chore(deps): bump alpine from 3.23 to 3.24

Bumps alpine from 3.23 to 3.24. --- updated-dependencies: - dependency-name: alpine dependency-version: '3.24' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
2026-06-14 15:30:16 +00:00 · 2026-06-10 08:13:13 +00:00
63 changed files with 1642 additions and 2431 deletions
@@ -46,7 +46,7 @@ RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 # Runner
-FROM alpine:3.23 AS runner
+FROM alpine:3.24 AS runner
 WORKDIR /tinyauth
@@ -0,0 +1,36 @@
 import { languages, SupportedLanguage } from "@/lib/i18n/locales";
 import {
  Select,
  SelectContent,
  SelectItem,
  SelectTrigger,
  SelectValue,
 } from "../ui/select";
 import { useState } from "react";
 import i18n from "@/lib/i18n/i18n";
 export const LanguageSelector = () => {
  const [language, setLanguage] = useState<SupportedLanguage>(
    i18n.language as SupportedLanguage,
  );
  const handleSelect = (option: string) => {
    setLanguage(option as SupportedLanguage);
    i18n.changeLanguage(option as SupportedLanguage);
  };
  return (
    <Select onValueChange={handleSelect} value={language}>
      <SelectTrigger aria-label="Select language">
        <SelectValue placeholder="Select language" />
      </SelectTrigger>
      <SelectContent>
        {Object.entries(languages).map(([key, value]) => (
          <SelectItem key={key} value={key}>
            {value}
          </SelectItem>
        ))}
      </SelectContent>
    </Select>
  );
 };
@@ -1,8 +1,9 @@
 import { useAppContext } from "@/context/app-context";
 import { LanguageSelector } from "../language/language";
 import { Outlet } from "react-router";
 import { useCallback, useEffect, useState } from "react";
 import { DomainWarning } from "../domain-warning/domain-warning";
-import { QuickActions } from "../quick-actions/quick-actions";
+import { ThemeToggle } from "../theme-toggle/theme-toggle";
 const BaseLayout = ({ children }: { children: React.ReactNode }) => {
  const { ui } = useAppContext();
@@ -20,8 +21,9 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
        backgroundPosition: "center",
      }}
    >
-      <div className="absolute top-4 right-4">
+      <div className="absolute top-4 right-4 flex flex-row gap-2">
-        <QuickActions />
+        <ThemeToggle />
        <LanguageSelector />
      </div>
      <div className="max-w-sm md:min-w-sm min-w-xs">{children}</div>
    </div>
@@ -1,208 +0,0 @@
 import { languages, SupportedLanguage } from "@/lib/i18n/locales";
 import {
  DropdownMenu,
  DropdownMenuContent,
  DropdownMenuItem,
  DropdownMenuLabel,
  DropdownMenuPortal,
  DropdownMenuSeparator,
  DropdownMenuSub,
  DropdownMenuSubContent,
  DropdownMenuSubTrigger,
  DropdownMenuTrigger,
 } from "../ui/dropdown-menu";
 import { useState } from "react";
 import i18n from "@/lib/i18n/i18n";
 import { useUserContext } from "@/context/user-context";
 import { ScrollArea } from "../ui/scroll-area";
 import { useTheme } from "../providers/theme-provider";
 import {
  Check,
  DoorOpenIcon,
  Languages,
  Monitor,
  Moon,
  Palette,
  Settings,
  Sun,
 } from "lucide-react";
 import { useTranslation } from "react-i18next";
 import { useLocation } from "react-router";
 import { useRef } from "react";
 import {
  useScreenParams,
  recompileScreenParams,
 } from "@/lib/hooks/screen-params";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
 import { toast } from "sonner";
 import { useEffect } from "react";
 function Avatar({ initial }: { initial: string }) {
  return (
    <span className="group relative grid size-10 place-items-center rounded-full">
      <span className="absolute inset-0 overflow-hidden rounded-full bg-linear-to-b from-neutral-50 to-neutral-100 dark:from-neutral-700 dark:to-neutral-950 shadow-lg"></span>
      <span className="relative text-sm font-semibold text-primary">
        {initial}
      </span>
    </span>
  );
 }
 export const QuickActions = () => {
  const { auth } = useUserContext();
  const { theme, setTheme } = useTheme();
  const { t } = useTranslation();
  const { search } = useLocation();
  const [language, setLanguage] = useState<SupportedLanguage>(
    i18n.language as SupportedLanguage,
  );
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
  const screenParams = useScreenParams(searchParams);
  const compiledParams = recompileScreenParams(screenParams);
  const logoutMutation = useMutation({
    mutationFn: () => axios.post("/api/user/logout"),
    mutationKey: ["logout"],
    onSuccess: () => {
      toast.success(t("logoutSuccessTitle"), {
        description: t("logoutSuccessSubtitle"),
      });
      redirectTimer.current = window.setTimeout(() => {
        window.location.replace(`/login${compiledParams}`);
      }, 500);
    },
    onError: () => {
      toast.error(t("logoutFailTitle"), {
        description: t("logoutFailSubtitle"),
      });
    },
  });
  useEffect(() => {
    return () => {
      if (redirectTimer.current) {
        clearTimeout(redirectTimer.current);
      }
    };
  }, [redirectTimer]);
  const initial = auth.authenticated
    ? (auth.name[0] || "U").toUpperCase()
    : null;
  const handleSelect = (option: string) => {
    setLanguage(option as SupportedLanguage);
    i18n.changeLanguage(option as SupportedLanguage);
  };
  const themes = [
    { key: "light", label: t("quickActionsThemeLight"), icon: Sun },
    { key: "dark", label: t("quickActionsThemeDark"), icon: Moon },
    { key: "system", label: t("quickActionsThemeSystem"), icon: Monitor },
  ] as const;
  return (
    <DropdownMenu>
      <DropdownMenuTrigger asChild>
        <button
          aria-label={t("quickActionsTitle")}
          className="rounded-full transition-transform duration-200 will-change-transform hover:scale-105 hover:cursor-pointer focus:ring-0 focus:outline-3 focus:outline-ring/50"
        >
          {auth.authenticated ? (
            <Avatar initial={initial!} />
          ) : (
            <span className="bg-card text-primary border-border size-10 flex items-center justify-center rounded-full border shadow-lg">
              <Settings className="size-4" />
            </span>
          )}
        </button>
      </DropdownMenuTrigger>
      <DropdownMenuContent
        align="end"
        sideOffset={8}
        className="rounded-xl p-1"
      >
        {auth.authenticated && (
          <>
            <DropdownMenuLabel className="flex items-center gap-3 p-2">
              <div className="bg-foreground text-background flex size-9 shrink-0 items-center justify-center rounded-full text-sm font-medium">
                {initial}
              </div>
              <div className="flex min-w-0 flex-col">
                <span className="truncate text-sm font-medium">
                  {auth.name}
                </span>
                <span className="text-muted-foreground truncate text-xs font-normal">
                  {auth.email}
                </span>
              </div>
            </DropdownMenuLabel>
            <DropdownMenuSeparator />
          </>
        )}
        <DropdownMenuSub>
          <DropdownMenuSubTrigger>
            <Languages className="size-4" />
            {t("quickActionsLanguage")}
          </DropdownMenuSubTrigger>
          <DropdownMenuPortal>
            <DropdownMenuSubContent sideOffset={8} className="rounded-xl p-1">
              <ScrollArea className="h-80">
                {Object.entries(languages).map(([key, value]) => (
                  <DropdownMenuItem
                    key={key}
                    onSelect={() => handleSelect(key)}
                  >
                    {value}
                    {language === key && <Check className="size-4" />}
                  </DropdownMenuItem>
                ))}
              </ScrollArea>
            </DropdownMenuSubContent>
          </DropdownMenuPortal>
        </DropdownMenuSub>
        <DropdownMenuSub>
          <DropdownMenuSubTrigger>
            <Palette className="size-4" />
            {t("quickActionsTheme")}
          </DropdownMenuSubTrigger>
          <DropdownMenuPortal>
            <DropdownMenuSubContent className="rounded-xl p-1" sideOffset={8}>
              {themes.map(({ key, label, icon: Icon }) => (
                <DropdownMenuItem key={key} onClick={() => setTheme(key)}>
                  <span className="flex items-center gap-2">
                    <Icon className="size-4" />
                    {label}
                  </span>
                  {theme === key && <Check className="size-4" />}
                </DropdownMenuItem>
              ))}
            </DropdownMenuSubContent>
          </DropdownMenuPortal>
        </DropdownMenuSub>
        {auth.authenticated && (
          <>
            <DropdownMenuSeparator />
            <DropdownMenuItem
              onSelect={() => logoutMutation.mutate()}
              className="text-destructive"
            >
              <DoorOpenIcon className="size-4" />
              {t("quickActionsLogout")}
            </DropdownMenuItem>
          </>
        )}
      </DropdownMenuContent>
    </DropdownMenu>
  );
 };
@@ -0,0 +1,40 @@
 import { Moon, Sun } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import {
  DropdownMenu,
  DropdownMenuContent,
  DropdownMenuItem,
  DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu";
 import { useTheme } from "@/components/providers/theme-provider";
 export function ThemeToggle() {
  const { setTheme } = useTheme();
  return (
    <DropdownMenu>
      <DropdownMenuTrigger asChild>
        <Button
          className="bg-card text-card-foreground hover:bg-card/90"
          size="icon"
        >
          <Sun className="h-[1.2rem] w-[1.2rem] scale-100 rotate-0 transition-all dark:scale-0 dark:-rotate-90" />
          <Moon className="absolute h-[1.2rem] w-[1.2rem] scale-0 rotate-90 transition-all dark:scale-100 dark:rotate-0" />
          <span className="sr-only">Toggle theme</span>
        </Button>
      </DropdownMenuTrigger>
      <DropdownMenuContent align="end">
        <DropdownMenuItem onClick={() => setTheme("light")}>
          Light
        </DropdownMenuItem>
        <DropdownMenuItem onClick={() => setTheme("dark")}>
          Dark
        </DropdownMenuItem>
        <DropdownMenuItem onClick={() => setTheme("system")}>
          System
        </DropdownMenuItem>
      </DropdownMenuContent>
    </DropdownMenu>
  );
 }
@@ -1,56 +0,0 @@
 import * as React from "react"
 import { ScrollArea as ScrollAreaPrimitive } from "radix-ui"
 import { cn } from "@/lib/utils"
 function ScrollArea({
  className,
  children,
  ...props
 }: React.ComponentProps<typeof ScrollAreaPrimitive.Root>) {
  return (
    <ScrollAreaPrimitive.Root
      data-slot="scroll-area"
      className={cn("relative", className)}
      {...props}
    >
      <ScrollAreaPrimitive.Viewport
        data-slot="scroll-area-viewport"
        className="size-full rounded-[inherit] transition-[color,box-shadow] outline-none focus-visible:ring-[3px] focus-visible:ring-ring/50 focus-visible:outline-1"
      >
        {children}
      </ScrollAreaPrimitive.Viewport>
      <ScrollBar />
      <ScrollAreaPrimitive.Corner />
    </ScrollAreaPrimitive.Root>
  )
 }
 function ScrollBar({
  className,
  orientation = "vertical",
  ...props
 }: React.ComponentProps<typeof ScrollAreaPrimitive.ScrollAreaScrollbar>) {
  return (
    <ScrollAreaPrimitive.ScrollAreaScrollbar
      data-slot="scroll-area-scrollbar"
      orientation={orientation}
      className={cn(
        "flex touch-none p-px transition-colors select-none",
        orientation === "vertical" &&
          "h-full w-2.5 border-l border-l-transparent",
        orientation === "horizontal" &&
          "h-2.5 flex-col border-t border-t-transparent",
        className
      )}
      {...props}
    >
      <ScrollAreaPrimitive.ScrollAreaThumb
        data-slot="scroll-area-thumb"
        className="relative flex-1 rounded-full bg-border"
      />
    </ScrollAreaPrimitive.ScrollAreaScrollbar>
  )
 }
 export { ScrollArea, ScrollBar }
@@ -1,17 +0,0 @@
 type UseLoginForProps = {
  login_for?: "oidc" | "app";
  compiledParams: string;
 };
 export const useLoginFor = (props: UseLoginForProps): string => {
  const { login_for, compiledParams } = props;
  switch (login_for) {
    case "oidc":
      return "/oidc/authorize" + compiledParams;
    case "app":
      return "/continue" + compiledParams;
    default:
      return "/logout";
  }
 };
@@ -0,0 +1,76 @@
 import { z } from "zod";
 export const oidcParamsSchema = z.object({
  scope: z.string().min(1),
  response_type: z.string().min(1),
  client_id: z.string().min(1),
  redirect_uri: z.string().min(1),
  state: z.string().optional(),
  nonce: z.string().optional(),
  code_challenge: z.string().optional(),
  code_challenge_method: z.string().optional(),
 });
 function b64urlDecode(s: string): string {
  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), "="));
 }
 function decodeRequestObject(jwt: string): Record<string, string> {
  try {
    // Must have exactly 3 parts: header, payload, signature
    const parts = jwt.split(".");
    if (parts.length !== 3) return {};
    // Header must specify "alg": "none" and signature must be empty string
    const header = JSON.parse(b64urlDecode(parts[0]));
    if (!header || typeof header !== "object" || header.alg !== "none" || parts[2] !== "") return {};
    const payload = JSON.parse(b64urlDecode(parts[1]));
    if (!payload || typeof payload !== "object" || Array.isArray(payload)) return {};
    const result: Record<string, string> = {};
    for (const [k, v] of Object.entries(payload)) {
      if (typeof v === "string") result[k] = v;
    }
    return result;
  } catch {
    return {};
  }
 }
 export const useOIDCParams = (
  params: URLSearchParams,
 ): {
  values: z.infer<typeof oidcParamsSchema>;
  issues: string[];
  isOidc: boolean;
  compiled: string;
 } => {
  const obj = Object.fromEntries(params.entries());
  // RFC 9101 / OIDC Core 6.1: if `request` param present, decode JWT payload
  // and merge claims over top-level params (JWT claims take precedence)
  const requestJwt = params.get("request");
  if (requestJwt) {
    const claims = decodeRequestObject(requestJwt);
    Object.assign(obj, claims);
  }
  const parsed = oidcParamsSchema.safeParse(obj);
  if (parsed.success) {
    return {
      values: parsed.data,
      issues: [],
      isOidc: true,
      compiled: new URLSearchParams(parsed.data).toString(),
    };
  }
  return {
    issues: parsed.error.issues.map((issue) => issue.path.toString()),
    values: {} as z.infer<typeof oidcParamsSchema>,
    isOidc: false,
    compiled: "",
  };
 };
@@ -7,7 +7,7 @@ type IuseRedirectUri = {
 };
 export const useRedirectUri = (
-  redirect_uri: string | undefined,
+  redirect_uri: string | null,
  cookieDomain: string,
 ): IuseRedirectUri => {
  let isValid = false;
@@ -1,40 +0,0 @@
 import { z } from "zod";
 type ScreenParams = {
  login_for?: "oidc" | "app";
  redirect_uri?: string;
  oidc_ticket?: string;
  oidc_scope?: string;
  oidc_name?: string;
 };
 const zodScreenParams = z.object({
  login_for: z.enum(["oidc", "app"]).optional(),
  redirect_uri: z.string().optional(),
  oidc_ticket: z.string().optional(),
  oidc_scope: z.string().optional(),
  oidc_name: z.string().optional(),
 });
 export function useScreenParams(params: URLSearchParams): ScreenParams {
  const paramsObj = Object.fromEntries(params.entries());
  const parsed = zodScreenParams.safeParse(paramsObj);
  if (!parsed.success) {
    return {};
  }
  return parsed.data;
 }
 export function recompileScreenParams(params: ScreenParams): string {
  const p = new URLSearchParams(
    Object.fromEntries(
      Object.entries(params).filter(([, v]) => v !== undefined),
    ) as Record<string, string>,
  ).toString();
  if (p.length > 0) {
    return "?" + p;
  }
  return "";
 }
@@ -1,103 +1,96 @@
 {
-  "loginTitle": "Welcome back, login with",
+    "loginTitle": "Welcome back, login with",
-  "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Welcome back, please login",
-  "loginDivider": "Or",
+    "loginDivider": "Or",
-  "loginUsername": "Username",
+    "loginUsername": "Username",
-  "loginPassword": "Password",
+    "loginPassword": "Password",
-  "loginSubmit": "Login",
+    "loginSubmit": "Login",
-  "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "Failed to log in",
-  "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Please check your username and password",
-  "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-  "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "Logged in",
-  "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "Welcome back!",
-  "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "An error occurred",
-  "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-  "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "Redirecting",
-  "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-  "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-  "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-  "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Redirect now",
-  "continueTitle": "Continue",
+    "continueTitle": "Continue",
-  "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "Redirecting...",
-  "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-  "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Redirect me manually",
-  "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectTitle": "Insecure redirect",
-  "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-  "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-  "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-  "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "Failed to log out",
-  "logoutFailSubtitle": "Please try again",
+    "logoutFailSubtitle": "Please try again",
-  "logoutSuccessTitle": "Logged out",
+    "logoutSuccessTitle": "Logged out",
-  "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "You have been logged out",
-  "logoutTitle": "Logout",
+    "logoutTitle": "Logout",
-  "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-  "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-  "notFoundTitle": "Page not found",
+    "notFoundTitle": "Page not found",
-  "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundSubtitle": "The page you are looking for does not exist.",
-  "notFoundButton": "Go home",
+    "notFoundButton": "Go home",
-  "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "Failed to verify code",
-  "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Please check your code and try again",
-  "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "Verified",
-  "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "Redirecting to your app",
-  "totpTitle": "Enter your TOTP code",
+    "totpTitle": "Enter your TOTP code",
-  "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
-  "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "Unauthorized",
-  "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-  "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-  "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Try again",
-  "cancelTitle": "Cancel",
+    "cancelTitle": "Cancel",
-  "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Forgot your password?",
-  "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-  "errorTitle": "An error occurred",
+    "errorTitle": "An error occurred",
-  "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
-  "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
-  "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-  "fieldRequired": "This field is required",
+    "fieldRequired": "This field is required",
-  "invalidInput": "Invalid input",
+    "invalidInput": "Invalid input",
-  "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Invalid Domain",
-  "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
-  "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "Current:",
-  "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "Expected:",
-  "ignoreTitle": "Ignore",
+    "ignoreTitle": "Ignore",
-  "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain",
-  "authorizeTitle": "Authorize",
+    "authorizeTitle": "Authorize",
-  "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeCardTitle": "Continue to {{app}}?",
-  "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-  "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-  "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingTitle": "Loading...",
-  "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-  "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessTitle": "Authorized",
-  "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-  "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-  "authorizeErrorInvalidParams": "The request is missing required parameters or has invalid parameters. Please check the URL and try again.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
-  "openidScopeName": "OpenID Connect",
+    "openidScopeName": "OpenID Connect",
-  "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-  "emailScopeName": "Email",
+    "emailScopeName": "Email",
-  "emailScopeDescription": "Allows the app to access your email address.",
+    "emailScopeDescription": "Allows the app to access your email address.",
-  "profileScopeName": "Profile",
+    "profileScopeName": "Profile",
-  "profileScopeDescription": "Allows the app to access your profile information.",
+    "profileScopeDescription": "Allows the app to access your profile information.",
-  "groupsScopeName": "Groups",
+    "groupsScopeName": "Groups",
-  "groupsScopeDescription": "Allows the app to access your group information.",
+    "groupsScopeDescription": "Allows the app to access your group information.",
-  "backToLoginButton": "Back to login",
+    "backToLoginButton": "Back to login",
-  "phoneScopeName": "Phone",
+    "phoneScopeName": "Phone",
-  "phoneScopeDescription": "Allows the app to access your phone number.",
+    "phoneScopeDescription": "Allows the app to access your phone number.",
-  "addressScopeName": "Address",
+    "addressScopeName": "Address",
-  "addressScopeDescription": "Allows the app to access your address.",
+    "addressScopeDescription": "Allows the app to access your address.",
-  "loginTailscaleTitle": "Continue with Tailscale",
+    "loginTailscaleTitle": "Continue with Tailscale",
-  "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
+    "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
-  "loginTailscaleDeviceName": "Device name:",
+    "loginTailscaleDeviceName": "Device name:",
-  "loginTailscaleSubmit": "Continue with Tailscale",
+    "loginTailscaleSubmit": "Continue with Tailscale",
-  "loginTailscaleOtherMethod": "Login with another method",
+    "loginTailscaleOtherMethod": "Login with another method",
-  "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
+    "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
-  "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
+    "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-  "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout.",
+    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
  "quickActionsLanguage": "Language",
  "quickActionsTheme": "Theme",
  "quickActionsThemeLight": "Light",
  "quickActionsThemeDark": "Dark",
  "quickActionsThemeSystem": "System",
  "quickActionsLogout": "Logout",
  "quickActionsTitle": "Quick Actions"
 }
@@ -1,103 +1,96 @@
 {
-  "loginTitle": "Welcome back, login with",
+    "loginTitle": "Welcome back, login with",
-  "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Welcome back, please login",
-  "loginDivider": "Or",
+    "loginDivider": "Or",
-  "loginUsername": "Username",
+    "loginUsername": "Username",
-  "loginPassword": "Password",
+    "loginPassword": "Password",
-  "loginSubmit": "Login",
+    "loginSubmit": "Login",
-  "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "Failed to log in",
-  "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Please check your username and password",
-  "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-  "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "Logged in",
-  "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "Welcome back!",
-  "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "An error occurred",
-  "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-  "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "Redirecting",
-  "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-  "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-  "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-  "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Redirect now",
-  "continueTitle": "Continue",
+    "continueTitle": "Continue",
-  "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "Redirecting...",
-  "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-  "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Redirect me manually",
-  "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectTitle": "Insecure redirect",
-  "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-  "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-  "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-  "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "Failed to log out",
-  "logoutFailSubtitle": "Please try again",
+    "logoutFailSubtitle": "Please try again",
-  "logoutSuccessTitle": "Logged out",
+    "logoutSuccessTitle": "Logged out",
-  "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "You have been logged out",
-  "logoutTitle": "Logout",
+    "logoutTitle": "Logout",
-  "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-  "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-  "notFoundTitle": "Page not found",
+    "notFoundTitle": "Page not found",
-  "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundSubtitle": "The page you are looking for does not exist.",
-  "notFoundButton": "Go home",
+    "notFoundButton": "Go home",
-  "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "Failed to verify code",
-  "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Please check your code and try again",
-  "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "Verified",
-  "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "Redirecting to your app",
-  "totpTitle": "Enter your TOTP code",
+    "totpTitle": "Enter your TOTP code",
-  "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
-  "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "Unauthorized",
-  "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-  "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-  "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Try again",
-  "cancelTitle": "Cancel",
+    "cancelTitle": "Cancel",
-  "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Forgot your password?",
-  "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-  "errorTitle": "An error occurred",
+    "errorTitle": "An error occurred",
-  "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
-  "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
-  "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-  "fieldRequired": "This field is required",
+    "fieldRequired": "This field is required",
-  "invalidInput": "Invalid input",
+    "invalidInput": "Invalid input",
-  "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Invalid Domain",
-  "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
-  "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "Current:",
-  "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "Expected:",
-  "ignoreTitle": "Ignore",
+    "ignoreTitle": "Ignore",
-  "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain",
-  "authorizeTitle": "Authorize",
+    "authorizeTitle": "Authorize",
-  "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeCardTitle": "Continue to {{app}}?",
-  "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-  "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-  "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingTitle": "Loading...",
-  "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-  "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessTitle": "Authorized",
-  "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-  "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-  "authorizeErrorInvalidParams": "The request is missing required parameters or has invalid parameters. Please check the URL and try again.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
-  "openidScopeName": "OpenID Connect",
+    "openidScopeName": "OpenID Connect",
-  "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-  "emailScopeName": "Email",
+    "emailScopeName": "Email",
-  "emailScopeDescription": "Allows the app to access your email address.",
+    "emailScopeDescription": "Allows the app to access your email address.",
-  "profileScopeName": "Profile",
+    "profileScopeName": "Profile",
-  "profileScopeDescription": "Allows the app to access your profile information.",
+    "profileScopeDescription": "Allows the app to access your profile information.",
-  "groupsScopeName": "Groups",
+    "groupsScopeName": "Groups",
-  "groupsScopeDescription": "Allows the app to access your group information.",
+    "groupsScopeDescription": "Allows the app to access your group information.",
-  "backToLoginButton": "Back to login",
+    "backToLoginButton": "Back to login",
-  "phoneScopeName": "Phone",
+    "phoneScopeName": "Phone",
-  "phoneScopeDescription": "Allows the app to access your phone number.",
+    "phoneScopeDescription": "Allows the app to access your phone number.",
-  "addressScopeName": "Address",
+    "addressScopeName": "Address",
-  "addressScopeDescription": "Allows the app to access your address.",
+    "addressScopeDescription": "Allows the app to access your address.",
-  "loginTailscaleTitle": "Continue with Tailscale",
+    "loginTailscaleTitle": "Continue with Tailscale",
-  "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
+    "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
-  "loginTailscaleDeviceName": "Device name:",
+    "loginTailscaleDeviceName": "Device name:",
-  "loginTailscaleSubmit": "Continue with Tailscale",
+    "loginTailscaleSubmit": "Continue with Tailscale",
-  "loginTailscaleOtherMethod": "Login with another method",
+    "loginTailscaleOtherMethod": "Login with another method",
-  "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
+    "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
-  "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
+    "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-  "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout.",
+    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
  "quickActionsLanguage": "Language",
  "quickActionsTheme": "Theme",
  "quickActionsThemeLight": "Light",
  "quickActionsThemeDark": "Dark",
  "quickActionsThemeSystem": "System",
  "quickActionsLogout": "Logout",
  "quickActionsTitle": "Quick Actions"
 }
@@ -35,10 +35,7 @@ createRoot(document.getElementById("root")!).render(
                    <Route element={<Layout />} errorElement={<ErrorPage />}>
                      <Route path="/" element={<App />} />
                      <Route path="/login" element={<LoginPage />} />
-                      <Route
+                      <Route path="/authorize" element={<AuthorizePage />} />
                        path="/oidc/authorize"
                        element={<AuthorizePage />}
                      />
                      <Route path="/logout" element={<LogoutPage />} />
                      <Route path="/continue" element={<ContinuePage />} />
                      <Route path="/totp" element={<TotpPage />} />
@@ -1,5 +1,5 @@
 import { useUserContext } from "@/context/user-context";
-import { useMutation } from "@tanstack/react-query";
+import { useMutation, useQuery } from "@tanstack/react-query";
 import { Navigate, useNavigate } from "react-router";
 import { useLocation } from "react-router";
 import {
@@ -10,9 +10,11 @@ import {
  CardFooter,
  CardContent,
 } from "@/components/ui/card";
 import { getOidcClientInfoSchema } from "@/schemas/oidc-schemas";
 import { Button } from "@/components/ui/button";
 import axios from "axios";
 import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
 import { Mail, MapPin, Phone, Shield, User, Users } from "lucide-react";
@@ -21,10 +23,6 @@ import {
  TooltipContent,
  TooltipTrigger,
 } from "@/components/ui/tooltip";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 type Scope = {
  id: string;
@@ -86,17 +84,27 @@ export const AuthorizePage = () => {
  const scopeMap = createScopeMap(t);
  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
+  const oidcParams = useOIDCParams(searchParams);
-  const isOidc = screenParams.login_for === "oidc";
+
-  const compiledParams = recompileScreenParams(screenParams);
+  const getClientInfo = useQuery({
    queryKey: ["client", oidcParams.values.client_id],
    queryFn: async () => {
      const res = await fetch(
        `/api/oidc/clients/${encodeURIComponent(oidcParams.values.client_id)}`,
      );
      const data = await getOidcClientInfoSchema.parseAsync(await res.json());
      return data;
    },
    enabled: oidcParams.isOidc,
  });
  const authorizeMutation = useMutation({
    mutationFn: () => {
-      return axios.post("/api/oidc/authorize-complete", {
+      return axios.post("/api/oidc/authorize", {
-        ticket: screenParams.oidc_ticket,
+        ...oidcParams.values,
      });
    },
-    mutationKey: ["authorize", screenParams.oidc_ticket],
+    mutationKey: ["authorize", oidcParams.values.client_id],
    onSuccess: (data) => {
      toast.info(t("authorizeSuccessTitle"), {
        description: t("authorizeSuccessSubtitle"),
@@ -110,32 +118,56 @@ export const AuthorizePage = () => {
    },
  });
-  if (!isOidc || !screenParams.oidc_ticket || !screenParams.oidc_scope) {
+  if (oidcParams.issues.length > 0) {
    return (
      <Navigate
-        to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
+        to={`/error?error=${encodeURIComponent(t("authorizeErrorMissingParams", { missingParams: oidcParams.issues.join(", ") }))}`}
        replace
      />
    );
  }
  if (!auth.authenticated) {
-    return <Navigate to={`/login${compiledParams}`} replace />;
+    return <Navigate to={`/login?${oidcParams.compiled}`} replace />;
  }
  if (getClientInfo.isLoading) {
    return (
      <Card className="gap-0">
        <CardHeader>
          <CardTitle className="text-xl">
            {t("authorizeLoadingTitle")}
          </CardTitle>
        </CardHeader>
        <CardContent>
          <CardDescription>{t("authorizeLoadingSubtitle")}</CardDescription>
        </CardContent>
      </Card>
    );
  }
  if (getClientInfo.isError) {
    return (
      <Navigate
        to={`/error?error=${encodeURIComponent(t("authorizeErrorClientInfo"))}`}
        replace
      />
    );
  }
  const scopes =
-    screenParams.oidc_scope.split(" ").filter((s) => s.trim() !== "") || [];
+    oidcParams.values.scope.split(" ").filter((s) => s.trim() !== "") || [];
  return (
    <Card>
      <CardHeader className="mb-2">
        <div className="flex flex-col gap-3 items-center justify-center text-center">
          <div className="bg-accent-foreground box-content text-muted text-xl font-bold font-sans rounded-lg size-8 p-2 flex items-center justify-center">
-            {screenParams.oidc_name ? screenParams.oidc_name.slice(0, 1) : "U"}
+            {getClientInfo.data?.name.slice(0, 1) || "U"}
          </div>
          <CardTitle className="text-xl">
            {t("authorizeCardTitle", {
-              app: screenParams.oidc_name || "Unknown",
+              app: getClientInfo.data?.name || "Unknown",
            })}
          </CardTitle>
          <CardDescription className="text-sm max-w-sm">
@@ -174,7 +206,7 @@ export const AuthorizePage = () => {
          {t("authorizeTitle")}
        </Button>
        <Button
-          onClick={() => navigate(`/logout${compiledParams}`)}
+          onClick={() => navigate("/")}
          disabled={authorizeMutation.isPending}
          variant="outline"
        >
@@ -12,10 +12,6 @@ import { Trans, useTranslation } from "react-i18next";
 import { Navigate, useLocation, useNavigate } from "react-router";
 import { useCallback, useEffect, useRef, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 export const ContinuePage = () => {
  const { app, ui } = useAppContext();
@@ -29,10 +25,7 @@ export const ContinuePage = () => {
  const hasRedirected = useRef(false);
  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
+  const redirectUri = searchParams.get("redirect_uri");
  const redirectUri = screenParams.redirect_uri;
  const isAppLogin = screenParams.login_for === "app";
  const recompiledParams = recompileScreenParams(screenParams);
  const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
    redirectUri,
@@ -50,8 +43,7 @@ export const ContinuePage = () => {
    auth.authenticated &&
    hasValidRedirect &&
    !showUntrustedWarning &&
-    !showInsecureWarning &&
+    !showInsecureWarning;
    isAppLogin;
  const redirectToTarget = useCallback(() => {
    if (!urlHref || hasRedirected.current) {
@@ -87,10 +79,15 @@ export const ContinuePage = () => {
  }, [shouldAutoRedirect, redirectToTarget]);
  if (!auth.authenticated) {
-    return <Navigate to={`/login${recompiledParams}`} replace />;
+    return (
      <Navigate
        to={`/login${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
        replace
      />
    );
  }
-  if (!hasValidRedirect || !isAppLogin) {
+  if (!hasValidRedirect) {
    return <Navigate to="/logout" replace />;
  }
@@ -11,7 +11,7 @@ export const ErrorPage = () => {
  const { t } = useTranslation();
  const { search } = useLocation();
  const searchParams = new URLSearchParams(search);
-  const error = searchParams.get("error") || "";
+  const error = searchParams.get("error") ?? "";
  return (
    <Card>
@@ -11,18 +11,12 @@ import { useAppContext } from "@/context/app-context";
 import { useTranslation } from "react-i18next";
 import Markdown from "react-markdown";
 import { useLocation } from "react-router";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 export const ForgotPasswordPage = () => {
  const { ui } = useAppContext();
  const { t } = useTranslation();
  const { search } = useLocation();
  const searchParams = new URLSearchParams(search);
  const screenParams = useScreenParams(searchParams);
  const compiledParams = recompileScreenParams(screenParams);
  return (
    <Card>
@@ -43,7 +37,10 @@ export const ForgotPasswordPage = () => {
          className="w-full"
          variant="outline"
          onClick={() => {
-            window.location.replace(`/login${compiledParams}`);
+            const eparams = searchParams.toString();
            window.location.replace(
              `/login${eparams.length > 0 ? `?${eparams}` : ""}`,
            );
          }}
        >
          {t("backToLoginButton")}
@@ -18,6 +18,7 @@ import { OAuthButton } from "@/components/ui/oauth-button";
 import { SeperatorWithChildren } from "@/components/ui/separator";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
@@ -25,11 +26,6 @@ import { useEffect, useId, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 import { useLoginFor } from "@/lib/hooks/login-for";
 const iconMap: Record<string, React.ReactNode> = {
  google: <GoogleIcon />,
@@ -50,9 +46,7 @@ export const LoginPage = () => {
  const { t } = useTranslation();
  const [showRedirectButton, setShowRedirectButton] = useState(false);
-  const [useTailscale, setUseTailscale] = useState(
+  const [useTailscale, setUseTailscale] = useState(tailscale.nodeName !== undefined);
    tailscale.nodeName !== undefined,
  );
  const hasAutoRedirectedRef = useRef(false);
@@ -62,22 +56,17 @@ export const LoginPage = () => {
  const formId = useId();
  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
+  const redirectUri = searchParams.get("redirect_uri") || undefined;
-  const compiledParams = recompileScreenParams(screenParams);
+  const oidcParams = useOIDCParams(searchParams);
  const loginForUrl = useLoginFor({
    login_for: screenParams.login_for,
    compiledParams,
  });
  const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
    providers.find((provider) => provider.id === oauth.autoRedirect) !==
-      undefined && screenParams.redirect_uri !== undefined,
+      undefined && redirectUri !== undefined,
  );
  const oauthProviders = providers.filter(
    (provider) => provider.id !== "local" && provider.id !== "ldap",
  );
  const userAuthConfigured =
    providers.find(
      (provider) => provider.id === "local" || provider.id === "ldap",
@@ -90,7 +79,16 @@ export const LoginPage = () => {
    variables: oauthVariables,
  } = useMutation({
    mutationFn: (provider: string) => {
-      return axios.get(`/api/oauth/url/${provider}${compiledParams}`);
+      const getParams = function (): string {
        if (oidcParams.isOidc) {
          return `?${oidcParams.compiled}`;
        }
        if (redirectUri) {
          return `?redirect_uri=${encodeURIComponent(redirectUri)}`;
        }
        return "";
      };
      return axios.get(`/api/oauth/url/${provider}${getParams()}`);
    },
    mutationKey: ["oauth"],
    onSuccess: (data) => {
@@ -121,7 +119,13 @@ export const LoginPage = () => {
    mutationKey: ["login"],
    onSuccess: (data) => {
      if (data.data.totpPending) {
-        window.location.replace(`/totp${compiledParams}`);
+        if (oidcParams.isOidc) {
          window.location.replace(`/totp?${oidcParams.compiled}`);
          return;
        }
        window.location.replace(
          `/totp${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
        );
        return;
      }
@@ -130,7 +134,13 @@ export const LoginPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace(loginForUrl);
+        if (oidcParams.isOidc) {
          window.location.replace(`/authorize?${oidcParams.compiled}`);
          return;
        }
        window.location.replace(
          `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
        );
      }, 500);
    },
    onError: (error: AxiosError) => {
@@ -153,7 +163,13 @@ export const LoginPage = () => {
        });
        redirectTimer.current = window.setTimeout(() => {
-          window.location.replace(loginForUrl);
+          if (oidcParams.isOidc) {
            window.location.replace(`/authorize?${oidcParams.compiled}`);
            return;
          }
          window.location.replace(
            `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
          );
        }, 500);
      },
      onError: () => {
@@ -168,8 +184,7 @@ export const LoginPage = () => {
      !auth.authenticated &&
      isOauthAutoRedirect &&
      !hasAutoRedirectedRef.current &&
-      screenParams.redirect_uri &&
+      redirectUri !== undefined
      screenParams.login_for
    ) {
      hasAutoRedirectedRef.current = true;
      oauthMutate(oauth.autoRedirect);
@@ -180,8 +195,7 @@ export const LoginPage = () => {
    hasAutoRedirectedRef,
    oauth.autoRedirect,
    isOauthAutoRedirect,
-    screenParams.login_for,
+    redirectUri,
    screenParams.redirect_uri,
  ]);
  useEffect(() => {
@@ -196,8 +210,21 @@ export const LoginPage = () => {
    };
  }, [redirectTimer, redirectButtonTimer]);
  if (auth.authenticated && oidcParams.isOidc) {
    return <Navigate to={`/authorize?${oidcParams.compiled}`} replace />;
  }
  if (auth.authenticated && redirectUri !== undefined) {
    return (
      <Navigate
        to={`/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
        replace
      />
    );
  }
  if (auth.authenticated) {
-    return <Navigate to={loginForUrl} replace />;
+    return <Navigate to="/logout" replace />;
  }
  if (isOauthAutoRedirect) {
@@ -15,21 +15,12 @@ import { Navigate } from "react-router";
 import { toast } from "sonner";
 import { type UseMutationResult } from "@tanstack/react-query";
 import { type AxiosResponse } from "axios";
 import { useLocation } from "react-router";
 import {
  useScreenParams,
  recompileScreenParams,
 } from "@/lib/hooks/screen-params";
 export const LogoutPage = () => {
  const { auth, oauth, tailscale } = useUserContext();
  const { t } = useTranslation();
  const { search } = useLocation();
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
  const screenParams = useScreenParams(searchParams);
  const compiledParams = recompileScreenParams(screenParams);
  const logoutMutation = useMutation({
    mutationFn: () => axios.post("/api/user/logout"),
@@ -40,7 +31,7 @@ export const LogoutPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace(`/login${compiledParams}`);
+        window.location.replace("/login");
      }, 500);
    },
    onError: () => {
@@ -59,7 +50,7 @@ export const LogoutPage = () => {
  }, [redirectTimer]);
  if (!auth.authenticated) {
-    return <Navigate to={`/login${compiledParams}`} replace />;
+    return <Navigate to="/login" replace />;
  }
  if (oauth.active) {
@@ -16,14 +16,10 @@ import { useEffect, useId, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
-import {
+import { useOIDCParams } from "@/lib/hooks/oidc";
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 import { useLoginFor } from "@/lib/hooks/login-for";
 export const TotpPage = () => {
-  const { totp, auth } = useUserContext();
+  const { totp } = useUserContext();
  const { t } = useTranslation();
  const { search } = useLocation();
  const formId = useId();
@@ -31,12 +27,8 @@ export const TotpPage = () => {
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
+  const redirectUri = searchParams.get("redirect_uri") || undefined;
-  const compiledParams = recompileScreenParams(screenParams);
+  const oidcParams = useOIDCParams(searchParams);
  const loginForUrl = useLoginFor({
    login_for: screenParams.login_for,
    compiledParams,
  });
  const totpMutation = useMutation({
    mutationFn: (values: TotpSchema) => axios.post("/api/user/totp", values),
@@ -47,7 +39,14 @@ export const TotpPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace(loginForUrl);
+        if (oidcParams.isOidc) {
          window.location.replace(`/authorize?${oidcParams.compiled}`);
          return;
        }
        window.location.replace(
          `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
        );
      }, 500);
    },
    onError: () => {
@@ -66,10 +65,7 @@ export const TotpPage = () => {
  }, [redirectTimer]);
  if (!totp.pending) {
-    if (auth.authenticated) {
+    return <Navigate to="/" replace />;
      return <Navigate to={loginForUrl} replace />;
    }
    return <Navigate to={`/login${compiledParams}`} replace />;
  }
  return (
@@ -0,0 +1,5 @@
 import { z } from "zod";
 export const getOidcClientInfoSchema = z.object({
  name: z.string(),
 });
@@ -57,11 +57,6 @@ export default defineConfig({
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/robots.txt/, ""),
      },
      "/authorize": {
        target: "http://tinyauth-backend:3000/authorize",
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/authorize/, ""),
      },
    },
    allowedHosts: true,
  },
@@ -9,7 +9,6 @@ require (
 	github.com/gin-gonic/gin v1.12.0
 	github.com/go-jose/go-jose/v4 v4.1.4
 	github.com/go-ldap/ldap/v3 v3.4.13
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/go-querystring v1.2.0
 	github.com/google/uuid v1.6.0
@@ -21,7 +20,6 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3
 	go.uber.org/dig v1.19.0
 	golang.org/x/crypto v0.52.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/tools v0.45.0
@@ -216,8 +216,6 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
 github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
@@ -485,8 +483,6 @@ go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09
 go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
 go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
 go.uber.org/dig v1.19.0 h1:BACLhebsYdpQ7IROQ1AGPjrXcP5dF80U3gKoFzbaq/4=
 go.uber.org/dig v1.19.0/go.mod h1:Us0rSJiThwCv2GteUN0Q7OKvU7n5J4dxZ9JKUXozFdE=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
@@ -18,7 +18,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"go.uber.org/dig"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -57,7 +56,6 @@ type BootstrapApp struct {
 	db        *sql.DB
 	ding      *ding.Ding
 	listeners []Listener
 	dig       *dig.Container
 }
 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -72,11 +70,7 @@ func (app *BootstrapApp) Setup() error {
 	app.ctx = ctx
 	app.cancel = cancel
-	// create the dig container
+	// Create a ding instance
 	c := dig.New()
 	app.dig = c
 	// create a ding instance
 	dg := ding.New(ctx)
 	app.ding = dg
@@ -163,6 +157,12 @@ func (app *BootstrapApp) Setup() error {
 		app.runtime.OAuthProviders[id] = provider
 	}
 	// setup oidc clients
 	for id, client := range app.config.OIDC.Clients {
 		client.ID = id
 		app.runtime.OIDCClients = append(app.runtime.OIDCClients, client)
 	}
 	// cookie domain
 	cookieDomainResolver := utils.GetCookieDomain
@@ -211,33 +211,6 @@ func (app *BootstrapApp) Setup() error {
 	// store
 	app.queries = store
 	// provide basic utilities to container
 	type utilityProvider struct {
 		dig.Out
 		Log     *logger.Logger
 		Config  *model.Config
 		Runtime *model.RuntimeConfig
 		Ding    *ding.Ding
 		Ctx     context.Context
 		Queries repository.Store
 	}
 	err = app.dig.Provide(func() utilityProvider {
 		return utilityProvider{
 			Log:     app.log,
 			Config:  &app.config,
 			Runtime: &app.runtime,
 			Ding:    app.ding,
 			Ctx:     app.ctx,
 			Queries: app.queries,
 		}
 	})
 	if err != nil {
 		return fmt.Errorf("failed to provide utilities to container: %w", err)
 	}
 	// services
 	err = app.setupServices()
@@ -13,7 +13,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 )
@@ -41,119 +40,31 @@ func (app *BootstrapApp) setupRouter() error {
 		}
 	}
-	err := app.dig.Provide(middleware.NewContextMiddleware)
+	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService, app.services.tailscaleService)
 	engine.Use(contextMiddleware.Middleware())
 	uiMiddleware, err := middleware.NewUIMiddleware()
 	if err != nil {
-		return fmt.Errorf("failed to provide context middleware: %w", err)
+		return fmt.Errorf("failed to initialize UI middleware: %w", err)
 	}
-	err = app.dig.Provide(middleware.NewUIMiddleware)
+	engine.Use(uiMiddleware.Middleware())
-	if err != nil {
+	zerologMiddleware := middleware.NewZerologMiddleware(app.log)
 		return fmt.Errorf("failed to provide ui middleware: %w", err)
 	}
-	err = app.dig.Provide(middleware.NewZerologMiddleware)
+	engine.Use(zerologMiddleware.Middleware())
-	if err != nil {
+	apiRouter := engine.Group("/api")
 		return fmt.Errorf("failed to provide zerolog middleware: %w", err)
 	}
-	type middlewareInput struct {
+	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-		dig.In
+	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
-
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
-		ContextMiddleware *middleware.ContextMiddleware
+	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
-		UIMiddleware      *middleware.UIMiddleware
+	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
-		ZerologMiddleware *middleware.ZerologMiddleware
+	controller.NewResourcesController(app.config, &engine.RouterGroup)
-	}
+	controller.NewHealthController(apiRouter)
-
+	controller.NewWellKnownController(app.services.oidcService, &engine.RouterGroup)
 	err = app.dig.Invoke(func(mi middlewareInput) {
 		engine.Use(mi.ContextMiddleware.Middleware())
 		engine.Use(mi.UIMiddleware.Middleware())
 		engine.Use(mi.ZerologMiddleware.Middleware())
 	})
 	if err != nil {
 		return fmt.Errorf("failed to invoke middleware: %w", err)
 	}
 	err = app.dig.Provide(func() *gin.RouterGroup {
 		return &engine.RouterGroup
 	}, dig.Name("mainRouterGroup"))
 	if err != nil {
 		return fmt.Errorf("failed to provide main router group: %w", err)
 	}
 	err = app.dig.Provide(func() *gin.RouterGroup {
 		return engine.Group("/api")
 	}, dig.Name("apiRouterGroup"))
 	if err != nil {
 		return fmt.Errorf("failed to provide api router group: %w", err)
 	}
 	err = app.dig.Provide(controller.NewContextController)
 	if err != nil {
 		return fmt.Errorf("failed to provide context controller: %w", err)
 	}
 	err = app.dig.Provide(controller.NewOAuthController)
 	if err != nil {
 		return fmt.Errorf("failed to provide oauth controller: %w", err)
 	}
 	err = app.dig.Provide(controller.NewOIDCController)
 	if err != nil {
 		return fmt.Errorf("failed to provide oidc controller: %w", err)
 	}
 	err = app.dig.Provide(controller.NewProxyController)
 	if err != nil {
 		return fmt.Errorf("failed to provide proxy controller: %w", err)
 	}
 	err = app.dig.Provide(controller.NewUserController)
 	if err != nil {
 		return fmt.Errorf("failed to provide user controller: %w", err)
 	}
 	err = app.dig.Provide(controller.NewResourcesController)
 	if err != nil {
 		return fmt.Errorf("failed to provide resources controller: %w", err)
 	}
 	err = app.dig.Provide(controller.NewHealthController)
 	if err != nil {
 		return fmt.Errorf("failed to provide health controller: %w", err)
 	}
 	err = app.dig.Provide(controller.NewWellKnownController)
 	if err != nil {
 		return fmt.Errorf("failed to provide well-known controller: %w", err)
 	}
 	type controllerInput struct {
 		dig.In
 		ContextController   *controller.ContextController
 		OAuthController     *controller.OAuthController
 		OIDCController      *controller.OIDCController
 		ProxyController     *controller.ProxyController
 		UserController      *controller.UserController
 		ResourcesController *controller.ResourcesController
 		HealthController    *controller.HealthController
 		WellKnownController *controller.WellKnownController
 	}
 	// force dig to build all controllers and register their routes
 	err = app.dig.Invoke(func(ci controllerInput) error {
 		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to invoke controllers: %w", err)
 	}
 	app.router = engine
 	return nil
@@ -5,84 +5,54 @@ import (
 	"os"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"go.uber.org/dig"
 )
 func (app *BootstrapApp) setupServices() error {
-	err := app.setupPolicyEngine()
+	ldapService, err := service.NewLdapService(app.log, app.config, app.ding)
 	if err != nil {
-		return fmt.Errorf("failed to setup policy engine: %w", err)
+		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
 	}
 	app.services.ldapService = ldapService
 	labelProvider, err := app.getLabelProvider()
 	if err != nil {
-		return fmt.Errorf("failed to get label provider: %w", err)
+		return fmt.Errorf("failed to initialize label provider: %w", err)
 	}
-	err = app.dig.Provide(func() service.LabelProvider {
+	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, app.ding)
 		return labelProvider
 	})
 	if err != nil {
-		return fmt.Errorf("failed to provide label provider: %w", err)
+		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
 	}
-	err = app.dig.Provide(service.NewLdapService)
+	app.services.tailscaleService = tailscaleService
 	if err != nil {
 		return fmt.Errorf("failed to provide ldap service: %w", err)
 	}
-	err = app.dig.Provide(service.NewTailscaleService)
+	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
-	if err != nil {
+	app.services.accessControlService = accessControlsService
 		return fmt.Errorf("failed to provide tailscale service: %w", err)
 	}
-	err = app.dig.Provide(service.NewAccessControlsService)
+	err = app.setupPolicyEngine()
 	if err != nil {
 		return fmt.Errorf("failed to provide access controls service: %w", err)
 	}
 	err = app.dig.Provide(service.NewOAuthBrokerService)
 	if err != nil {
 		return fmt.Errorf("failed to provide oauth broker service: %w", err)
 	}
 	err = app.dig.Provide(service.NewAuthService)
 	if err != nil {
 		return fmt.Errorf("failed to provide auth service: %w", err)
 	}
 	err = app.dig.Provide(service.NewOIDCService)
 	if err != nil {
 		return fmt.Errorf("failed to provide oidc service: %w", err)
 	}
 	type svcInput struct {
 		dig.In
 		AccessControlService *service.AccessControlsService
 		AuthService          *service.AuthService
 		LDAPService          *service.LdapService
 		OAuthBrokerService   *service.OAuthBrokerService
 		OIDCService          *service.OIDCService
 		TailscaleService     *service.TailscaleService
 	}
 	err = app.dig.Invoke(func(i svcInput) error {
 		app.services.accessControlService = i.AccessControlService
 		app.services.authService = i.AuthService
 		app.services.ldapService = i.LDAPService
 		app.services.oauthBrokerService = i.OAuthBrokerService
 		app.services.tailscaleService = i.TailscaleService
 		return nil
 	})
 	if err != nil {
-		return fmt.Errorf("failed to invoke services: %w", err)
+		return fmt.Errorf("failed to initialize policy engine: %w", err)
 	}
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService
 	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
 	app.services.authService = authService
 	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)
 	if err != nil {
 		return fmt.Errorf("failed to initialize oidc service: %w", err)
 	}
 	app.services.oidcService = oidcService
 	return nil
 }
@@ -99,93 +69,66 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 		if useKubernetes {
 			app.log.App.Debug().Msg("Using Kubernetes label provider")
-			err := app.dig.Provide(service.NewKubernetesService)
+			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, app.ding)
 			if err != nil {
-				return nil, fmt.Errorf("failed to provide kubernetes service: %w", err)
+				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
 			}
-			err = app.dig.Invoke(func(k *service.KubernetesService) error {
+			app.services.kubernetesService = kubernetesService
-				app.services.kubernetesService = k
+			return kubernetesService, nil
 				return nil
 			})
 			if err != nil {
 				return nil, fmt.Errorf("failed to invoke kubernetes service: %w", err)
 			}
 			// Kubernetes will fail to initialize with an error if it cannot connect to the cluster
 			// but just to be safe, we check if the service is nil and log a warning if it is
 			if app.services.kubernetesService == nil {
 				if app.config.LabelProvider == "kubernetes" {
 					app.log.App.Warn().Msg("Kubernetes label provider selected but Kubernetes is not available, will continue without it")
 				}
 				return nil, nil
 			}
 			return app.services.kubernetesService, nil
 		}
 		app.log.App.Debug().Msg("Using Docker label provider")
-		err := app.dig.Provide(service.NewDockerService)
+		dockerService, err := service.NewDockerService(app.log, app.ctx, app.ding)
 		if err != nil {
-			return nil, fmt.Errorf("failed to provide docker service: %w", err)
+			return nil, fmt.Errorf("failed to initialize docker service: %w", err)
 		}
-		err = app.dig.Invoke(func(d *service.DockerService) error {
+		if dockerService == nil {
 			app.services.dockerService = d
 			return nil
 		})
 		if err != nil {
 			return nil, fmt.Errorf("failed to invoke docker service: %w", err)
 		}
 		if app.services.dockerService == nil {
 			if app.config.LabelProvider == "docker" {
 				app.log.App.Warn().Msg("Docker label provider selected but Docker is not available, will continue without it")
 			}
 			return nil, nil
 		}
-		return app.services.dockerService, nil
+		app.services.dockerService = dockerService
 		return dockerService, nil
 	default:
 		return nil, fmt.Errorf("invalid label provider: %s", app.config.LabelProvider)
 	}
 }
 func (app *BootstrapApp) setupPolicyEngine() error {
-	err := app.dig.Provide(service.NewPolicyEngine)
+	policyEngine, err := service.NewPolicyEngine(app.config, app.log)
 	if err != nil {
-		return fmt.Errorf("failed to create policy engine: %w", err)
+		return fmt.Errorf("failed to initialize policy engine: %w", err)
 	}
-	err = app.dig.Invoke(func(policyEngine *service.PolicyEngine) error {
+	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
-		policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
+		Log: app.log,
-			Log: app.log,
+	})
-		})
+	policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
-		policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
+		Log: app.log,
-			Log: app.log,
+	})
-		})
+	policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
-		policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
+		Log: app.log,
-			Log: app.log,
+	})
-		})
+	policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
-		policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
+		Log: app.log,
-			Log: app.log,
+	})
-		})
+	policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
-		policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
+		Log:    app.log,
-			Log:    app.log,
+		Config: app.config,
-			Config: app.config,
+	})
-		})
+	policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
-		policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
+		Log:    app.log,
-			Log:    app.log,
+		Config: app.config,
 			Config: app.config,
 		})
 		return nil
 	})
-	return err
+	app.services.policyEngine = policyEngine
 	return nil
 }
@@ -3,7 +3,6 @@ package controller
 import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 )
@@ -72,33 +71,29 @@ type AppContextResponse struct {
 	App     ACRApp   `json:"app"`
 }
 type ContextControllerInput struct {
 	dig.In
 	Log         *logger.Logger
 	Config      *model.Config
 	Runtime     *model.RuntimeConfig
 	RouterGroup *gin.RouterGroup `name:"apiRouterGroup"`
 }
 type ContextController struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 }
-func NewContextController(i ContextControllerInput) *ContextController {
+func NewContextController(
 	log *logger.Logger,
 	config model.Config,
 	runtimeConfig model.RuntimeConfig,
 	router *gin.RouterGroup,
 ) *ContextController {
 	controller := &ContextController{
-		log:     i.Log,
+		log:     log,
-		config:  i.Config,
+		config:  config,
-		runtime: i.Runtime,
+		runtime: runtimeConfig,
 	}
-	if !i.Config.UI.WarningsEnabled {
+	if !config.UI.WarningsEnabled {
-		i.Log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
+		log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
 	}
-	contextGroup := i.RouterGroup.Group("/context")
+	contextGroup := router.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
@@ -121,12 +121,7 @@ func TestContextController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
-			controller.NewContextController(controller.ContextControllerInput{
+			controller.NewContextController(log, cfg, runtime, group)
 				Log:         log,
 				Config:      &cfg,
 				Runtime:     &runtime,
 				RouterGroup: group,
 			})
 			recorder := httptest.NewRecorder()
@@ -1,12 +1,5 @@
 package controller
 type FrontendLoginFor string
 const (
 	FrontendLoginForOIDC FrontendLoginFor = "oidc"
 	FrontendLoginForApp  FrontendLoginFor = "app"
 )
 type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
@@ -15,6 +8,5 @@ type UnauthorizedQuery struct {
 }
 type RedirectQuery struct {
-	RedirectURI string           `url:"redirect_uri"`
+	RedirectURI string `url:"redirect_uri"`
 	LoginFor    FrontendLoginFor `url:"login_for"`
 }
@@ -1,24 +1,15 @@
 package controller
-import (
+import "github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin"
 	"go.uber.org/dig"
 )
 type HealthController struct {
 }
-type HealthControllerInput struct {
+func NewHealthController(router *gin.RouterGroup) *HealthController {
 	dig.In
 	RouterGroup *gin.RouterGroup `name:"apiRouterGroup"`
 }
 func NewHealthController(i HealthControllerInput) *HealthController {
 	controller := &HealthController{}
-	i.RouterGroup.GET("/healthz", controller.healthHandler)
+	router.GET("/healthz", controller.healthHandler)
-	i.RouterGroup.HEAD("/healthz", controller.healthHandler)
+	router.HEAD("/healthz", controller.healthHandler)
 	return controller
 }
@@ -55,9 +55,7 @@ func TestHealthController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
-			controller.NewHealthController(controller.HealthControllerInput{
+			controller.NewHealthController(group)
 				RouterGroup: group,
 			})
 			recorder := httptest.NewRecorder()
@@ -11,7 +11,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -23,30 +22,26 @@ type OAuthRequest struct {
 type OAuthController struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 	auth    *service.AuthService
 }
-type OAuthControllerInput struct {
+func NewOAuthController(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log           *logger.Logger
+	runtimeConfig model.RuntimeConfig,
-	Config        *model.Config
+	router *gin.RouterGroup,
-	RuntimeConfig *model.RuntimeConfig
+	auth *service.AuthService,
-	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+) *OAuthController {
 	AuthService   *service.AuthService
 }
 func NewOAuthController(i OAuthControllerInput) *OAuthController {
 	controller := &OAuthController{
-		log:     i.Log,
+		log:     log,
-		config:  i.Config,
+		config:  config,
-		runtime: i.RuntimeConfig,
+		runtime: runtimeConfig,
-		auth:    i.AuthService,
+		auth:    auth,
 	}
-	oauthGroup := i.RouterGroup.Group("/oauth")
+	oauthGroup := router.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
@@ -66,7 +61,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
-	var reqParams service.OAuthCallbackParams
+	var reqParams service.OAuthURLParams
 	err = c.BindQuery(&reqParams)
@@ -88,7 +83,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		}
 	}
-	sessionId, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
+	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create new OAuth session")
@@ -277,14 +272,13 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/oidc/authorize?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 	if oauthPendingSession.CallbackParams.RedirectURI != "" {
 		queries, err := query.Values(RedirectQuery{
 			RedirectURI: oauthPendingSession.CallbackParams.RedirectURI,
 			LoginFor:    FrontendLoginForApp,
 		})
 		if err != nil {
@@ -300,8 +294,11 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, controller.runtime.AppURL)
 }
-func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackParams) bool {
+func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
-	return params.LoginFor == string(FrontendLoginForOIDC)
+	return params.Scope != "" &&
 		params.ResponseType != "" &&
 		params.ClientID != "" &&
 		params.RedirectURI != ""
 }
 func (controller *OAuthController) getCookieDomain() string {
@@ -9,9 +9,7 @@ import (
 	"strings"
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
 	"github.com/google/go-querystring/query"
 	"go.uber.org/dig"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
@@ -25,13 +23,12 @@ type authorizeErrorParams struct {
 	callback      string
 	callbackError string
 	state         string
 	json          bool
 }
 type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 }
 type AuthorizeCallback struct {
@@ -68,39 +65,20 @@ type ClientCredentials struct {
 	ClientSecret string
 }
-type AuthorizeScreenParams struct {
+func NewOIDCController(
-	LoginFor   FrontendLoginFor `url:"login_for"`
+	log *logger.Logger,
-	OIDCTicket string           `url:"oidc_ticket"`
+	oidcService *service.OIDCService,
-	OIDCScope  string           `url:"oidc_scope"`
+	runtimeConfig model.RuntimeConfig,
-	OIDCName   string           `url:"oidc_name"`
+	router *gin.RouterGroup) *OIDCController {
 }
 type AuthorizeCompleteRequest struct {
 	Ticket string `json:"ticket" binding:"required"`
 }
 type OIDCControllerInput struct {
 	dig.In
 	Log           *logger.Logger
 	OIDCService   *service.OIDCService
 	RuntimeConfig *model.RuntimeConfig
 	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
 	MainRouter    *gin.RouterGroup `name:"mainRouterGroup"`
 }
 func NewOIDCController(i OIDCControllerInput) *OIDCController {
 	controller := &OIDCController{
-		log:     i.Log,
+		log:     log,
-		oidc:    i.OIDCService,
+		oidc:    oidcService,
-		runtime: i.RuntimeConfig,
+		runtime: runtimeConfig,
 	}
-	i.MainRouter.POST("/authorize", controller.authorize)
+	oidcGroup := router.Group("/oidc")
-	i.MainRouter.GET("/authorize", controller.authorize)
+	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
-
+	oidcGroup.POST("/authorize", controller.Authorize)
 	oidcGroup := i.RouterGroup.Group("/oidc")
 	oidcGroup.POST("/authorize-complete", controller.authorizeComplete)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 	oidcGroup.POST("/userinfo", controller.Userinfo)
@@ -108,10 +86,47 @@ func NewOIDCController(i OIDCControllerInput) *OIDCController {
 	return controller
 }
-// This endpoint does **not** return a code, it handles param validation, ticket creation
+func (controller *OIDCController) GetClientInfo(c *gin.Context) {
-// and then redirects to the frontend to handle the consent screen. It performs no destructive
+	if controller.oidc == nil {
-// actions (like logging out an existing session)
+		controller.log.App.Warn().Msg("Received OIDC client info request but OIDC server is not configured")
-func (controller *OIDCController) authorize(c *gin.Context) {
+		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "OIDC not configured",
 		})
 		return
 	}
 	var req ClientRequest
 	err := c.BindUri(&req)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
 		})
 		return
 	}
 	client, ok := controller.oidc.GetClient(req.ClientID)
 	if !ok {
 		controller.log.App.Warn().Str("clientId", req.ClientID).Msg("Client not found")
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Client not found",
 		})
 		return
 	}
 	c.JSON(200, gin.H{
 		"status": 200,
 		"client": client.ClientID,
 		"name":   client.Name,
 	})
 }
 func (controller *OIDCController) Authorize(c *gin.Context) {
 	if controller.oidc == nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err_oidc_not_configured"),
@@ -121,19 +136,40 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 		return
 	}
-	req, err := controller.resolveAuthorizeRequest(c)
+	userContext, err := new(model.UserContext).NewFromGin(c)
 	if err != nil {
 		controller.log.App.Warn().Err(err).Msg("Failed to resolve authorize request")
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
-			reason:       "Failed to resolve authorize request",
+			reason:       "Failed to get user context",
-			reasonPublic: "The authorization request is invalid",
+			reasonPublic: "User is not logged in or the session is invalid",
 		})
 		return
 	}
-	client, ok := controller.oidc.GetClient(req.ClientID)
+	if !userContext.Authenticated {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err user not logged in"),
 			reason:       "User not logged in",
 			reasonPublic: "The user is not logged in",
 		})
 		return
 	}
 	var req service.AuthorizeRequest
 	err = c.Bind(&req)
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to bind JSON",
 			reasonPublic: "The client provided an invalid authorization request",
 		})
 		return
 	}
 	_, ok := controller.oidc.GetClient(req.ClientID)
 	if !ok {
 		controller.authorizeError(c, authorizeErrorParams{
@@ -144,7 +180,7 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 		return
 	}
-	err = controller.oidc.ValidateAuthorizeParams(*req)
+	err = controller.oidc.ValidateAuthorizeParams(req)
 	if err != nil {
 		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
@@ -167,97 +203,8 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 		return
 	}
 	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)
 	queries, err := query.Values(AuthorizeScreenParams{
 		LoginFor:   FrontendLoginForOIDC,
 		OIDCTicket: ticket,
 		OIDCScope:  req.Scope,
 		OIDCName:   client.Name,
 	})
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to compile authorize queries",
 			reasonPublic: "An internal error occured while processing your request",
 		})
 		return
 	}
 	redirectUrl := fmt.Sprintf("%s/oidc/authorize?%s", controller.oidc.GetIssuer(), queries.Encode())
 	c.Redirect(http.StatusFound, redirectUrl)
 }
 // The actual **internal** endpoint that actually creates the code and session.
 // It is called by the frontend after the user has logged in and given consent.
 func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 	if controller.oidc == nil {
 		// For this endpoint we return JSON errors since it's called
 		// by the frontend and not an external client, so there's
 		// no redirect_uri to send the user to in case of error
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err_oidc_not_configured"),
 			reason:       "OIDC not configured",
 			reasonPublic: "This instance is not configured for OIDC",
 			json:         true,
 		})
 		return
 	}
 	userContext, err := new(model.UserContext).NewFromGin(c)
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to get user context",
 			reasonPublic: "User is not logged in or the session is invalid",
 			json:         true,
 		})
 		return
 	}
 	if !userContext.Authenticated {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err user not logged in"),
 			reason:       "User not logged in",
 			reasonPublic: "The user is not logged in",
 			json:         true,
 		})
 		return
 	}
 	var req AuthorizeCompleteRequest
 	err = c.BindJSON(&req)
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to bind JSON",
 			reasonPublic: "The client provided an invalid authorization request",
 			json:         true,
 		})
 		return
 	}
 	authorizeReq, ok := controller.oidc.GetAuthorizeRequestByTicket(req.Ticket)
 	if !ok {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("authorize request not found for ticket"),
 			reason:       "Invalid or expired ticket",
 			reasonPublic: "The authorization request has expired or is invalid",
 			json:         true,
 		})
 		return
 	}
 	// We no longer need the ticket
 	controller.oidc.DeleteAuthorizeRequestTicket(req.Ticket)
 	// Create the sub to find and delete old sessions
-	sub := controller.oidc.CreateSub(*userContext, authorizeReq.ClientID)
+	sub := controller.oidc.CreateSub(*userContext, req.ClientID)
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
@@ -266,20 +213,19 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 			err:           err,
 			reason:        "Failed to delete old sessions",
 			reasonPublic:  "Failed to delete old sessions",
-			callback:      authorizeReq.RedirectURI,
+			callback:      req.RedirectURI,
 			callbackError: "server_error",
-			state:         authorizeReq.State,
+			state:         req.State,
 			json:          true,
 		})
 		return
 	}
 	// Create the authorization code
-	code := controller.oidc.CreateCode(*authorizeReq, *userContext)
+	code := controller.oidc.CreateCode(req, *userContext)
 	queries, err := query.Values(AuthorizeCallback{
 		Code:  code,
-		State: authorizeReq.State,
+		State: req.State,
 	})
 	if err != nil {
@@ -287,17 +233,16 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 			err:           err,
 			reason:        "Failed to build query",
 			reasonPublic:  "Failed to build query",
-			callback:      authorizeReq.RedirectURI,
+			callback:      req.RedirectURI,
 			callbackError: "server_error",
-			state:         authorizeReq.State,
+			state:         req.State,
 			json:          true,
 		})
 		return
 	}
 	c.JSON(200, gin.H{
 		"status":       200,
-		"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),
+		"redirect_uri": fmt.Sprintf("%s?%s", req.RedirectURI, queries.Encode()),
 	})
 }
@@ -588,22 +533,14 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 		queries, err := query.Values(errorQueries)
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to build callback error query")
 			c.AbortWithStatus(http.StatusInternalServerError)
 			return
 		}
-		redirectUrl := fmt.Sprintf("%s?%s", params.callback, queries.Encode())
+		c.JSON(200, gin.H{
-
+			"status":       200,
-		if params.json {
+			"redirect_uri": fmt.Sprintf("%s?%s", params.callback, queries.Encode()),
-			c.JSON(200, gin.H{
+		})
 				"status":       200,
 				"redirect_uri": redirectUrl,
 			})
 			return
 		}
 		c.Redirect(http.StatusFound, redirectUrl)
 		return
 	}
@@ -614,7 +551,6 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 	queries, err := query.Values(errorQueries)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to build error query")
 		c.AbortWithStatus(http.StatusInternalServerError)
 		return
 	}
@@ -627,61 +563,8 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 		redirectUrl = fmt.Sprintf("%s/error?%s", controller.runtime.AppURL, queries.Encode())
 	}
-	if params.json {
+	c.JSON(200, gin.H{
-		c.JSON(200, gin.H{
+		"status":       200,
-			"status":       200,
+		"redirect_uri": redirectUrl,
-			"redirect_uri": redirectUrl,
+	})
 		})
 		return
 	}
 	c.Redirect(http.StatusFound, redirectUrl)
 }
 func (controller *OIDCController) resolveAuthorizeRequest(c *gin.Context) (*service.AuthorizeRequest, error) {
 	// step 1: if we have a request object, decode it and ignore other params. If not, bind the params as usual
 	// we check both query and form parameters for the request object since this endpoint can be called with both GET and POST
 	requestObject, err := controller.resolveRequestObject(c)
 	if err != nil {
 		return nil, err
 	}
 	if requestObject != nil {
 		return requestObject, nil
 	}
 	// step 2: by default we assume normal GET query parameters
 	// step 3: if it's a POST request, we try form parameters
 	return controller.resolveNormalParams(c)
 }
 func (controller *OIDCController) resolveRequestObject(c *gin.Context) (*service.AuthorizeRequest, error) {
 	raw := c.Query("request")
 	if raw == "" && c.Request.Method == http.MethodPost {
 		raw = c.PostForm("request")
 	}
 	if raw == "" {
 		return nil, nil
 	}
 	return controller.oidc.DecodeAuthorizeJWT(raw)
 }
 func (controller *OIDCController) resolveNormalParams(c *gin.Context) (*service.AuthorizeRequest, error) {
 	var req service.AuthorizeRequest
 	bind := binding.Query
 	if c.Request.Method == http.MethodPost {
 		bind = binding.Form
 	}
 	if err := c.ShouldBindWith(&req, bind); err != nil {
 		return nil, err
 	}
 	return &req, nil
 }
@@ -13,7 +13,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -54,33 +53,29 @@ type ProxyContext struct {
 type ProxyController struct {
 	log          *logger.Logger
-	runtime      *model.RuntimeConfig
+	runtime      model.RuntimeConfig
 	acls         *service.AccessControlsService
 	auth         *service.AuthService
 	policyEngine *service.PolicyEngine
 }
-type ProxyControllerInput struct {
+func NewProxyController(
-	dig.In
+	log *logger.Logger,
-
+	runtime model.RuntimeConfig,
-	Log           *logger.Logger
+	router *gin.RouterGroup,
-	RuntimeConfig *model.RuntimeConfig
+	acls *service.AccessControlsService,
-	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+	auth *service.AuthService,
-	ACLsService   *service.AccessControlsService
+	policyEngine *service.PolicyEngine,
-	AuthService   *service.AuthService
+) *ProxyController {
 	PolicyEngine  *service.PolicyEngine
 }
 func NewProxyController(i ProxyControllerInput) *ProxyController {
 	controller := &ProxyController{
-		log:          i.Log,
+		log:          log,
-		runtime:      i.RuntimeConfig,
+		runtime:      runtime,
-		acls:         i.ACLsService,
+		acls:         acls,
-		auth:         i.AuthService,
+		auth:         auth,
-		policyEngine: i.PolicyEngine,
+		policyEngine: policyEngine,
 	}
-	proxyGroup := i.RouterGroup.Group("/auth")
+	proxyGroup := router.Group("/auth")
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
 	return controller
@@ -280,7 +275,6 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	queries, err := query.Values(RedirectQuery{
 		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
 		LoginFor:    FrontendLoginForApp,
 	})
 	if err != nil {
@@ -3,7 +3,6 @@ package controller_test
 import (
 	"context"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 	"github.com/gin-gonic/gin"
@@ -77,9 +76,7 @@ func TestProxyController(t *testing.T) {
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -92,9 +89,7 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -108,9 +103,7 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/hello"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -126,9 +119,7 @@ func TestProxyController(t *testing.T) {
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -143,9 +134,7 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -161,9 +150,7 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -369,21 +356,10 @@ func TestProxyController(t *testing.T) {
 	ctx := context.TODO()
 	dg := ding.New(ctx)
-	broker := service.NewOAuthBrokerService(service.OAuthBrokerServiceInput{
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-		Log:     log,
+	aclsService := service.NewAccessControlsService(log, cfg, nil)
 		Runtime: &runtime,
 		Ctx:     ctx,
 	})
 	aclsService := service.NewAccessControlsService(service.AccessControlServiceInput{
 		Log:           log,
 		Config:        &cfg,
 		LabelProvider: nil,
 	})
-	policyEngine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	require.NoError(t, err)
 	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
@@ -406,18 +382,7 @@ func TestProxyController(t *testing.T) {
 		Log: log,
 	})
-	authService := service.NewAuthService(service.AuthServiceInput{
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 		Log:          log,
 		Config:       &cfg,
 		Runtime:      &runtime,
 		Ctx:          ctx,
 		Ding:         dg,
 		LDAP:         nil,
 		Queries:      store,
 		OAuthBroker:  broker,
 		Tailscale:    nil,
 		PolicyEngine: policyEngine,
 	})
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -432,14 +397,7 @@ func TestProxyController(t *testing.T) {
 			recorder := httptest.NewRecorder()
-			controller.NewProxyController(controller.ProxyControllerInput{
+			controller.NewProxyController(log, runtime, group, aclsService, authService, policyEngine)
 				Log:           log,
 				RuntimeConfig: &runtime,
 				RouterGroup:   group,
 				ACLsService:   aclsService,
 				AuthService:   authService,
 				PolicyEngine:  policyEngine,
 			})
 			test.run(t, router, recorder)
 		})
@@ -5,30 +5,25 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"go.uber.org/dig"
 )
 type ResourcesController struct {
-	config     *model.Config
+	config     model.Config
 	fileServer http.Handler
 }
-type ResourcesControllerInput struct {
+func NewResourcesController(
-	dig.In
+	config model.Config,
-
+	router *gin.RouterGroup,
-	RouterGroup *gin.RouterGroup `name:"mainRouterGroup"`
+) *ResourcesController {
-	Config      *model.Config
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Resources.Path)))
 }
 func NewResourcesController(i ResourcesControllerInput) *ResourcesController {
 	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(i.Config.Resources.Path)))
 	controller := &ResourcesController{
-		config:     i.Config,
+		config:     config,
 		fileServer: fileServer,
 	}
-	i.RouterGroup.GET("/resources/*resource", controller.resourcesHandler)
+	router.GET("/resources/*resource", controller.resourcesHandler)
 	return controller
 }
@@ -69,10 +69,7 @@ func TestResourcesController(t *testing.T) {
 			group := router.Group("/")
 			gin.SetMode(gin.TestMode)
-			controller.NewResourcesController(controller.ResourcesControllerInput{
+			controller.NewResourcesController(cfg, group)
 				RouterGroup: group,
 				Config:      &cfg,
 			})
 			recorder := httptest.NewRecorder()
 			test.run(t, router, recorder)
@@ -11,7 +11,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -28,27 +27,23 @@ type TotpRequest struct {
 type UserController struct {
 	log     *logger.Logger
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 	auth    *service.AuthService
 }
-type UserControllerInput struct {
+func NewUserController(
-	dig.In
+	log *logger.Logger,
-
+	runtimeConfig model.RuntimeConfig,
-	Log           *logger.Logger
+	router *gin.RouterGroup,
-	RuntimeConfig *model.RuntimeConfig
+	auth *service.AuthService,
-	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+) *UserController {
 	AuthService   *service.AuthService
 }
 func NewUserController(i UserControllerInput) *UserController {
 	controller := &UserController{
-		log:     i.Log,
+		log:     log,
-		runtime: i.RuntimeConfig,
+		runtime: runtimeConfig,
-		auth:    i.AuthService,
+		auth:    auth,
 	}
-	userGroup := i.RouterGroup.Group("/user")
+	userGroup := router.Group("/user")
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
@@ -414,29 +414,11 @@ func TestUserController(t *testing.T) {
 	ctx := context.TODO()
 	dg := ding.New(ctx)
-	policyEngine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	require.NoError(t, err)
-	broker := service.NewOAuthBrokerService(service.OAuthBrokerServiceInput{
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-		Log:     log,
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 		Runtime: &runtime,
 		Ctx:     ctx,
 	})
 	authService := service.NewAuthService(service.AuthServiceInput{
 		Log:          log,
 		Config:       &cfg,
 		Runtime:      &runtime,
 		Ctx:          ctx,
 		Ding:         dg,
 		LDAP:         nil,
 		Queries:      store,
 		OAuthBroker:  broker,
 		Tailscale:    nil,
 		PolicyEngine: policyEngine,
 	})
 	beforeEach := func() {
 		// Clear failed login attempts before each test
@@ -455,12 +437,7 @@ func TestUserController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
-			controller.NewUserController(controller.UserControllerInput{
+			controller.NewUserController(log, runtime, group, authService)
 				Log:           log,
 				RuntimeConfig: &runtime,
 				RouterGroup:   group,
 				AuthService:   authService,
 			})
 			recorder := httptest.NewRecorder()
@@ -6,7 +6,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"go.uber.org/dig"
 )
 type OpenIDConnectConfiguration struct {
@@ -31,20 +30,13 @@ type WellKnownController struct {
 	oidc *service.OIDCService
 }
-type WellKnownControllerInput struct {
+func NewWellKnownController(oidc *service.OIDCService, router *gin.RouterGroup) *WellKnownController {
 	dig.In
 	OIDCService *service.OIDCService
 	RouterGroup *gin.RouterGroup `name:"mainRouterGroup"`
 }
 func NewWellKnownController(i WellKnownControllerInput) *WellKnownController {
 	controller := &WellKnownController{
-		oidc: i.OIDCService,
+		oidc: oidc,
 	}
-	i.RouterGroup.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
+	router.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
-	i.RouterGroup.GET("/.well-known/jwks.json", controller.JWKS)
+	router.GET("/.well-known/jwks.json", controller.JWKS)
 	return controller
 }
@@ -93,13 +93,7 @@ func TestWellKnownController(t *testing.T) {
 	store := memory.New()
-	oidcService, err := service.NewOIDCService(service.OIDCServiceInput{
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
 		Log:     log,
 		Config:  &cfg,
 		Runtime: &runtime,
 		Queries: store,
 		Ding:    dg,
 	})
 	require.NoError(t, err)
 	for _, test := range tests {
@@ -109,10 +103,7 @@ func TestWellKnownController(t *testing.T) {
 			recorder := httptest.NewRecorder()
-			controller.NewWellKnownController(controller.WellKnownControllerInput{
+			controller.NewWellKnownController(oidcService, &router.RouterGroup)
 				OIDCService: oidcService,
 				RouterGroup: &router.RouterGroup,
 			})
 			test.run(t, router, recorder)
 		})
@@ -11,7 +11,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 )
@@ -38,29 +37,25 @@ var (
 type ContextMiddleware struct {
 	log       *logger.Logger
-	runtime   *model.RuntimeConfig
+	runtime   model.RuntimeConfig
 	auth      *service.AuthService
 	broker    *service.OAuthBrokerService
 	tailscale *service.TailscaleService
 }
-type ContextMiddlewareInput struct {
+func NewContextMiddleware(
-	dig.In
+	log *logger.Logger,
-
+	runtime model.RuntimeConfig,
-	Log              *logger.Logger
+	auth *service.AuthService,
-	RuntimeConfig    *model.RuntimeConfig
+	broker *service.OAuthBrokerService,
-	AuthService      *service.AuthService
+	tailscale *service.TailscaleService,
-	BrokerService    *service.OAuthBrokerService
+) *ContextMiddleware {
 	TailscaleService *service.TailscaleService
 }
 func NewContextMiddleware(i ContextMiddlewareInput) *ContextMiddleware {
 	return &ContextMiddleware{
-		log:       i.Log,
+		log:       log,
-		runtime:   i.RuntimeConfig,
+		runtime:   runtime,
-		auth:      i.AuthService,
+		auth:      auth,
-		broker:    i.BrokerService,
+		broker:    broker,
-		tailscale: i.TailscaleService,
+		tailscale: tailscale,
 	}
 }
@@ -254,37 +254,13 @@ func TestContextMiddleware(t *testing.T) {
 	store := memory.New()
-	policyEngine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	require.NoError(t, err)
-	broker := service.NewOAuthBrokerService(service.OAuthBrokerServiceInput{
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-		Log:     log,
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 		Runtime: &runtime,
 		Ctx:     ctx,
 	})
 	authService := service.NewAuthService(service.AuthServiceInput{
 		Log:          log,
 		Config:       &cfg,
 		Runtime:      &runtime,
 		Ctx:          ctx,
 		Ding:         dg,
 		LDAP:         nil,
 		Queries:      store,
 		OAuthBroker:  broker,
 		Tailscale:    nil,
 		PolicyEngine: policyEngine,
 	})
-	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareInput{
+	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
 		Log:              log,
 		RuntimeConfig:    &runtime,
 		AuthService:      authService,
 		BrokerService:    broker,
 		TailscaleService: nil,
 	})
 	for _, test := range tests {
 		authService.ClearLoginAttempts()
@@ -9,7 +9,6 @@ import (
 	"time"
 	"github.com/tinyauthapp/tinyauth/internal/assets"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 )
@@ -19,12 +18,7 @@ type UIMiddleware struct {
 	uiFileServer http.Handler
 }
-// for future use if we need to inject dependencies into the middleware
+func NewUIMiddleware() (*UIMiddleware, error) {
 type UIMiddlewareInput struct {
 	dig.In
 }
 func NewUIMiddleware(_ UIMiddlewareInput) (*UIMiddleware, error) {
 	m := &UIMiddleware{}
 	ui, err := fs.Sub(assets.FrontendAssets, "dist")
@@ -44,7 +38,7 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 		switch strings.SplitN(path, "/", 2)[0] {
-		case "api", "resources", ".well-known", "authorize":
+		case "api", "resources", ".well-known":
 			c.Next()
 			return
 		case "robots.txt":
@@ -6,7 +6,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 )
 // See context middleware for explanation of why we have to do this
@@ -22,15 +21,9 @@ type ZerologMiddleware struct {
 	log *logger.Logger
 }
-type ZerologMiddlewareInput struct {
+func NewZerologMiddleware(log *logger.Logger) *ZerologMiddleware {
 	dig.In
 	Log *logger.Logger
 }
 func NewZerologMiddleware(i ZerologMiddlewareInput) *ZerologMiddleware {
 	return &ZerologMiddleware{
-		log: i.Log,
+		log: log,
 	}
 }
@@ -178,16 +178,15 @@ type UIConfig struct {
 }
 type LDAPConfig struct {
-	Address      	 string `description:"LDAP server address." yaml:"address"`
+	Address       string `description:"LDAP server address." yaml:"address"`
-	BindDN       	 string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
+	BindDN        string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
-	BindPassword  	 string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
+	BindPassword  string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
-	BindPasswordFile string `description:"Path to the Bind password." yaml:"bindPasswordFile"`
+	BaseDN        string `description:"Base DN for LDAP searches." yaml:"baseDn"`
-	BaseDN       	 string `description:"Base DN for LDAP searches." yaml:"baseDn"`
+	Insecure      bool   `description:"Allow insecure LDAP connections." yaml:"insecure"`
-	Insecure     	 bool   `description:"Allow insecure LDAP connections." yaml:"insecure"`
+	SearchFilter  string `description:"LDAP search filter." yaml:"searchFilter"`
-	SearchFilter 	 string `description:"LDAP search filter." yaml:"searchFilter"`
+	AuthCert      string `description:"Certificate for mTLS authentication." yaml:"authCert"`
-	AuthCert     	 string `description:"Certificate for mTLS authentication." yaml:"authCert"`
+	AuthKey       string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
-	AuthKey      	 string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
+	GroupCacheTTL int    `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
 	GroupCacheTTL	 int    `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
 }
 type LogConfig struct {
@@ -12,6 +12,7 @@ type RuntimeConfig struct {
 	OAuthProviders         map[string]OAuthServiceConfig
 	OAuthWhitelist         []string
 	ConfiguredProviders    []Provider
 	OIDCClients            []OIDCClientConfig
 	TrustedDomains         []string
 }
@@ -5,7 +5,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 )
 type LabelProvider interface {
@@ -14,24 +13,19 @@ type LabelProvider interface {
 type AccessControlsService struct {
 	log           *logger.Logger
-	config        *model.Config
+	config        model.Config
-	labelProvider LabelProvider
+	labelProvider *LabelProvider
 }
-type AccessControlServiceInput struct {
+func NewAccessControlsService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log           *logger.Logger
+	labelProvider *LabelProvider) *AccessControlsService {
 	Config        *model.Config
 	LabelProvider LabelProvider `optional:"true"`
 }
 func NewAccessControlsService(i AccessControlServiceInput) *AccessControlsService {
 	return &AccessControlsService{
-		log:           i.Log,
+		log:           log,
-		config:        i.Config,
+		config:        config,
-		labelProvider: i.LabelProvider,
+		labelProvider: labelProvider,
 	}
 }
@@ -63,8 +57,8 @@ func (service *AccessControlsService) GetAccessControls(domain string) (*model.A
 	}
 	// If we have a label provider configured, try to get ACLs from it
-	if service.labelProvider != nil {
+	if service.labelProvider != nil && *service.labelProvider != nil {
-		return service.labelProvider.GetLabels(domain)
+		return (*service.labelProvider).GetLabels(domain)
 	}
 	// no labels
@@ -87,11 +87,7 @@ func TestLookupStaticACLs(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			svc := NewAccessControlsService(AccessControlServiceInput{
+			svc := NewAccessControlsService(log, model.Config{Apps: tt.apps}, nil)
 				Log:           log,
 				Config:        &model.Config{Apps: tt.apps},
 				LabelProvider: nil,
 			})
 			got := svc.lookupStaticACLs(tt.domain)
 			if tt.expectNil {
 				assert.Nil(t, got)
@@ -116,11 +112,7 @@ func TestGetAccessControls(t *testing.T) {
 				},
 			},
 		}
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, config, nil)
 			Log:           log,
 			Config:        &config,
 			LabelProvider: nil,
 		})
 		got, err := svc.GetAccessControls("foo.example.com")
@@ -131,11 +123,7 @@ func TestGetAccessControls(t *testing.T) {
 	})
 	t.Run("returns nil when no static match and no label provider", func(t *testing.T) {
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, nil)
 			Log:           log,
 			Config:        &model.Config{},
 			LabelProvider: nil,
 		})
 		got, err := svc.GetAccessControls("unknown.example.com")
@@ -145,11 +133,7 @@ func TestGetAccessControls(t *testing.T) {
 	t.Run("returns nil when label provider pointer wraps a nil interface", func(t *testing.T) {
 		var provider LabelProvider
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
 			Log:           log,
 			Config:        &model.Config{},
 			LabelProvider: provider, // nil provider
 		})
 		got, err := svc.GetAccessControls("unknown.example.com")
@@ -168,11 +152,7 @@ func TestGetAccessControls(t *testing.T) {
 			},
 		}
 		var provider LabelProvider = mock
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
 			Log:           log,
 			Config:        &model.Config{},
 			LabelProvider: provider,
 		})
 		got, err := svc.GetAccessControls("dynamic.example.com")
@@ -190,11 +170,7 @@ func TestGetAccessControls(t *testing.T) {
 				"foo": {Config: model.AppConfig{Domain: "foo.example.com"}},
 			},
 		}
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, config, &provider)
 			Log:           log,
 			Config:        &config,
 			LabelProvider: provider,
 		})
 		got, err := svc.GetAccessControls("foo.example.com")
@@ -212,11 +188,7 @@ func TestGetAccessControls(t *testing.T) {
 			},
 		}
 		var provider LabelProvider = mock
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
 			Log:           log,
 			Config:        &model.Config{},
 			LabelProvider: provider,
 		})
 		got, err := svc.GetAccessControls("dynamic.example.com")
@@ -14,7 +14,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
@@ -31,14 +30,17 @@ var (
 	ErrUserNotFound = errors.New("user not found")
 )
-// We either store params for redirecting to an app after OAuth login,
+// slightly modified version of the AuthorizeRequest from the OIDC service to basically accept all
-// or for redirecting back to the authorize screen to continue OIDC
+// parameters and pass them to the authorize page if needed
-type OAuthCallbackParams struct {
+type OAuthURLParams struct {
-	LoginFor    string `form:"login_for" url:"login_for"`
+	Scope               string `form:"scope" url:"scope"`
-	OIDCTicket  string `form:"oidc_ticket" url:"oidc_ticket"`
+	ResponseType        string `form:"response_type" url:"response_type"`
-	OIDCScope   string `form:"oidc_scope" url:"oidc_scope"`
+	ClientID            string `form:"client_id" url:"client_id"`
-	OIDCName    string `form:"oidc_name" url:"oidc_name"`
+	RedirectURI         string `form:"redirect_uri" url:"redirect_uri"`
-	RedirectURI string `form:"redirect_uri" url:"redirect_uri"`
+	State               string `form:"state" url:"state"`
 	Nonce               string `form:"nonce" url:"nonce"`
 	CodeChallenge       string `form:"code_challenge" url:"code_challenge"`
 	CodeChallengeMethod string `form:"code_challenge_method" url:"code_challenge_method"`
 }
 type OAuthPendingSession struct {
@@ -47,7 +49,7 @@ type OAuthPendingSession struct {
 	Token          *oauth2.Token
 	Service        *OAuthServiceImpl
 	ExpiresAt      time.Time
-	CallbackParams OAuthCallbackParams
+	CallbackParams OAuthURLParams
 }
 type LoginAttempt struct {
@@ -58,8 +60,8 @@ type LoginAttempt struct {
 type AuthService struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 	ctx     context.Context
 	ldap         *LdapService
@@ -83,32 +85,28 @@ type AuthService struct {
 	}
 }
-type AuthServiceInput struct {
+func NewAuthService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log          *logger.Logger
+	runtime model.RuntimeConfig,
-	Config       *model.Config
+	ctx context.Context,
-	Runtime      *model.RuntimeConfig
+	dg *ding.Ding,
-	Ctx          context.Context
+	ldap *LdapService,
-	Ding         *ding.Ding
+	queries repository.Store,
-	LDAP         *LdapService `optional:"true"`
+	oauthBroker *OAuthBrokerService,
-	Queries      repository.Store
+	tailscale *TailscaleService,
-	OAuthBroker  *OAuthBrokerService
+	policy *PolicyEngine,
-	Tailscale    *TailscaleService `optional:"true"`
+) *AuthService {
 	PolicyEngine *PolicyEngine
 }
 func NewAuthService(i AuthServiceInput) *AuthService {
 	service := &AuthService{
-		log:          i.Log,
+		log:          log,
-		runtime:      i.Runtime,
+		runtime:      runtime,
-		ctx:          i.Ctx,
+		ctx:          ctx,
-		config:       i.Config,
+		config:       config,
-		ldap:         i.LDAP,
+		ldap:         ldap,
-		queries:      i.Queries,
+		queries:      queries,
-		oauthBroker:  i.OAuthBroker,
+		oauthBroker:  oauthBroker,
-		tailscale:    i.Tailscale,
+		tailscale:    tailscale,
-		policyEngine: i.PolicyEngine,
+		policyEngine: policy,
 	}
 	// caches setup
@@ -120,7 +118,7 @@ func NewAuthService(i AuthServiceInput) *AuthService {
 	service.caches.login = loginCache
 	service.caches.ldap = ldapCache
-	i.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
@@ -518,17 +516,17 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 	return auth.ldap != nil
 }
-func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthCallbackParams) (string, error) {
+func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLParams) (string, OAuthPendingSession, error) {
 	service, ok := auth.oauthBroker.GetService(serviceName)
 	if !ok {
-		return "", fmt.Errorf("oauth service not found: %s", serviceName)
+		return "", OAuthPendingSession{}, fmt.Errorf("oauth service not found: %s", serviceName)
 	}
 	sessionId, err := uuid.NewRandom()
 	if err != nil {
-		return "", fmt.Errorf("failed to generate session ID: %w", err)
+		return "", OAuthPendingSession{}, fmt.Errorf("failed to generate session ID: %w", err)
 	}
 	state := service.NewRandom()
@@ -544,7 +542,7 @@ func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthCallbac
 	auth.caches.oauth.Set(sessionId.String(), session, time.Minute*10)
-	return sessionId.String(), nil
+	return sessionId.String(), session, nil
 }
 func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
@@ -4,7 +4,6 @@ import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -13,22 +12,9 @@ func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 	policyEngine, err := NewPolicyEngine(PolicyEngineInput{
 		Log: log,
 		Config: &model.Config{
 			Auth: model.AuthConfig{
 				ACLs: model.ACLsConfig{
 					Policy: string(PolicyAllow),
 				},
 			},
 		},
 	})
 	require.NoError(t, err)
 	auth := &AuthService{
 		log: log,
-		runtime: &model.RuntimeConfig{
+		runtime: model.RuntimeConfig{
 			OAuthWhitelist: []string{"global@example.com"},
 			OAuthProviders: map[string]model.OAuthServiceConfig{
 				"github": {
@@ -42,7 +28,6 @@ func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
 				},
 			},
 		},
 		policyEngine: policyEngine,
 	}
 	assert.True(t, auth.IsEmailWhitelisted("github", "github@example.com"))
@@ -8,7 +8,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@@ -22,40 +21,36 @@ type DockerService struct {
 	isConnected bool
 }
-type DockerServiceInput struct {
+func NewDockerService(
-	dig.In
+	log *logger.Logger,
-
+	ctx context.Context,
-	Log  *logger.Logger
+	dg *ding.Ding,
-	Ctx  context.Context
+) (*DockerService, error) {
 	Ding *ding.Ding
 }
 func NewDockerService(i DockerServiceInput) (*DockerService, error) {
 	client, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		return nil, err
 	}
-	client.NegotiateAPIVersion(i.Ctx)
+	client.NegotiateAPIVersion(ctx)
-	_, err = client.Ping(i.Ctx)
+	_, err = client.Ping(ctx)
 	if err != nil {
-		i.Log.App.Debug().Err(err).Msg("Docker not connected")
+		log.App.Debug().Err(err).Msg("Docker not connected")
 		return nil, nil
 	}
 	service := &DockerService{
-		log:     i.Log,
+		log:     log,
 		client:  client,
-		context: i.Ctx,
+		context: ctx,
 	}
 	service.isConnected = true
 	service.log.App.Debug().Msg("Docker connected successfully")
-	i.Ding.Go(service.watchAndClose, ding.RingMajor)
+	dg.Go(service.watchAndClose, ding.RingMajor)
 	return service, nil
 }
@@ -12,7 +12,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -49,15 +48,11 @@ type KubernetesService struct {
 	appNameIndex map[string]ingressAppKey
 }
-type KubernetesServiceInput struct {
+func NewKubernetesService(
-	dig.In
+	log *logger.Logger,
-
+	ctx context.Context,
-	Log  *logger.Logger
+	dg *ding.Ding,
-	Ctx  context.Context
+) (*KubernetesService, error) {
 	Ding *ding.Ding
 }
 func NewKubernetesService(i KubernetesServiceInput) (*KubernetesService, error) {
 	cfg, err := rest.InClusterConfig()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get in-cluster kubernetes config: %w", err)
@@ -74,31 +69,31 @@ func NewKubernetesService(i KubernetesServiceInput) (*KubernetesService, error)
 		Resource: "ingresses",
 	}
-	accessCtx, accessCancel := context.WithTimeout(i.Ctx, 5*time.Second)
+	accessCtx, accessCancel := context.WithTimeout(ctx, 5*time.Second)
 	defer accessCancel()
 	_, err = client.Resource(gvr).List(accessCtx, metav1.ListOptions{Limit: 1})
 	if err != nil {
-		i.Log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
+		log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
 		return nil, fmt.Errorf("failed to access ingress api: %w", err)
 	}
-	i.Log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
+	log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
 	service := &KubernetesService{
-		log:          i.Log,
+		log:          log,
 		client:       client,
 		ingressApps:  make(map[ingressKey][]ingressApp),
 		domainIndex:  make(map[string]ingressAppKey),
 		appNameIndex: make(map[string]ingressAppKey),
 	}
-	i.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		service.watchGVR(gvr, ctx)
 	}, ding.RingMajor)
 	service.started = true
-	i.Log.App.Debug().Msg("Kubernetes label provider started successfully")
+	log.App.Debug().Msg("Kubernetes label provider started successfully")
 	return service, nil
 }
@@ -11,50 +11,41 @@ import (
 	ldapgo "github.com/go-ldap/ldap/v3"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 )
 type LdapService struct {
 	log    *logger.Logger
-	config *model.Config
+	config model.Config
-	conn   *ldapgo.Conn
+	conn  *ldapgo.Conn
-	mutex  sync.RWMutex
+	mutex sync.RWMutex
-	cert   *tls.Certificate
+	cert  *tls.Certificate
 	bindPw string
 }
-type LdapServiceInput struct {
+func NewLdapService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log    *logger.Logger
+	dg *ding.Ding,
-	Config *model.Config
+) (*LdapService, error) {
-	Ding   *ding.Ding
+	if config.LDAP.Address == "" {
 }
 func NewLdapService(i LdapServiceInput) (*LdapService, error) {
 	if i.Config.LDAP.Address == "" {
 		return nil, nil
 	}
 	ldap := &LdapService{
-		log:    i.Log,
+		log:    log,
-		config: i.Config,
+		config: config,
 	}
 	ldap.bindPw = utils.GetSecret(i.Config.LDAP.BindPassword, i.Config.LDAP.BindPasswordFile)
 	// Check whether authentication with client certificate is possible
-	if i.Config.LDAP.AuthCert != "" && i.Config.LDAP.AuthKey != "" {
+	if config.LDAP.AuthCert != "" && config.LDAP.AuthKey != "" {
-		cert, err := tls.LoadX509KeyPair(i.Config.LDAP.AuthCert, i.Config.LDAP.AuthKey)
+		cert, err := tls.LoadX509KeyPair(config.LDAP.AuthCert, config.LDAP.AuthKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize LDAP with mTLS authentication: %w", err)
 		}
-		i.Log.App.Info().Msg("LDAP mTLS authentication configured successfully")
+		log.App.Info().Msg("LDAP mTLS authentication configured successfully")
 		ldap.cert = &cert
@@ -76,7 +67,7 @@ func NewLdapService(i LdapServiceInput) (*LdapService, error) {
 		return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
 	}
-	i.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		ldap.log.App.Debug().Msg("Starting LDAP connection heartbeat routine")
 		ticker := time.NewTicker(5 * time.Minute)
@@ -221,7 +212,7 @@ func (ldap *LdapService) BindService(rebind bool) error {
 	if ldap.cert != nil {
 		return ldap.conn.ExternalBind()
 	}
-	return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.bindPw)
+	return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.config.LDAP.BindPassword)
 }
 func (ldap *LdapService) Bind(userDN string, password string) error {
@@ -5,7 +5,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"slices"
@@ -33,27 +32,23 @@ var presets = map[string]func(config model.OAuthServiceConfig, ctx context.Conte
 	"google": newGoogleOAuthService,
 }
-type OAuthBrokerServiceInput struct {
+func NewOAuthBrokerService(
-	dig.In
+	log *logger.Logger,
-
+	configs map[string]model.OAuthServiceConfig,
-	Log     *logger.Logger
+	ctx context.Context,
-	Runtime *model.RuntimeConfig
+) *OAuthBrokerService {
 	Ctx     context.Context
 }
 func NewOAuthBrokerService(i OAuthBrokerServiceInput) *OAuthBrokerService {
 	service := &OAuthBrokerService{
-		log:      i.Log,
+		log:      log,
 		services: make(map[string]OAuthServiceImpl),
-		configs:  i.Runtime.OAuthProviders,
+		configs:  configs,
 	}
-	for name, cfg := range service.configs {
+	for name, cfg := range configs {
 		if presetFunc, exists := presets[name]; exists {
-			service.services[name] = presetFunc(cfg, i.Ctx)
+			service.services[name] = presetFunc(cfg, ctx)
 			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from preset")
 		} else {
-			service.services[name] = NewOAuthService(cfg, name, i.Ctx)
+			service.services[name] = NewOAuthService(cfg, name, ctx)
 			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from custom config")
 		}
 	}
@@ -14,20 +14,17 @@ import (
 	"fmt"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"slices"
 	"github.com/go-jose/go-jose/v4"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 )
 var (
@@ -109,14 +106,14 @@ type TokenResponse struct {
 }
 type AuthorizeRequest struct {
-	Scope               string `form:"scope" json:"scope" url:"scope"`
+	Scope               string `json:"scope" binding:"required"`
-	ResponseType        string `form:"response_type" json:"response_type" url:"response_type"`
+	ResponseType        string `json:"response_type" binding:"required"`
-	ClientID            string `form:"client_id" json:"client_id" url:"client_id"`
+	ClientID            string `json:"client_id" binding:"required"`
-	RedirectURI         string `form:"redirect_uri" json:"redirect_uri" url:"redirect_uri"`
+	RedirectURI         string `json:"redirect_uri" binding:"required"`
-	State               string `form:"state" json:"state" url:"state"`
+	State               string `json:"state"`
-	Nonce               string `form:"nonce" json:"nonce" url:"nonce"`
+	Nonce               string `json:"nonce"`
-	CodeChallenge       string `form:"code_challenge" json:"code_challenge" url:"code_challenge"`
+	CodeChallenge       string `json:"code_challenge"`
-	CodeChallengeMethod string `form:"code_challenge_method" json:"code_challenge_method" url:"code_challenge_method"`
+	CodeChallengeMethod string `json:"code_challenge_method"`
 }
 type AuthorizeCodeEntry struct {
@@ -135,8 +132,8 @@ type UsedCodeEntry struct {
 type OIDCService struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 	queries repository.Store
 	clients    map[string]model.OIDCClientConfig
@@ -145,30 +142,24 @@ type OIDCService struct {
 	issuer     string
 	caches struct {
-		code      *CacheStore[AuthorizeCodeEntry]
+		code     *CacheStore[AuthorizeCodeEntry]
-		usedCode  *CacheStore[UsedCodeEntry]
+		usedCode *CacheStore[UsedCodeEntry]
 		authorize *CacheStore[AuthorizeRequest]
 	}
 }
-type OIDCServiceInput struct {
+func NewOIDCService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log     *logger.Logger
+	runtime model.RuntimeConfig,
-	Config  *model.Config
+	queries repository.Store,
-	Runtime *model.RuntimeConfig
+	dg *ding.Ding) (*OIDCService, error) {
 	Queries repository.Store
 	Ding    *ding.Ding
 }
 func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	// If not configured, skip init
-	if len(i.Config.OIDC.Clients) == 0 {
+	if len(runtime.OIDCClients) == 0 {
 		return nil, nil
 	}
 	// Ensure issuer is https
-	uissuer, err := url.Parse(i.Runtime.AppURL)
+	uissuer, err := url.Parse(runtime.AppURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse app url: %w", err)
@@ -181,14 +172,14 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	issuer := fmt.Sprintf("%s://%s", uissuer.Scheme, uissuer.Host)
 	// Create/load private and public keys
-	if strings.TrimSpace(i.Config.OIDC.PrivateKeyPath) == "" ||
+	if strings.TrimSpace(config.OIDC.PrivateKeyPath) == "" ||
-		strings.TrimSpace(i.Config.OIDC.PublicKeyPath) == "" {
+		strings.TrimSpace(config.OIDC.PublicKeyPath) == "" {
 		return nil, errors.New("private key path and public key path are required")
 	}
 	var privateKey *rsa.PrivateKey
-	fprivateKey, err := os.ReadFile(i.Config.OIDC.PrivateKeyPath)
+	fprivateKey, err := os.ReadFile(config.OIDC.PrivateKeyPath)
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, err
@@ -207,12 +198,8 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 			Type:  "RSA PRIVATE KEY",
 			Bytes: der,
 		})
-		i.Log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
+		log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
-		err := os.MkdirAll(filepath.Dir(i.Config.OIDC.PrivateKeyPath), 0700)
+		err = os.WriteFile(config.OIDC.PrivateKeyPath, encoded, 0600)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create directory for private key: %w", err)
 		}
 		err = os.WriteFile(i.Config.OIDC.PrivateKeyPath, encoded, 0600)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write private key to file: %w", err)
 		}
@@ -221,7 +208,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 		if block == nil {
 			return nil, errors.New("failed to decode private key")
 		}
-		i.Log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
+		log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
 		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse private key: %w", err)
@@ -230,7 +217,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	var publicKey crypto.PublicKey
-	fpublicKey, err := os.ReadFile(i.Config.OIDC.PublicKeyPath)
+	fpublicKey, err := os.ReadFile(config.OIDC.PublicKeyPath)
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, fmt.Errorf("failed to read public key: %w", err)
@@ -246,12 +233,8 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 			Type:  "RSA PUBLIC KEY",
 			Bytes: der,
 		})
-		i.Log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
+		log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
-		err := os.MkdirAll(filepath.Dir(i.Config.OIDC.PublicKeyPath), 0700)
+		err = os.WriteFile(config.OIDC.PublicKeyPath, encoded, 0644)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create directory for public key: %w", err)
 		}
 		err = os.WriteFile(i.Config.OIDC.PublicKeyPath, encoded, 0644)
 		if err != nil {
 			return nil, err
 		}
@@ -260,7 +243,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 		if block == nil {
 			return nil, errors.New("failed to decode public key")
 		}
-		i.Log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
+		log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
 		switch block.Type {
 		case "RSA PUBLIC KEY":
 			publicKey, err = x509.ParsePKCS1PublicKey(block.Bytes)
@@ -290,7 +273,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	// We will reorganize the client into a map with the client ID as the key
 	clients := make(map[string]model.OIDCClientConfig)
-	for id, client := range i.Config.OIDC.Clients {
+	for id, client := range config.OIDC.Clients {
 		client.ID = id
 		if client.Name == "" {
 			client.Name = utils.Capitalize(client.ID)
@@ -306,15 +289,15 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 		}
 		client.ClientSecretFile = ""
 		clients[id] = client
-		i.Log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
+		log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
 	}
 	// Initialize the service
 	service := &OIDCService{
-		log:     i.Log,
+		log:     log,
-		config:  i.Config,
+		config:  config,
-		runtime: i.Runtime,
+		runtime: runtime,
-		queries: i.Queries,
+		queries: queries,
 		clients:    clients,
 		privateKey: privateKey,
@@ -323,19 +306,16 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	}
 	// Start cleanup routine
-	i.Ding.Go(service.cleanupRoutine, ding.RingMinor)
+	dg.Go(service.cleanupRoutine, ding.RingMinor)
 	// Create caches
 	codeCash := NewCacheStore[AuthorizeCodeEntry](256)
 	usedCode := NewCacheStore[UsedCodeEntry](256)
 	authorize := NewCacheStore[AuthorizeRequest](256)
 	service.caches.code = codeCash
 	service.caches.usedCode = usedCode
 	service.caches.authorize = authorize
 	// Start cache cleanup routine
-	i.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
@@ -344,7 +324,6 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 			case <-ticker.C:
 				service.caches.code.Sweep()
 				service.caches.usedCode.Sweep()
 				service.caches.authorize.Sweep()
 			case <-ctx.Done():
 				return
 			}
@@ -877,57 +856,3 @@ func (service *OIDCService) MarkCodeAsUsed(codeHash string, sub string) {
 func (service *OIDCService) DeleteSessionBySub(ctx context.Context, sub string) error {
 	return service.queries.DeleteOIDCSessionBySub(ctx, sub)
 }
 func (service *OIDCService) CreateAuthorizeRequestTicket(req AuthorizeRequest) string {
 	ticket := utils.GenerateString(32)
 	service.caches.authorize.Set(ticket, req, 10*time.Minute)
 	return ticket
 }
 func (service *OIDCService) GetAuthorizeRequestByTicket(ticket string) (*AuthorizeRequest, bool) {
 	entry, ok := service.caches.authorize.Get(ticket)
 	if !ok {
 		return nil, false
 	}
 	return &entry, true
 }
 func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
 	service.caches.authorize.Delete(ticket)
 }
 // TODO: support signed request objects in the future
 func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
 	var claims jwt.MapClaims
 	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &claims)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
 	}
 	alg, ok := token.Header["alg"].(string)
 	if !ok || alg != "none" || string(token.Signature) != "" {
 		return nil, fmt.Errorf("only unsigned jwts are supported for authorize requests")
 	}
 	get := func(k string) string {
 		v, _ := claims[k].(string)
 		return v
 	}
 	return &AuthorizeRequest{
 		Scope:               get("scope"),
 		ResponseType:        get("response_type"),
 		ClientID:            get("client_id"),
 		RedirectURI:         get("redirect_uri"),
 		State:               get("state"),
 		Nonce:               get("nonce"),
 		CodeChallenge:       get("code_challenge"),
 		CodeChallengeMethod: get("code_challenge_method"),
 	}, nil
 }
@@ -9,7 +9,6 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -68,15 +67,7 @@ func TestCompileUserinfo(t *testing.T) {
 	ctx := context.TODO()
 	dg := ding.New(ctx)
-	store := memory.New()
+	svc, err := service.NewOIDCService(log, cfg, runtime, nil, dg)
 	svc, err := service.NewOIDCService(service.OIDCServiceInput{
 		Log:     log,
 		Config:  &cfg,
 		Runtime: &runtime,
 		Queries: store,
 		Ding:    dg,
 	})
 	require.NoError(t, err)
 	type testCase struct {
@@ -6,7 +6,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 )
 type Policy string
@@ -41,28 +40,21 @@ type PolicyEngine struct {
 	policy Policy
 }
-type PolicyEngineInput struct {
+func NewPolicyEngine(config model.Config, log *logger.Logger) (*PolicyEngine, error) {
 	dig.In
 	Log    *logger.Logger
 	Config *model.Config
 }
 func NewPolicyEngine(i PolicyEngineInput) (*PolicyEngine, error) {
 	engine := PolicyEngine{
-		log:   i.Log,
+		log:   log,
 		rules: make(map[RuleName]Rule),
 	}
-	switch i.Config.Auth.ACLs.Policy {
+	switch config.Auth.ACLs.Policy {
 	case string(PolicyAllow):
-		i.Log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
+		log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
 		engine.policy = PolicyAllow
 	case string(PolicyDeny):
-		i.Log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
+		log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
 		engine.policy = PolicyDeny
 	default:
-		return nil, fmt.Errorf("invalid acl policy: %s", i.Config.Auth.ACLs.Policy)
+		return nil, fmt.Errorf("invalid acl policy: %s", config.Auth.ACLs.Policy)
 	}
 	return &engine, nil
@@ -33,35 +33,23 @@ func TestPolicyEngine(t *testing.T) {
 	// Engine should fail with invalid policy
 	cfg.Auth.ACLs.Policy = "invalid_policy"
-	_, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	_, err := service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.Error(t, err)
 	// Engine should initialize with 'allow' policy
 	cfg.Auth.ACLs.Policy = string(service.PolicyAllow)
-	engine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	engine, err := service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
 	assert.Equal(t, service.PolicyAllow, engine.Policy())
 	// Engine should initialize with 'deny' policy
 	cfg.Auth.ACLs.Policy = string(service.PolicyDeny)
-	engine, err = service.NewPolicyEngine(service.PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
 	assert.Equal(t, service.PolicyDeny, engine.Policy())
 	// Engine should allow adding rules
-	engine, err = service.NewPolicyEngine(service.PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
 	engine.RegisterRule("test-rule", testRule)
 	_, ok := engine.Rules()["test-rule"]
@@ -69,10 +57,7 @@ func TestPolicyEngine(t *testing.T) {
 	// Begin allow policy tests
 	cfg.Auth.ACLs.Policy = string(service.PolicyAllow)
-	engine, err = service.NewPolicyEngine(service.PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
 	engine.RegisterRule("test-rule", testRule)
@@ -90,10 +75,7 @@ func TestPolicyEngine(t *testing.T) {
 	// Begin deny policy tests
 	cfg.Auth.ACLs.Policy = string(service.PolicyDeny)
-	engine, err = service.NewPolicyEngine(service.PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
 	engine.RegisterRule("test-rule", testRule)
@@ -12,7 +12,6 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"tailscale.com/client/local"
 	"tailscale.com/tsnet"
 )
@@ -26,7 +25,7 @@ type TailscaleWhoisResponse struct {
 type TailscaleService struct {
 	log    *logger.Logger
-	config *model.Config
+	config model.Config
 	ctx    context.Context
 	srv *tsnet.Server
@@ -35,31 +34,22 @@ type TailscaleService struct {
 	mu  sync.Mutex
 }
-type TailscaleServiceInput struct {
+func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, dg *ding.Ding) (*TailscaleService, error) {
-	dig.In
+	if !config.Tailscale.Enabled {
 	Log    *logger.Logger
 	Config *model.Config
 	Ctx    context.Context
 	Ding   *ding.Ding
 }
 func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
 	if !i.Config.Tailscale.Enabled {
 		return nil, nil
 	}
 	srv := new(tsnet.Server)
 	// node options
-	srv.Dir = i.Config.Tailscale.Dir
+	srv.Dir = config.Tailscale.Dir
-	srv.Hostname = i.Config.Tailscale.Hostname
+	srv.Hostname = config.Tailscale.Hostname
-	srv.AuthKey = i.Config.Tailscale.AuthKey
+	srv.AuthKey = config.Tailscale.AuthKey
-	srv.Ephemeral = i.Config.Tailscale.Ephemeral
+	srv.Ephemeral = config.Tailscale.Ephemeral
 	// redirect logs to zerolog
-	srv.Logf = i.Log.App.Printf
+	srv.Logf = log.App.Printf
-	srv.UserLogf = i.Log.App.Printf
+	srv.UserLogf = log.App.Printf
 	err := srv.Start()
@@ -75,14 +65,14 @@ func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
 	}
 	service := &TailscaleService{
-		log:    i.Log,
+		log:    log,
-		config: i.Config,
+		config: config,
-		ctx:    i.Ctx,
+		ctx:    ctx,
 		srv:    srv,
 		lc:     lc,
 	}
-	connectCtx, cancel := context.WithTimeout(i.Ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
+	connectCtx, cancel := context.WithTimeout(ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
 	defer cancel()
 	err = service.waitForConn(connectCtx)
@@ -92,7 +82,7 @@ func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
 		return nil, fmt.Errorf("failed to connect to tailscale network: %w", err)
 	}
-	i.Ding.Go(service.watchAndClose, ding.RingMajor)
+	dg.Go(service.watchAndClose, ding.RingMajor)
 	return service, nil
 }
@@ -121,6 +121,14 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 		CookieDomain:      "example.com",
 		AppURL:            "https://tinyauth.example.com",
 		SessionCookieName: "tinyauth-session",
 		OIDCClients: func() []model.OIDCClientConfig {
 			var clients []model.OIDCClientConfig
 			for id, client := range config.OIDC.Clients {
 				client.ID = id
 				clients = append(clients, client)
 			}
 			return clients
 		}(),
 	}
 	return config, runtime