feat: add frontend

feat: add backend for oidc consent
chore: init db migrations
2026-06-14 15:30:16 +00:00 · 2026-06-11 18:40:56 +03:00 · 2026-06-11 18:18:47 +03:00 · 2026-06-11 18:18:39 +03:00 · 2026-06-11 18:18:21 +03:00
51 changed files with 1007 additions and 315 deletions
@@ -206,6 +206,8 @@ TINYAUTH_LDAP_ADDRESS=
 TINYAUTH_LDAP_BINDDN=
 # Bind password for LDAP authentication.
 TINYAUTH_LDAP_BINDPASSWORD=
+# Path to the Bind password.
+TINYAUTH_LDAP_BINDPASSWORDFILE=
 # Base DN for LDAP searches.
 TINYAUTH_LDAP_BASEDN=
 # Allow insecure LDAP connections.
@@ -15,7 +15,7 @@ export const useRedirectUri = (
  let isAllowedProto = false;
  let isHttpsDowngrade = false;

-  if (!redirect_uri) {
+  if (redirect_uri === undefined) {
    return {
      valid: isValid,
      trusted: isTrusted,
@@ -6,6 +6,7 @@ type ScreenParams = {
  oidc_ticket?: string;
  oidc_scope?: string;
  oidc_name?: string;
+  oidc_show_consent?: boolean;
 };

 const zodScreenParams = z.object({
@@ -14,6 +15,7 @@ const zodScreenParams = z.object({
  oidc_ticket: z.string().optional(),
  oidc_scope: z.string().optional(),
  oidc_name: z.string().optional(),
+  oidc_show_consent: z.stringbool().optional(),
 });

 export function useScreenParams(params: URLSearchParams): ScreenParams {
@@ -25,6 +25,7 @@ import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
+import { useEffect } from "react";

 type Scope = {
  id: string;
@@ -90,27 +91,54 @@ export const AuthorizePage = () => {
  const isOidc = screenParams.login_for === "oidc";
  const compiledParams = recompileScreenParams(screenParams);

-  const authorizeMutation = useMutation({
-    mutationFn: () => {
-      return axios.post("/api/oidc/authorize-complete", {
-        ticket: screenParams.oidc_ticket,
-      });
-    },
-    mutationKey: ["authorize", screenParams.oidc_ticket],
-    onSuccess: (data) => {
-      toast.info(t("authorizeSuccessTitle"), {
-        description: t("authorizeSuccessSubtitle"),
-      });
-      window.location.replace(data.data.redirect_uri);
-    },
-    onError: (error) => {
-      window.location.replace(
-        `/error?error=${encodeURIComponent(error.message)}`,
-      );
-    },
-  });
+  const { mutate: authorizeMutate, isPending: authorizeIsPending } =
+    useMutation({
+      mutationFn: () => {
+        return axios.post("/api/oidc/authorize-complete", {
+          ticket: screenParams.oidc_ticket,
+        });
+      },
+      mutationKey: ["authorize", screenParams.oidc_ticket],
+      onSuccess: (data) => {
+        toast.info(t("authorizeSuccessTitle"), {
+          description: t("authorizeSuccessSubtitle"),
+        });
+        window.location.replace(data.data.redirect_uri);
+      },
+      onError: (error) => {
+        window.location.replace(
+          `/error?error=${encodeURIComponent(error.message)}`,
+        );
+      },
+    });

-  if (!isOidc || !screenParams.oidc_ticket || !screenParams.oidc_scope) {
+  useEffect(() => {
+    if (
+      !isOidc ||
+      screenParams.oidc_ticket === undefined ||
+      screenParams.oidc_scope === undefined ||
+      !auth.authenticated
+    ) {
+      return;
+    }
+
+    if (screenParams.oidc_show_consent === false) {
+      authorizeMutate();
+    }
+  }, [
+    isOidc,
+    screenParams.oidc_ticket,
+    screenParams.oidc_scope,
+    screenParams.oidc_show_consent,
+    auth.authenticated,
+    authorizeMutate,
+  ]);
+
+  if (
+    !isOidc ||
+    screenParams.oidc_ticket === undefined ||
+    screenParams.oidc_scope === undefined
+  ) {
    return (
      <Navigate
        to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
@@ -126,6 +154,19 @@ export const AuthorizePage = () => {
  const scopes =
    screenParams.oidc_scope.split(" ").filter((s) => s.trim() !== "") || [];

+  if (screenParams.oidc_show_consent === false) {
+    return (
+      <Card>
+        <CardHeader className="gap-1.5">
+          <CardTitle className="text-xl">Authorizing</CardTitle>
+          <CardDescription>
+            You will soon be redirected to your application...
+          </CardDescription>
+        </CardHeader>
+      </Card>
+    );
+  }
+
  return (
    <Card>
      <CardHeader className="mb-2">
@@ -167,15 +208,12 @@ export const AuthorizePage = () => {
        </CardContent>
      )}
      <CardFooter className="flex flex-col items-stretch gap-3">
-        <Button
-          onClick={() => authorizeMutation.mutate()}
-          loading={authorizeMutation.isPending}
-        >
+        <Button onClick={() => authorizeMutate()} loading={authorizeIsPending}>
          {t("authorizeTitle")}
        </Button>
        <Button
          onClick={() => navigate(`/logout${compiledParams}`)}
-          disabled={authorizeMutation.isPending}
+          disabled={authorizeIsPending}
          variant="outline"
        >
          {t("cancelTitle")}
@@ -11,7 +11,7 @@ export const ErrorPage = () => {
  const { t } = useTranslation();
  const { search } = useLocation();
  const searchParams = new URLSearchParams(search);
-  const error = searchParams.get("error") || "";
+  const error = searchParams.get("error") ?? "";

  return (
    <Card>
@@ -168,8 +168,7 @@ export const LoginPage = () => {
      !auth.authenticated &&
      isOauthAutoRedirect &&
      !hasAutoRedirectedRef.current &&
-      screenParams.redirect_uri &&
-      screenParams.login_for
+      screenParams.login_for !== undefined
    ) {
      hasAutoRedirectedRef.current = true;
      oauthMutate(oauth.autoRedirect);
@@ -181,7 +180,6 @@ export const LoginPage = () => {
    oauth.autoRedirect,
    isOauthAutoRedirect,
    screenParams.login_for,
-    screenParams.redirect_uri,
  ]);

  useEffect(() => {
@@ -67,15 +67,24 @@ func run() error {
 		Overlay: map[string][]byte{outPath: stub},
 	}

-	driverTypePkg, err := loadOnePkg(cfg, *driverPkg)
+	repoPkgPath := parentPkg(*driverPkg)
+
+	pkgs, err := loadMultiplePkgs(cfg, *driverPkg, repoPkgPath)
+
 	if err != nil {
-		return fmt.Errorf("load driver package: %w", err)
+		return fmt.Errorf("load packages: %w", err)
 	}

-	repoPkgPath := parentPkg(*driverPkg)
-	repoTypePkg, err := loadOnePkg(cfg, repoPkgPath)
-	if err != nil {
-		return fmt.Errorf("load repo package: %w", err)
+	driverTypePkg, ok := pkgs[*driverPkg]
+
+	if !ok {
+		return fmt.Errorf("driver package %s not found in loaded packages", *driverPkg)
+	}
+
+	repoTypePkg, ok := pkgs[repoPkgPath]
+
+	if !ok {
+		return fmt.Errorf("repository package %s not found in loaded packages", repoPkgPath)
 	}

 	if err := validateStructShapes(driverTypePkg, repoTypePkg); err != nil {
@@ -106,25 +115,25 @@ func run() error {
 	return nil
 }

-// loadOnePkg loads a single package via cfg and returns its *types.Package,
-// or an error if the package fails to load or has type errors.
-func loadOnePkg(cfg *packages.Config, importPath string) (*types.Package, error) {
-	pkgs, err := packages.Load(cfg, importPath)
+// loadMultiplePkgs loads multiple packages via cfg and returns a map of import path → *types.Package,
+// or an error if any package fails to load or has type errors.
+func loadMultiplePkgs(cfg *packages.Config, importPaths ...string) (map[string]*types.Package, error) {
+	pkgs, err := packages.Load(cfg, importPaths...)
 	if err != nil {
-		return nil, fmt.Errorf("load %s: %w", importPath, err)
+		return nil, fmt.Errorf("load %v: %w", importPaths, err)
 	}
-	if len(pkgs) != 1 {
-		return nil, fmt.Errorf("expected 1 package for %s, got %d", importPath, len(pkgs))
-	}
-	pkg := pkgs[0]
-	if len(pkg.Errors) > 0 {
-		msgs := make([]string, len(pkg.Errors))
-		for i, e := range pkg.Errors {
-			msgs[i] = e.Error()
+	out := make(map[string]*types.Package)
+	for _, pkg := range pkgs {
+		if len(pkg.Errors) > 0 {
+			msgs := make([]string, len(pkg.Errors))
+			for i, e := range pkg.Errors {
+				msgs[i] = e.Error()
+			}
+			return nil, fmt.Errorf("package %s has errors:\n  %s", pkg.PkgPath, strings.Join(msgs, "\n  "))
 		}
-		return nil, fmt.Errorf("package %s has errors:\n  %s", importPath, strings.Join(msgs, "\n  "))
+		out[pkg.PkgPath] = pkg.Types
 	}
-	return pkg.Types, nil
+	return out, nil
 }

 // parentPkg returns the parent import path (everything before the last /).
@@ -0,0 +1,7 @@
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS "oidc_consent";
@@ -0,0 +1 @@
+DROP TABLE IF EXISTS "oidc_consent";
@@ -0,0 +1,7 @@
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
@@ -31,10 +31,24 @@ import (
 // 2. HTTP server listeners - ding.RingNormal
 // 3. Networking layers, user and label providers (e.g. ailscale service, kubernetes service) - ding.RingMajor
 // 4. Database connection - ding.RingCritical
+
+type Services struct {
+	accessControlService *service.AccessControlsService
+	authService          *service.AuthService
+	dockerService        *service.DockerService
+	kubernetesService    *service.KubernetesService
+	ldapService          *service.LdapService
+	oauthBrokerService   *service.OAuthBrokerService
+	oidcService          *service.OIDCService
+	tailscaleService     *service.TailscaleService
+	policyEngine         *service.PolicyEngine
+}
+
 type BootstrapApp struct {
 	config    model.Config
 	runtime   model.RuntimeConfig
-	services  service.Services
+	helpers   model.RuntimeHelpers
+	services  Services
 	log       *logger.Logger
 	ctx       context.Context
 	cancel    context.CancelFunc
@@ -43,9 +57,6 @@ type BootstrapApp struct {
 	db        *sql.DB
 	ding      *ding.Ding
 	listeners []Listener
-	deps      struct {
-		service *service.ServiceDependencies
-	}
 }

 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -175,9 +186,8 @@ func (app *BootstrapApp) Setup() error {
 	cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough

 	app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
-	app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
-	app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
 	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
+	app.runtime.ConsentCookieName = fmt.Sprintf("%s-%s", model.ConsentCookieName, cookieId)

 	// database
 	store, err := app.SetupStore()
@@ -223,7 +233,7 @@ func (app *BootstrapApp) Setup() error {
 		return configuredProviders[i].Name < configuredProviders[j].Name
 	})

-	if app.services.AuthService.LocalAuthConfigured() {
+	if app.services.authService.LocalAuthConfigured() {
 		configuredProviders = append(configuredProviders, model.Provider{
 			Name:  "Local",
 			ID:    "local",
@@ -231,7 +241,7 @@ func (app *BootstrapApp) Setup() error {
 		})
 	}

-	if app.services.AuthService.LDAPAuthConfigured() {
+	if app.services.authService.LDAPAuthConfigured() {
 		configuredProviders = append(configuredProviders, model.Provider{
 			Name:  "LDAP",
 			ID:    "ldap",
@@ -250,10 +260,13 @@ func (app *BootstrapApp) Setup() error {
 	app.runtime.ConfiguredProviders = configuredProviders

 	// throw in tailscale if it's configured just before setting up the controllers
-	if app.services.TailscaleService != nil {
-		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.TailscaleService.GetHostname())
+	if app.services.tailscaleService != nil {
+		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
 	}

+	// runtime helpers
+	app.helpers.GetCookieDomain = app.getCookieDomain
+
 	// setup router
 	err = app.setupRouter()

@@ -0,0 +1,55 @@
+package bootstrap
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/tinyauthapp/tinyauth/internal/utils"
+)
+
+// Not really the best place for the helpers to be but it works because bootstrap app provides
+// them with everything they need
+
+func (app *BootstrapApp) getCookieDomain(ctx context.Context, ip string) (string, error) {
+	cookieDomain := app.runtime.CookieDomain
+
+	if app.isTailscaleRequest(ctx, ip) {
+		if app.services.tailscaleService == nil {
+			return "", errors.New("tailscale service is not configured")
+		}
+
+		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
+
+		if err != nil {
+			return "", fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
+		}
+
+		cookieDomain = tsCookieDomain
+	}
+
+	if app.config.Auth.SubdomainsEnabled {
+		cookieDomain = "." + cookieDomain
+	}
+
+	return cookieDomain, nil
+}
+
+func (app *BootstrapApp) isTailscaleRequest(ctx context.Context, ip string) bool {
+	if app.services.tailscaleService == nil {
+		return false
+	}
+
+	whois, err := app.services.tailscaleService.Whois(ctx, ip)
+
+	if err != nil {
+		app.log.App.Error().Err(err).Msgf("Error performing Tailscale whois for IP %s: %v", ip, err)
+		return false
+	}
+
+	if whois == nil {
+		return false
+	}
+
+	return true
+}
@@ -40,7 +40,7 @@ func (app *BootstrapApp) setupRouter() error {
 		}
 	}

-	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.AuthService, app.services.OAuthBrokerService, app.services.TailscaleService)
+	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService, app.services.tailscaleService)
 	engine.Use(contextMiddleware.Middleware())

 	uiMiddleware, err := middleware.NewUIMiddleware()
@@ -58,13 +58,13 @@ func (app *BootstrapApp) setupRouter() error {
 	apiRouter := engine.Group("/api")

 	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.AuthService)
-	controller.NewOIDCController(app.log, app.services.OIDCService, app.runtime, apiRouter, &engine.RouterGroup)
-	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.AccessControlService, app.services.AuthService, app.services.PolicyEngine)
-	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.AuthService)
+	controller.NewOAuthController(app.log, app.config, app.runtime, &app.helpers, apiRouter, app.services.authService)
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, &app.helpers, app.config, apiRouter, &engine.RouterGroup)
+	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
+	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
 	controller.NewResourcesController(app.config, &engine.RouterGroup)
 	controller.NewHealthController(apiRouter)
-	controller.NewWellKnownController(app.services.OIDCService, &engine.RouterGroup)
+	controller.NewWellKnownController(app.services.oidcService, &engine.RouterGroup)

 	app.router = engine
 	return nil
@@ -99,7 +99,7 @@ func (app *BootstrapApp) calculateListenerPolicy() []Listener {
 	l := []Listener{}

 	if !app.config.Server.ConcurrentListenersEnabled {
-		if app.services.TailscaleService != nil {
+		if app.services.tailscaleService != nil {
 			l = append(l, ListenerTailscale)
 			return l
 		}
@@ -117,7 +117,7 @@ func (app *BootstrapApp) calculateListenerPolicy() []Listener {
 		l = append(l, ListenerUnix)
 	}

-	if app.services.TailscaleService != nil {
+	if app.services.tailscaleService != nil {
 		l = append(l, ListenerTailscale)
 	}

@@ -186,9 +186,9 @@ func (app *BootstrapApp) serveUnix(ctx context.Context) error {
 }

 func (app *BootstrapApp) serveTailscale(ctx context.Context) error {
-	app.log.App.Info().Msgf("Starting Tailscale server on %s", fmt.Sprintf("https://%s", app.services.TailscaleService.GetHostname()))
+	app.log.App.Info().Msgf("Starting Tailscale server on %s", fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))

-	listener, err := app.services.TailscaleService.CreateListener()
+	listener, err := app.services.tailscaleService.CreateListener()

 	if err != nil {
 		return fmt.Errorf("failed to create tailscale listener: %w", err)
@@ -8,23 +8,13 @@ import (
 )

 func (app *BootstrapApp) setupServices() error {
-	app.deps.service = &service.ServiceDependencies{
-		Log:           app.log,
-		StaticConfig:  &app.config,
-		RuntimeConfig: &app.runtime,
-		Ctx:           app.ctx,
-		Ding:          app.ding,
-		Services:      &app.services,
-		Queries:       &app.queries,
-	}
-
-	ldap, err := service.NewLdapService(app.deps.service)
+	ldapService, err := service.NewLdapService(app.log, app.config, app.ding)

 	if err != nil {
 		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
 	}

-	app.services.LDAPService = ldap
+	app.services.ldapService = ldapService

 	labelProvider, err := app.getLabelProvider()

@@ -32,18 +22,16 @@ func (app *BootstrapApp) setupServices() error {
 		return fmt.Errorf("failed to initialize label provider: %w", err)
 	}

-	app.deps.service.LabelProvider = labelProvider
-
-	tailscaleService, err := service.NewTailscaleService(app.deps.service)
+	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, app.ding)

 	if err != nil {
 		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
 	}

-	app.services.TailscaleService = tailscaleService
+	app.services.tailscaleService = tailscaleService

-	accessControlsService := service.NewAccessControlsService(app.deps.service)
-	app.services.AccessControlService = accessControlsService
+	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
+	app.services.accessControlService = accessControlsService

 	err = app.setupPolicyEngine()

@@ -51,19 +39,19 @@ func (app *BootstrapApp) setupServices() error {
 		return fmt.Errorf("failed to initialize policy engine: %w", err)
 	}

-	oauthBrokerService := service.NewOAuthBrokerService(app.deps.service)
-	app.services.OAuthBrokerService = oauthBrokerService
+	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
+	app.services.oauthBrokerService = oauthBrokerService

-	authService := service.NewAuthService(app.deps.service)
-	app.services.AuthService = authService
+	authService := service.NewAuthService(app.log, app.config, app.runtime, &app.helpers, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
+	app.services.authService = authService

-	oidcService, err := service.NewOIDCService(app.deps.service)
+	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)

 	if err != nil {
 		return fmt.Errorf("failed to initialize oidc service: %w", err)
 	}

-	app.services.OIDCService = oidcService
+	app.services.oidcService = oidcService

 	return nil
 }
@@ -81,19 +69,19 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 		if useKubernetes {
 			app.log.App.Debug().Msg("Using Kubernetes label provider")

-			kubernetesService, err := service.NewKubernetesService(app.deps.service)
+			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, app.ding)

 			if err != nil {
 				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
 			}

-			app.services.KubernetesService = kubernetesService
+			app.services.kubernetesService = kubernetesService
 			return kubernetesService, nil
 		}

 		app.log.App.Debug().Msg("Using Docker label provider")

-		dockerService, err := service.NewDockerService(app.deps.service)
+		dockerService, err := service.NewDockerService(app.log, app.ctx, app.ding)

 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize docker service: %w", err)
@@ -106,7 +94,7 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 			return nil, nil
 		}

-		app.services.DockerService = dockerService
+		app.services.dockerService = dockerService
 		return dockerService, nil
 	default:
 		return nil, fmt.Errorf("invalid label provider: %s", app.config.LabelProvider)
@@ -114,7 +102,7 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 }

 func (app *BootstrapApp) setupPolicyEngine() error {
-	policyEngine, err := service.NewPolicyEngine(app.deps.service)
+	policyEngine, err := service.NewPolicyEngine(app.config, app.log)

 	if err != nil {
 		return fmt.Errorf("failed to initialize policy engine: %w", err)
@@ -141,6 +129,6 @@ func (app *BootstrapApp) setupPolicyEngine() error {
 		Config: app.config,
 	})

-	app.services.PolicyEngine = policyEngine
+	app.services.policyEngine = policyEngine
 	return nil
 }
@@ -24,6 +24,7 @@ type OAuthController struct {
 	log     *logger.Logger
 	config  model.Config
 	runtime model.RuntimeConfig
+	helpers *model.RuntimeHelpers
 	auth    *service.AuthService
 }

@@ -31,6 +32,7 @@ func NewOAuthController(
 	log *logger.Logger,
 	config model.Config,
 	runtimeConfig model.RuntimeConfig,
+	helpers *model.RuntimeHelpers,
 	router *gin.RouterGroup,
 	auth *service.AuthService,
 ) *OAuthController {
@@ -38,6 +40,7 @@ func NewOAuthController(
 		log:     log,
 		config:  config,
 		runtime: runtimeConfig,
+		helpers: helpers,
 		auth:    auth,
 	}

@@ -105,7 +108,18 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}

-	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", cookieDomain, controller.config.Auth.SecureCookie, true)

 	c.JSON(200, gin.H{
 		"status":  200,
@@ -135,7 +149,15 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}

-	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", cookieDomain, controller.config.Auth.SecureCookie, true)

 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)

@@ -252,7 +274,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	controller.log.App.Debug().Msg("Creating session cookie for user")

-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())

 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
@@ -298,10 +320,3 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackParams) bool {
 	return params.LoginFor == string(FrontendLoginForOIDC)
 }
-
-func (controller *OAuthController) getCookieDomain() string {
-	if controller.config.Auth.SubdomainsEnabled {
-		return "." + controller.runtime.CookieDomain
-	}
-	return controller.runtime.CookieDomain
-}
@@ -1,12 +1,14 @@
 package controller

 import (
+	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"slices"
 	"strings"
+	"time"

 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
@@ -31,6 +33,8 @@ type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
 	runtime model.RuntimeConfig
+	helpers *model.RuntimeHelpers
+	config  model.Config
 }

 type AuthorizeCallback struct {
@@ -68,10 +72,11 @@ type ClientCredentials struct {
 }

 type AuthorizeScreenParams struct {
-	LoginFor   FrontendLoginFor `url:"login_for"`
-	OIDCTicket string           `url:"oidc_ticket"`
-	OIDCScope  string           `url:"oidc_scope"`
-	OIDCName   string           `url:"oidc_name"`
+	LoginFor        FrontendLoginFor `url:"login_for"`
+	OIDCTicket      string           `url:"oidc_ticket"`
+	OIDCScope       string           `url:"oidc_scope"`
+	OIDCName        string           `url:"oidc_name"`
+	OIDCShowConsent bool             `url:"oidc_show_consent"`
 }

 type AuthorizeCompleteRequest struct {
@@ -82,12 +87,16 @@ func NewOIDCController(
 	log *logger.Logger,
 	oidcService *service.OIDCService,
 	runtimeConfig model.RuntimeConfig,
+	helpers *model.RuntimeHelpers,
+	config model.Config,
 	router *gin.RouterGroup,
 	mainRouter *gin.RouterGroup) *OIDCController {
 	controller := &OIDCController{
 		log:     log,
 		oidc:    oidcService,
 		runtime: runtimeConfig,
+		helpers: helpers,
+		config:  config,
 	}

 	mainRouter.POST("/authorize", controller.authorize)
@@ -163,11 +172,31 @@ func (controller *OIDCController) authorize(c *gin.Context) {

 	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)

+	// Check if we have consented before for this client and scope
+	consnetCookie, err := c.Cookie(controller.runtime.ConsentCookieName)
+
+	showConsent := true
+
+	if err == nil {
+		consentEntry, err := controller.oidc.GetConsentEntry(c, consnetCookie)
+
+		if err == nil && consentEntry != nil {
+			if consentEntry.ClientID == req.ClientID && consentEntry.Scopes == req.Scope {
+				showConsent = false
+			}
+		} else {
+			if !errors.Is(err, sql.ErrNoRows) {
+				controller.log.App.Error().Err(err).Msg("Failed to get consent entry for consent cookie")
+			}
+		}
+	}
+
 	queries, err := query.Values(AuthorizeScreenParams{
-		LoginFor:   FrontendLoginForOIDC,
-		OIDCTicket: ticket,
-		OIDCScope:  req.Scope,
-		OIDCName:   client.Name,
+		LoginFor:        FrontendLoginForOIDC,
+		OIDCTicket:      ticket,
+		OIDCScope:       req.Scope,
+		OIDCName:        client.Name,
+		OIDCShowConsent: showConsent,
 	})

 	if err != nil {
@@ -289,6 +318,33 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 		return
 	}

+	// Just before returning let's set the consent cookie
+	consnetUUID, err := controller.oidc.CreateConsentEntry(c, authorizeReq.ClientID, authorizeReq.Scope)
+
+	// If we fail to create the consent entry, we don't want to block the authorization flow,
+	// but we log the error and move on without setting the cookie
+	if err == nil {
+		cookieDomain, err := controller.helpers.GetCookieDomain(c.Request.Context(), c.RemoteIP())
+
+		if err == nil {
+			cookie := &http.Cookie{
+				Name:     controller.runtime.ConsentCookieName,
+				Value:    consnetUUID,
+				Path:     "/",
+				Domain:   cookieDomain,
+				Expires:  time.Now().Add(365 * 24 * time.Hour), // set consent cookie for 1 year
+				Secure:   controller.config.Auth.SecureCookie,
+				HttpOnly: true,
+				SameSite: http.SameSiteLaxMode,
+			}
+			http.SetCookie(c.Writer, cookie)
+		} else {
+			controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain for consent cookie")
+		}
+	} else {
+		controller.log.App.Error().Err(err).Msg("Failed to create consent entry")
+	}
+
 	c.JSON(200, gin.H{
 		"status":       200,
 		"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),
@@ -30,6 +30,8 @@ func TestOIDCController(t *testing.T) {

 	cfg, runtime := test.CreateTestConfigs(t)

+	helpers := test.CreateTestHelpers()
+
 	ctx := context.TODO()
 	dg := ding.New(ctx)

@@ -831,7 +833,7 @@ func TestOIDCController(t *testing.T) {
 				svc = nil
 			}

-			controller.NewOIDCController(log, svc, runtime, group, &router.RouterGroup)
+			controller.NewOIDCController(log, svc, runtime, helpers, cfg, group, &router.RouterGroup)

 			recorder := httptest.NewRecorder()

@@ -24,6 +24,8 @@ func TestProxyController(t *testing.T) {

 	cfg, runtime := test.CreateTestConfigs(t)

+	helpers := test.CreateTestHelpers()
+
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`

@@ -395,7 +397,7 @@ func TestProxyController(t *testing.T) {
 		Log: log,
 	})

-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)

 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -150,7 +150,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 				Email:       email,
 				Provider:    "local",
 				TotpPending: true,
-			})
+			}, c.RemoteIP())

 			if err != nil {
 				controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create pending TOTP session")
@@ -195,7 +195,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 	}

-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())

 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create session cookie after successful login")
@@ -246,7 +246,7 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 		return
 	}

-	cookie, err := controller.auth.DeleteSession(c, uuid)
+	cookie, err := controller.auth.DeleteSession(c, uuid, c.RemoteIP())

 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Error deleting session on logout")
@@ -350,7 +350,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	uuid, err := c.Cookie(controller.runtime.SessionCookieName)

 	if err == nil {
-		_, err = controller.auth.DeleteSession(c, uuid)
+		_, err = controller.auth.DeleteSession(c, uuid, c.RemoteIP())
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to delete pending TOTP session after successful verification")
 		}
@@ -374,7 +374,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		sessionCookie.Email = user.Attributes.Email
 	}

-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())

 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
@@ -424,7 +424,7 @@ func (controller *UserController) tailscaleHandler(c *gin.Context) {
 		Provider: "tailscale",
 	}

-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())

 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful Tailscale login")
@@ -29,6 +29,8 @@ func TestUserController(t *testing.T) {

 	cfg, runtime := test.CreateTestConfigs(t)

+	helpers := test.CreateTestHelpers()
+
 	totpCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: false,
@@ -418,7 +420,7 @@ func TestUserController(t *testing.T) {
 	require.NoError(t, err)

 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)

 	beforeEach := func() {
 		// Clear failed login attempts before each test
@@ -206,12 +206,12 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 		}

 		if !m.auth.IsEmailWhitelisted(userContext.OAuth.ID, userContext.OAuth.Email) {
-			m.auth.DeleteSession(ctx, uuid)
+			m.auth.DeleteSession(ctx, uuid, ip)
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}
 	}

-	cookie, err := m.auth.RefreshSession(ctx, uuid)
+	cookie, err := m.auth.RefreshSession(ctx, uuid, ip)

 	if err != nil {
 		return nil, nil, fmt.Errorf("error refreshing session: %w", err)
@@ -27,6 +27,8 @@ func TestContextMiddleware(t *testing.T) {

 	cfg, runtime := test.CreateTestConfigs(t)

+	helpers := test.CreateTestHelpers()
+
 	basicAuthHeader := func(username, password string) string {
 		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
 	}
@@ -258,7 +260,7 @@ func TestContextMiddleware(t *testing.T) {
 	require.NoError(t, err)

 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)

 	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)

@@ -18,8 +18,7 @@ var OverrideProviders = map[string]string{
 }

 const SessionCookieName = "tinyauth-session"
-const CSRFCookieName = "tinyauth-csrf"
-const RedirectCookieName = "tinyauth-redirect"
 const OAuthSessionCookieName = "tinyauth-oauth"
+const ConsentCookieName = "tinyauth-consent"

 const GracefulShutdownTimeout = 5 // seconds
@@ -1,13 +1,14 @@
 package model

+import "context"
+
 type RuntimeConfig struct {
 	AppURL                 string
 	UUID                   string
 	CookieDomain           string
 	SessionCookieName      string
-	CSRFCookieName         string
-	RedirectCookieName     string
 	OAuthSessionCookieName string
+	ConsentCookieName      string
 	LocalUsers             []LocalUser
 	OAuthProviders         map[string]OAuthServiceConfig
 	OAuthWhitelist         []string
@@ -16,6 +17,10 @@ type RuntimeConfig struct {
 	TrustedDomains         []string
 }

+type RuntimeHelpers struct {
+	GetCookieDomain func(ctx context.Context, ip string) (string, error)
+}
+
 type Provider struct {
 	Name  string `json:"name"`
 	ID    string `json:"id"`
@@ -277,6 +277,78 @@ func TestMemoryStore(t *testing.T) {
 				assert.NoError(t, err)
 			},
 		},
+		{
+			description: "Create and get OIDC consent",
+			run: func(t *testing.T, s repository.Store) {
+				consent, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{
+					UUID:     "uuid-1",
+					ClientID: "client-1",
+					Scopes:   "openid profile",
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "uuid-1", consent.UUID)
+				assert.Equal(t, "client-1", consent.ClientID)
+				assert.Equal(t, "openid profile", consent.Scopes)
+
+				got, err := s.GetOIDCConsentByUUID(ctx, "uuid-1")
+				require.NoError(t, err)
+				assert.Equal(t, consent, got)
+			},
+		},
+		{
+			description: "Get OIDC consent by UUID not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOIDCConsentByUUID(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Create OIDC consent unique UUID constraint",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
+				require.NoError(t, err)
+
+				_, err = s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-2", Scopes: "profile"})
+				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_consent.uuid")
+			},
+		},
+		{
+			description: "Update OIDC consent",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
+				require.NoError(t, err)
+
+				updated, err := s.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{
+					UUID:   "uuid-1",
+					Scopes: "profile email",
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "profile email", updated.Scopes)
+
+				got, err := s.GetOIDCConsentByUUID(ctx, "uuid-1")
+				require.NoError(t, err)
+				assert.Equal(t, updated, got)
+			},
+		},
+		{
+			description: "Update OIDC consent not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{UUID: "missing"})
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete OIDC consent by UUID",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteOIDCConsentByUUID(ctx, "uuid-1"))
+
+				_, err = s.GetOIDCConsentByUUID(ctx, "uuid-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
 	}

 	for _, test := range tests {
@@ -94,3 +94,47 @@ func (s *Store) DeleteExpiredOIDCSessions(_ context.Context, arg repository.Dele
 	}
 	return nil
 }
+
+func (s *Store) CreateOIDCConsent(_ context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if _, ok := s.oidcConsent[arg.UUID]; ok {
+		return repository.OidcConsent{}, fmt.Errorf("UNIQUE constraint failed: oidc_consent.uuid")
+	}
+	consent := repository.OidcConsent{
+		UUID:     arg.UUID,
+		ClientID: arg.ClientID,
+		Scopes:   arg.Scopes,
+	}
+	s.oidcConsent[arg.UUID] = consent
+	return consent, nil
+}
+
+func (s *Store) GetOIDCConsentByUUID(_ context.Context, uuid string) (repository.OidcConsent, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	consent, ok := s.oidcConsent[uuid]
+	if !ok {
+		return repository.OidcConsent{}, repository.ErrNotFound
+	}
+	return consent, nil
+}
+
+func (s *Store) UpdateOIDCConsent(_ context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	consent, ok := s.oidcConsent[arg.UUID]
+	if !ok {
+		return repository.OidcConsent{}, repository.ErrNotFound
+	}
+	consent.Scopes = arg.Scopes
+	s.oidcConsent[arg.UUID] = consent
+	return consent, nil
+}
+
+func (s *Store) DeleteOIDCConsentByUUID(_ context.Context, uuid string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.oidcConsent, uuid)
+	return nil
+}
@@ -12,6 +12,7 @@ type Store struct {
 	mu           sync.RWMutex
 	sessions     map[string]repository.Session
 	oidcSessions map[string]repository.OidcSession
+	oidcConsent  map[string]repository.OidcConsent
 }

 // New returns a new empty in-memory Store.
@@ -19,5 +20,6 @@ func New() repository.Store {
 	return &Store{
 		sessions:     make(map[string]repository.Session),
 		oidcSessions: make(map[string]repository.OidcSession),
+		oidcConsent:  make(map[string]repository.OidcConsent),
 	}
 }
@@ -1,8 +1,18 @@
 package repository

+import "time"
+
 // Shared model and parameter types for all storage drivers.
 // sqlc-generated driver packages use these via the conversion layer in their store.go.

+type OidcConsent struct {
+	UUID      string
+	ClientID  string
+	Scopes    string
+	CreatedAt time.Time
+	UpdatedAt time.Time
+}
+
 type Session struct {
 	UUID        string
 	Username    string
@@ -84,3 +94,14 @@ type DeleteExpiredOIDCSessionsParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
+
+type CreateOIDCConsentParams struct {
+	UUID     string
+	ClientID string
+	Scopes   string
+}
+
+type UpdateOIDCConsentParams struct {
+	Scopes string
+	UUID   string
+}
@@ -4,6 +4,18 @@

 package postgres

+import (
+	"time"
+)
+
+type OidcConsent struct {
+	UUID      string
+	ClientID  string
+	Scopes    string
+	CreatedAt time.Time
+	UpdatedAt time.Time
+}
+
 type OidcSession struct {
 	Sub                   string
 	AccessTokenHash       string
@@ -9,6 +9,36 @@ import (
 	"context"
 )

+const createOIDCConsent = `-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    $1, $2, $3
+)
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type CreateOIDCConsentParams struct {
+	UUID     string
+	ClientID string
+	Scopes   string
+}
+
+func (q *Queries) CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, createOIDCConsent, arg.UUID, arg.ClientID, arg.Scopes)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const createOIDCSession = `-- name: CreateOIDCSession :one
 INSERT INTO "oidc_sessions" (
    "sub",
@@ -80,6 +110,16 @@ func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpir
 	return err
 }

+const deleteOIDCConsentByUUID = `-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = $1
+`
+
+func (q *Queries) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	_, err := q.db.ExecContext(ctx, deleteOIDCConsentByUUID, uuid)
+	return err
+}
+
 const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
 DELETE FROM "oidc_sessions"
 WHERE "sub" = $1
@@ -90,6 +130,24 @@ func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error
 	return err
 }

+const getOIDCConsentByUUID = `-- name: GetOIDCConsentByUUID :one
+SELECT uuid, client_id, scopes, created_at, updated_at FROM "oidc_consent"
+WHERE "uuid" = $1
+`
+
+func (q *Queries) GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, getOIDCConsentByUUID, uuid)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = $1
@@ -156,6 +214,32 @@ func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSess
 	return i, err
 }

+const updateOIDCConsent = `-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = $1,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = $2
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type UpdateOIDCConsentParams struct {
+	Scopes string
+	UUID   string
+}
+
+func (q *Queries) UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, updateOIDCConsent, arg.Scopes, arg.UUID)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const updateOIDCSession = `-- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
    "access_token_hash" = $1,
@@ -32,6 +32,14 @@ func mapErr(err error) error {
 	return err
 }

+func (s *Store) CreateOIDCConsent(ctx context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.CreateOIDCConsent(ctx, CreateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
@@ -56,6 +64,10 @@ func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }

+func (s *Store) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	return mapErr(s.q.DeleteOIDCConsentByUUID(ctx, uuid))
+}
+
 func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
@@ -64,6 +76,14 @@ func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }

+func (s *Store) GetOIDCConsentByUUID(ctx context.Context, uuid string) (repository.OidcConsent, error) {
+	r, err := s.q.GetOIDCConsentByUUID(ctx, uuid)
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
 	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
@@ -96,6 +116,14 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }

+func (s *Store) UpdateOIDCConsent(ctx context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.UpdateOIDCConsent(ctx, UpdateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {
@@ -4,6 +4,18 @@

 package sqlite

+import (
+	"time"
+)
+
+type OidcConsent struct {
+	UUID      string
+	ClientID  string
+	Scopes    string
+	CreatedAt time.Time
+	UpdatedAt time.Time
+}
+
 type OidcSession struct {
 	Sub                   string
 	AccessTokenHash       string
@@ -9,6 +9,36 @@ import (
 	"context"
 )

+const createOIDCConsent = `-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    ?, ?, ?
+)
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type CreateOIDCConsentParams struct {
+	UUID     string
+	ClientID string
+	Scopes   string
+}
+
+func (q *Queries) CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, createOIDCConsent, arg.UUID, arg.ClientID, arg.Scopes)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const createOIDCSession = `-- name: CreateOIDCSession :one
 INSERT INTO "oidc_sessions" (
    "sub",
@@ -80,6 +110,16 @@ func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpir
 	return err
 }

+const deleteOIDCConsentByUUID = `-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = ?
+`
+
+func (q *Queries) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	_, err := q.db.ExecContext(ctx, deleteOIDCConsentByUUID, uuid)
+	return err
+}
+
 const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
 DELETE FROM "oidc_sessions"
 WHERE "sub" = ?
@@ -90,6 +130,24 @@ func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error
 	return err
 }

+const getOIDCConsentByUUID = `-- name: GetOIDCConsentByUUID :one
+SELECT uuid, client_id, scopes, created_at, updated_at FROM "oidc_consent"
+WHERE "uuid" = ?
+`
+
+func (q *Queries) GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, getOIDCConsentByUUID, uuid)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = ?
@@ -156,6 +214,32 @@ func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSess
 	return i, err
 }

+const updateOIDCConsent = `-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = ?,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = ?
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type UpdateOIDCConsentParams struct {
+	Scopes string
+	UUID   string
+}
+
+func (q *Queries) UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, updateOIDCConsent, arg.Scopes, arg.UUID)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const updateOIDCSession = `-- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
    "access_token_hash" = ?,
@@ -32,6 +32,14 @@ func mapErr(err error) error {
 	return err
 }

+func (s *Store) CreateOIDCConsent(ctx context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.CreateOIDCConsent(ctx, CreateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
@@ -56,6 +64,10 @@ func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }

+func (s *Store) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	return mapErr(s.q.DeleteOIDCConsentByUUID(ctx, uuid))
+}
+
 func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
@@ -64,6 +76,14 @@ func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }

+func (s *Store) GetOIDCConsentByUUID(ctx context.Context, uuid string) (repository.OidcConsent, error) {
+	r, err := s.q.GetOIDCConsentByUUID(ctx, uuid)
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
 	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
@@ -96,6 +116,14 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }

+func (s *Store) UpdateOIDCConsent(ctx context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.UpdateOIDCConsent(ctx, UpdateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {
@@ -27,4 +27,10 @@ type Store interface {
 	GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error)
 	GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error)
 	UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error)
+
+	// OIDC consents
+	CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error)
+	DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error
+	GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error)
+	UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error)
 }
@@ -13,18 +13,19 @@ type LabelProvider interface {

 type AccessControlsService struct {
 	log           *logger.Logger
-	config        *model.Config
+	config        model.Config
 	labelProvider *LabelProvider
 }

 func NewAccessControlsService(
-	deps *ServiceDependencies,
-) *AccessControlsService {
+	log *logger.Logger,
+	config model.Config,
+	labelProvider *LabelProvider) *AccessControlsService {

 	return &AccessControlsService{
-		log:           deps.Log,
-		config:        deps.StaticConfig,
-		labelProvider: &deps.LabelProvider,
+		log:           log,
+		config:        config,
+		labelProvider: labelProvider,
 	}
 }

@@ -57,8 +57,9 @@ type LoginAttempt struct {

 type AuthService struct {
 	log     *logger.Logger
-	config  *model.Config
-	runtime *model.RuntimeConfig
+	config  model.Config
+	runtime model.RuntimeConfig
+	helpers *model.RuntimeHelpers
 	ctx     context.Context

 	ldap         *LdapService
@@ -83,18 +84,29 @@ type AuthService struct {
 }

 func NewAuthService(
-	deps *ServiceDependencies,
+	log *logger.Logger,
+	config model.Config,
+	runtime model.RuntimeConfig,
+	helpers *model.RuntimeHelpers,
+	ctx context.Context,
+	dg *ding.Ding,
+	ldap *LdapService,
+	queries repository.Store,
+	oauthBroker *OAuthBrokerService,
+	tailscale *TailscaleService,
+	policy *PolicyEngine,
 ) *AuthService {
 	service := &AuthService{
-		log:          deps.Log,
-		runtime:      deps.RuntimeConfig,
-		ctx:          deps.Ctx,
-		config:       deps.StaticConfig,
-		ldap:         deps.Services.LDAPService,
-		queries:      *deps.Queries,
-		oauthBroker:  deps.Services.OAuthBrokerService,
-		tailscale:    deps.Services.TailscaleService,
-		policyEngine: deps.Services.PolicyEngine,
+		log:          log,
+		runtime:      runtime,
+		helpers:      helpers,
+		ctx:          ctx,
+		config:       config,
+		ldap:         ldap,
+		queries:      queries,
+		oauthBroker:  oauthBroker,
+		tailscale:    tailscale,
+		policyEngine: policy,
 	}

 	// caches setup
@@ -106,7 +118,7 @@ func NewAuthService(
 	service.caches.login = loginCache
 	service.caches.ldap = ldapCache

-	deps.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()

@@ -313,7 +325,7 @@ func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool
 	})
 }

-func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
+func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session, ip string) (*http.Cookie, error) {
 	if data.Provider == "tailscale" && auth.tailscale == nil {
 		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
 	}
@@ -354,33 +366,17 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 		return nil, fmt.Errorf("failed to create session entry: %w", err)
 	}

-	if data.Provider == "tailscale" {
-		auth.log.App.Trace().Str("url", fmt.Sprintf("https://%s", auth.tailscale.GetHostname())).Msg("Extracting root domain from Tailscale hostname")
+	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)

-		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", auth.tailscale.GetHostname()))
-
-		if err != nil {
-			return nil, fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
-		}
-
-		return &http.Cookie{
-			Name:     auth.runtime.SessionCookieName,
-			Value:    session.UUID,
-			Path:     "/",
-			Domain:   fmt.Sprintf(".%s", tsCookieDomain),
-			Expires:  expiresAt,
-			MaxAge:   int(time.Until(expiresAt).Seconds()),
-			Secure:   auth.config.Auth.SecureCookie,
-			HttpOnly: true,
-			SameSite: http.SameSiteLaxMode,
-		}, nil
+	if err != nil {
+		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
 	}

 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   cookieDomain,
 		Expires:  expiresAt,
 		MaxAge:   int(time.Until(expiresAt).Seconds()),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -389,13 +385,17 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 	}, nil
 }

-func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http.Cookie, error) {
+func (auth *AuthService) RefreshSession(ctx context.Context, uuid string, ip string) (*http.Cookie, error) {
 	session, err := auth.queries.GetSession(ctx, uuid)

 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve session: %w", err)
 	}

+	if session.Provider == "tailscale" && auth.tailscale == nil {
+		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
+	}
+
 	currentTime := time.Now().Unix()

 	var refreshThreshold int64
@@ -429,11 +429,17 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 		return nil, fmt.Errorf("failed to update session expiry: %w", err)
 	}

+	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
+	}
+
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   cookieDomain,
 		Expires:  time.Now().Add(time.Duration(newExpiry-currentTime) * time.Second),
 		MaxAge:   int(newExpiry - currentTime),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -443,18 +449,24 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http

 }

-func (auth *AuthService) DeleteSession(ctx context.Context, uuid string) (*http.Cookie, error) {
+func (auth *AuthService) DeleteSession(ctx context.Context, uuid string, ip string) (*http.Cookie, error) {
 	err := auth.queries.DeleteSession(ctx, uuid)

 	if err != nil {
 		auth.log.App.Error().Err(err).Str("uuid", uuid).Msg("Failed to delete session from database")
 	}

+	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
+	}
+
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    "",
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   cookieDomain,
 		Expires:  time.Now(),
 		MaxAge:   -1,
 		Secure:   auth.config.Auth.SecureCookie,
@@ -22,7 +22,9 @@ type DockerService struct {
 }

 func NewDockerService(
-	deps *ServiceDependencies,
+	log *logger.Logger,
+	ctx context.Context,
+	dg *ding.Ding,
 ) (*DockerService, error) {

 	client, err := client.NewClientWithOpts(client.FromEnv)
@@ -30,25 +32,25 @@ func NewDockerService(
 		return nil, err
 	}

-	client.NegotiateAPIVersion(deps.Ctx)
+	client.NegotiateAPIVersion(ctx)

-	_, err = client.Ping(deps.Ctx)
+	_, err = client.Ping(ctx)

 	if err != nil {
-		deps.Log.App.Debug().Err(err).Msg("Docker not connected")
+		log.App.Debug().Err(err).Msg("Docker not connected")
 		return nil, nil
 	}

 	service := &DockerService{
-		log:     deps.Log,
+		log:     log,
 		client:  client,
-		context: deps.Ctx,
+		context: ctx,
 	}

 	service.isConnected = true
 	service.log.App.Debug().Msg("Docker connected successfully")

-	deps.Ding.Go(service.watchAndClose, ding.RingMajor)
+	dg.Go(service.watchAndClose, ding.RingMajor)

 	return service, nil
 }
@@ -49,7 +49,9 @@ type KubernetesService struct {
 }

 func NewKubernetesService(
-	deps *ServiceDependencies,
+	log *logger.Logger,
+	ctx context.Context,
+	dg *ding.Ding,
 ) (*KubernetesService, error) {
 	cfg, err := rest.InClusterConfig()
 	if err != nil {
@@ -67,31 +69,31 @@ func NewKubernetesService(
 		Resource: "ingresses",
 	}

-	accessCtx, accessCancel := context.WithTimeout(deps.Ctx, 5*time.Second)
+	accessCtx, accessCancel := context.WithTimeout(ctx, 5*time.Second)
 	defer accessCancel()

 	_, err = client.Resource(gvr).List(accessCtx, metav1.ListOptions{Limit: 1})
 	if err != nil {
-		deps.Log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
+		log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
 		return nil, fmt.Errorf("failed to access ingress api: %w", err)
 	}

-	deps.Log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
+	log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")

 	service := &KubernetesService{
-		log:          deps.Log,
+		log:          log,
 		client:       client,
 		ingressApps:  make(map[ingressKey][]ingressApp),
 		domainIndex:  make(map[string]ingressAppKey),
 		appNameIndex: make(map[string]ingressAppKey),
 	}

-	deps.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		service.watchGVR(gvr, ctx)
 	}, ding.RingMajor)

 	service.started = true
-	deps.Log.App.Debug().Msg("Kubernetes label provider started successfully")
+	log.App.Debug().Msg("Kubernetes label provider started successfully")

 	return service, nil
 }
@@ -17,38 +17,40 @@ import (

 type LdapService struct {
 	log    *logger.Logger
-	config *model.Config
+	config model.Config

-	conn       *ldapgo.Conn
-	mutex      sync.RWMutex
-	cert       *tls.Certificate
-	ldapBindPw string
+	conn  *ldapgo.Conn
+	mutex sync.RWMutex
+	cert  *tls.Certificate
 }

 func NewLdapService(
-	deps *ServiceDependencies,
+	log *logger.Logger,
+	config model.Config,
+	dg *ding.Ding,
 ) (*LdapService, error) {
-	if deps.StaticConfig.LDAP.Address == "" {
+	if config.LDAP.Address == "" {
 		return nil, nil
 	}

-	ldapBindPw := utils.GetSecret(deps.StaticConfig.LDAP.BindPassword, deps.StaticConfig.LDAP.BindPasswordFile)
+	secret := utils.GetSecret(config.LDAP.BindPassword, config.LDAP.BindPasswordFile)
+	config.LDAP.BindPassword = secret
+	config.LDAP.BindPasswordFile = ""

 	ldap := &LdapService{
-		log:        deps.Log,
-		config:     deps.StaticConfig,
-		ldapBindPw: ldapBindPw,
+		log:    log,
+		config: config,
 	}

 	// Check whether authentication with client certificate is possible
-	if deps.StaticConfig.LDAP.AuthCert != "" && deps.StaticConfig.LDAP.AuthKey != "" {
-		cert, err := tls.LoadX509KeyPair(deps.StaticConfig.LDAP.AuthCert, deps.StaticConfig.LDAP.AuthKey)
+	if config.LDAP.AuthCert != "" && config.LDAP.AuthKey != "" {
+		cert, err := tls.LoadX509KeyPair(config.LDAP.AuthCert, config.LDAP.AuthKey)

 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize LDAP with mTLS authentication: %w", err)
 		}

-		ldap.log.App.Info().Msg("LDAP mTLS authentication configured successfully")
+		log.App.Info().Msg("LDAP mTLS authentication configured successfully")

 		ldap.cert = &cert

@@ -70,7 +72,7 @@ func NewLdapService(
 		return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
 	}

-	deps.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		ldap.log.App.Debug().Msg("Starting LDAP connection heartbeat routine")

 		ticker := time.NewTicker(5 * time.Minute)
@@ -33,20 +33,22 @@ var presets = map[string]func(config model.OAuthServiceConfig, ctx context.Conte
 }

 func NewOAuthBrokerService(
-	deps *ServiceDependencies,
+	log *logger.Logger,
+	configs map[string]model.OAuthServiceConfig,
+	ctx context.Context,
 ) *OAuthBrokerService {
 	service := &OAuthBrokerService{
-		log:      deps.Log,
+		log:      log,
 		services: make(map[string]OAuthServiceImpl),
-		configs:  deps.RuntimeConfig.OAuthProviders,
+		configs:  configs,
 	}

-	for name, cfg := range service.configs {
+	for name, cfg := range configs {
 		if presetFunc, exists := presets[name]; exists {
-			service.services[name] = presetFunc(cfg, deps.Ctx)
+			service.services[name] = presetFunc(cfg, ctx)
 			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from preset")
 		} else {
-			service.services[name] = NewOAuthService(cfg, name, deps.Ctx)
+			service.services[name] = NewOAuthService(cfg, name, ctx)
 			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from custom config")
 		}
 	}
@@ -21,6 +21,7 @@ import (

 	"github.com/go-jose/go-jose/v4"
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -107,6 +108,7 @@ type TokenResponse struct {
 }

 type AuthorizeRequest struct {
+	jwt.Claims
 	Scope               string `form:"scope" json:"scope" url:"scope"`
 	ResponseType        string `form:"response_type" json:"response_type" url:"response_type"`
 	ClientID            string `form:"client_id" json:"client_id" url:"client_id"`
@@ -133,8 +135,8 @@ type UsedCodeEntry struct {

 type OIDCService struct {
 	log     *logger.Logger
-	config  *model.Config
-	runtime *model.RuntimeConfig
+	config  model.Config
+	runtime model.RuntimeConfig
 	queries repository.Store

 	clients    map[string]model.OIDCClientConfig
@@ -150,15 +152,18 @@ type OIDCService struct {
 }

 func NewOIDCService(
-	deps *ServiceDependencies,
-) (*OIDCService, error) {
+	log *logger.Logger,
+	config model.Config,
+	runtime model.RuntimeConfig,
+	queries repository.Store,
+	dg *ding.Ding) (*OIDCService, error) {
 	// If not configured, skip init
-	if len(deps.RuntimeConfig.OIDCClients) == 0 {
+	if len(runtime.OIDCClients) == 0 {
 		return nil, nil
 	}

 	// Ensure issuer is https
-	uissuer, err := url.Parse(deps.RuntimeConfig.AppURL)
+	uissuer, err := url.Parse(runtime.AppURL)

 	if err != nil {
 		return nil, fmt.Errorf("failed to parse app url: %w", err)
@@ -171,14 +176,14 @@ func NewOIDCService(
 	issuer := fmt.Sprintf("%s://%s", uissuer.Scheme, uissuer.Host)

 	// Create/load private and public keys
-	if strings.TrimSpace(deps.StaticConfig.OIDC.PrivateKeyPath) == "" ||
-		strings.TrimSpace(deps.StaticConfig.OIDC.PublicKeyPath) == "" {
+	if strings.TrimSpace(config.OIDC.PrivateKeyPath) == "" ||
+		strings.TrimSpace(config.OIDC.PublicKeyPath) == "" {
 		return nil, errors.New("private key path and public key path are required")
 	}

 	var privateKey *rsa.PrivateKey

-	fprivateKey, err := os.ReadFile(deps.StaticConfig.OIDC.PrivateKeyPath)
+	fprivateKey, err := os.ReadFile(config.OIDC.PrivateKeyPath)

 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, err
@@ -197,8 +202,8 @@ func NewOIDCService(
 			Type:  "RSA PRIVATE KEY",
 			Bytes: der,
 		})
-		deps.Log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
-		err = os.WriteFile(deps.StaticConfig.OIDC.PrivateKeyPath, encoded, 0600)
+		log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
+		err = os.WriteFile(config.OIDC.PrivateKeyPath, encoded, 0600)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write private key to file: %w", err)
 		}
@@ -207,7 +212,7 @@ func NewOIDCService(
 		if block == nil {
 			return nil, errors.New("failed to decode private key")
 		}
-		deps.Log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
+		log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
 		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse private key: %w", err)
@@ -216,7 +221,7 @@ func NewOIDCService(

 	var publicKey crypto.PublicKey

-	fpublicKey, err := os.ReadFile(deps.StaticConfig.OIDC.PublicKeyPath)
+	fpublicKey, err := os.ReadFile(config.OIDC.PublicKeyPath)

 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, fmt.Errorf("failed to read public key: %w", err)
@@ -232,8 +237,8 @@ func NewOIDCService(
 			Type:  "RSA PUBLIC KEY",
 			Bytes: der,
 		})
-		deps.Log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
-		err = os.WriteFile(deps.StaticConfig.OIDC.PublicKeyPath, encoded, 0644)
+		log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
+		err = os.WriteFile(config.OIDC.PublicKeyPath, encoded, 0644)
 		if err != nil {
 			return nil, err
 		}
@@ -242,7 +247,7 @@ func NewOIDCService(
 		if block == nil {
 			return nil, errors.New("failed to decode public key")
 		}
-		deps.Log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
+		log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
 		switch block.Type {
 		case "RSA PUBLIC KEY":
 			publicKey, err = x509.ParsePKCS1PublicKey(block.Bytes)
@@ -272,7 +277,7 @@ func NewOIDCService(
 	// We will reorganize the client into a map with the client ID as the key
 	clients := make(map[string]model.OIDCClientConfig)

-	for id, client := range deps.StaticConfig.OIDC.Clients {
+	for id, client := range config.OIDC.Clients {
 		client.ID = id
 		if client.Name == "" {
 			client.Name = utils.Capitalize(client.ID)
@@ -288,15 +293,15 @@ func NewOIDCService(
 		}
 		client.ClientSecretFile = ""
 		clients[id] = client
-		deps.Log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
+		log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
 	}

 	// Initialize the service
 	service := &OIDCService{
-		log:     deps.Log,
-		config:  deps.StaticConfig,
-		runtime: deps.RuntimeConfig,
-		queries: *deps.Queries,
+		log:     log,
+		config:  config,
+		runtime: runtime,
+		queries: queries,

 		clients:    clients,
 		privateKey: privateKey,
@@ -305,7 +310,7 @@ func NewOIDCService(
 	}

 	// Start cleanup routine
-	deps.Ding.Go(service.cleanupRoutine, ding.RingMinor)
+	dg.Go(service.cleanupRoutine, ding.RingMinor)

 	// Create caches
 	codeCash := NewCacheStore[AuthorizeCodeEntry](256)
@@ -317,7 +322,7 @@ func NewOIDCService(
 	service.caches.authorize = authorize

 	// Start cache cleanup routine
-	deps.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()

@@ -884,32 +889,63 @@ func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {

 // TODO: support signed request objects in the future
 func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
-	var claims jwt.MapClaims
+	var req AuthorizeRequest
+
+	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &req)

-	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &claims)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
 	}

-	alg, ok := token.Header["alg"].(string)
+	claims, ok := token.Claims.(*AuthorizeRequest)

-	if !ok || alg != "none" || string(token.Signature) != "" {
-		return nil, fmt.Errorf("only unsigned jwts are supported for authorize requests")
+	if !ok {
+		return nil, errors.New("failed to parse claims from authorize request jwt")
 	}

-	get := func(k string) string {
-		v, _ := claims[k].(string)
-		return v
-	}
-
-	return &AuthorizeRequest{
-		Scope:               get("scope"),
-		ResponseType:        get("response_type"),
-		ClientID:            get("client_id"),
-		RedirectURI:         get("redirect_uri"),
-		State:               get("state"),
-		Nonce:               get("nonce"),
-		CodeChallenge:       get("code_challenge"),
-		CodeChallengeMethod: get("code_challenge_method"),
-	}, nil
+	return claims, nil
+}
+
+func (service *OIDCService) CreateConsentEntry(ctx context.Context, clientId string, scope string) (string, error) {
+	u := uuid.New()
+
+	entry := repository.CreateOIDCConsentParams{
+		UUID:     u.String(),
+		ClientID: clientId,
+		Scopes:   scope,
+	}
+
+	_, err := service.queries.CreateOIDCConsent(ctx, entry)
+
+	if err != nil {
+		return "", err
+	}
+
+	return entry.UUID, nil
+}
+
+func (service *OIDCService) GetConsentEntry(ctx context.Context, uuid string) (*repository.OidcConsent, error) {
+	entry, err := service.queries.GetOIDCConsentByUUID(ctx, uuid)
+
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	return &entry, nil
+}
+
+func (service *OIDCService) DeleteConsentEntry(ctx context.Context, uuid string) error {
+	return service.queries.DeleteOIDCConsentByUUID(ctx, uuid)
+}
+
+func (service *OIDCService) UpdateConsentEntry(ctx context.Context, uuid string, scopes string) error {
+	_, err := service.queries.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{
+		UUID:   uuid,
+		Scopes: scopes,
+	})
+
+	return err
 }
@@ -40,23 +40,21 @@ type PolicyEngine struct {
 	policy Policy
 }

-func NewPolicyEngine(
-	deps *ServiceDependencies,
-) (*PolicyEngine, error) {
+func NewPolicyEngine(config model.Config, log *logger.Logger) (*PolicyEngine, error) {
 	engine := PolicyEngine{
-		log:   deps.Log,
+		log:   log,
 		rules: make(map[RuleName]Rule),
 	}

-	switch deps.StaticConfig.Auth.ACLs.Policy {
+	switch config.Auth.ACLs.Policy {
 	case string(PolicyAllow):
-		deps.Log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
+		log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
 		engine.policy = PolicyAllow
 	case string(PolicyDeny):
-		deps.Log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
+		log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
 		engine.policy = PolicyDeny
 	default:
-		return nil, fmt.Errorf("invalid acl policy: %s", deps.StaticConfig.Auth.ACLs.Policy)
+		return nil, fmt.Errorf("invalid acl policy: %s", config.Auth.ACLs.Policy)
 	}

 	return &engine, nil
@@ -1,33 +0,0 @@
-package service
-
-import (
-	"context"
-
-	"github.com/steveiliop56/ding"
-	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-)
-
-type Services struct {
-	AccessControlService *AccessControlsService
-	AuthService          *AuthService
-	DockerService        *DockerService
-	KubernetesService    *KubernetesService
-	LDAPService          *LdapService
-	OAuthBrokerService   *OAuthBrokerService
-	OIDCService          *OIDCService
-	TailscaleService     *TailscaleService
-	PolicyEngine         *PolicyEngine
-}
-
-type ServiceDependencies struct {
-	Log           *logger.Logger
-	StaticConfig  *model.Config
-	RuntimeConfig *model.RuntimeConfig
-	Ctx           context.Context
-	Ding          *ding.Ding
-	Services      *Services
-	LabelProvider LabelProvider
-	Queries       *repository.Store
-}
@@ -25,7 +25,7 @@ type TailscaleWhoisResponse struct {

 type TailscaleService struct {
 	log    *logger.Logger
-	config *model.Config
+	config model.Config
 	ctx    context.Context

 	srv *tsnet.Server
@@ -34,24 +34,22 @@ type TailscaleService struct {
 	mu  sync.Mutex
 }

-func NewTailscaleService(
-	deps *ServiceDependencies,
-) (*TailscaleService, error) {
-	if !deps.StaticConfig.Tailscale.Enabled {
+func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, dg *ding.Ding) (*TailscaleService, error) {
+	if !config.Tailscale.Enabled {
 		return nil, nil
 	}

 	srv := new(tsnet.Server)

 	// node options
-	srv.Dir = deps.StaticConfig.Tailscale.Dir
-	srv.Hostname = deps.StaticConfig.Tailscale.Hostname
-	srv.AuthKey = deps.StaticConfig.Tailscale.AuthKey
-	srv.Ephemeral = deps.StaticConfig.Tailscale.Ephemeral
+	srv.Dir = config.Tailscale.Dir
+	srv.Hostname = config.Tailscale.Hostname
+	srv.AuthKey = config.Tailscale.AuthKey
+	srv.Ephemeral = config.Tailscale.Ephemeral

 	// redirect logs to zerolog
-	srv.Logf = deps.Log.App.Printf
-	srv.UserLogf = deps.Log.App.Printf
+	srv.Logf = log.App.Printf
+	srv.UserLogf = log.App.Printf

 	err := srv.Start()

@@ -67,14 +65,14 @@ func NewTailscaleService(
 	}

 	service := &TailscaleService{
-		log:    deps.Log,
-		config: deps.StaticConfig,
-		ctx:    deps.Ctx,
+		log:    log,
+		config: config,
+		ctx:    ctx,
 		srv:    srv,
 		lc:     lc,
 	}

-	connectCtx, cancel := context.WithTimeout(deps.Ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
+	connectCtx, cancel := context.WithTimeout(ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
 	defer cancel()

 	err = service.waitForConn(connectCtx)
@@ -84,7 +82,7 @@ func NewTailscaleService(
 		return nil, fmt.Errorf("failed to connect to tailscale network: %w", err)
 	}

-	deps.Ding.Go(service.watchAndClose, ding.RingMajor)
+	dg.Go(service.watchAndClose, ding.RingMajor)

 	return service, nil
 }
@@ -1,6 +1,7 @@
 package test

 import (
+	"context"
 	"path/filepath"
 	"testing"

@@ -133,3 +134,11 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {

 	return config, runtime
 }
+
+func CreateTestHelpers() *model.RuntimeHelpers {
+	return &model.RuntimeHelpers{
+		GetCookieDomain: func(ctx context.Context, ip string) (string, error) {
+			return "example.com", nil
+		},
+	}
+}
@@ -46,3 +46,28 @@ UPDATE "oidc_sessions" SET
    "userinfo_json" = $8
 WHERE "sub" = $9
 RETURNING *;
+
+-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    $1, $2, $3
+)
+RETURNING *;
+
+-- name: GetOIDCConsentByUUID :one
+SELECT * FROM "oidc_consent"
+WHERE "uuid" = $1;
+
+-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = $1,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = $2
+RETURNING *;
+
+-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = $1;
@@ -9,3 +9,11 @@ CREATE TABLE IF NOT EXISTS "oidc_sessions" (
    "nonce" TEXT NOT NULL DEFAULT '',
    "userinfo_json" TEXT NOT NULL
 );
+
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
@@ -46,3 +46,28 @@ UPDATE "oidc_sessions" SET
    "userinfo_json" = ?
 WHERE "sub" = ?
 RETURNING *;
+
+-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    ?, ?, ?
+)
+RETURNING *;
+
+-- name: GetOIDCConsentByUUID :one
+SELECT * FROM "oidc_consent"
+WHERE "uuid" = ?;
+
+-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = ?,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = ?
+RETURNING *;
+
+-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = ?;
@@ -9,3 +9,11 @@ CREATE TABLE IF NOT EXISTS "oidc_sessions" (
    "nonce" TEXT NOT NULL DEFAULT "",
    "userinfo_json" TEXT NOT NULL
 );
+
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
Author	SHA1	Message	Date
Stavros	cd51263428	feat: add frontend	2026-06-11 18:40:56 +03:00
Stavros	24f166551e	feat: add backend for oidc consent	2026-06-11 18:18:47 +03:00
Stavros	e4c5f14d8c	chore: init db migrations	2026-06-11 18:18:39 +03:00
Stavros	ed97021c19	chore: merge oidc-authorize branch	2026-06-11 18:18:21 +03:00