		ExtraHeaders: map[jose.HeaderKey]any{
 			"typ": "jwt",
 			"jku": fmt.Sprintf("%s/.well-known/jwks.json", service.issuer),
 		},
 	})
-	if err != nil {
+	claims := jws.ClaimSet{
 		return "", err
 	}
 	claims := ClaimSet{
 		Iss: service.issuer,
 		Aud: client.ClientID,
 		Sub: sub,
@@ -375,19 +327,12 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, sub
 		Exp: expiresAt,
 	}
-	payload, err := json.Marshal(claims)
+	header := jws.Header{
-
+		Algorithm: "RS256",
-	if err != nil {
+		Typ:       "JWT",
 		return "", err
 	}
-	object, err := signer.Sign(payload)
+	token, err := jws.Encode(&header, &claims, service.privateKey)
 	if err != nil {
 		return "", err
 	}
 	token, err := object.CompactSerialize()
 	if err != nil {
 		return "", err
@@ -403,31 +348,22 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OI
 		return TokenResponse{}, err
 	}
-	accessToken := utils.GenerateString(32)
+	accessToken := rand.Text()
-	refreshToken := utils.GenerateString(32)
+	expiresAt := time.Now().Add(time.Duration(1) * time.Hour).Unix()
 	tokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
 	// Refresh token lives double the time of an access token but can't be used to access userinfo
 	refrshTokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry*2) * time.Second).Unix()
 	tokenResponse := TokenResponse{
-		AccessToken:  accessToken,
+		AccessToken: accessToken,
-		RefreshToken: refreshToken,
+		TokenType:   "Bearer",
-		TokenType:    "Bearer",
+		ExpiresIn:   int64(time.Hour.Seconds()),
-		ExpiresIn:    int64(service.config.SessionExpiry),
+		IDToken:     idToken,
-		IDToken:      idToken,
+		Scope:       strings.ReplaceAll(scope, ",", " "),
 		Scope:        strings.ReplaceAll(scope, ",", " "),
 	}
 	_, err = service.queries.CreateOidcToken(c, repository.CreateOidcTokenParams{
-		Sub:                   sub,
+		Sub:         sub,
-		AccessTokenHash:       service.Hash(accessToken),
+		AccessToken: accessToken,
-		RefreshTokenHash:      service.Hash(refreshToken),
+		Scope:       scope,
-		ClientID:              client.ClientID,
+		ExpiresAt:   expiresAt,
 		Scope:                 scope,
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refrshTokenExpiresAt,
 	})
 	if err != nil {
@@ -437,77 +373,20 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OI
 	return tokenResponse, nil
 }
-func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken string, reqClientId string) (TokenResponse, error) {
+func (service *OIDCService) DeleteCodeEntry(c *gin.Context, code string) error {
-	entry, err := service.queries.GetOidcTokenByRefreshToken(c, service.Hash(refreshToken))
+	return service.queries.DeleteOidcCode(c, code)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			return TokenResponse{}, ErrTokenNotFound
 		}
 		return TokenResponse{}, err
 	}
 	if entry.RefreshTokenExpiresAt < time.Now().Unix() {
 		return TokenResponse{}, ErrTokenExpired
 	}
 	// Ensure the client ID in the request matches the client ID in the token
 	if entry.ClientID != reqClientId {
 		return TokenResponse{}, ErrInvalidClient
 	}
 	idToken, err := service.generateIDToken(config.OIDCClientConfig{
 		ClientID: entry.ClientID,
 	}, entry.Sub)
 	if err != nil {
 		return TokenResponse{}, err
 	}
 	accessToken := utils.GenerateString(32)
 	newRefreshToken := utils.GenerateString(32)
 	tokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
 	refrshTokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry*2) * time.Second).Unix()
 	tokenResponse := TokenResponse{
 		AccessToken:  accessToken,
 		RefreshToken: newRefreshToken,
 		TokenType:    "Bearer",
 		ExpiresIn:    int64(service.config.SessionExpiry),
 		IDToken:      idToken,
 		Scope:        strings.ReplaceAll(entry.Scope, ",", " "),
 	}
 	_, err = service.queries.UpdateOidcTokenByRefreshToken(c, repository.UpdateOidcTokenByRefreshTokenParams{
 		AccessTokenHash:       service.Hash(accessToken),
 		RefreshTokenHash:      service.Hash(newRefreshToken),
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refrshTokenExpiresAt,
 		RefreshTokenHash_2:    service.Hash(refreshToken), // that's the selector, it's not stored in the db
 	})
 	if err != nil {
 		return TokenResponse{}, err
 	}
 	return tokenResponse, nil
 }
 func (service *OIDCService) DeleteCodeEntry(c *gin.Context, codeHash string) error {
 	return service.queries.DeleteOidcCode(c, codeHash)
 }
 func (service *OIDCService) DeleteUserinfo(c *gin.Context, sub string) error {
 	return service.queries.DeleteOidcUserInfo(c, sub)
 }
-func (service *OIDCService) DeleteToken(c *gin.Context, tokenHash string) error {
+func (service *OIDCService) DeleteToken(c *gin.Context, token string) error {
-	return service.queries.DeleteOidcToken(c, tokenHash)
+	return service.queries.DeleteOidcToken(c, token)
 }
-func (service *OIDCService) GetAccessToken(c *gin.Context, tokenHash string) (repository.OidcToken, error) {
+func (service *OIDCService) GetAccessToken(c *gin.Context, token string) (repository.OidcToken, error) {
-	entry, err := service.queries.GetOidcToken(c, tokenHash)
+	entry, err := service.queries.GetOidcToken(c, token)
 	if err != nil {
 		if err == sql.ErrNoRows {
@@ -516,17 +395,14 @@ func (service *OIDCService) GetAccessToken(c *gin.Context, tokenHash string) (re
 		return repository.OidcToken{}, err
 	}
-	if entry.TokenExpiresAt < time.Now().Unix() {
+	if entry.ExpiresAt < time.Now().Unix() {
-		// If refresh token is expired, delete the token and userinfo since there is no way for the client to access anything anymore
+		err := service.DeleteToken(c, token)
-		if entry.RefreshTokenExpiresAt < time.Now().Unix() {
+		if err != nil {
-			err := service.DeleteToken(c, tokenHash)
+			return repository.OidcToken{}, err
-			if err != nil {
+		}
-				return repository.OidcToken{}, err
+		err = service.DeleteUserinfo(c, entry.Sub)
-			}
+		if err != nil {
-			err = service.DeleteUserinfo(c, entry.Sub)
+			return repository.OidcToken{}, err
 			if err != nil {
 				return repository.OidcToken{}, err
 			}
 		}
 		return repository.OidcToken{}, ErrTokenExpired
 	}
@@ -555,99 +431,8 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
 	}
 	if slices.Contains(scopes, "groups") {
-		if user.Groups != "" {
+		userInfo.Groups = strings.Split(user.Groups, ",")
 			userInfo.Groups = strings.Split(user.Groups, ",")
 		} else {
 			userInfo.Groups = []string{}
 		}
 	}
 	return userInfo
 }
 func (service *OIDCService) Hash(token string) string {
 	hasher := sha256.New()
 	hasher.Write([]byte(token))
 	return fmt.Sprintf("%x", hasher.Sum(nil))
 }
 func (service *OIDCService) DeleteOldSession(ctx context.Context, sub string) error {
 	err := service.queries.DeleteOidcCodeBySub(ctx, sub)
 	if err != nil && !errors.Is(err, sql.ErrNoRows) {
 		return err
 	}
 	err = service.queries.DeleteOidcTokenBySub(ctx, sub)
 	if err != nil && !errors.Is(err, sql.ErrNoRows) {
 		return err
 	}
 	err = service.queries.DeleteOidcUserInfo(ctx, sub)
 	if err != nil && !errors.Is(err, sql.ErrNoRows) {
 		return err
 	}
 	return nil
 }
 // Cleanup routine - Resource heavy due to the linked tables
 func (service *OIDCService) Cleanup() {
 	// We need a context for the routine
 	ctx := context.Background()
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
 	for range ticker.C {
 		currentTime := time.Now().Unix()
 		// For the OIDC tokens, if they are expired we delete the userinfo and codes
 		expiredTokens, err := service.queries.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
 			TokenExpiresAt:        currentTime,
 			RefreshTokenExpiresAt: currentTime,
 		})
 		if err != nil {
 			tlog.App.Warn().Err(err).Msg("Failed to delete expired tokens")
 		}
 		for _, expiredToken := range expiredTokens {
 			err := service.DeleteOldSession(ctx, expiredToken.Sub)
 			if err != nil {
 				tlog.App.Warn().Err(err).Msg("Failed to delete old session")
 			}
 		}
 		// For expired codes, we need to get the sub, check if tokens are expired and if they are remove everything
 		expiredCodes, err := service.queries.DeleteExpiredOidcCodes(ctx, currentTime)
 		if err != nil {
 			tlog.App.Warn().Err(err).Msg("Failed to delete expired codes")
 		}
 		for _, expiredCode := range expiredCodes {
 			token, err := service.queries.GetOidcTokenBySub(ctx, expiredCode.Sub)
 			if err != nil {
 				if err == sql.ErrNoRows {
 					continue
 				}
 				tlog.App.Warn().Err(err).Msg("Failed to get OIDC token by sub")
 			}
 			if token.TokenExpiresAt < currentTime && token.RefreshTokenExpiresAt < currentTime {
 				err := service.DeleteOldSession(ctx, expiredCode.Sub)
 				if err != nil {
 					tlog.App.Warn().Err(err).Msg("Failed to delete session")
 				}
 			}
 		}
 	}
 }
 func (service *OIDCService) GetJWK() ([]byte, error) {
 	jwk := jose.JSONWebKey{
 		Key:       service.privateKey,
 		Algorithm: string(jose.RS256),
 		Use:       "sig",
 	}
 	return jwk.Public().MarshalJSON()
 }
--- a/internal/utils/security_utils.go
+++ b/internal/utils/security_utils.go
@@ -4,6 +4,8 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"errors"
 	"math"
 	"math/big"
 	"net"
 	"regexp"
 	"strings"
@@ -107,8 +109,27 @@ func GenerateUUID(str string) string {
 	return uuid.String()
 }
-func GenerateString(length int) string {
+// These could definitely be improved A LOT but at least they are cryptographically secure
-	src := make([]byte, length)
+func GetRandomString(length int) (string, error) {
-	rand.Read(src)
+	if length < 1 {
-	return base64.RawURLEncoding.EncodeToString(src)[:length]
+		return "", errors.New("length must be greater than 0")
 	}
 	b := make([]byte, length)
 	_, err := rand.Read(b)
 	if err != nil {
 		return "", err
 	}
 	state := base64.RawURLEncoding.EncodeToString(b)
 	return state[:length], nil
 }
 func GetRandomInt(length int) (int64, error) {
 	if length < 1 {
 		return 0, errors.New("length must be greater than 0")
 	}
 	a, err := rand.Int(rand.Reader, big.NewInt(int64(math.Pow(10, float64(length)))))
 	if err != nil {
 		return 0, err
 	}
 	return a.Int64(), nil
 }
--- a/internal/utils/security_utils_test.go
+++ b/internal/utils/security_utils_test.go
@@ -2,6 +2,7 @@ package utils_test
 import (
 	"os"
 	"strconv"
 	"testing"
 	"github.com/steveiliop56/tinyauth/internal/utils"
@@ -147,3 +148,25 @@ func TestGenerateUUID(t *testing.T) {
 	id3 := utils.GenerateUUID("differentstring")
 	assert.Assert(t, id1 != id3)
 }
 func TestGetRandomString(t *testing.T) {
 	// Test with normal length
 	state, err := utils.GetRandomString(16)
 	assert.NilError(t, err)
 	assert.Equal(t, 16, len(state))
 	// Test with zero length
 	state, err = utils.GetRandomString(0)
 	assert.Error(t, err, "length must be greater than 0")
 }
 func TestGetRandomInt(t *testing.T) {
 	// Test with normal length
 	state, err := utils.GetRandomInt(16)
 	assert.NilError(t, err)
 	assert.Equal(t, 16, len(strconv.Itoa(int(state))))
 	// Test with zero length
 	state, err = utils.GetRandomInt(0)
 	assert.Error(t, err, "length must be greater than 0")
 }
--- a/internal/utils/string_utils_test.go
+++ b/internal/utils/string_utils_test.go
@@ -49,11 +49,3 @@ func TestCoalesceToString(t *testing.T) {
 	// Test with nil input
 	assert.Equal(t, "", utils.CoalesceToString(nil))
 }
 func TestCompileUserEmail(t *testing.T) {
 	// Test with valid email
 	assert.Equal(t, "user@example.com", utils.CompileUserEmail("user@example.com", "example.com"))
 	// Test with invalid email
 	assert.Equal(t, "user@example.com", utils.CompileUserEmail("user", "example.com"))
 }
--- a/internal/utils/user_utils.go
+++ b/internal/utils/user_utils.go
@@ -2,8 +2,6 @@ package utils
 import (
 	"errors"
 	"fmt"
 	"net/mail"
 	"strings"
 	"github.com/steveiliop56/tinyauth/internal/config"
@@ -92,13 +90,3 @@ func ParseUser(userStr string) (config.User, error) {
 	return user, nil
 }
 func CompileUserEmail(username string, domain string) string {
 	_, err := mail.ParseAddress(username)
 	if err != nil {
 		return fmt.Sprintf("%s@%s", strings.ToLower(username), domain)
 	}
 	return username
 }
--- a/sql/oidc_queries.sql
+++ b/sql/oidc_queries.sql
@@ -1,7 +1,7 @@
 -- name: CreateOidcCode :one
 INSERT INTO "oidc_codes" (
    "sub",
-    "code_hash",
+    "code",
    "scope",
    "redirect_uri",
    "client_id",
@@ -11,75 +11,33 @@ INSERT INTO "oidc_codes" (
 )
 RETURNING *;
 -- name: GetOidcCodeUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "code_hash" = ?;
 -- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
 RETURNING *;
 -- name: GetOidcCodeBySubUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "sub" = ?;
 -- name: GetOidcCodeBySub :one
 DELETE FROM "oidc_codes"
 WHERE "sub" = ?
 RETURNING *;
 -- name: DeleteOidcCode :exec
 DELETE FROM "oidc_codes"
-WHERE "code_hash" = ?;
+WHERE "code" = ?;
-- name: DeleteOidcCodeBySub :exec
+-- name: GetOidcCode :one
-DELETE FROM "oidc_codes"
+SELECT * FROM "oidc_codes"
-WHERE "sub" = ?;
+WHERE "code" = ?;
 -- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
-    "access_token_hash",
+    "access_token",
    "refresh_token_hash",
    "scope",
    "client_id",
-    "token_expires_at",
+    "expires_at"
    "refresh_token_expires_at"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?
 )
 RETURNING *;
-- name: UpdateOidcTokenByRefreshToken :one
+-- name: DeleteOidcToken :exec
-UPDATE "oidc_tokens" SET
+DELETE FROM "oidc_tokens"
-    "access_token_hash" = ?,
+WHERE "access_token" = ?;
    "refresh_token_hash" = ?,
    "token_expires_at" = ?,
    "refresh_token_expires_at" = ?
 WHERE "refresh_token_hash" = ?
 RETURNING *;
 -- name: GetOidcToken :one
 SELECT * FROM "oidc_tokens"
-WHERE "access_token_hash" = ?;
+WHERE "access_token" = ?;
 -- name: GetOidcTokenByRefreshToken :one
 SELECT * FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?;
 -- name: GetOidcTokenBySub :one
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = ?;
 -- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?;
 -- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = ?;
 -- name: CreateOidcUserInfo :one
 INSERT INTO "oidc_userinfo" (
@@ -94,20 +52,10 @@ INSERT INTO "oidc_userinfo" (
 )
 RETURNING *;
 -- name: GetOidcUserInfo :one
 SELECT * FROM "oidc_userinfo"
 WHERE "sub" = ?;
 -- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = ?;
-- name: DeleteExpiredOidcCodes :many
+-- name: GetOidcUserInfo :one
-DELETE FROM "oidc_codes"
+SELECT * FROM "oidc_userinfo"
-WHERE "expires_at" < ?
+WHERE "sub" = ?;
 RETURNING *;
 -- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
 RETURNING *;
--- a/sql/oidc_schemas.sql
+++ b/sql/oidc_schemas.sql
@@ -1,6 +1,6 @@
 CREATE TABLE IF NOT EXISTS "oidc_codes" (
    "sub" TEXT NOT NULL UNIQUE,
-    "code_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
+    "code" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "scope" TEXT NOT NULL,
    "redirect_uri" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
@@ -9,12 +9,10 @@ CREATE TABLE IF NOT EXISTS "oidc_codes" (
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
-    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
+    "access_token" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
-    "token_expires_at" INTEGER NOT NULL,
+    "expires_at" INTEGER NOT NULL
    "refresh_token_expires_at" INTEGER NOT NULL
 );
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
Author	SHA1	Message	Date
Stavros	71bc3966bc	feat: adapt frontend to oidc flow	2026-01-24 15:52:22 +02:00
Stavros	c817e353f6	refactor: implement oidc following tinyauth patterns	2026-01-24 14:31:03 +02:00
Stavros	97e90ea560	feat: implement basic oidc functionality	2026-01-22 22:30:23 +02:00
Stavros	6ae7c1cbda	wip: authorize page	2026-01-21 20:12:32 +02:00
Stavros	7dc3525a8d	chore: add oidc base config	2026-01-21 18:54:00 +02:00