chore(deps): bump golang.org/x/tools

Bumps the minor-patch group with 1 update in the / directory: [golang.org/x/tools](https://github.com/golang/tools). Updates `golang.org/x/tools` from 0.44.0 to 0.45.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.44.0...v0.45.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-version: 0.45.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2026-06-18 17:30:13 +00:00 · 2026-05-27 10:18:35 +00:00
101 changed files with 4635 additions and 5344 deletions
@@ -7,9 +7,9 @@ TINYAUTH_APPURL=
 # database config
-# The database driver to use. Valid values: sqlite, postgres, memory.
+# The database driver to use. Valid values: sqlite, memory.
 TINYAUTH_DATABASE_DRIVER="sqlite"
-# The path to the SQLite database file, or connection URL when driver is postgres.
+# The path to the SQLite database, including file name. Only used when driver is sqlite.
 TINYAUTH_DATABASE_PATH="./tinyauth.db"
 # analytics config
@@ -13,17 +13,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup pnpm
-        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Setup go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
-          go-version: "^1.26.4"
+          go-version: "^1.26.0"
      - name: Go dependencies
        run: go mod download
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Delete old release
        run: gh release delete --cleanup-tag --yes nightly || echo release not found
@@ -37,7 +37,7 @@ jobs:
      BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: nightly
@@ -55,19 +55,19 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: nightly
      - name: Setup pnpm
-        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
-          go-version: "^1.26.4"
+          go-version: "^1.26.0"
      - name: Install frontend dependencies
        working-directory: ./frontend
@@ -100,19 +100,19 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: nightly
      - name: Setup pnpm
-        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
-          go-version: "^1.26.4"
+          go-version: "^1.26.0"
      - name: Install frontend dependencies
        working-directory: ./frontend
@@ -145,25 +145,25 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
@@ -173,8 +173,8 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha,scope=buildkit-amd64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-amd64
+          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -203,25 +203,25 @@ jobs:
      - image-build
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
@@ -232,8 +232,8 @@ jobs:
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
-          cache-from: type=gha,scope=buildkit-distroless-amd64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-distroless-amd64
+          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -261,25 +261,25 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
@@ -289,8 +289,8 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha,scope=buildkit-arm64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-arm64
+          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -319,25 +319,25 @@ jobs:
      - image-build-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
@@ -348,8 +348,8 @@ jobs:
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
-          cache-from: type=gha,scope=buildkit-distroless-arm64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-distroless-arm64
+          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -384,18 +384,18 @@ jobs:
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -423,18 +423,18 @@ jobs:
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -18,7 +18,7 @@ jobs:
      BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Generate metadata
        id: metadata
@@ -33,17 +33,17 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup pnpm
-        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
-          go-version: "^1.26.4"
+          go-version: "^1.26.0"
      - name: Install frontend dependencies
        working-directory: ./frontend
@@ -75,17 +75,17 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup pnpm
-        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
-          go-version: "^1.26.4"
+          go-version: "^1.26.0"
      - name: Install frontend dependencies
        working-directory: ./frontend
@@ -117,23 +117,23 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
@@ -143,14 +143,14 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha,scope=buildkit-amd64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-amd64
+          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS=-s -w
+            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -173,23 +173,23 @@ jobs:
      - image-build
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
@@ -200,14 +200,14 @@ jobs:
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
-          cache-from: type=gha,scope=buildkit-distroless-amd64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-distroless-amd64
+          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS=-s -w
+            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -229,23 +229,23 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
@@ -255,14 +255,14 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha,scope=buildkit-arm64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-arm64
+          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS=-s -w
+            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -285,23 +285,23 @@ jobs:
      - image-build-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
@@ -312,14 +312,14 @@ jobs:
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
-          cache-from: type=gha,scope=buildkit-distroless-arm64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-distroless-arm64
+          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS=-s -w
+            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -349,18 +349,18 @@ jobs:
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -390,18 +390,18 @@ jobs:
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -19,7 +19,7 @@ jobs:
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false
@@ -38,6 +38,6 @@ jobs:
          retention-days: 5
      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
        with:
          sarif_file: results.sarif
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Generate Sponsors
        uses: JamesIves/github-sponsors-readme-action@2fd9142e765f755780202122261dc85e78459405 # v1
@@ -8,7 +8,7 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a
 ## Requirements
 - pnpm
- Golang v1.26.4 or later
+- Golang v1.24.0 or later
 - Git
 - Docker
 - Make
@@ -1,5 +1,5 @@
 # Site builder
-FROM node:26.3-alpine3.23 AS frontend-builder
+FROM node:26.2-alpine3.23 AS frontend-builder
 WORKDIR /frontend
@@ -46,7 +46,7 @@ RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 # Runner
-FROM alpine:3.24 AS runner
+FROM alpine:3.23 AS runner
 WORKDIR /tinyauth
@@ -1,5 +1,5 @@
 # Site builder
-FROM node:26.3-alpine3.23 AS frontend-builder
+FROM node:26.2-alpine3.23 AS frontend-builder
 WORKDIR /frontend
@@ -62,15 +62,6 @@ binary-linux-arm64:
 test:
 	go test -v ./...
 # Go vet
 .PHONY: vet
 vet:
 	go vet ./...
 # Go race
 test-race:
 	go test -race ./...
 # Development
 dev:
 	docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
@@ -0,0 +1,36 @@
 import { languages, SupportedLanguage } from "@/lib/i18n/locales";
 import {
  Select,
  SelectContent,
  SelectItem,
  SelectTrigger,
  SelectValue,
 } from "../ui/select";
 import { useState } from "react";
 import i18n from "@/lib/i18n/i18n";
 export const LanguageSelector = () => {
  const [language, setLanguage] = useState<SupportedLanguage>(
    i18n.language as SupportedLanguage,
  );
  const handleSelect = (option: string) => {
    setLanguage(option as SupportedLanguage);
    i18n.changeLanguage(option as SupportedLanguage);
  };
  return (
    <Select onValueChange={handleSelect} value={language}>
      <SelectTrigger aria-label="Select language">
        <SelectValue placeholder="Select language" />
      </SelectTrigger>
      <SelectContent>
        {Object.entries(languages).map(([key, value]) => (
          <SelectItem key={key} value={key}>
            {value}
          </SelectItem>
        ))}
      </SelectContent>
    </Select>
  );
 };
@@ -1,8 +1,9 @@
 import { useAppContext } from "@/context/app-context";
 import { LanguageSelector } from "../language/language";
 import { Outlet } from "react-router";
 import { useCallback, useEffect, useState } from "react";
 import { DomainWarning } from "../domain-warning/domain-warning";
-import { QuickActions } from "../quick-actions/quick-actions";
+import { ThemeToggle } from "../theme-toggle/theme-toggle";
 const BaseLayout = ({ children }: { children: React.ReactNode }) => {
  const { ui } = useAppContext();
@@ -20,8 +21,9 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
        backgroundPosition: "center",
      }}
    >
-      <div className="absolute top-4 right-4">
+      <div className="absolute top-4 right-4 flex flex-row gap-2">
-        <QuickActions />
+        <ThemeToggle />
        <LanguageSelector />
      </div>
      <div className="max-w-sm md:min-w-sm min-w-xs">{children}</div>
    </div>
@@ -1,208 +0,0 @@
 import { languages, SupportedLanguage } from "@/lib/i18n/locales";
 import {
  DropdownMenu,
  DropdownMenuContent,
  DropdownMenuItem,
  DropdownMenuLabel,
  DropdownMenuPortal,
  DropdownMenuSeparator,
  DropdownMenuSub,
  DropdownMenuSubContent,
  DropdownMenuSubTrigger,
  DropdownMenuTrigger,
 } from "../ui/dropdown-menu";
 import { useState } from "react";
 import i18n from "@/lib/i18n/i18n";
 import { useUserContext } from "@/context/user-context";
 import { ScrollArea } from "../ui/scroll-area";
 import { useTheme } from "../providers/theme-provider";
 import {
  Check,
  DoorOpenIcon,
  Languages,
  Monitor,
  Moon,
  Palette,
  Settings,
  Sun,
 } from "lucide-react";
 import { useTranslation } from "react-i18next";
 import { useLocation } from "react-router";
 import { useRef } from "react";
 import {
  useScreenParams,
  recompileScreenParams,
 } from "@/lib/hooks/screen-params";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
 import { toast } from "sonner";
 import { useEffect } from "react";
 function Avatar({ initial }: { initial: string }) {
  return (
    <span className="group relative grid size-10 place-items-center rounded-full">
      <span className="absolute inset-0 overflow-hidden rounded-full bg-linear-to-b from-neutral-50 to-neutral-100 dark:from-neutral-700 dark:to-neutral-950 shadow-lg"></span>
      <span className="relative text-sm font-semibold text-primary">
        {initial}
      </span>
    </span>
  );
 }
 export const QuickActions = () => {
  const { auth } = useUserContext();
  const { theme, setTheme } = useTheme();
  const { t } = useTranslation();
  const { search } = useLocation();
  const [language, setLanguage] = useState<SupportedLanguage>(
    i18n.language as SupportedLanguage,
  );
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
  const screenParams = useScreenParams(searchParams);
  const compiledParams = recompileScreenParams(screenParams);
  const logoutMutation = useMutation({
    mutationFn: () => axios.post("/api/user/logout"),
    mutationKey: ["logout"],
    onSuccess: () => {
      toast.success(t("logoutSuccessTitle"), {
        description: t("logoutSuccessSubtitle"),
      });
      redirectTimer.current = window.setTimeout(() => {
        window.location.replace(`/login${compiledParams}`);
      }, 500);
    },
    onError: () => {
      toast.error(t("logoutFailTitle"), {
        description: t("logoutFailSubtitle"),
      });
    },
  });
  useEffect(() => {
    return () => {
      if (redirectTimer.current) {
        clearTimeout(redirectTimer.current);
      }
    };
  }, [redirectTimer]);
  const initial = auth.authenticated
    ? (auth.name[0] || "U").toUpperCase()
    : null;
  const handleSelect = (option: string) => {
    setLanguage(option as SupportedLanguage);
    i18n.changeLanguage(option as SupportedLanguage);
  };
  const themes = [
    { key: "light", label: t("quickActionsThemeLight"), icon: Sun },
    { key: "dark", label: t("quickActionsThemeDark"), icon: Moon },
    { key: "system", label: t("quickActionsThemeSystem"), icon: Monitor },
  ] as const;
  return (
    <DropdownMenu>
      <DropdownMenuTrigger asChild>
        <button
          aria-label={t("quickActionsTitle")}
          className="rounded-full transition-transform duration-200 will-change-transform hover:scale-105 hover:cursor-pointer focus:ring-0 focus:outline-3 focus:outline-ring/50"
        >
          {auth.authenticated ? (
            <Avatar initial={initial!} />
          ) : (
            <span className="bg-card text-primary border-border size-10 flex items-center justify-center rounded-full border shadow-lg">
              <Settings className="size-4" />
            </span>
          )}
        </button>
      </DropdownMenuTrigger>
      <DropdownMenuContent
        align="end"
        sideOffset={8}
        className="rounded-xl p-1"
      >
        {auth.authenticated && (
          <>
            <DropdownMenuLabel className="flex items-center gap-3 p-2">
              <div className="bg-foreground text-background flex size-9 shrink-0 items-center justify-center rounded-full text-sm font-medium">
                {initial}
              </div>
              <div className="flex min-w-0 flex-col">
                <span className="truncate text-sm font-medium">
                  {auth.name}
                </span>
                <span className="text-muted-foreground truncate text-xs font-normal">
                  {auth.email}
                </span>
              </div>
            </DropdownMenuLabel>
            <DropdownMenuSeparator />
          </>
        )}
        <DropdownMenuSub>
          <DropdownMenuSubTrigger>
            <Languages className="size-4" />
            {t("quickActionsLanguage")}
          </DropdownMenuSubTrigger>
          <DropdownMenuPortal>
            <DropdownMenuSubContent sideOffset={8} className="rounded-xl p-1">
              <ScrollArea className="h-80">
                {Object.entries(languages).map(([key, value]) => (
                  <DropdownMenuItem
                    key={key}
                    onSelect={() => handleSelect(key)}
                  >
                    {value}
                    {language === key && <Check className="size-4" />}
                  </DropdownMenuItem>
                ))}
              </ScrollArea>
            </DropdownMenuSubContent>
          </DropdownMenuPortal>
        </DropdownMenuSub>
        <DropdownMenuSub>
          <DropdownMenuSubTrigger>
            <Palette className="size-4" />
            {t("quickActionsTheme")}
          </DropdownMenuSubTrigger>
          <DropdownMenuPortal>
            <DropdownMenuSubContent className="rounded-xl p-1" sideOffset={8}>
              {themes.map(({ key, label, icon: Icon }) => (
                <DropdownMenuItem key={key} onClick={() => setTheme(key)}>
                  <span className="flex items-center gap-2">
                    <Icon className="size-4" />
                    {label}
                  </span>
                  {theme === key && <Check className="size-4" />}
                </DropdownMenuItem>
              ))}
            </DropdownMenuSubContent>
          </DropdownMenuPortal>
        </DropdownMenuSub>
        {auth.authenticated && (
          <>
            <DropdownMenuSeparator />
            <DropdownMenuItem
              onSelect={() => logoutMutation.mutate()}
              className="text-destructive"
            >
              <DoorOpenIcon className="size-4" />
              {t("quickActionsLogout")}
            </DropdownMenuItem>
          </>
        )}
      </DropdownMenuContent>
    </DropdownMenu>
  );
 };
@@ -0,0 +1,40 @@
 import { Moon, Sun } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import {
  DropdownMenu,
  DropdownMenuContent,
  DropdownMenuItem,
  DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu";
 import { useTheme } from "@/components/providers/theme-provider";
 export function ThemeToggle() {
  const { setTheme } = useTheme();
  return (
    <DropdownMenu>
      <DropdownMenuTrigger asChild>
        <Button
          className="bg-card text-card-foreground hover:bg-card/90"
          size="icon"
        >
          <Sun className="h-[1.2rem] w-[1.2rem] scale-100 rotate-0 transition-all dark:scale-0 dark:-rotate-90" />
          <Moon className="absolute h-[1.2rem] w-[1.2rem] scale-0 rotate-90 transition-all dark:scale-100 dark:rotate-0" />
          <span className="sr-only">Toggle theme</span>
        </Button>
      </DropdownMenuTrigger>
      <DropdownMenuContent align="end">
        <DropdownMenuItem onClick={() => setTheme("light")}>
          Light
        </DropdownMenuItem>
        <DropdownMenuItem onClick={() => setTheme("dark")}>
          Dark
        </DropdownMenuItem>
        <DropdownMenuItem onClick={() => setTheme("system")}>
          System
        </DropdownMenuItem>
      </DropdownMenuContent>
    </DropdownMenu>
  );
 }
@@ -1,56 +0,0 @@
 import * as React from "react"
 import { ScrollArea as ScrollAreaPrimitive } from "radix-ui"
 import { cn } from "@/lib/utils"
 function ScrollArea({
  className,
  children,
  ...props
 }: React.ComponentProps<typeof ScrollAreaPrimitive.Root>) {
  return (
    <ScrollAreaPrimitive.Root
      data-slot="scroll-area"
      className={cn("relative", className)}
      {...props}
    >
      <ScrollAreaPrimitive.Viewport
        data-slot="scroll-area-viewport"
        className="size-full rounded-[inherit] transition-[color,box-shadow] outline-none focus-visible:ring-[3px] focus-visible:ring-ring/50 focus-visible:outline-1"
      >
        {children}
      </ScrollAreaPrimitive.Viewport>
      <ScrollBar />
      <ScrollAreaPrimitive.Corner />
    </ScrollAreaPrimitive.Root>
  )
 }
 function ScrollBar({
  className,
  orientation = "vertical",
  ...props
 }: React.ComponentProps<typeof ScrollAreaPrimitive.ScrollAreaScrollbar>) {
  return (
    <ScrollAreaPrimitive.ScrollAreaScrollbar
      data-slot="scroll-area-scrollbar"
      orientation={orientation}
      className={cn(
        "flex touch-none p-px transition-colors select-none",
        orientation === "vertical" &&
          "h-full w-2.5 border-l border-l-transparent",
        orientation === "horizontal" &&
          "h-2.5 flex-col border-t border-t-transparent",
        className
      )}
      {...props}
    >
      <ScrollAreaPrimitive.ScrollAreaThumb
        data-slot="scroll-area-thumb"
        className="relative flex-1 rounded-full bg-border"
      />
    </ScrollAreaPrimitive.ScrollAreaScrollbar>
  )
 }
 export { ScrollArea, ScrollBar }
@@ -1,17 +0,0 @@
 type UseLoginForProps = {
  login_for?: "oidc" | "app";
  compiledParams: string;
 };
 export const useLoginFor = (props: UseLoginForProps): string => {
  const { login_for, compiledParams } = props;
  switch (login_for) {
    case "oidc":
      return "/oidc/authorize" + compiledParams;
    case "app":
      return "/continue" + compiledParams;
    default:
      return "/logout";
  }
 };
@@ -0,0 +1,76 @@
 import { z } from "zod";
 export const oidcParamsSchema = z.object({
  scope: z.string().min(1),
  response_type: z.string().min(1),
  client_id: z.string().min(1),
  redirect_uri: z.string().min(1),
  state: z.string().optional(),
  nonce: z.string().optional(),
  code_challenge: z.string().optional(),
  code_challenge_method: z.string().optional(),
 });
 function b64urlDecode(s: string): string {
  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), "="));
 }
 function decodeRequestObject(jwt: string): Record<string, string> {
  try {
    // Must have exactly 3 parts: header, payload, signature
    const parts = jwt.split(".");
    if (parts.length !== 3) return {};
    // Header must specify "alg": "none" and signature must be empty string
    const header = JSON.parse(b64urlDecode(parts[0]));
    if (!header || typeof header !== "object" || header.alg !== "none" || parts[2] !== "") return {};
    const payload = JSON.parse(b64urlDecode(parts[1]));
    if (!payload || typeof payload !== "object" || Array.isArray(payload)) return {};
    const result: Record<string, string> = {};
    for (const [k, v] of Object.entries(payload)) {
      if (typeof v === "string") result[k] = v;
    }
    return result;
  } catch {
    return {};
  }
 }
 export const useOIDCParams = (
  params: URLSearchParams,
 ): {
  values: z.infer<typeof oidcParamsSchema>;
  issues: string[];
  isOidc: boolean;
  compiled: string;
 } => {
  const obj = Object.fromEntries(params.entries());
  // RFC 9101 / OIDC Core 6.1: if `request` param present, decode JWT payload
  // and merge claims over top-level params (JWT claims take precedence)
  const requestJwt = params.get("request");
  if (requestJwt) {
    const claims = decodeRequestObject(requestJwt);
    Object.assign(obj, claims);
  }
  const parsed = oidcParamsSchema.safeParse(obj);
  if (parsed.success) {
    return {
      values: parsed.data,
      issues: [],
      isOidc: true,
      compiled: new URLSearchParams(parsed.data).toString(),
    };
  }
  return {
    issues: parsed.error.issues.map((issue) => issue.path.toString()),
    values: {} as z.infer<typeof oidcParamsSchema>,
    isOidc: false,
    compiled: "",
  };
 };
@@ -7,7 +7,7 @@ type IuseRedirectUri = {
 };
 export const useRedirectUri = (
-  redirect_uri: string | undefined,
+  redirect_uri: string | null,
  cookieDomain: string,
 ): IuseRedirectUri => {
  let isValid = false;
@@ -1,40 +0,0 @@
 import { z } from "zod";
 type ScreenParams = {
  login_for?: "oidc" | "app";
  redirect_uri?: string;
  oidc_ticket?: string;
  oidc_scope?: string;
  oidc_name?: string;
 };
 const zodScreenParams = z.object({
  login_for: z.enum(["oidc", "app"]).optional(),
  redirect_uri: z.string().optional(),
  oidc_ticket: z.string().optional(),
  oidc_scope: z.string().optional(),
  oidc_name: z.string().optional(),
 });
 export function useScreenParams(params: URLSearchParams): ScreenParams {
  const paramsObj = Object.fromEntries(params.entries());
  const parsed = zodScreenParams.safeParse(paramsObj);
  if (!parsed.success) {
    return {};
  }
  return parsed.data;
 }
 export function recompileScreenParams(params: ScreenParams): string {
  const p = new URLSearchParams(
    Object.fromEntries(
      Object.entries(params).filter(([, v]) => v !== undefined),
    ) as Record<string, string>,
  ).toString();
  if (p.length > 0) {
    return "?" + p;
  }
  return "";
 }
@@ -1,103 +1,96 @@
 {
-  "loginTitle": "Welcome back, login with",
+    "loginTitle": "Welcome back, login with",
-  "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Welcome back, please login",
-  "loginDivider": "Or",
+    "loginDivider": "Or",
-  "loginUsername": "Username",
+    "loginUsername": "Username",
-  "loginPassword": "Password",
+    "loginPassword": "Password",
-  "loginSubmit": "Login",
+    "loginSubmit": "Login",
-  "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "Failed to log in",
-  "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Please check your username and password",
-  "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-  "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "Logged in",
-  "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "Welcome back!",
-  "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "An error occurred",
-  "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-  "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "Redirecting",
-  "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-  "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-  "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-  "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Redirect now",
-  "continueTitle": "Continue",
+    "continueTitle": "Continue",
-  "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "Redirecting...",
-  "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-  "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Redirect me manually",
-  "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectTitle": "Insecure redirect",
-  "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-  "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-  "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-  "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "Failed to log out",
-  "logoutFailSubtitle": "Please try again",
+    "logoutFailSubtitle": "Please try again",
-  "logoutSuccessTitle": "Logged out",
+    "logoutSuccessTitle": "Logged out",
-  "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "You have been logged out",
-  "logoutTitle": "Logout",
+    "logoutTitle": "Logout",
-  "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-  "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-  "notFoundTitle": "Page not found",
+    "notFoundTitle": "Page not found",
-  "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundSubtitle": "The page you are looking for does not exist.",
-  "notFoundButton": "Go home",
+    "notFoundButton": "Go home",
-  "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "Failed to verify code",
-  "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Please check your code and try again",
-  "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "Verified",
-  "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "Redirecting to your app",
-  "totpTitle": "Enter your TOTP code",
+    "totpTitle": "Enter your TOTP code",
-  "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
-  "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "Unauthorized",
-  "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-  "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-  "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Try again",
-  "cancelTitle": "Cancel",
+    "cancelTitle": "Cancel",
-  "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Forgot your password?",
-  "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-  "errorTitle": "An error occurred",
+    "errorTitle": "An error occurred",
-  "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
-  "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
-  "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-  "fieldRequired": "This field is required",
+    "fieldRequired": "This field is required",
-  "invalidInput": "Invalid input",
+    "invalidInput": "Invalid input",
-  "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Invalid Domain",
-  "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
-  "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "Current:",
-  "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "Expected:",
-  "ignoreTitle": "Ignore",
+    "ignoreTitle": "Ignore",
-  "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain",
-  "authorizeTitle": "Authorize",
+    "authorizeTitle": "Authorize",
-  "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeCardTitle": "Continue to {{app}}?",
-  "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-  "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-  "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingTitle": "Loading...",
-  "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-  "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessTitle": "Authorized",
-  "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-  "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-  "authorizeErrorInvalidParams": "The request is missing required parameters or has invalid parameters. Please check the URL and try again.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
-  "openidScopeName": "OpenID Connect",
+    "openidScopeName": "OpenID Connect",
-  "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-  "emailScopeName": "Email",
+    "emailScopeName": "Email",
-  "emailScopeDescription": "Allows the app to access your email address.",
+    "emailScopeDescription": "Allows the app to access your email address.",
-  "profileScopeName": "Profile",
+    "profileScopeName": "Profile",
-  "profileScopeDescription": "Allows the app to access your profile information.",
+    "profileScopeDescription": "Allows the app to access your profile information.",
-  "groupsScopeName": "Groups",
+    "groupsScopeName": "Groups",
-  "groupsScopeDescription": "Allows the app to access your group information.",
+    "groupsScopeDescription": "Allows the app to access your group information.",
-  "backToLoginButton": "Back to login",
+    "backToLoginButton": "Back to login",
-  "phoneScopeName": "Phone",
+    "phoneScopeName": "Phone",
-  "phoneScopeDescription": "Allows the app to access your phone number.",
+    "phoneScopeDescription": "Allows the app to access your phone number.",
-  "addressScopeName": "Address",
+    "addressScopeName": "Address",
-  "addressScopeDescription": "Allows the app to access your address.",
+    "addressScopeDescription": "Allows the app to access your address.",
-  "loginTailscaleTitle": "Continue with Tailscale",
+    "loginTailscaleTitle": "Continue with Tailscale",
-  "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
+    "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
-  "loginTailscaleDeviceName": "Device name:",
+    "loginTailscaleDeviceName": "Device name:",
-  "loginTailscaleSubmit": "Continue with Tailscale",
+    "loginTailscaleSubmit": "Continue with Tailscale",
-  "loginTailscaleOtherMethod": "Login with another method",
+    "loginTailscaleOtherMethod": "Login with another method",
-  "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
+    "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
-  "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
+    "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-  "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout.",
+    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
  "quickActionsLanguage": "Language",
  "quickActionsTheme": "Theme",
  "quickActionsThemeLight": "Light",
  "quickActionsThemeDark": "Dark",
  "quickActionsThemeSystem": "System",
  "quickActionsLogout": "Logout",
  "quickActionsTitle": "Quick Actions"
 }
@@ -1,103 +1,96 @@
 {
-  "loginTitle": "Welcome back, login with",
+    "loginTitle": "Welcome back, login with",
-  "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Welcome back, please login",
-  "loginDivider": "Or",
+    "loginDivider": "Or",
-  "loginUsername": "Username",
+    "loginUsername": "Username",
-  "loginPassword": "Password",
+    "loginPassword": "Password",
-  "loginSubmit": "Login",
+    "loginSubmit": "Login",
-  "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "Failed to log in",
-  "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Please check your username and password",
-  "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
-  "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "Logged in",
-  "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "Welcome back!",
-  "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "An error occurred",
-  "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-  "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "Redirecting",
-  "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-  "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-  "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-  "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Redirect now",
-  "continueTitle": "Continue",
+    "continueTitle": "Continue",
-  "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "Redirecting...",
-  "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-  "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Redirect me manually",
-  "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectTitle": "Insecure redirect",
-  "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-  "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-  "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-  "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "Failed to log out",
-  "logoutFailSubtitle": "Please try again",
+    "logoutFailSubtitle": "Please try again",
-  "logoutSuccessTitle": "Logged out",
+    "logoutSuccessTitle": "Logged out",
-  "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "You have been logged out",
-  "logoutTitle": "Logout",
+    "logoutTitle": "Logout",
-  "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-  "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-  "notFoundTitle": "Page not found",
+    "notFoundTitle": "Page not found",
-  "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundSubtitle": "The page you are looking for does not exist.",
-  "notFoundButton": "Go home",
+    "notFoundButton": "Go home",
-  "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "Failed to verify code",
-  "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Please check your code and try again",
-  "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "Verified",
-  "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "Redirecting to your app",
-  "totpTitle": "Enter your TOTP code",
+    "totpTitle": "Enter your TOTP code",
-  "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
-  "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "Unauthorized",
-  "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-  "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-  "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Try again",
-  "cancelTitle": "Cancel",
+    "cancelTitle": "Cancel",
-  "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Forgot your password?",
-  "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-  "errorTitle": "An error occurred",
+    "errorTitle": "An error occurred",
-  "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
-  "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
-  "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-  "fieldRequired": "This field is required",
+    "fieldRequired": "This field is required",
-  "invalidInput": "Invalid input",
+    "invalidInput": "Invalid input",
-  "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Invalid Domain",
-  "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
-  "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "Current:",
-  "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "Expected:",
-  "ignoreTitle": "Ignore",
+    "ignoreTitle": "Ignore",
-  "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "Go to correct domain",
-  "authorizeTitle": "Authorize",
+    "authorizeTitle": "Authorize",
-  "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeCardTitle": "Continue to {{app}}?",
-  "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-  "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-  "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingTitle": "Loading...",
-  "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-  "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessTitle": "Authorized",
-  "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-  "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-  "authorizeErrorInvalidParams": "The request is missing required parameters or has invalid parameters. Please check the URL and try again.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
-  "openidScopeName": "OpenID Connect",
+    "openidScopeName": "OpenID Connect",
-  "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-  "emailScopeName": "Email",
+    "emailScopeName": "Email",
-  "emailScopeDescription": "Allows the app to access your email address.",
+    "emailScopeDescription": "Allows the app to access your email address.",
-  "profileScopeName": "Profile",
+    "profileScopeName": "Profile",
-  "profileScopeDescription": "Allows the app to access your profile information.",
+    "profileScopeDescription": "Allows the app to access your profile information.",
-  "groupsScopeName": "Groups",
+    "groupsScopeName": "Groups",
-  "groupsScopeDescription": "Allows the app to access your group information.",
+    "groupsScopeDescription": "Allows the app to access your group information.",
-  "backToLoginButton": "Back to login",
+    "backToLoginButton": "Back to login",
-  "phoneScopeName": "Phone",
+    "phoneScopeName": "Phone",
-  "phoneScopeDescription": "Allows the app to access your phone number.",
+    "phoneScopeDescription": "Allows the app to access your phone number.",
-  "addressScopeName": "Address",
+    "addressScopeName": "Address",
-  "addressScopeDescription": "Allows the app to access your address.",
+    "addressScopeDescription": "Allows the app to access your address.",
-  "loginTailscaleTitle": "Continue with Tailscale",
+    "loginTailscaleTitle": "Continue with Tailscale",
-  "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
+    "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
-  "loginTailscaleDeviceName": "Device name:",
+    "loginTailscaleDeviceName": "Device name:",
-  "loginTailscaleSubmit": "Continue with Tailscale",
+    "loginTailscaleSubmit": "Continue with Tailscale",
-  "loginTailscaleOtherMethod": "Login with another method",
+    "loginTailscaleOtherMethod": "Login with another method",
-  "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
+    "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
-  "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
+    "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-  "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout.",
+    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
  "quickActionsLanguage": "Language",
  "quickActionsTheme": "Theme",
  "quickActionsThemeLight": "Light",
  "quickActionsThemeDark": "Dark",
  "quickActionsThemeSystem": "System",
  "quickActionsLogout": "Logout",
  "quickActionsTitle": "Quick Actions"
 }
@@ -35,10 +35,7 @@ createRoot(document.getElementById("root")!).render(
                    <Route element={<Layout />} errorElement={<ErrorPage />}>
                      <Route path="/" element={<App />} />
                      <Route path="/login" element={<LoginPage />} />
-                      <Route
+                      <Route path="/authorize" element={<AuthorizePage />} />
                        path="/oidc/authorize"
                        element={<AuthorizePage />}
                      />
                      <Route path="/logout" element={<LogoutPage />} />
                      <Route path="/continue" element={<ContinuePage />} />
                      <Route path="/totp" element={<TotpPage />} />
@@ -1,5 +1,5 @@
 import { useUserContext } from "@/context/user-context";
-import { useMutation } from "@tanstack/react-query";
+import { useMutation, useQuery } from "@tanstack/react-query";
 import { Navigate, useNavigate } from "react-router";
 import { useLocation } from "react-router";
 import {
@@ -10,9 +10,11 @@ import {
  CardFooter,
  CardContent,
 } from "@/components/ui/card";
 import { getOidcClientInfoSchema } from "@/schemas/oidc-schemas";
 import { Button } from "@/components/ui/button";
 import axios from "axios";
 import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
 import { Mail, MapPin, Phone, Shield, User, Users } from "lucide-react";
@@ -21,10 +23,6 @@ import {
  TooltipContent,
  TooltipTrigger,
 } from "@/components/ui/tooltip";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 type Scope = {
  id: string;
@@ -86,17 +84,27 @@ export const AuthorizePage = () => {
  const scopeMap = createScopeMap(t);
  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
+  const oidcParams = useOIDCParams(searchParams);
-  const isOidc = screenParams.login_for === "oidc";
+
-  const compiledParams = recompileScreenParams(screenParams);
+  const getClientInfo = useQuery({
    queryKey: ["client", oidcParams.values.client_id],
    queryFn: async () => {
      const res = await fetch(
        `/api/oidc/clients/${encodeURIComponent(oidcParams.values.client_id)}`,
      );
      const data = await getOidcClientInfoSchema.parseAsync(await res.json());
      return data;
    },
    enabled: oidcParams.isOidc,
  });
  const authorizeMutation = useMutation({
    mutationFn: () => {
-      return axios.post("/api/oidc/authorize-complete", {
+      return axios.post("/api/oidc/authorize", {
-        ticket: screenParams.oidc_ticket,
+        ...oidcParams.values,
      });
    },
-    mutationKey: ["authorize", screenParams.oidc_ticket],
+    mutationKey: ["authorize", oidcParams.values.client_id],
    onSuccess: (data) => {
      toast.info(t("authorizeSuccessTitle"), {
        description: t("authorizeSuccessSubtitle"),
@@ -110,32 +118,56 @@ export const AuthorizePage = () => {
    },
  });
-  if (!isOidc || !screenParams.oidc_ticket || !screenParams.oidc_scope) {
+  if (oidcParams.issues.length > 0) {
    return (
      <Navigate
-        to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
+        to={`/error?error=${encodeURIComponent(t("authorizeErrorMissingParams", { missingParams: oidcParams.issues.join(", ") }))}`}
        replace
      />
    );
  }
  if (!auth.authenticated) {
-    return <Navigate to={`/login${compiledParams}`} replace />;
+    return <Navigate to={`/login?${oidcParams.compiled}`} replace />;
  }
  if (getClientInfo.isLoading) {
    return (
      <Card className="gap-0">
        <CardHeader>
          <CardTitle className="text-xl">
            {t("authorizeLoadingTitle")}
          </CardTitle>
        </CardHeader>
        <CardContent>
          <CardDescription>{t("authorizeLoadingSubtitle")}</CardDescription>
        </CardContent>
      </Card>
    );
  }
  if (getClientInfo.isError) {
    return (
      <Navigate
        to={`/error?error=${encodeURIComponent(t("authorizeErrorClientInfo"))}`}
        replace
      />
    );
  }
  const scopes =
-    screenParams.oidc_scope.split(" ").filter((s) => s.trim() !== "") || [];
+    oidcParams.values.scope.split(" ").filter((s) => s.trim() !== "") || [];
  return (
    <Card>
      <CardHeader className="mb-2">
        <div className="flex flex-col gap-3 items-center justify-center text-center">
          <div className="bg-accent-foreground box-content text-muted text-xl font-bold font-sans rounded-lg size-8 p-2 flex items-center justify-center">
-            {screenParams.oidc_name ? screenParams.oidc_name.slice(0, 1) : "U"}
+            {getClientInfo.data?.name.slice(0, 1) || "U"}
          </div>
          <CardTitle className="text-xl">
            {t("authorizeCardTitle", {
-              app: screenParams.oidc_name || "Unknown",
+              app: getClientInfo.data?.name || "Unknown",
            })}
          </CardTitle>
          <CardDescription className="text-sm max-w-sm">
@@ -174,7 +206,7 @@ export const AuthorizePage = () => {
          {t("authorizeTitle")}
        </Button>
        <Button
-          onClick={() => navigate(`/logout${compiledParams}`)}
+          onClick={() => navigate("/")}
          disabled={authorizeMutation.isPending}
          variant="outline"
        >
@@ -12,10 +12,6 @@ import { Trans, useTranslation } from "react-i18next";
 import { Navigate, useLocation, useNavigate } from "react-router";
 import { useCallback, useEffect, useRef, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 export const ContinuePage = () => {
  const { app, ui } = useAppContext();
@@ -29,10 +25,7 @@ export const ContinuePage = () => {
  const hasRedirected = useRef(false);
  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
+  const redirectUri = searchParams.get("redirect_uri");
  const redirectUri = screenParams.redirect_uri;
  const isAppLogin = screenParams.login_for === "app";
  const recompiledParams = recompileScreenParams(screenParams);
  const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
    redirectUri,
@@ -50,8 +43,7 @@ export const ContinuePage = () => {
    auth.authenticated &&
    hasValidRedirect &&
    !showUntrustedWarning &&
-    !showInsecureWarning &&
+    !showInsecureWarning;
    isAppLogin;
  const redirectToTarget = useCallback(() => {
    if (!urlHref || hasRedirected.current) {
@@ -87,10 +79,15 @@ export const ContinuePage = () => {
  }, [shouldAutoRedirect, redirectToTarget]);
  if (!auth.authenticated) {
-    return <Navigate to={`/login${recompiledParams}`} replace />;
+    return (
      <Navigate
        to={`/login${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
        replace
      />
    );
  }
-  if (!hasValidRedirect || !isAppLogin) {
+  if (!hasValidRedirect) {
    return <Navigate to="/logout" replace />;
  }
@@ -11,7 +11,7 @@ export const ErrorPage = () => {
  const { t } = useTranslation();
  const { search } = useLocation();
  const searchParams = new URLSearchParams(search);
-  const error = searchParams.get("error") || "";
+  const error = searchParams.get("error") ?? "";
  return (
    <Card>
@@ -11,18 +11,12 @@ import { useAppContext } from "@/context/app-context";
 import { useTranslation } from "react-i18next";
 import Markdown from "react-markdown";
 import { useLocation } from "react-router";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 export const ForgotPasswordPage = () => {
  const { ui } = useAppContext();
  const { t } = useTranslation();
  const { search } = useLocation();
  const searchParams = new URLSearchParams(search);
  const screenParams = useScreenParams(searchParams);
  const compiledParams = recompileScreenParams(screenParams);
  return (
    <Card>
@@ -43,7 +37,10 @@ export const ForgotPasswordPage = () => {
          className="w-full"
          variant="outline"
          onClick={() => {
-            window.location.replace(`/login${compiledParams}`);
+            const eparams = searchParams.toString();
            window.location.replace(
              `/login${eparams.length > 0 ? `?${eparams}` : ""}`,
            );
          }}
        >
          {t("backToLoginButton")}
@@ -18,6 +18,7 @@ import { OAuthButton } from "@/components/ui/oauth-button";
 import { SeperatorWithChildren } from "@/components/ui/separator";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
@@ -25,11 +26,6 @@ import { useEffect, useId, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 import { useLoginFor } from "@/lib/hooks/login-for";
 const iconMap: Record<string, React.ReactNode> = {
  google: <GoogleIcon />,
@@ -50,9 +46,7 @@ export const LoginPage = () => {
  const { t } = useTranslation();
  const [showRedirectButton, setShowRedirectButton] = useState(false);
-  const [useTailscale, setUseTailscale] = useState(
+  const [useTailscale, setUseTailscale] = useState(tailscale.nodeName !== undefined);
    tailscale.nodeName !== undefined,
  );
  const hasAutoRedirectedRef = useRef(false);
@@ -62,22 +56,17 @@ export const LoginPage = () => {
  const formId = useId();
  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
+  const redirectUri = searchParams.get("redirect_uri") || undefined;
-  const compiledParams = recompileScreenParams(screenParams);
+  const oidcParams = useOIDCParams(searchParams);
  const loginForUrl = useLoginFor({
    login_for: screenParams.login_for,
    compiledParams,
  });
  const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
    providers.find((provider) => provider.id === oauth.autoRedirect) !==
-      undefined && screenParams.redirect_uri !== undefined,
+      undefined && redirectUri !== undefined,
  );
  const oauthProviders = providers.filter(
    (provider) => provider.id !== "local" && provider.id !== "ldap",
  );
  const userAuthConfigured =
    providers.find(
      (provider) => provider.id === "local" || provider.id === "ldap",
@@ -90,7 +79,16 @@ export const LoginPage = () => {
    variables: oauthVariables,
  } = useMutation({
    mutationFn: (provider: string) => {
-      return axios.get(`/api/oauth/url/${provider}${compiledParams}`);
+      const getParams = function (): string {
        if (oidcParams.isOidc) {
          return `?${oidcParams.compiled}`;
        }
        if (redirectUri) {
          return `?redirect_uri=${encodeURIComponent(redirectUri)}`;
        }
        return "";
      };
      return axios.get(`/api/oauth/url/${provider}${getParams()}`);
    },
    mutationKey: ["oauth"],
    onSuccess: (data) => {
@@ -121,7 +119,13 @@ export const LoginPage = () => {
    mutationKey: ["login"],
    onSuccess: (data) => {
      if (data.data.totpPending) {
-        window.location.replace(`/totp${compiledParams}`);
+        if (oidcParams.isOidc) {
          window.location.replace(`/totp?${oidcParams.compiled}`);
          return;
        }
        window.location.replace(
          `/totp${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
        );
        return;
      }
@@ -130,7 +134,13 @@ export const LoginPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace(loginForUrl);
+        if (oidcParams.isOidc) {
          window.location.replace(`/authorize?${oidcParams.compiled}`);
          return;
        }
        window.location.replace(
          `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
        );
      }, 500);
    },
    onError: (error: AxiosError) => {
@@ -153,7 +163,13 @@ export const LoginPage = () => {
        });
        redirectTimer.current = window.setTimeout(() => {
-          window.location.replace(loginForUrl);
+          if (oidcParams.isOidc) {
            window.location.replace(`/authorize?${oidcParams.compiled}`);
            return;
          }
          window.location.replace(
            `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
          );
        }, 500);
      },
      onError: () => {
@@ -168,8 +184,7 @@ export const LoginPage = () => {
      !auth.authenticated &&
      isOauthAutoRedirect &&
      !hasAutoRedirectedRef.current &&
-      screenParams.redirect_uri &&
+      redirectUri !== undefined
      screenParams.login_for
    ) {
      hasAutoRedirectedRef.current = true;
      oauthMutate(oauth.autoRedirect);
@@ -180,8 +195,7 @@ export const LoginPage = () => {
    hasAutoRedirectedRef,
    oauth.autoRedirect,
    isOauthAutoRedirect,
-    screenParams.login_for,
+    redirectUri,
    screenParams.redirect_uri,
  ]);
  useEffect(() => {
@@ -196,8 +210,21 @@ export const LoginPage = () => {
    };
  }, [redirectTimer, redirectButtonTimer]);
  if (auth.authenticated && oidcParams.isOidc) {
    return <Navigate to={`/authorize?${oidcParams.compiled}`} replace />;
  }
  if (auth.authenticated && redirectUri !== undefined) {
    return (
      <Navigate
        to={`/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
        replace
      />
    );
  }
  if (auth.authenticated) {
-    return <Navigate to={loginForUrl} replace />;
+    return <Navigate to="/logout" replace />;
  }
  if (isOauthAutoRedirect) {
@@ -15,21 +15,12 @@ import { Navigate } from "react-router";
 import { toast } from "sonner";
 import { type UseMutationResult } from "@tanstack/react-query";
 import { type AxiosResponse } from "axios";
 import { useLocation } from "react-router";
 import {
  useScreenParams,
  recompileScreenParams,
 } from "@/lib/hooks/screen-params";
 export const LogoutPage = () => {
  const { auth, oauth, tailscale } = useUserContext();
  const { t } = useTranslation();
  const { search } = useLocation();
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
  const screenParams = useScreenParams(searchParams);
  const compiledParams = recompileScreenParams(screenParams);
  const logoutMutation = useMutation({
    mutationFn: () => axios.post("/api/user/logout"),
@@ -40,7 +31,7 @@ export const LogoutPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace(`/login${compiledParams}`);
+        window.location.replace("/login");
      }, 500);
    },
    onError: () => {
@@ -59,7 +50,7 @@ export const LogoutPage = () => {
  }, [redirectTimer]);
  if (!auth.authenticated) {
-    return <Navigate to={`/login${compiledParams}`} replace />;
+    return <Navigate to="/login" replace />;
  }
  if (oauth.active) {
@@ -16,14 +16,10 @@ import { useEffect, useId, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
-import {
+import { useOIDCParams } from "@/lib/hooks/oidc";
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 import { useLoginFor } from "@/lib/hooks/login-for";
 export const TotpPage = () => {
-  const { totp, auth } = useUserContext();
+  const { totp } = useUserContext();
  const { t } = useTranslation();
  const { search } = useLocation();
  const formId = useId();
@@ -31,12 +27,8 @@ export const TotpPage = () => {
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
+  const redirectUri = searchParams.get("redirect_uri") || undefined;
-  const compiledParams = recompileScreenParams(screenParams);
+  const oidcParams = useOIDCParams(searchParams);
  const loginForUrl = useLoginFor({
    login_for: screenParams.login_for,
    compiledParams,
  });
  const totpMutation = useMutation({
    mutationFn: (values: TotpSchema) => axios.post("/api/user/totp", values),
@@ -47,7 +39,14 @@ export const TotpPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace(loginForUrl);
+        if (oidcParams.isOidc) {
          window.location.replace(`/authorize?${oidcParams.compiled}`);
          return;
        }
        window.location.replace(
          `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
        );
      }, 500);
    },
    onError: () => {
@@ -66,10 +65,7 @@ export const TotpPage = () => {
  }, [redirectTimer]);
  if (!totp.pending) {
-    if (auth.authenticated) {
+    return <Navigate to="/" replace />;
      return <Navigate to={loginForUrl} replace />;
    }
    return <Navigate to={`/login${compiledParams}`} replace />;
  }
  return (
@@ -0,0 +1,5 @@
 import { z } from "zod";
 export const getOidcClientInfoSchema = z.object({
  name: z.string(),
 });
@@ -57,11 +57,6 @@ export default defineConfig({
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/robots.txt/, ""),
      },
      "/authorize": {
        target: "http://tinyauth-backend:3000/authorize",
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/authorize/, ""),
      },
    },
    allowedHosts: true,
  },
@@ -1,6 +1,6 @@
 module github.com/tinyauthapp/tinyauth
-go 1.26.4
+go 1.26.3
 require (
 	charm.land/huh/v2 v2.0.3
@@ -9,11 +9,10 @@ require (
 	github.com/gin-gonic/gin v1.12.0
 	github.com/go-jose/go-jose/v4 v4.1.4
 	github.com/go-ldap/ldap/v3 v3.4.13
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/go-querystring v1.2.0
 	github.com/google/uuid v1.6.0
-	github.com/jackc/pgx/v5 v5.10.0
+	github.com/jackc/pgx/v5 v5.9.2
 	github.com/mdp/qrterminal/v3 v3.2.1
 	github.com/pquerna/otp v1.5.0
 	github.com/rs/zerolog v1.35.1
@@ -21,14 +20,13 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3
 	go.uber.org/dig v1.19.0
 	golang.org/x/crypto v0.52.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/tools v0.45.0
 	k8s.io/apimachinery v0.36.1
 	k8s.io/client-go v0.36.1
-	modernc.org/sqlite v1.51.0
+	modernc.org/sqlite v1.50.1
-	tailscale.com v1.100.0
+	tailscale.com v1.98.3
 )
 require (
@@ -79,7 +77,7 @@ require (
 	github.com/gaissmai/bart v0.26.1 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
-	github.com/go-json-experiment/json v0.0.0-20260214004413-d219187c3433 // indirect
+	github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
@@ -128,7 +126,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
-	github.com/quic-go/quic-go v0.59.1 // indirect
+	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
@@ -139,7 +137,7 @@ require (
 	github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd // indirect
 	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc // indirect
 	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
-	github.com/tailscale/wireguard-go v0.0.0-20260527010701-b48af7099cad // indirect
+	github.com/tailscale/wireguard-go v0.0.0-20260427181203-e3ac4a0afb4e // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
@@ -159,7 +157,7 @@ require (
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
 	golang.org/x/mod v0.36.0 // indirect
-	golang.org/x/net v0.55.0 // indirect
+	golang.org/x/net v0.54.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.45.0 // indirect
 	golang.org/x/term v0.43.0 // indirect
@@ -181,8 +181,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
 github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
-github.com/go-json-experiment/json v0.0.0-20260214004413-d219187c3433 h1:vymEbVwYFP/L05h5TKQxvkXoKxNvTpjxYKdF1Nlwuao=
+github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
-github.com/go-json-experiment/json v0.0.0-20260214004413-d219187c3433/go.mod h1:tphK2c80bpPhMOI4v6bIc2xWywPfbqi1Z06+RcrMkDg=
+github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
 github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -206,8 +206,6 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
 github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
 github.com/go4org/hashtriemap v0.0.0-20251130024219-545ba229f689 h1:0psnKZ+N2IP43/SZC8SKx6OpFJwLmQb9m9QyV9BC2f8=
 github.com/go4org/hashtriemap v0.0.0-20251130024219-545ba229f689/go.mod h1:OGmRfY/9QEK2P5zCRtmqfbCF283xPkU2dvVA4MvbvpI=
 github.com/go4org/plan9netshell v0.0.0-20250324183649-788daa080737 h1:cf60tHxREO3g1nroKr2osU3JWZsJzkfi7rEg+oAB0Lo=
 github.com/go4org/plan9netshell v0.0.0-20250324183649-788daa080737/go.mod h1:MIS0jDzbU/vuM9MC4YnBITCv+RYuTRq8dJzmCrFsK9g=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
@@ -216,8 +214,6 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
 github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
@@ -263,8 +259,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.10.0 h1:VhSvgU2jSli8o3AqIEOTJr7rZwAEUVo4E4XhR94Zfr0=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
-github.com/jackc/pgx/v5 v5.10.0/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
@@ -386,8 +382,8 @@ github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2
 github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
-github.com/quic-go/quic-go v0.59.1 h1:0Gmua0HW1Tv7ANR7hUYwRyD0MG5OJfgvYSZasGZzBic=
+github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
-github.com/quic-go/quic-go v0.59.1/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
+github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
@@ -439,8 +435,8 @@ github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:U
 github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
-github.com/tailscale/wireguard-go v0.0.0-20260527010701-b48af7099cad h1:Ky26FR5yZ5IKEB0xtm5A8xSTb06ImY7kxBFrvgOmJSg=
+github.com/tailscale/wireguard-go v0.0.0-20260427181203-e3ac4a0afb4e h1:GexFR7ak1iz26fxg8HWCpOEqAOL8UEZJ7J3JxeCalDs=
-github.com/tailscale/wireguard-go v0.0.0-20260527010701-b48af7099cad/go.mod h1:6SerzcvHWQchKO2BfNdmquA77CHSECZuFl+D9fp4RnI=
+github.com/tailscale/wireguard-go v0.0.0-20260427181203-e3ac4a0afb4e/go.mod h1:6SerzcvHWQchKO2BfNdmquA77CHSECZuFl+D9fp4RnI=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
@@ -485,8 +481,6 @@ go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09
 go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
 go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
 go.uber.org/dig v1.19.0 h1:BACLhebsYdpQ7IROQ1AGPjrXcP5dF80U3gKoFzbaq/4=
 go.uber.org/dig v1.19.0/go.mod h1:Us0rSJiThwCv2GteUN0Q7OKvU7n5J4dxZ9JKUXozFdE=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
@@ -505,12 +499,12 @@ golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/image v0.41.0 h1:8wS72eGJMJaBxK6okTzd4WaXumUlTVlb753MlsSvTCo=
+golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
-golang.org/x/image v0.41.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
+golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
 golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
 golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
-golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
-golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -593,8 +587,8 @@ modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
 modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.51.0 h1:aH/MMSoayAIhozZ7uJbVTT9QO/VhzBf0J9tymmmuC/U=
+modernc.org/sqlite v1.50.1 h1:l+cQvn0sd0zJJtfygGHuQJ5AjlrwXmWPw4KP3ZMwr9w=
-modernc.org/sqlite v1.51.0/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
+modernc.org/sqlite v1.50.1/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
@@ -611,5 +605,5 @@ sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
 software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
-tailscale.com v1.100.0 h1:nm/M/dEaW9RaRsGUjW2HsSDpsZ60Jwd9k4gNW9tTFiE=
+tailscale.com v1.98.3 h1:caAbG4UfkKfKPE6b1fj5t4ep5qrwEis5AJu91ruvePw=
-tailscale.com v1.100.0/go.mod h1:DQ9YBy85DpNlSyeU2XRIWzbAu3RsGp/frv+Khg57meE=
+tailscale.com v1.98.3/go.mod h1:U23ZwbZlKJMNU7CScy+lCVVlece/S5n09q0nyudncBI=
@@ -1,46 +0,0 @@
 DROP TABLE IF EXISTS "oidc_sessions";
 CREATE TABLE "oidc_codes" (
    "sub"            TEXT   NOT NULL UNIQUE,
    "code_hash"      TEXT   NOT NULL PRIMARY KEY,
    "scope"          TEXT   NOT NULL,
    "redirect_uri"   TEXT   NOT NULL,
    "client_id"      TEXT   NOT NULL,
    "expires_at"     BIGINT NOT NULL,
    "nonce"          TEXT   NOT NULL DEFAULT '',
    "code_challenge" TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE "oidc_tokens" (
    "sub"                      TEXT   NOT NULL UNIQUE,
    "access_token_hash"        TEXT   NOT NULL PRIMARY KEY,
    "refresh_token_hash"       TEXT   NOT NULL,
    "code_hash"                TEXT   NOT NULL,
    "scope"                    TEXT   NOT NULL,
    "client_id"                TEXT   NOT NULL,
    "token_expires_at"         BIGINT NOT NULL,
    "refresh_token_expires_at" BIGINT NOT NULL,
    "nonce"                    TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE "oidc_userinfo" (
    "sub"                TEXT   NOT NULL PRIMARY KEY,
    "name"               TEXT   NOT NULL,
    "preferred_username" TEXT   NOT NULL,
    "email"              TEXT   NOT NULL,
    "groups"             TEXT   NOT NULL,
    "updated_at"         BIGINT NOT NULL,
    "given_name"         TEXT   NOT NULL,
    "family_name"        TEXT   NOT NULL,
    "middle_name"        TEXT   NOT NULL,
    "nickname"           TEXT   NOT NULL,
    "profile"            TEXT   NOT NULL,
    "picture"            TEXT   NOT NULL,
    "website"            TEXT   NOT NULL,
    "gender"             TEXT   NOT NULL,
    "birthdate"          TEXT   NOT NULL,
    "zoneinfo"           TEXT   NOT NULL,
    "locale"             TEXT   NOT NULL,
    "phone_number"       TEXT   NOT NULL,
    "address"            TEXT   NOT NULL
 );
@@ -1,28 +0,0 @@
 /*
 This migration will nuke the entire setup of OIDC sessions and merge everything
 into one table.
 */
 /*
 Drop all the old tables. Yes, we will log out all OIDC users, but not really a big deal
 */
 DROP TABLE IF EXISTS "oidc_tokens";
 DROP TABLE IF EXISTS "oidc_userinfo";
 DROP TABLE IF EXISTS "oidc_codes";
 /*
 Create a new simple OIDC sessions table that will hold tokens + userinfo.
 */
 CREATE TABLE IF NOT EXISTS "oidc_sessions" (
    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
    "access_token_hash" TEXT NOT NULL UNIQUE,
    "refresh_token_hash" TEXT NOT NULL UNIQUE,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" BIGINT NOT NULL,
    "refresh_token_expires_at" BIGINT NOT NULL,
    "nonce" TEXT NOT NULL DEFAULT '',
    "userinfo_json" TEXT NOT NULL
 );
@@ -1,46 +0,0 @@
 DROP TABLE IF EXISTS "oidc_sessions";
 CREATE TABLE IF NOT EXISTS "oidc_codes" (
    "sub" TEXT NOT NULL UNIQUE,
    "code_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "scope" TEXT NOT NULL,
    "redirect_uri" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT "",
    "code_challenge" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
    "code_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
    "refresh_token_expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
    "sub"                   TEXT    NOT NULL UNIQUE PRIMARY KEY,
    "name"                  TEXT    NOT NULL,
    "preferred_username"    TEXT    NOT NULL,
    "email"                 TEXT    NOT NULL,
    "groups"                TEXT    NOT NULL,
    "updated_at"            INTEGER NOT NULL,
    "given_name"            TEXT    NOT NULL,
    "family_name"           TEXT    NOT NULL,
    "middle_name"           TEXT    NOT NULL,
    "nickname"              TEXT    NOT NULL,
    "profile"               TEXT    NOT NULL,
    "picture"               TEXT    NOT NULL,
    "website"               TEXT    NOT NULL,
    "gender"                TEXT    NOT NULL,
    "birthdate"             TEXT    NOT NULL,
    "zoneinfo"              TEXT    NOT NULL,
    "locale"                TEXT    NOT NULL,
    "phone_number"          TEXT    NOT NULL,
    "address"               TEXT    NOT NULL
 );
@@ -1,28 +0,0 @@
 /*
 This migration will nuke the entire setup of OIDC sessions and merge everything
 into one table.
 */
 /*
 Drop all the old tables. Yes, we will log out all OIDC users, but not really a big deal
 */
 DROP TABLE IF EXISTS "oidc_tokens";
 DROP TABLE IF EXISTS "oidc_userinfo";
 DROP TABLE IF EXISTS "oidc_codes";
 /*
 Create a new simple OIDC sessions table that will hold tokens + userinfo.
 */
 CREATE TABLE IF NOT EXISTS "oidc_sessions" (
    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
    "access_token_hash" TEXT NOT NULL UNIQUE,
    "refresh_token_hash" TEXT NOT NULL UNIQUE,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
    "refresh_token_expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT "",
    "userinfo_json" TEXT NOT NULL
 );
@@ -18,7 +18,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"go.uber.org/dig"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -57,7 +56,6 @@ type BootstrapApp struct {
 	db        *sql.DB
 	ding      *ding.Ding
 	listeners []Listener
 	dig       *dig.Container
 }
 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -72,11 +70,7 @@ func (app *BootstrapApp) Setup() error {
 	app.ctx = ctx
 	app.cancel = cancel
-	// create the dig container
+	// Create a ding instance
 	c := dig.New()
 	app.dig = c
 	// create a ding instance
 	dg := ding.New(ctx)
 	app.ding = dg
@@ -163,6 +157,12 @@ func (app *BootstrapApp) Setup() error {
 		app.runtime.OAuthProviders[id] = provider
 	}
 	// setup oidc clients
 	for id, client := range app.config.OIDC.Clients {
 		client.ID = id
 		app.runtime.OIDCClients = append(app.runtime.OIDCClients, client)
 	}
 	// cookie domain
 	cookieDomainResolver := utils.GetCookieDomain
@@ -211,33 +211,6 @@ func (app *BootstrapApp) Setup() error {
 	// store
 	app.queries = store
 	// provide basic utilities to container
 	type utilityProvider struct {
 		dig.Out
 		Log     *logger.Logger
 		Config  *model.Config
 		Runtime *model.RuntimeConfig
 		Ding    *ding.Ding
 		Ctx     context.Context
 		Queries repository.Store
 	}
 	err = app.dig.Provide(func() utilityProvider {
 		return utilityProvider{
 			Log:     app.log,
 			Config:  &app.config,
 			Runtime: &app.runtime,
 			Ding:    app.ding,
 			Ctx:     app.ctx,
 			Queries: app.queries,
 		}
 	})
 	if err != nil {
 		return fmt.Errorf("failed to provide utilities to container: %w", err)
 	}
 	// services
 	err = app.setupServices()
@@ -13,7 +13,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 )
@@ -41,94 +40,31 @@ func (app *BootstrapApp) setupRouter() error {
 		}
 	}
-	middlewareProvideFor := []any{
+	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService, app.services.tailscaleService)
-		middleware.NewContextMiddleware,
+	engine.Use(contextMiddleware.Middleware())
 		middleware.NewUIMiddleware,
 		middleware.NewZerologMiddleware,
 	}
-	for _, provider := range middlewareProvideFor {
+	uiMiddleware, err := middleware.NewUIMiddleware()
 		err := app.dig.Provide(provider)
 		if err != nil {
 			return fmt.Errorf("failed to provide middleware: %w", err)
 		}
 	}
 	type middlewareInput struct {
 		dig.In
 		ContextMiddleware *middleware.ContextMiddleware
 		UIMiddleware      *middleware.UIMiddleware
 		ZerologMiddleware *middleware.ZerologMiddleware
 	}
 	err := app.dig.Invoke(func(mi middlewareInput) {
 		engine.Use(mi.ContextMiddleware.Middleware())
 		engine.Use(mi.UIMiddleware.Middleware())
 		engine.Use(mi.ZerologMiddleware.Middleware())
 	})
 	if err != nil {
-		return fmt.Errorf("failed to invoke middleware: %w", err)
+		return fmt.Errorf("failed to initialize UI middleware: %w", err)
 	}
-	err = app.dig.Provide(func() *gin.RouterGroup {
+	engine.Use(uiMiddleware.Middleware())
 		return &engine.RouterGroup
 	}, dig.Name("mainRouterGroup"))
-	if err != nil {
+	zerologMiddleware := middleware.NewZerologMiddleware(app.log)
 		return fmt.Errorf("failed to provide main router group: %w", err)
 	}
-	err = app.dig.Provide(func() *gin.RouterGroup {
+	engine.Use(zerologMiddleware.Middleware())
 		return engine.Group("/api")
 	}, dig.Name("apiRouterGroup"))
-	if err != nil {
+	apiRouter := engine.Group("/api")
 		return fmt.Errorf("failed to provide api router group: %w", err)
 	}
-	controllerProvideFor := []any{
+	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-		controller.NewContextController,
+	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
-		controller.NewOAuthController,
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
-		controller.NewOIDCController,
+	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
-		controller.NewProxyController,
+	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
-		controller.NewUserController,
+	controller.NewResourcesController(app.config, &engine.RouterGroup)
-		controller.NewResourcesController,
+	controller.NewHealthController(apiRouter)
-		controller.NewHealthController,
+	controller.NewWellKnownController(app.services.oidcService, &engine.RouterGroup)
 		controller.NewWellKnownController,
 	}
 	for _, provider := range controllerProvideFor {
 		err := app.dig.Provide(provider)
 		if err != nil {
 			return fmt.Errorf("failed to provide controller: %w", err)
 		}
 	}
 	type controllerInput struct {
 		dig.In
 		ContextController   *controller.ContextController
 		OAuthController     *controller.OAuthController
 		OIDCController      *controller.OIDCController
 		ProxyController     *controller.ProxyController
 		UserController      *controller.UserController
 		ResourcesController *controller.ResourcesController
 		HealthController    *controller.HealthController
 		WellKnownController *controller.WellKnownController
 	}
 	// force dig to build all controllers and register their routes
 	err = app.dig.Invoke(func(ci controllerInput) error {
 		return nil
 	})
 	if err != nil {
 		return fmt.Errorf("failed to invoke controllers: %w", err)
 	}
 	app.router = engine
 	return nil
@@ -5,67 +5,54 @@ import (
 	"os"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"go.uber.org/dig"
 )
 func (app *BootstrapApp) setupServices() error {
-	err := app.setupPolicyEngine()
+	ldapService, err := service.NewLdapService(app.log, app.config, app.ding)
 	if err != nil {
-		return fmt.Errorf("failed to setup policy engine: %w", err)
+		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
 	}
 	app.services.ldapService = ldapService
 	labelProvider, err := app.getLabelProvider()
 	if err != nil {
-		return fmt.Errorf("failed to get label provider: %w", err)
+		return fmt.Errorf("failed to initialize label provider: %w", err)
 	}
-	serviceProvideFor := []any{
+	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, app.ding)
 		func() service.LabelProvider {
 			return labelProvider
 		},
 		service.NewLdapService,
 		service.NewTailscaleService,
 		service.NewAccessControlsService,
 		service.NewOAuthBrokerService,
 		service.NewAuthService,
 		service.NewOIDCService,
 	}
 	for _, provider := range serviceProvideFor {
 		err = app.dig.Provide(provider)
 		if err != nil {
 			return fmt.Errorf("failed to provide service: %w", err)
 		}
 	}
 	type svcInput struct {
 		dig.In
 		AccessControlService *service.AccessControlsService
 		AuthService          *service.AuthService
 		LDAPService          *service.LdapService
 		OAuthBrokerService   *service.OAuthBrokerService
 		OIDCService          *service.OIDCService
 		TailscaleService     *service.TailscaleService
 	}
 	err = app.dig.Invoke(func(i svcInput) error {
 		app.services.accessControlService = i.AccessControlService
 		app.services.authService = i.AuthService
 		app.services.ldapService = i.LDAPService
 		app.services.oauthBrokerService = i.OAuthBrokerService
 		app.services.oidcService = i.OIDCService
 		app.services.tailscaleService = i.TailscaleService
 		return nil
 	})
 	if err != nil {
-		return fmt.Errorf("failed to invoke services: %w", err)
+		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
 	}
 	app.services.tailscaleService = tailscaleService
 	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
 	app.services.accessControlService = accessControlsService
 	err = app.setupPolicyEngine()
 	if err != nil {
 		return fmt.Errorf("failed to initialize policy engine: %w", err)
 	}
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService
 	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
 	app.services.authService = authService
 	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)
 	if err != nil {
 		return fmt.Errorf("failed to initialize oidc service: %w", err)
 	}
 	app.services.oidcService = oidcService
 	return nil
 }
@@ -82,93 +69,66 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 		if useKubernetes {
 			app.log.App.Debug().Msg("Using Kubernetes label provider")
-			err := app.dig.Provide(service.NewKubernetesService)
+			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, app.ding)
 			if err != nil {
-				return nil, fmt.Errorf("failed to provide kubernetes service: %w", err)
+				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
 			}
-			err = app.dig.Invoke(func(k *service.KubernetesService) error {
+			app.services.kubernetesService = kubernetesService
-				app.services.kubernetesService = k
+			return kubernetesService, nil
 				return nil
 			})
 			if err != nil {
 				return nil, fmt.Errorf("failed to invoke kubernetes service: %w", err)
 			}
 			// Kubernetes will fail to initialize with an error if it cannot connect to the cluster
 			// but just to be safe, we check if the service is nil and log a warning if it is
 			if app.services.kubernetesService == nil {
 				if app.config.LabelProvider == "kubernetes" {
 					app.log.App.Warn().Msg("Kubernetes label provider selected but Kubernetes is not available, will continue without it")
 				}
 				return nil, nil
 			}
 			return app.services.kubernetesService, nil
 		}
 		app.log.App.Debug().Msg("Using Docker label provider")
-		err := app.dig.Provide(service.NewDockerService)
+		dockerService, err := service.NewDockerService(app.log, app.ctx, app.ding)
 		if err != nil {
-			return nil, fmt.Errorf("failed to provide docker service: %w", err)
+			return nil, fmt.Errorf("failed to initialize docker service: %w", err)
 		}
-		err = app.dig.Invoke(func(d *service.DockerService) error {
+		if dockerService == nil {
 			app.services.dockerService = d
 			return nil
 		})
 		if err != nil {
 			return nil, fmt.Errorf("failed to invoke docker service: %w", err)
 		}
 		if app.services.dockerService == nil {
 			if app.config.LabelProvider == "docker" {
 				app.log.App.Warn().Msg("Docker label provider selected but Docker is not available, will continue without it")
 			}
 			return nil, nil
 		}
-		return app.services.dockerService, nil
+		app.services.dockerService = dockerService
 		return dockerService, nil
 	default:
 		return nil, fmt.Errorf("invalid label provider: %s", app.config.LabelProvider)
 	}
 }
 func (app *BootstrapApp) setupPolicyEngine() error {
-	err := app.dig.Provide(service.NewPolicyEngine)
+	policyEngine, err := service.NewPolicyEngine(app.config, app.log)
 	if err != nil {
-		return fmt.Errorf("failed to create policy engine: %w", err)
+		return fmt.Errorf("failed to initialize policy engine: %w", err)
 	}
-	err = app.dig.Invoke(func(policyEngine *service.PolicyEngine) error {
+	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
-		policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
+		Log: app.log,
-			Log: app.log,
+	})
-		})
+	policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
-		policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
+		Log: app.log,
-			Log: app.log,
+	})
-		})
+	policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
-		policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
+		Log: app.log,
-			Log: app.log,
+	})
-		})
+	policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
-		policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
+		Log: app.log,
-			Log: app.log,
+	})
-		})
+	policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
-		policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
+		Log:    app.log,
-			Log:    app.log,
+		Config: app.config,
-			Config: app.config,
+	})
-		})
+	policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
-		policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
+		Log:    app.log,
-			Log:    app.log,
+		Config: app.config,
 			Config: app.config,
 		})
 		return nil
 	})
-	return err
+	app.services.policyEngine = policyEngine
 	return nil
 }
@@ -3,7 +3,6 @@ package controller
 import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 )
@@ -72,33 +71,29 @@ type AppContextResponse struct {
 	App     ACRApp   `json:"app"`
 }
 type ContextControllerInput struct {
 	dig.In
 	Log         *logger.Logger
 	Config      *model.Config
 	Runtime     *model.RuntimeConfig
 	RouterGroup *gin.RouterGroup `name:"apiRouterGroup"`
 }
 type ContextController struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 }
-func NewContextController(i ContextControllerInput) *ContextController {
+func NewContextController(
 	log *logger.Logger,
 	config model.Config,
 	runtimeConfig model.RuntimeConfig,
 	router *gin.RouterGroup,
 ) *ContextController {
 	controller := &ContextController{
-		log:     i.Log,
+		log:     log,
-		config:  i.Config,
+		config:  config,
-		runtime: i.Runtime,
+		runtime: runtimeConfig,
 	}
-	if !i.Config.UI.WarningsEnabled {
+	if !config.UI.WarningsEnabled {
-		i.Log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
+		log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
 	}
-	contextGroup := i.RouterGroup.Group("/context")
+	contextGroup := router.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
@@ -1,4 +1,4 @@
-package controller
+package controller_test
 import (
 	"encoding/json"
@@ -9,6 +9,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
@@ -32,22 +33,22 @@ func TestContextController(t *testing.T) {
 			middlewares: []gin.HandlerFunc{},
 			path:        "/api/context/app",
 			expected: func() string {
-				expectedAppContextResponse := AppContextResponse{
+				expectedAppContextResponse := controller.AppContextResponse{
 					Status:  200,
 					Message: "Success",
-					Auth: ACRAuth{
+					Auth: controller.ACRAuth{
 						Providers: runtime.ConfiguredProviders,
 					},
-					OAuth: ACROAuth{
+					OAuth: controller.ACROAuth{
 						AutoRedirect: cfg.OAuth.AutoRedirect,
 					},
-					UI: ACRUI{
+					UI: controller.ACRUI{
 						Title:                 cfg.UI.Title,
 						ForgotPasswordMessage: cfg.UI.ForgotPasswordMessage,
 						BackgroundImage:       cfg.UI.BackgroundImage,
 						WarningsEnabled:       cfg.UI.WarningsEnabled,
 					},
-					App: ACRApp{
+					App: controller.ACRApp{
 						AppURL:         runtime.AppURL,
 						CookieDomain:   runtime.CookieDomain,
 						TrustedDomains: runtime.TrustedDomains,
@@ -63,7 +64,7 @@ func TestContextController(t *testing.T) {
 			middlewares: []gin.HandlerFunc{},
 			path:        "/api/context/user",
 			expected: func() string {
-				expectedUserContextResponse := UserContextResponse{
+				expectedUserContextResponse := controller.UserContextResponse{
 					Status:  401,
 					Message: "Unauthorized",
 				}
@@ -91,10 +92,10 @@ func TestContextController(t *testing.T) {
 			},
 			path: "/api/context/user",
 			expected: func() string {
-				expectedUserContextResponse := UserContextResponse{
+				expectedUserContextResponse := controller.UserContextResponse{
 					Status:  200,
 					Message: "Success",
-					Auth: UCRAuth{
+					Auth: controller.UCRAuth{
 						Authenticated: true,
 						Username:      "johndoe",
 						Name:          "John Doe",
@@ -120,12 +121,7 @@ func TestContextController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
-			NewContextController(ContextControllerInput{
+			controller.NewContextController(log, cfg, runtime, group)
 				Log:         log,
 				Config:      &cfg,
 				Runtime:     &runtime,
 				RouterGroup: group,
 			})
 			recorder := httptest.NewRecorder()
@@ -1,12 +1,5 @@
 package controller
 type FrontendLoginFor string
 const (
 	FrontendLoginForOIDC FrontendLoginFor = "oidc"
 	FrontendLoginForApp  FrontendLoginFor = "app"
 )
 type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
@@ -15,6 +8,5 @@ type UnauthorizedQuery struct {
 }
 type RedirectQuery struct {
-	RedirectURI string           `url:"redirect_uri"`
+	RedirectURI string `url:"redirect_uri"`
 	LoginFor    FrontendLoginFor `url:"login_for"`
 }
@@ -1,24 +1,15 @@
 package controller
-import (
+import "github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin"
 	"go.uber.org/dig"
 )
 type HealthController struct {
 }
-type HealthControllerInput struct {
+func NewHealthController(router *gin.RouterGroup) *HealthController {
 	dig.In
 	RouterGroup *gin.RouterGroup `name:"apiRouterGroup"`
 }
 func NewHealthController(i HealthControllerInput) *HealthController {
 	controller := &HealthController{}
-	i.RouterGroup.GET("/healthz", controller.healthHandler)
+	router.GET("/healthz", controller.healthHandler)
-	i.RouterGroup.HEAD("/healthz", controller.healthHandler)
+	router.HEAD("/healthz", controller.healthHandler)
 	return controller
 }
@@ -1,4 +1,4 @@
-package controller
+package controller_test
 import (
 	"encoding/json"
@@ -9,6 +9,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 )
 func TestHealthController(t *testing.T) {
@@ -54,9 +55,7 @@ func TestHealthController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
-			NewHealthController(HealthControllerInput{
+			controller.NewHealthController(group)
 				RouterGroup: group,
 			})
 			recorder := httptest.NewRecorder()
@@ -3,7 +3,6 @@ package controller
 import (
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
@@ -12,8 +11,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"github.com/weppos/publicsuffix-go/publicsuffix"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -25,30 +22,26 @@ type OAuthRequest struct {
 type OAuthController struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 	auth    *service.AuthService
 }
-type OAuthControllerInput struct {
+func NewOAuthController(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log           *logger.Logger
+	runtimeConfig model.RuntimeConfig,
-	Config        *model.Config
+	router *gin.RouterGroup,
-	RuntimeConfig *model.RuntimeConfig
+	auth *service.AuthService,
-	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+) *OAuthController {
 	AuthService   *service.AuthService
 }
 func NewOAuthController(i OAuthControllerInput) *OAuthController {
 	controller := &OAuthController{
-		log:     i.Log,
+		log:     log,
-		config:  i.Config,
+		config:  config,
-		runtime: i.RuntimeConfig,
+		runtime: runtimeConfig,
-		auth:    i.AuthService,
+		auth:    auth,
 	}
-	oauthGroup := i.RouterGroup.Group("/oauth")
+	oauthGroup := router.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
@@ -68,7 +61,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
-	var reqParams service.OAuthCallbackParams
+	var reqParams service.OAuthURLParams
 	err = c.BindQuery(&reqParams)
@@ -82,13 +75,15 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	}
 	if !controller.isOidcRequest(reqParams) {
-		if !controller.isRedirectSafe(reqParams.RedirectURI) {
+		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.runtime.CookieDomain)
 		if !isRedirectSafe {
 			controller.log.App.Warn().Str("redirectUri", reqParams.RedirectURI).Msg("Unsafe redirect URI, ignoring")
 			reqParams.RedirectURI = ""
 		}
 	}
-	sessionId, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
+	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create new OAuth session")
@@ -277,14 +272,13 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/oidc/authorize?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 	if oauthPendingSession.CallbackParams.RedirectURI != "" {
 		queries, err := query.Values(RedirectQuery{
 			RedirectURI: oauthPendingSession.CallbackParams.RedirectURI,
 			LoginFor:    FrontendLoginForApp,
 		})
 		if err != nil {
@@ -300,8 +294,11 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, controller.runtime.AppURL)
 }
-func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackParams) bool {
+func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
-	return params.LoginFor == string(FrontendLoginForOIDC)
+	return params.Scope != "" &&
 		params.ResponseType != "" &&
 		params.ClientID != "" &&
 		params.RedirectURI != ""
 }
 func (controller *OAuthController) getCookieDomain() string {
@@ -310,56 +307,3 @@ func (controller *OAuthController) getCookieDomain() string {
 	}
 	return controller.runtime.CookieDomain
 }
 func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
 	u, err := url.Parse(redirectURI)
 	if err != nil || u.Host == "" || u.Scheme == "" {
 		return false
 	}
 	for _, allowed := range controller.runtime.TrustedDomains {
 		tu, err := url.Parse(allowed)
 		if err != nil {
 			controller.log.App.Error().Err(err).Str("allowed", allowed).Msg("Failed to parse trusted domain")
 			continue
 		}
 		if tu.Scheme != u.Scheme {
 			continue
 		}
 		// exact match
 		if strings.EqualFold(u.Host, tu.Host) {
 			return true
 		}
 		// if subdomains are disabled, end here
 		if !controller.config.Auth.SubdomainsEnabled {
 			continue
 		}
 		// get the root domain (e.g. tinyauth.example.com -> example.com or
 		// tinyauth.sub.example.com -> sub.example.com)
 		_, root, ok := strings.Cut(tu.Host, ".")
 		if !ok {
 			continue
 		}
 		root = strings.ToLower(root)
 		// check if the root domain is in the psl
 		_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, root, nil)
 		if err != nil {
 			continue
 		}
 		// subdomain match
 		if strings.HasSuffix(strings.ToLower(u.Host), "."+root) {
 			return true
 		}
 	}
 	return false
 }
@@ -1,161 +0,0 @@
 package controller
 import (
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 func TestOAuthController(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 	cfg, runtime := test.CreateTestConfigs(t)
 	type testCase struct {
 		description       string
 		run               func(ctrl *OAuthController)
 		trustedDomains    []string
 		subdomainsEnabled bool
 	}
 	tests := []testCase{
 		{
 			description:       "Test exact match of redirect URI",
 			trustedDomains:    []string{"https://tinyauth.example.com"},
 			subdomainsEnabled: true,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https://tinyauth.example.com"
 				assert.True(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description:       "Test subdomain match of redirect URI",
 			trustedDomains:    []string{"https://tinyauth.example.com"},
 			subdomainsEnabled: true,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https://sub.example.com"
 				assert.True(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description:       "Test different trusted domain",
 			trustedDomains:    []string{"https://tinyauth.example.com", "https://tinyauth.foo.com"},
 			subdomainsEnabled: true,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https://app.foo.com"
 				assert.True(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description: "Test invalid redirect URI",
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https:/malicious"
 				assert.False(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description: "Test empty redirect URI",
 			run: func(ctrl *OAuthController) {
 				redirectUri := ""
 				assert.False(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description:       "Test redirect URI with different scheme",
 			trustedDomains:    []string{"https://tinyauth.example.com"},
 			subdomainsEnabled: true,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "http://tinyauth.example.com"
 				assert.False(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description:       "Test redirect URI with different port",
 			trustedDomains:    []string{"https://tinyauth.example.com"},
 			subdomainsEnabled: true,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https://tinyauth.example.com:8080"
 				assert.False(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			// weird case, subdomains enabled and domain without subdomain can't happen
 			description:    "Test with trusted domain that's in PSL when split",
 			trustedDomains: []string{"https://example.com"}, // will become .com which we
 			// obviously don't want to allow
 			subdomainsEnabled: true,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https://sub.example.com"
 				assert.False(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description:       "Test subdomain redirect URI when subdomains are disabled",
 			trustedDomains:    []string{"https://tinyauth.example.com"},
 			subdomainsEnabled: false,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https://sub.tinyauth.example.com"
 				assert.False(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description:       "Test domain like the .co.uk",
 			trustedDomains:    []string{"https://example.co.uk"},
 			subdomainsEnabled: true,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https://sub.example.co.uk"
 				assert.False(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description:       "Test domain like the .co.uk with subdomains disabled",
 			trustedDomains:    []string{"https://example.co.uk"},
 			subdomainsEnabled: false,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https://example.co.uk"
 				assert.True(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description:       "Test caps domain",
 			trustedDomains:    []string{"https://TINYAUTH.ExAmpLe.com"},
 			subdomainsEnabled: true,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https://sUb.ExAmPle.com"
 				assert.True(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 		{
 			description:       "Test edge case with @",
 			trustedDomains:    []string{"https://tinyauth.example.com"},
 			subdomainsEnabled: true,
 			run: func(ctrl *OAuthController) {
 				redirectUri := "https://malicious.example.com@evil.com"
 				assert.False(t, ctrl.isRedirectSafe(redirectUri))
 			},
 		},
 	}
 	// TODO: add auth service
 	for _, tc := range tests {
 		t.Run(tc.description, func(t *testing.T) {
 			router := gin.Default()
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 			// overwrite the trusted domains and subdomain setting for each test case
 			runtime.TrustedDomains = tc.trustedDomains
 			cfg.Auth.SubdomainsEnabled = tc.subdomainsEnabled
 			ctrl := NewOAuthController(OAuthControllerInput{
 				Log:           log,
 				Config:        &cfg,
 				RuntimeConfig: &runtime,
 				RouterGroup:   group,
 			})
 			tc.run(ctrl)
 		})
 	}
 }
@@ -1,7 +1,6 @@
 package controller
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -9,12 +8,11 @@ import (
 	"strings"
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
 	"github.com/google/go-querystring/query"
 	"go.uber.org/dig"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -25,13 +23,12 @@ type authorizeErrorParams struct {
 	callback      string
 	callbackError string
 	state         string
 	json          bool
 }
 type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 }
 type AuthorizeCallback struct {
@@ -68,39 +65,20 @@ type ClientCredentials struct {
 	ClientSecret string
 }
-type AuthorizeScreenParams struct {
+func NewOIDCController(
-	LoginFor   FrontendLoginFor `url:"login_for"`
+	log *logger.Logger,
-	OIDCTicket string           `url:"oidc_ticket"`
+	oidcService *service.OIDCService,
-	OIDCScope  string           `url:"oidc_scope"`
+	runtimeConfig model.RuntimeConfig,
-	OIDCName   string           `url:"oidc_name"`
+	router *gin.RouterGroup) *OIDCController {
 }
 type AuthorizeCompleteRequest struct {
 	Ticket string `json:"ticket" binding:"required"`
 }
 type OIDCControllerInput struct {
 	dig.In
 	Log           *logger.Logger
 	OIDCService   *service.OIDCService
 	RuntimeConfig *model.RuntimeConfig
 	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
 	MainRouter    *gin.RouterGroup `name:"mainRouterGroup"`
 }
 func NewOIDCController(i OIDCControllerInput) *OIDCController {
 	controller := &OIDCController{
-		log:     i.Log,
+		log:     log,
-		oidc:    i.OIDCService,
+		oidc:    oidcService,
-		runtime: i.RuntimeConfig,
+		runtime: runtimeConfig,
 	}
-	i.MainRouter.POST("/authorize", controller.authorize)
+	oidcGroup := router.Group("/oidc")
-	i.MainRouter.GET("/authorize", controller.authorize)
+	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
-
+	oidcGroup.POST("/authorize", controller.Authorize)
 	oidcGroup := i.RouterGroup.Group("/oidc")
 	oidcGroup.POST("/authorize-complete", controller.authorizeComplete)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 	oidcGroup.POST("/userinfo", controller.Userinfo)
@@ -108,10 +86,47 @@ func NewOIDCController(i OIDCControllerInput) *OIDCController {
 	return controller
 }
-// This endpoint does **not** return a code, it handles param validation, ticket creation
+func (controller *OIDCController) GetClientInfo(c *gin.Context) {
-// and then redirects to the frontend to handle the consent screen. It performs no destructive
+	if controller.oidc == nil {
-// actions (like logging out an existing session)
+		controller.log.App.Warn().Msg("Received OIDC client info request but OIDC server is not configured")
-func (controller *OIDCController) authorize(c *gin.Context) {
+		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "OIDC not configured",
 		})
 		return
 	}
 	var req ClientRequest
 	err := c.BindUri(&req)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
 		})
 		return
 	}
 	client, ok := controller.oidc.GetClient(req.ClientID)
 	if !ok {
 		controller.log.App.Warn().Str("clientId", req.ClientID).Msg("Client not found")
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Client not found",
 		})
 		return
 	}
 	c.JSON(200, gin.H{
 		"status": 200,
 		"client": client.ClientID,
 		"name":   client.Name,
 	})
 }
 func (controller *OIDCController) Authorize(c *gin.Context) {
 	if controller.oidc == nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err_oidc_not_configured"),
@@ -121,14 +136,35 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 		return
 	}
-	req, err := controller.resolveAuthorizeRequest(c)
+	userContext, err := new(model.UserContext).NewFromGin(c)
 	if err != nil {
 		controller.log.App.Warn().Err(err).Msg("Failed to resolve authorize request")
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
-			reason:       "Failed to resolve authorize request",
+			reason:       "Failed to get user context",
-			reasonPublic: "The authorization request is invalid",
+			reasonPublic: "User is not logged in or the session is invalid",
 		})
 		return
 	}
 	if !userContext.Authenticated {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err user not logged in"),
 			reason:       "User not logged in",
 			reasonPublic: "The user is not logged in",
 		})
 		return
 	}
 	var req service.AuthorizeRequest
 	err = c.Bind(&req)
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to bind JSON",
 			reasonPublic: "The client provided an invalid authorization request",
 		})
 		return
 	}
@@ -144,7 +180,7 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 		return
 	}
-	err = controller.oidc.ValidateAuthorizeParams(*req)
+	err = controller.oidc.ValidateAuthorizeParams(req)
 	if err != nil {
 		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
@@ -167,97 +203,9 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 		return
 	}
-	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)
+	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
-
+	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.GetUsername(), client.ID))
-	queries, err := query.Values(AuthorizeScreenParams{
+	code := utils.GenerateString(32)
 		LoginFor:   FrontendLoginForOIDC,
 		OIDCTicket: ticket,
 		OIDCScope:  req.Scope,
 		OIDCName:   client.Name,
 	})
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to compile authorize queries",
 			reasonPublic: "An internal error occured while processing your request",
 		})
 		return
 	}
 	redirectUrl := fmt.Sprintf("%s/oidc/authorize?%s", controller.oidc.GetIssuer(), queries.Encode())
 	c.Redirect(http.StatusFound, redirectUrl)
 }
 // The actual **internal** endpoint that actually creates the code and session.
 // It is called by the frontend after the user has logged in and given consent.
 func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 	if controller.oidc == nil {
 		// For this endpoint we return JSON errors since it's called
 		// by the frontend and not an external client, so there's
 		// no redirect_uri to send the user to in case of error
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err_oidc_not_configured"),
 			reason:       "OIDC not configured",
 			reasonPublic: "This instance is not configured for OIDC",
 			json:         true,
 		})
 		return
 	}
 	userContext, err := new(model.UserContext).NewFromGin(c)
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to get user context",
 			reasonPublic: "User is not logged in or the session is invalid",
 			json:         true,
 		})
 		return
 	}
 	if !userContext.Authenticated {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err user not logged in"),
 			reason:       "User not logged in",
 			reasonPublic: "The user is not logged in",
 			json:         true,
 		})
 		return
 	}
 	var req AuthorizeCompleteRequest
 	err = c.BindJSON(&req)
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to bind JSON",
 			reasonPublic: "The client provided an invalid authorization request",
 			json:         true,
 		})
 		return
 	}
 	authorizeReq, ok := controller.oidc.GetAuthorizeRequestByTicket(req.Ticket)
 	if !ok {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("authorize request not found for ticket"),
 			reason:       "Invalid or expired ticket",
 			reasonPublic: "The authorization request has expired or is invalid",
 			json:         true,
 		})
 		return
 	}
 	// We no longer need the ticket
 	controller.oidc.DeleteAuthorizeRequestTicket(req.Ticket)
 	// Create the sub to find and delete old sessions
 	sub := controller.oidc.CreateSub(*userContext, authorizeReq.ClientID)
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
@@ -266,20 +214,48 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 			err:           err,
 			reason:        "Failed to delete old sessions",
 			reasonPublic:  "Failed to delete old sessions",
-			callback:      authorizeReq.RedirectURI,
+			callback:      req.RedirectURI,
 			callbackError: "server_error",
-			state:         authorizeReq.State,
+			state:         req.State,
 			json:          true,
 		})
 		return
 	}
-	// Create the authorization code
+	err = controller.oidc.StoreCode(c, sub, code, req)
-	code := controller.oidc.CreateCode(*authorizeReq, *userContext)
+
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:           err,
 			reason:        "Failed to store code",
 			reasonPublic:  "Failed to store code",
 			callback:      req.RedirectURI,
 			callbackError: "server_error",
 			state:         req.State,
 		})
 		return
 	}
 	// We also need a snapshot of the user that authorized this (skip if no openid scope)
 	if slices.Contains(strings.Fields(req.Scope), "openid") {
 		err = controller.oidc.StoreUserinfo(c, sub, *userContext, req)
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to store user info")
 			controller.authorizeError(c, authorizeErrorParams{
 				err:           err,
 				reason:        "Failed to store user info",
 				reasonPublic:  "Failed to store user info",
 				callback:      req.RedirectURI,
 				callbackError: "server_error",
 				state:         req.State,
 			})
 			return
 		}
 	}
 	queries, err := query.Values(AuthorizeCallback{
 		Code:  code,
-		State: authorizeReq.State,
+		State: req.State,
 	})
 	if err != nil {
@@ -287,17 +263,16 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 			err:           err,
 			reason:        "Failed to build query",
 			reasonPublic:  "Failed to build query",
-			callback:      authorizeReq.RedirectURI,
+			callback:      req.RedirectURI,
 			callbackError: "server_error",
-			state:         authorizeReq.State,
+			state:         req.State,
 			json:          true,
 		})
 		return
 	}
 	c.JSON(200, gin.H{
 		"status":       200,
-		"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),
+		"redirect_uri": fmt.Sprintf("%s?%s", req.RedirectURI, queries.Encode()),
 	})
 }
@@ -379,34 +354,39 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	switch req.GrantType {
 	case "authorization_code":
-		entry, ok := controller.oidc.GetCodeEntry(controller.oidc.Hash(req.Code), client.ClientID)
+		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
-
+		if err != nil {
-		if !ok {
+			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-			// ensure no code reuse
+				controller.log.App.Error().Err(err).Msg("Failed to revoke tokens for replayed code")
-			usedCodeSub, ok := controller.oidc.IsCodeUsed(controller.oidc.Hash(req.Code))
+			}
-
+			if errors.Is(err, service.ErrCodeNotFound) {
-			if ok {
+				controller.log.App.Warn().Msg("Code not found")
 				controller.log.App.Warn().Msg("Code reuse detected")
 				err := controller.oidc.DeleteSessionBySub(c, usedCodeSub)
 				if err != nil {
 					controller.log.App.Error().Err(err).Msg("Failed to delete session for reused code")
 				}
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
-
+			if errors.Is(err, service.ErrCodeExpired) {
-			controller.log.App.Warn().Msg("Code not found")
+				controller.log.App.Warn().Msg("Code expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrInvalidClient) {
 				controller.log.App.Warn().Msg("Code does not belong to client")
 				c.JSON(400, gin.H{
 					"error": "invalid_client",
 				})
 				return
 			}
 			controller.log.App.Error().Err(err).Msg("Failed to get code entry")
 			c.JSON(400, gin.H{
-				"error": "invalid_grant",
+				"error": "server_error",
 			})
 			return
 		}
 		// mark code as used to prevent reuse
 		controller.oidc.MarkCodeAsUsed(controller.oidc.Hash(req.Code), entry.Userinfo.Sub)
 		if entry.RedirectURI != req.RedirectURI {
 			controller.log.App.Warn().Msg("Redirect URI does not match")
 			c.JSON(400, gin.H{
@@ -415,7 +395,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		ok = controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)
+		ok := controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)
 		if !ok {
 			controller.log.App.Warn().Msg("PKCE validation failed")
@@ -425,7 +405,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, *entry)
+		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry)
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to generate access token")
@@ -435,7 +415,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		tokenResponse = *tokenRes
+		tokenResponse = tokenRes
 	case "refresh_token":
 		tokenRes, err := controller.oidc.RefreshAccessToken(c, req.RefreshToken, creds.ClientID)
@@ -463,7 +443,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		tokenResponse = *tokenRes
+		tokenResponse = tokenRes
 	}
 	c.Header("cache-control", "no-store")
@@ -527,7 +507,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		return
 	}
-	entry, err := controller.oidc.GetSessionByToken(c, controller.oidc.Hash(token))
+	entry, err := controller.oidc.GetAccessToken(c, controller.oidc.Hash(token))
 	if err != nil {
 		if errors.Is(err, service.ErrTokenNotFound) {
@@ -546,17 +526,15 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	}
 	// If we don't have the openid scope, return an error
-	if !slices.Contains(strings.Split(entry.Scope, " "), "openid") {
+	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
-		controller.log.App.Warn().Msg("OIDC userinfo accessed with missing openid scope")
+		controller.log.App.Warn().Msg("OIDC userinfo accessed with token missing openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_scope",
 		})
 		return
 	}
-	var userinfo service.UserinfoResponse
+	user, err := controller.oidc.GetUserinfo(c, entry.Sub)
 	err = json.Unmarshal([]byte(entry.UserinfoJson), &userinfo)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to get user info")
@@ -566,7 +544,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		return
 	}
-	c.JSON(200, controller.oidc.CompileUserinfo(userinfo, entry.Scope))
+	c.JSON(200, controller.oidc.CompileUserinfo(user, entry.Scope))
 }
 func (controller *OIDCController) authorizeError(c *gin.Context, params authorizeErrorParams) {
@@ -588,22 +566,14 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 		queries, err := query.Values(errorQueries)
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to build callback error query")
 			c.AbortWithStatus(http.StatusInternalServerError)
 			return
 		}
-		redirectUrl := fmt.Sprintf("%s?%s", params.callback, queries.Encode())
+		c.JSON(200, gin.H{
-
+			"status":       200,
-		if params.json {
+			"redirect_uri": fmt.Sprintf("%s?%s", params.callback, queries.Encode()),
-			c.JSON(200, gin.H{
+		})
 				"status":       200,
 				"redirect_uri": redirectUrl,
 			})
 			return
 		}
 		c.Redirect(http.StatusFound, redirectUrl)
 		return
 	}
@@ -614,7 +584,6 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 	queries, err := query.Values(errorQueries)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to build error query")
 		c.AbortWithStatus(http.StatusInternalServerError)
 		return
 	}
@@ -627,61 +596,8 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz
 		redirectUrl = fmt.Sprintf("%s/error?%s", controller.runtime.AppURL, queries.Encode())
 	}
-	if params.json {
+	c.JSON(200, gin.H{
-		c.JSON(200, gin.H{
+		"status":       200,
-			"status":       200,
+		"redirect_uri": redirectUrl,
-			"redirect_uri": redirectUrl,
+	})
 		})
 		return
 	}
 	c.Redirect(http.StatusFound, redirectUrl)
 }
 func (controller *OIDCController) resolveAuthorizeRequest(c *gin.Context) (*service.AuthorizeRequest, error) {
 	// step 1: if we have a request object, decode it and ignore other params. If not, bind the params as usual
 	// we check both query and form parameters for the request object since this endpoint can be called with both GET and POST
 	requestObject, err := controller.resolveRequestObject(c)
 	if err != nil {
 		return nil, err
 	}
 	if requestObject != nil {
 		return requestObject, nil
 	}
 	// step 2: by default we assume normal GET query parameters
 	// step 3: if it's a POST request, we try form parameters
 	return controller.resolveNormalParams(c)
 }
 func (controller *OIDCController) resolveRequestObject(c *gin.Context) (*service.AuthorizeRequest, error) {
 	raw := c.Query("request")
 	if raw == "" && c.Request.Method == http.MethodPost {
 		raw = c.PostForm("request")
 	}
 	if raw == "" {
 		return nil, nil
 	}
 	return controller.oidc.DecodeAuthorizeJWT(raw)
 }
 func (controller *OIDCController) resolveNormalParams(c *gin.Context) (*service.AuthorizeRequest, error) {
 	var req service.AuthorizeRequest
 	bind := binding.Query
 	if c.Request.Method == http.MethodPost {
 		bind = binding.Form
 	}
 	if err := c.ShouldBindWith(&req, bind); err != nil {
 		return nil, err
 	}
 	return &req, nil
 }
@@ -13,7 +13,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -54,33 +53,29 @@ type ProxyContext struct {
 type ProxyController struct {
 	log          *logger.Logger
-	runtime      *model.RuntimeConfig
+	runtime      model.RuntimeConfig
 	acls         *service.AccessControlsService
 	auth         *service.AuthService
 	policyEngine *service.PolicyEngine
 }
-type ProxyControllerInput struct {
+func NewProxyController(
-	dig.In
+	log *logger.Logger,
-
+	runtime model.RuntimeConfig,
-	Log           *logger.Logger
+	router *gin.RouterGroup,
-	RuntimeConfig *model.RuntimeConfig
+	acls *service.AccessControlsService,
-	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+	auth *service.AuthService,
-	ACLsService   *service.AccessControlsService
+	policyEngine *service.PolicyEngine,
-	AuthService   *service.AuthService
+) *ProxyController {
 	PolicyEngine  *service.PolicyEngine
 }
 func NewProxyController(i ProxyControllerInput) *ProxyController {
 	controller := &ProxyController{
-		log:          i.Log,
+		log:          log,
-		runtime:      i.RuntimeConfig,
+		runtime:      runtime,
-		acls:         i.ACLsService,
+		acls:         acls,
-		auth:         i.AuthService,
+		auth:         auth,
-		policyEngine: i.PolicyEngine,
+		policyEngine: policyEngine,
 	}
-	proxyGroup := i.RouterGroup.Group("/auth")
+	proxyGroup := router.Group("/auth")
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
 	return controller
@@ -158,7 +153,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			return
 		}
-		c.Redirect(http.StatusFound, redirectURL)
+		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 		return
 	}
@@ -207,7 +202,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				return
 			}
-			c.Redirect(http.StatusFound, redirectURL)
+			c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 			return
 		}
@@ -251,7 +246,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 					return
 				}
-				c.Redirect(http.StatusFound, redirectURL)
+				c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 				return
 			}
 		}
@@ -280,7 +275,6 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	queries, err := query.Values(RedirectQuery{
 		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
 		LoginFor:    FrontendLoginForApp,
 	})
 	if err != nil {
@@ -300,7 +294,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
-	c.Redirect(http.StatusFound, redirectURL)
+	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 }
 func (controller *ProxyController) setHeaders(c *gin.Context, acls *model.App) {
@@ -336,7 +330,7 @@ func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyCon
 		return
 	}
-	c.Redirect(http.StatusFound, redirectURL)
+	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 }
 func (controller *ProxyController) getHeader(c *gin.Context, header string) (string, bool) {
@@ -1,18 +1,15 @@
-package controller
+package controller_test
 import (
 	"context"
 	"encoding/base64"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
@@ -66,17 +63,6 @@ func TestProxyController(t *testing.T) {
 	}
 	tests := []testCase{
 		{
 			description: "Should get bad request on invalid proxy",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/invalid", nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusBadRequest, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), "Bad request")
 			},
 		},
 		{
 			description: "Default forward auth should be detected and used for traefik",
 			middlewares: []gin.HandlerFunc{},
@@ -88,11 +74,9 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusFound, recorder.Code)
+				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -103,11 +87,9 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-original-url", "https://test.example.com/")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -119,11 +101,9 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusFound, recorder.Code)
+				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/hello"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -137,11 +117,9 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusFound, recorder.Code)
+				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -154,11 +132,9 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -172,11 +148,9 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/hello")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusFound, recorder.Code)
+				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
+				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -189,7 +163,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Equal(t, 401, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), `"status":401`)
 				assert.Contains(t, recorder.Body.String(), `"message":"Unauthorized"`)
 			},
@@ -204,7 +178,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Equal(t, 401, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), `"status":401`)
 				assert.Contains(t, recorder.Body.String(), `"message":"Unauthorized"`)
 			},
@@ -219,7 +193,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/hello")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Equal(t, 401, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), `"status":401`)
 				assert.Contains(t, recorder.Body.String(), `"message":"Unauthorized"`)
 			},
@@ -236,7 +210,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
@@ -252,7 +226,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-original-url", "https://test.example.com/")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
@@ -269,7 +243,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
@@ -284,7 +258,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/allowed")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -294,7 +268,7 @@ func TestProxyController(t *testing.T) {
 				req := httptest.NewRequest("GET", "/api/auth/nginx", nil)
 				req.Header.Set("x-original-url", "https://path-allow.example.com/allowed")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -305,7 +279,7 @@ func TestProxyController(t *testing.T) {
 				req.Host = "path-allow.example.com"
 				req.Header.Set("x-forwarded-proto", "https")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -318,7 +292,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/")
 				req.Header.Set("x-forwarded-for", "10.10.10.10")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -329,7 +303,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-original-url", "https://ip-bypass.example.com/")
 				req.Header.Set("x-forwarded-for", "10.10.10.10")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -341,7 +315,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-for", "10.10.10.10")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -355,7 +329,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -369,301 +343,12 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusForbidden, recorder.Code)
+				assert.Equal(t, 403, recorder.Code)
 				assert.Equal(t, "", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "", recorder.Header().Get("remote-email"))
 			},
 		},
 		{
 			description: "Test IP block rule, with non browser user agent",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "ip-block.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				req.Header.Set("x-forwarded-for", "10.10.10.10")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusForbidden, recorder.Code)
 				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), runtime.AppURL)
 				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "ip=10.10.10.10")
 				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "ip-block")
 			},
 		},
 		{
 			description: "Test IP block rule, with browser user agent",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "ip-block.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				req.Header.Set("x-forwarded-for", "10.10.10.10")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusFound, recorder.Code)
 				location := recorder.Header().Get("Location")
 				assert.Contains(t, location, url.QueryEscape("10.10.10.10"))
 				assert.Contains(t, location, url.QueryEscape("ip-block"))
 				assert.Contains(t, location, runtime.AppURL)
 			},
 		},
 		{
 			description: "OAuth allowed group",
 			middlewares: []gin.HandlerFunc{
 				func(ctx *gin.Context) {
 					ctx.Set("context", &model.UserContext{
 						Authenticated: true,
 						Provider:      model.ProviderOAuth,
 						OAuth: &model.OAuthContext{
 							BaseContext: model.BaseContext{
 								Username: "testuser",
 								Name:     "Testuser",
 								Email:    "testuser@example.com",
 							},
 							Groups: []string{"group1"},
 						},
 					})
 					ctx.Next()
 				},
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "oauth-group.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusOK, recorder.Code)
 				assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
 				assert.Equal(t, "group1", recorder.Header().Get("remote-groups"))
 			},
 		},
 		{
 			description: "OAuth not in required groups and non browser",
 			middlewares: []gin.HandlerFunc{
 				func(ctx *gin.Context) {
 					ctx.Set("context", &model.UserContext{
 						Authenticated: true,
 						Provider:      model.ProviderOAuth,
 						OAuth: &model.OAuthContext{
 							BaseContext: model.BaseContext{
 								Username: "testuser",
 								Name:     "Testuser",
 								Email:    "testuser@example.com",
 							},
 							Groups: []string{"group3"},
 						},
 					})
 					ctx.Next()
 				},
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "oauth-group.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusForbidden, recorder.Code)
 				assert.Equal(t, "", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "", recorder.Header().Get("remote-email"))
 				assert.Equal(t, "", recorder.Header().Get("remote-groups"))
 				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), runtime.AppURL)
 				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "groupErr=true")
 				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "oauth-group")
 			},
 		},
 		{
 			description: "OAuth not in required groups and browser",
 			middlewares: []gin.HandlerFunc{
 				func(ctx *gin.Context) {
 					ctx.Set("context", &model.UserContext{
 						Authenticated: true,
 						Provider:      model.ProviderOAuth,
 						OAuth: &model.OAuthContext{
 							BaseContext: model.BaseContext{
 								Username: "testuser",
 								Name:     "Testuser",
 								Email:    "testuser@example.com",
 							},
 							Groups: []string{"group3"},
 						},
 					})
 					ctx.Next()
 				},
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "oauth-group.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusFound, recorder.Code)
 				location := recorder.Header().Get("Location")
 				assert.Contains(t, location, "groupErr=true")
 				assert.Contains(t, location, "oauth-group")
 				assert.Contains(t, location, runtime.AppURL)
 			},
 		},
 		{
 			description: "LDAP allowed group",
 			middlewares: []gin.HandlerFunc{
 				func(ctx *gin.Context) {
 					ctx.Set("context", &model.UserContext{
 						Authenticated: true,
 						Provider:      model.ProviderLDAP,
 						LDAP: &model.LDAPContext{
 							BaseContext: model.BaseContext{
 								Username: "testuser",
 								Name:     "Testuser",
 								Email:    "testuser@example.com",
 							},
 							Groups: []string{"group1"},
 						},
 					})
 					ctx.Next()
 				},
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "ldap-group.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusOK, recorder.Code)
 				assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
 				assert.Equal(t, "group1", recorder.Header().Get("remote-groups"))
 			},
 		},
 		{
 			description: "LDAP not in required groups and non browser",
 			middlewares: []gin.HandlerFunc{
 				func(ctx *gin.Context) {
 					ctx.Set("context", &model.UserContext{
 						Authenticated: true,
 						Provider:      model.ProviderLDAP,
 						LDAP: &model.LDAPContext{
 							BaseContext: model.BaseContext{
 								Username: "testuser",
 								Name:     "Testuser",
 								Email:    "testuser@example.com",
 							},
 							Groups: []string{"group3"},
 						},
 					})
 					ctx.Next()
 				},
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "ldap-group.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusForbidden, recorder.Code)
 				assert.Equal(t, "", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "", recorder.Header().Get("remote-email"))
 				assert.Equal(t, "", recorder.Header().Get("remote-groups"))
 				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), runtime.AppURL)
 				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "groupErr=true")
 				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "ldap-group")
 			},
 		},
 		{
 			description: "LDAP not in required groups and browser",
 			middlewares: []gin.HandlerFunc{
 				func(ctx *gin.Context) {
 					ctx.Set("context", &model.UserContext{
 						Authenticated: true,
 						Provider:      model.ProviderLDAP,
 						LDAP: &model.LDAPContext{
 							BaseContext: model.BaseContext{
 								Username: "testuser",
 								Name:     "Testuser",
 								Email:    "testuser@example.com",
 							},
 							Groups: []string{"group3"},
 						},
 					})
 					ctx.Next()
 				},
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "ldap-group.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusFound, recorder.Code)
 				location := recorder.Header().Get("Location")
 				assert.Contains(t, location, "groupErr=true")
 				assert.Contains(t, location, "ldap-group")
 				assert.Contains(t, location, runtime.AppURL)
 			},
 		},
 		{
 			description: "Should add basic auth if it's in ACLs",
 			middlewares: []gin.HandlerFunc{
 				simpleCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "basic-auth.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				req.Header.Set("authorization", "foo") // should be overridden by basic auth
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusOK, recorder.Code)
 				authorizationHeader := recorder.Header().Get("Authorization")
 				assert.NotEmpty(t, authorizationHeader)
 				assert.Equal(t, fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte("test:password"))), authorizationHeader)
 			},
 		},
 		{
 			description: "Authorization header should be preserved when not basic auth acls",
 			middlewares: []gin.HandlerFunc{
 				simpleCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "test.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				req.Header.Set("authorization", "Bearer mytoken")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusOK, recorder.Code)
 				authorizationHeader := recorder.Header().Get("Authorization")
 				assert.NotEmpty(t, authorizationHeader)
 				assert.Equal(t, "Bearer mytoken", authorizationHeader)
 			},
 		},
 		{
 			description: "Should add response headers if present",
 			middlewares: []gin.HandlerFunc{
 				simpleCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
 				req.Header.Set("x-forwarded-host", "response-headers.example.com")
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, http.StatusOK, recorder.Code)
 				assert.Equal(t, "bar", recorder.Header().Get("x-foo"))
 			},
 		},
 	}
 	store := memory.New()
@@ -671,21 +356,10 @@ func TestProxyController(t *testing.T) {
 	ctx := context.TODO()
 	dg := ding.New(ctx)
-	broker := service.NewOAuthBrokerService(service.OAuthBrokerServiceInput{
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-		Log:     log,
+	aclsService := service.NewAccessControlsService(log, cfg, nil)
 		Runtime: &runtime,
 		Ctx:     ctx,
 	})
 	aclsService := service.NewAccessControlsService(service.AccessControlServiceInput{
 		Log:           log,
 		Config:        &cfg,
 		LabelProvider: nil,
 	})
-	policyEngine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	require.NoError(t, err)
 	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
@@ -708,18 +382,7 @@ func TestProxyController(t *testing.T) {
 		Log: log,
 	})
-	authService := service.NewAuthService(service.AuthServiceInput{
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 		Log:          log,
 		Config:       &cfg,
 		Runtime:      &runtime,
 		Ctx:          ctx,
 		Ding:         dg,
 		LDAP:         nil,
 		Queries:      store,
 		OAuthBroker:  broker,
 		Tailscale:    nil,
 		PolicyEngine: policyEngine,
 	})
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -734,14 +397,7 @@ func TestProxyController(t *testing.T) {
 			recorder := httptest.NewRecorder()
-			NewProxyController(ProxyControllerInput{
+			controller.NewProxyController(log, runtime, group, aclsService, authService, policyEngine)
 				Log:           log,
 				RuntimeConfig: &runtime,
 				RouterGroup:   group,
 				ACLsService:   aclsService,
 				AuthService:   authService,
 				PolicyEngine:  policyEngine,
 			})
 			test.run(t, router, recorder)
 		})
@@ -5,30 +5,25 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"go.uber.org/dig"
 )
 type ResourcesController struct {
-	config     *model.Config
+	config     model.Config
 	fileServer http.Handler
 }
-type ResourcesControllerInput struct {
+func NewResourcesController(
-	dig.In
+	config model.Config,
-
+	router *gin.RouterGroup,
-	RouterGroup *gin.RouterGroup `name:"mainRouterGroup"`
+) *ResourcesController {
-	Config      *model.Config
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Resources.Path)))
 }
 func NewResourcesController(i ResourcesControllerInput) *ResourcesController {
 	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(i.Config.Resources.Path)))
 	controller := &ResourcesController{
-		config:     i.Config,
+		config:     config,
 		fileServer: fileServer,
 	}
-	i.RouterGroup.GET("/resources/*resource", controller.resourcesHandler)
+	router.GET("/resources/*resource", controller.resourcesHandler)
 	return controller
 }
@@ -1,4 +1,4 @@
-package controller
+package controller_test
 import (
 	"net/http/httptest"
@@ -9,7 +9,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 )
@@ -19,12 +19,8 @@ func TestResourcesController(t *testing.T) {
 	err := os.MkdirAll(cfg.Resources.Path, 0777)
 	require.NoError(t, err)
 	// create a "backup" of the original configuration to restore after each test
 	originalCfg := cfg.Resources
 	type testCase struct {
 		description string
 		customCfg   *model.ResourcesConfig
 		run         func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder)
 	}
@@ -57,32 +53,6 @@ func TestResourcesController(t *testing.T) {
 				assert.Equal(t, 404, recorder.Code)
 			},
 		},
 		{
 			description: "Ensure resources controller returns 404 when resources path is empty",
 			customCfg: &model.ResourcesConfig{
 				Path:    "",
 				Enabled: true,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/resources/testfile.txt", nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 404, recorder.Code)
 			},
 		},
 		{
 			description: "Ensure resources controller returns 403 when resources are disabled",
 			customCfg: &model.ResourcesConfig{
 				Path:    cfg.Resources.Path,
 				Enabled: false,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/resources/testfile.txt", nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 403, recorder.Code)
 			},
 		},
 	}
 	testFilePath := cfg.Resources.Path + "/testfile.txt"
@@ -99,18 +69,7 @@ func TestResourcesController(t *testing.T) {
 			group := router.Group("/")
 			gin.SetMode(gin.TestMode)
-			// if custom configuration is provided, override the default config
+			controller.NewResourcesController(cfg, group)
 			if test.customCfg != nil {
 				cfg.Resources = *test.customCfg
 			} else {
 				// Reset to default configuration for each test
 				cfg.Resources = originalCfg
 			}
 			NewResourcesController(ResourcesControllerInput{
 				RouterGroup: group,
 				Config:      &cfg,
 			})
 			recorder := httptest.NewRecorder()
 			test.run(t, router, recorder)
@@ -11,7 +11,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -28,27 +27,23 @@ type TotpRequest struct {
 type UserController struct {
 	log     *logger.Logger
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 	auth    *service.AuthService
 }
-type UserControllerInput struct {
+func NewUserController(
-	dig.In
+	log *logger.Logger,
-
+	runtimeConfig model.RuntimeConfig,
-	Log           *logger.Logger
+	router *gin.RouterGroup,
-	RuntimeConfig *model.RuntimeConfig
+	auth *service.AuthService,
-	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+) *UserController {
 	AuthService   *service.AuthService
 }
 func NewUserController(i UserControllerInput) *UserController {
 	controller := &UserController{
-		log:     i.Log,
+		log:     log,
-		runtime: i.RuntimeConfig,
+		runtime: runtimeConfig,
-		auth:    i.AuthService,
+		auth:    auth,
 	}
-	userGroup := i.RouterGroup.Group("/user")
+	userGroup := router.Group("/user")
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
@@ -1,4 +1,4 @@
-package controller
+package controller_test
 import (
 	"context"
@@ -14,6 +14,7 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
@@ -41,7 +42,6 @@ func TestUserController(t *testing.T) {
 				TOTPPending: true,
 			},
 		})
 		c.Next()
 	}
 	totpAttrCtx := func(c *gin.Context) {
@@ -57,7 +57,6 @@ func TestUserController(t *testing.T) {
 				TOTPPending: true,
 			},
 		})
 		c.Next()
 	}
 	simpleCtx := func(c *gin.Context) {
@@ -72,7 +71,6 @@ func TestUserController(t *testing.T) {
 				},
 			},
 		})
 		c.Next()
 	}
 	store := memory.New()
@@ -84,45 +82,11 @@ func TestUserController(t *testing.T) {
 	}
 	tests := []testCase{
 		{
 			description: "Login should fail gracefully on invalid json",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(`{"username": "testuser", "password":`))
 				req.Header.Set("Content-Type", "application/json")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 400, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), "Bad Request")
 			},
 		},
 		{
 			description: "Should fail on missing user",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				loginReq := LoginRequest{
 					Username: "nonexistentuser",
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
 				require.NoError(t, err)
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				assert.Len(t, recorder.Result().Cookies(), 0)
 				assert.Contains(t, recorder.Body.String(), "Unauthorized")
 			},
 		},
 		{
 			description: "Should be able to login with valid credentials",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{
+				loginReq := controller.LoginRequest{
 					Username: "testuser",
 					Password: "password",
 				}
@@ -150,7 +114,7 @@ func TestUserController(t *testing.T) {
 			description: "Should reject login with invalid credentials",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{
+				loginReq := controller.LoginRequest{
 					Username: "testuser",
 					Password: "wrongpassword",
 				}
@@ -171,7 +135,7 @@ func TestUserController(t *testing.T) {
 			description: "Should rate limit on 3 invalid attempts",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{
+				loginReq := controller.LoginRequest{
 					Username: "testuser",
 					Password: "wrongpassword",
 				}
@@ -206,7 +170,7 @@ func TestUserController(t *testing.T) {
 			description: "Should not allow full login with totp",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{
+				loginReq := controller.LoginRequest{
 					Username: "totpuser",
 					Password: "password",
 				}
@@ -243,7 +207,7 @@ func TestUserController(t *testing.T) {
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				// First login to get a session cookie
-				loginReq := LoginRequest{
+				loginReq := controller.LoginRequest{
 					Username: "testuser",
 					Password: "password",
 				}
@@ -279,87 +243,6 @@ func TestUserController(t *testing.T) {
 				assert.Equal(t, -1, cookie.MaxAge) // MaxAge -1 means delete cookie
 			},
 		},
 		{
 			description: "Logout should be treated as valid without a session cookie",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("POST", "/api/user/logout", nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
 			description: "TOTP should gracefully reject invalid json",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(`{"code":`))
 				req.Header.Set("Content-Type", "application/json")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 400, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), "Bad Request")
 			},
 		},
 		{
 			description: "TOTP should fail on non-totp context",
 			middlewares: []gin.HandlerFunc{
 				simpleCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				totpReq := TotpRequest{
 					Code: "123456",
 				}
 				totpReqBody, err := json.Marshal(totpReq)
 				require.NoError(t, err)
 				recorder = httptest.NewRecorder()
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
 				req.Header.Set("Content-Type", "application/json")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), "Unauthorized")
 			},
 		},
 		{
 			description: "TOTP should fail when user in context doesn't exist",
 			middlewares: []gin.HandlerFunc{
 				func(ctx *gin.Context) {
 					ctx.Set("context", &model.UserContext{
 						Authenticated: false,
 						Provider:      model.ProviderLocal,
 						Local: &model.LocalContext{
 							BaseContext: model.BaseContext{
 								Username: "idontexist",
 								Name:     "Totpuser",
 								Email:    "totpuser@example.com",
 							},
 							TOTPPending: true,
 						},
 					})
 					ctx.Next()
 				},
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				totpReq := TotpRequest{
 					Code: "123456",
 				}
 				totpReqBody, err := json.Marshal(totpReq)
 				require.NoError(t, err)
 				recorder = httptest.NewRecorder()
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
 				req.Header.Set("Content-Type", "application/json")
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), "Unauthorized")
 			},
 		},
 		{
 			description: "Should be able to login with totp",
 			middlewares: []gin.HandlerFunc{
@@ -381,7 +264,7 @@ func TestUserController(t *testing.T) {
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
 				require.NoError(t, err)
-				totpReq := TotpRequest{
+				totpReq := controller.TotpRequest{
 					Code: code,
 				}
@@ -419,7 +302,7 @@ func TestUserController(t *testing.T) {
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				for range 3 {
-					totpReq := TotpRequest{
+					totpReq := controller.TotpRequest{
 						Code: "000000", // invalid code
 					}
@@ -451,7 +334,7 @@ func TestUserController(t *testing.T) {
 			description: "Login uses name and email from user attributes",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{Username: "attruser", Password: "password"}
+				loginReq := controller.LoginRequest{Username: "attruser", Password: "password"}
 				body, err := json.Marshal(loginReq)
 				require.NoError(t, err)
@@ -469,7 +352,7 @@ func TestUserController(t *testing.T) {
 			description: "Login with TOTP uses name and email from user attributes in pending session",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{Username: "attrtotpuser", Password: "password"}
+				loginReq := controller.LoginRequest{Username: "attrtotpuser", Password: "password"}
 				body, err := json.Marshal(loginReq)
 				require.NoError(t, err)
@@ -505,7 +388,7 @@ func TestUserController(t *testing.T) {
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
 				require.NoError(t, err)
-				totpReq := TotpRequest{Code: code}
+				totpReq := controller.TotpRequest{Code: code}
 				body, err := json.Marshal(totpReq)
 				require.NoError(t, err)
@@ -531,33 +414,15 @@ func TestUserController(t *testing.T) {
 	ctx := context.TODO()
 	dg := ding.New(ctx)
-	policyEngine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	require.NoError(t, err)
-	broker := service.NewOAuthBrokerService(service.OAuthBrokerServiceInput{
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-		Log:     log,
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 		Runtime: &runtime,
 		Ctx:     ctx,
 	})
 	authService := service.NewAuthService(service.AuthServiceInput{
 		Log:          log,
 		Config:       &cfg,
 		Runtime:      &runtime,
 		Ctx:          ctx,
 		Ding:         dg,
 		LDAP:         nil,
 		Queries:      store,
 		OAuthBroker:  broker,
 		Tailscale:    nil,
 		PolicyEngine: policyEngine,
 	})
 	beforeEach := func() {
 		// Clear failed login attempts before each test
-		authService.ClearLoginAttempts()
+		authService.ClearRateLimitsTestingOnly()
 	}
 	for _, test := range tests {
@@ -572,12 +437,7 @@ func TestUserController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
-			NewUserController(UserControllerInput{
+			controller.NewUserController(log, runtime, group, authService)
 				Log:           log,
 				RuntimeConfig: &runtime,
 				RouterGroup:   group,
 				AuthService:   authService,
 			})
 			recorder := httptest.NewRecorder()
@@ -3,27 +3,11 @@ package controller
 import (
 	"fmt"
 	"net/http"
 	"net/url"
 	"slices"
 	"strings"
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"go.uber.org/dig"
 )
 const OpenIDConnectRel = "http://openid.net/specs/connect/1.0/issuer"
 type WebfingerResponseLink struct {
 	Rel  string `json:"rel,omitempty"`
 	Href string `json:"href"`
 }
 type WebfingerResponse struct {
 	Subject string                  `json:"subject"`
 	Links   []WebfingerResponseLink `json:"links"`
 }
 type OpenIDConnectConfiguration struct {
 	Issuer                                 string   `json:"issuer"`
 	AuthorizationEndpoint                  string   `json:"authorization_endpoint"`
@@ -46,21 +30,13 @@ type WellKnownController struct {
 	oidc *service.OIDCService
 }
-type WellKnownControllerInput struct {
+func NewWellKnownController(oidc *service.OIDCService, router *gin.RouterGroup) *WellKnownController {
 	dig.In
 	OIDCService *service.OIDCService
 	RouterGroup *gin.RouterGroup `name:"mainRouterGroup"`
 }
 func NewWellKnownController(i WellKnownControllerInput) *WellKnownController {
 	controller := &WellKnownController{
-		oidc: i.OIDCService,
+		oidc: oidc,
 	}
-	i.RouterGroup.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
+	router.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
-	i.RouterGroup.GET("/.well-known/jwks.json", controller.JWKS)
+	router.GET("/.well-known/jwks.json", controller.JWKS)
 	i.RouterGroup.GET("/.well-known/webfinger", controller.WebFinger)
 	return controller
 }
@@ -121,62 +97,3 @@ func (controller *WellKnownController) JWKS(c *gin.Context) {
 	c.Status(http.StatusOK)
 }
 func (controller *WellKnownController) WebFinger(c *gin.Context) {
 	c.Header("Content-Type", "application/jrd+json")
 	c.Header("Access-Control-Allow-Origin", "*")
 	resource := c.Query("resource")
 	if !controller.validateWebFingerResource(resource) {
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "invalid resource",
 		})
 		return
 	}
 	res := WebfingerResponse{
 		Subject: resource,
 		Links:   []WebfingerResponseLink{},
 	}
 	rel := c.Request.URL.Query()["rel"]
 	if controller.oidc != nil && (len(rel) == 0 || slices.Contains(rel, OpenIDConnectRel)) {
 		res.Links = append(res.Links, WebfingerResponseLink{Rel: OpenIDConnectRel, Href: controller.oidc.GetIssuer()})
 	}
 	c.JSON(200, res)
 }
 func (controller *WellKnownController) validateWebFingerResource(resource string) bool {
 	prefix, suffix, found := strings.Cut(resource, ":")
 	if !found {
 		return false
 	}
 	switch prefix {
 	case "acct":
 		if strings.Count(suffix, "@") != 1 {
 			return false
 		}
 		username, domain, found := strings.Cut(suffix, "@")
 		if !found || username == "" || domain == "" {
 			return false
 		}
 	case "https", "http":
 		u, err := url.Parse(resource)
 		if err != nil {
 			return false
 		}
 		if u.Host == "" {
 			return false
 		}
 	default:
 		return false
 	}
 	return true
 }
@@ -1,17 +1,17 @@
-package controller
+package controller_test
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
@@ -26,25 +26,23 @@ func TestWellKnownController(t *testing.T) {
 	type testCase struct {
 		description string
 		oidcEnabled bool
 		run         func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder)
 	}
 	tests := []testCase{
 		{
 			description: "Ensure well-known endpoint returns correct OIDC configuration",
 			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/.well-known/openid-configuration", nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
-				res := OpenIDConnectConfiguration{}
+				res := controller.OpenIDConnectConfiguration{}
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
-				expected := OpenIDConnectConfiguration{
+				expected := controller.OpenIDConnectConfiguration{
 					Issuer:                                 runtime.AppURL,
 					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", runtime.AppURL),
 					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", runtime.AppURL),
@@ -58,8 +56,8 @@ func TestWellKnownController(t *testing.T) {
 					TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
 					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups", "phone_number", "phone_number_verified", "address", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale"},
 					ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
 					RequestObjectSigningAlgValuesSupported: []string{"none"},
 					RequestParameterSupported:              true,
 					RequestObjectSigningAlgValuesSupported: []string{"none"},
 				}
 				assert.Equal(t, expected, res)
@@ -67,7 +65,6 @@ func TestWellKnownController(t *testing.T) {
 		},
 		{
 			description: "Ensure well-known endpoint returns correct JWKS",
 			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/.well-known/jwks.json", nil)
 				router.ServeHTTP(recorder, req)
@@ -76,204 +73,19 @@ func TestWellKnownController(t *testing.T) {
 				decodedBody := make(map[string]any)
 				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				keys, ok := decodedBody["keys"].([]any)
-				require.True(t, ok)
+				assert.True(t, ok)
 				assert.Len(t, keys, 1)
 				keyData, ok := keys[0].(map[string]any)
-				require.True(t, ok)
+				assert.True(t, ok)
 				assert.Equal(t, "RSA", keyData["kty"])
 				assert.Equal(t, "sig", keyData["use"])
 				assert.Equal(t, "RS256", keyData["alg"])
 			},
 		},
 		{
 			description: "Ensure openid configuration returns 500 on nil oidc service",
 			oidcEnabled: false,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/.well-known/openid-configuration", nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 500, recorder.Code)
 				decodedBody := make(map[string]any)
 				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
 				require.NoError(t, err)
 				assert.Equal(t, "OIDC service not configured", decodedBody["message"])
 			},
 		},
 		{
 			description: "Ensure jwks endpoint returns 500 on nil oidc service",
 			oidcEnabled: false,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/.well-known/jwks.json", nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 500, recorder.Code)
 				decodedBody := make(map[string]any)
 				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
 				require.NoError(t, err)
 				assert.Equal(t, "OIDC service not configured", decodedBody["message"])
 			},
 		},
 		{
 			description: "Ensure webfinger returns 400 on invalid resource",
 			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/.well-known/webfinger?resource=invalid-resource", nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 400, recorder.Code)
 				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
 				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
 				decodedBody := make(map[string]any)
 				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
 				require.NoError(t, err)
 				assert.Equal(t, "invalid resource", decodedBody["message"])
 			},
 		},
 		{
 			description: "Ensure webfinger resource validator allows acct",
 			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				resource := "acct:testuser@example.com"
 				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s", url.QueryEscape(resource)), nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
 				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
 			},
 		},
 		{
 			description: "Ensure webfinger resource validator allows https",
 			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				resource := "https://example.com/testuser"
 				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s", url.QueryEscape(resource)), nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
 				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
 			},
 		},
 		{
 			description: "Ensure webfinger resource validator allows http",
 			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				resource := "http://example.com/testuser"
 				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s", url.QueryEscape(resource)), nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
 				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
 			},
 		},
 		{
 			description: "Webfinger should return no links when oidc is nil",
 			oidcEnabled: false,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				resource := "acct:testuser@example.com"
 				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s", url.QueryEscape(resource)), nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
 				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
 				decodedBody := make(map[string]any)
 				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
 				require.NoError(t, err)
 				links, ok := decodedBody["links"].([]any)
 				require.True(t, ok)
 				assert.Len(t, links, 0)
 			},
 		},
 		{
 			description: "Webfinger should return links when oidc is configured and no rel is provided",
 			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				resource := "acct:testuser@example.com"
 				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s", url.QueryEscape(resource)), nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
 				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
 				decodedBody := make(map[string]any)
 				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
 				require.NoError(t, err)
 				links, ok := decodedBody["links"].([]any)
 				require.True(t, ok)
 				assert.Len(t, links, 1)
 				linkData, ok := links[0].(map[string]any)
 				require.True(t, ok)
 				assert.Equal(t, "http://openid.net/specs/connect/1.0/issuer", linkData["rel"])
 				assert.Equal(t, runtime.AppURL, linkData["href"])
 			},
 		},
 		{
 			description: "Webfinger should return links when oidc is configured and rel is provided",
 			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				resource := fmt.Sprintf("acct:%s@%s", "testuser", runtime.AppURL)
 				rel := "http://openid.net/specs/connect/1.0/issuer"
 				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s&rel=%s", url.QueryEscape(resource), url.QueryEscape(rel)), nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
 				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
 				decodedBody := make(map[string]any)
 				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
 				require.NoError(t, err)
 				links, ok := decodedBody["links"].([]any)
 				require.True(t, ok)
 				assert.Len(t, links, 1)
 				linkData, ok := links[0].(map[string]any)
 				require.True(t, ok)
 				assert.Equal(t, rel, linkData["rel"])
 				assert.Equal(t, runtime.AppURL, linkData["href"])
 			},
 		},
 		{
 			description: "Webfinger should return no links when oidc is configured and rel is provided but does not match",
 			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				resource := "acct:testuser@example.com"
 				rel := "http://example.com/does-not-exist"
 				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s&rel=%s", url.QueryEscape(resource), url.QueryEscape(rel)), nil)
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
 				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
 				decodedBody := make(map[string]any)
 				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
 				require.NoError(t, err)
 				links, ok := decodedBody["links"].([]any)
 				require.True(t, ok)
 				assert.Len(t, links, 0)
 			},
 		},
 	}
 	ctx := context.TODO()
@@ -281,13 +93,7 @@ func TestWellKnownController(t *testing.T) {
 	store := memory.New()
-	oidcService, err := service.NewOIDCService(service.OIDCServiceInput{
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
 		Log:     log,
 		Config:  &cfg,
 		Runtime: &runtime,
 		Queries: store,
 		Ding:    dg,
 	})
 	require.NoError(t, err)
 	for _, test := range tests {
@@ -297,15 +103,7 @@ func TestWellKnownController(t *testing.T) {
 			recorder := httptest.NewRecorder()
-			wellKnownControllerInput := WellKnownControllerInput{
+			controller.NewWellKnownController(oidcService, &router.RouterGroup)
 				RouterGroup: &router.RouterGroup,
 			}
 			if test.oidcEnabled {
 				wellKnownControllerInput.OIDCService = oidcService
 			}
 			NewWellKnownController(wellKnownControllerInput)
 			test.run(t, router, recorder)
 		})
@@ -11,7 +11,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 )
@@ -38,29 +37,25 @@ var (
 type ContextMiddleware struct {
 	log       *logger.Logger
-	runtime   *model.RuntimeConfig
+	runtime   model.RuntimeConfig
 	auth      *service.AuthService
 	broker    *service.OAuthBrokerService
 	tailscale *service.TailscaleService
 }
-type ContextMiddlewareInput struct {
+func NewContextMiddleware(
-	dig.In
+	log *logger.Logger,
-
+	runtime model.RuntimeConfig,
-	Log              *logger.Logger
+	auth *service.AuthService,
-	RuntimeConfig    *model.RuntimeConfig
+	broker *service.OAuthBrokerService,
-	AuthService      *service.AuthService
+	tailscale *service.TailscaleService,
-	BrokerService    *service.OAuthBrokerService
+) *ContextMiddleware {
 	TailscaleService *service.TailscaleService
 }
 func NewContextMiddleware(i ContextMiddlewareInput) *ContextMiddleware {
 	return &ContextMiddleware{
-		log:       i.Log,
+		log:       log,
-		runtime:   i.RuntimeConfig,
+		runtime:   runtime,
-		auth:      i.AuthService,
+		auth:      auth,
-		broker:    i.BrokerService,
+		broker:    broker,
-		tailscale: i.TailscaleService,
+		tailscale: tailscale,
 	}
 }
@@ -331,6 +326,11 @@ func (m *ContextMiddleware) tailscaleWhois(ctx context.Context, ip string) (*mod
 			Name:     whois.DisplayName,
 		},
 		UserID: whois.UserID,
 		Tags:   whois.Tags,
 	}
 	if !strings.ContainsAny(uctx.Email, "@") {
 		uctx.Email = utils.CompileUserEmail(uctx.Email+"-tailscale", m.runtime.CookieDomain)
 	}
 	return &uctx, nil
@@ -1,4 +1,4 @@
-package middleware
+package middleware_test
 import (
 	"context"
@@ -12,6 +12,7 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
@@ -253,40 +254,16 @@ func TestContextMiddleware(t *testing.T) {
 	store := memory.New()
-	policyEngine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	require.NoError(t, err)
-	broker := service.NewOAuthBrokerService(service.OAuthBrokerServiceInput{
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-		Log:     log,
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 		Runtime: &runtime,
 		Ctx:     ctx,
 	})
 	authService := service.NewAuthService(service.AuthServiceInput{
 		Log:          log,
 		Config:       &cfg,
 		Runtime:      &runtime,
 		Ctx:          ctx,
 		Ding:         dg,
 		LDAP:         nil,
 		Queries:      store,
 		OAuthBroker:  broker,
 		Tailscale:    nil,
 		PolicyEngine: policyEngine,
 	})
-	contextMiddleware := NewContextMiddleware(ContextMiddlewareInput{
+	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
 		Log:              log,
 		RuntimeConfig:    &runtime,
 		AuthService:      authService,
 		BrokerService:    broker,
 		TailscaleService: nil,
 	})
 	for _, test := range tests {
-		authService.ClearLoginAttempts()
+		authService.ClearRateLimitsTestingOnly()
 		t.Run(test.description, func(t *testing.T) {
 			gin.SetMode(gin.TestMode)
@@ -9,7 +9,6 @@ import (
 	"time"
 	"github.com/tinyauthapp/tinyauth/internal/assets"
 	"go.uber.org/dig"
 	"github.com/gin-gonic/gin"
 )
@@ -19,12 +18,7 @@ type UIMiddleware struct {
 	uiFileServer http.Handler
 }
-// for future use if we need to inject dependencies into the middleware
+func NewUIMiddleware() (*UIMiddleware, error) {
 type UIMiddlewareInput struct {
 	dig.In
 }
 func NewUIMiddleware(_ UIMiddlewareInput) (*UIMiddleware, error) {
 	m := &UIMiddleware{}
 	ui, err := fs.Sub(assets.FrontendAssets, "dist")
@@ -44,7 +38,7 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 		switch strings.SplitN(path, "/", 2)[0] {
-		case "api", "resources", ".well-known", "authorize":
+		case "api", "resources", ".well-known":
 			c.Next()
 			return
 		case "robots.txt":
@@ -6,7 +6,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 )
 // See context middleware for explanation of why we have to do this
@@ -22,15 +21,9 @@ type ZerologMiddleware struct {
 	log *logger.Logger
 }
-type ZerologMiddlewareInput struct {
+func NewZerologMiddleware(log *logger.Logger) *ZerologMiddleware {
 	dig.In
 	Log *logger.Logger
 }
 func NewZerologMiddleware(i ZerologMiddlewareInput) *ZerologMiddleware {
 	return &ZerologMiddleware{
-		log: i.Log,
+		log: log,
 	}
 }
@@ -28,7 +28,6 @@ func NewDefaultConfiguration() *Config {
 			ACLs: ACLsConfig{
 				Policy: "allow",
 			},
 			LockdownEnabled: true,
 		},
 		UI: UIConfig{
 			Title:                 "Tinyauth",
@@ -121,7 +120,6 @@ type AuthConfig struct {
 	SessionMaxLifetime int                       `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
 	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
 	LockdownEnabled    bool                      `description:"Enable lockdown mode after maximum login retries. Lockdown mode limit is calculated automatically." yaml:"lockdownEnabled"`
 	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 	ACLs               ACLsConfig                `description:"ACLs configuration." yaml:"acls"`
 }
@@ -180,16 +178,15 @@ type UIConfig struct {
 }
 type LDAPConfig struct {
-	Address          string `description:"LDAP server address." yaml:"address"`
+	Address       string `description:"LDAP server address." yaml:"address"`
-	BindDN           string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
+	BindDN        string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
-	BindPassword     string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
+	BindPassword  string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
-	BindPasswordFile string `description:"Path to the Bind password." yaml:"bindPasswordFile"`
+	BaseDN        string `description:"Base DN for LDAP searches." yaml:"baseDn"`
-	BaseDN           string `description:"Base DN for LDAP searches." yaml:"baseDn"`
+	Insecure      bool   `description:"Allow insecure LDAP connections." yaml:"insecure"`
-	Insecure         bool   `description:"Allow insecure LDAP connections." yaml:"insecure"`
+	SearchFilter  string `description:"LDAP search filter." yaml:"searchFilter"`
-	SearchFilter     string `description:"LDAP search filter." yaml:"searchFilter"`
+	AuthCert      string `description:"Certificate for mTLS authentication." yaml:"authCert"`
-	AuthCert         string `description:"Certificate for mTLS authentication." yaml:"authCert"`
+	AuthKey       string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
-	AuthKey          string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
+	GroupCacheTTL int    `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
 	GroupCacheTTL    int    `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
 }
 type LogConfig struct {
@@ -59,6 +59,8 @@ type LDAPContext struct {
 type TailscaleContext struct {
 	BaseContext
 	UserID string
 	// for future use
 	Tags []string
 }
 func (c *UserContext) IsAuthenticated() bool {
@@ -1,4 +1,4 @@
-package model
+package model_test
 import (
 	"net/http/httptest"
@@ -7,6 +7,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
@@ -21,44 +22,44 @@ func TestContext(t *testing.T) {
 	tests := []struct {
 		description string
-		context     *UserContext
+		context     *model.UserContext
-		run         func(*testing.T, *UserContext) any
+		run         func(*testing.T, *model.UserContext) any
 		expected    any
 	}{
 		{
 			description: "IsAuthenticated reflects Authenticated field",
-			context:     &UserContext{Authenticated: true},
+			context:     &model.UserContext{Authenticated: true},
-			run:         func(t *testing.T, c *UserContext) any { return c.IsAuthenticated() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsAuthenticated() },
 			expected:    true,
 		},
 		{
 			description: "IsLocal returns true for ProviderLocal",
-			context:     &UserContext{Provider: ProviderLocal, Local: &LocalContext{}},
+			context:     &model.UserContext{Provider: model.ProviderLocal, Local: &model.LocalContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.IsLocal() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsLocal() },
 			expected:    true,
 		},
 		{
 			description: "IsOAuth returns true for ProviderOAuth",
-			context:     &UserContext{Provider: ProviderOAuth, OAuth: &OAuthContext{}},
+			context:     &model.UserContext{Provider: model.ProviderOAuth, OAuth: &model.OAuthContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.IsOAuth() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsOAuth() },
 			expected:    true,
 		},
 		{
 			description: "IsLDAP returns true for ProviderLDAP",
-			context:     &UserContext{Provider: ProviderLDAP, LDAP: &LDAPContext{}},
+			context:     &model.UserContext{Provider: model.ProviderLDAP, LDAP: &model.LDAPContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.IsLDAP() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsLDAP() },
 			expected:    true,
 		},
 		{
 			description: "IsBasicAuth returns true for ProviderBasicAuth",
-			context:     &UserContext{Provider: ProviderBasicAuth, Local: &LocalContext{}},
+			context:     &model.UserContext{Provider: model.ProviderBasicAuth, Local: &model.LocalContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.IsBasicAuth() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsBasicAuth() },
 			expected:    true,
 		},
 		{
 			description: "NewFromSession local session is authenticated and ProviderLocal",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "alice", Email: "alice@example.com", Name: "Alice",
 					Provider: "local",
@@ -66,12 +67,12 @@ func TestContext(t *testing.T) {
 				require.NoError(t, err)
 				return [2]any{got.Provider, got.Authenticated}
 			},
-			expected: [2]any{ProviderLocal, true},
+			expected: [2]any{model.ProviderLocal, true},
 		},
 		{
 			description: "NewFromSession local session with TotpPending is not authenticated",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "bob", Provider: "local", TotpPending: true,
 				})
@@ -82,20 +83,20 @@ func TestContext(t *testing.T) {
 		},
 		{
 			description: "NewFromSession ldap session is ProviderLDAP",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "carol", Provider: "ldap",
 				})
 				require.NoError(t, err)
 				return got.Provider
 			},
-			expected: ProviderLDAP,
+			expected: model.ProviderLDAP,
 		},
 		{
 			description: "NewFromSession unknown provider defaults to OAuth and populates oauth fields",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "dave", Provider: "github",
 					OAuthGroups: "devs,admins", OAuthSub: "sub-123", OAuthName: "GitHub",
@@ -103,126 +104,126 @@ func TestContext(t *testing.T) {
 				require.NoError(t, err)
 				return [5]any{got.Provider, got.OAuth.ID, got.OAuth.Sub, got.OAuth.DisplayName, got.OAuth.Groups}
 			},
-			expected: [5]any{ProviderOAuth, "github", "sub-123", "GitHub", []string{"devs", "admins"}},
+			expected: [5]any{model.ProviderOAuth, "github", "sub-123", "GitHub", []string{"devs", "admins"}},
 		},
 		{
 			description: "Local getters return BaseContext fields",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderLocal,
+				Provider: model.ProviderLocal,
-				Local:    &LocalContext{BaseContext: BaseContext{Username: "alice", Email: "alice@example.com", Name: "Alice"}},
+				Local:    &model.LocalContext{BaseContext: model.BaseContext{Username: "alice", Email: "alice@example.com", Name: "Alice"}},
 			},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"alice", "alice@example.com", "Alice"},
 		},
 		{
 			description: "BasicAuth getters fall back to local fields",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderBasicAuth,
+				Provider: model.ProviderBasicAuth,
-				Local:    &LocalContext{BaseContext: BaseContext{Username: "bob", Email: "bob@example.com", Name: "Bob"}},
+				Local:    &model.LocalContext{BaseContext: model.BaseContext{Username: "bob", Email: "bob@example.com", Name: "Bob"}},
 			},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"bob", "bob@example.com", "Bob"},
 		},
 		{
 			description: "LDAP getters return LDAP fields",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderLDAP,
+				Provider: model.ProviderLDAP,
-				LDAP:     &LDAPContext{BaseContext: BaseContext{Username: "carol", Email: "carol@example.com", Name: "Carol"}},
+				LDAP:     &model.LDAPContext{BaseContext: model.BaseContext{Username: "carol", Email: "carol@example.com", Name: "Carol"}},
 			},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"carol", "carol@example.com", "Carol"},
 		},
 		{
 			description: "OAuth getters return OAuth fields",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderOAuth,
+				Provider: model.ProviderOAuth,
-				OAuth:    &OAuthContext{BaseContext: BaseContext{Username: "dave", Email: "dave@example.com", Name: "Dave"}},
+				OAuth:    &model.OAuthContext{BaseContext: model.BaseContext{Username: "dave", Email: "dave@example.com", Name: "Dave"}},
 			},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"dave", "dave@example.com", "Dave"},
 		},
 		{
 			description: "ProviderName returns 'local' for ProviderLocal",
-			context:     &UserContext{Provider: ProviderLocal},
+			context:     &model.UserContext{Provider: model.ProviderLocal},
-			run:         func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected:    "local",
 		},
 		{
 			description: "ProviderName returns 'local' for ProviderBasicAuth",
-			context:     &UserContext{Provider: ProviderBasicAuth},
+			context:     &model.UserContext{Provider: model.ProviderBasicAuth},
-			run:         func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected:    "local",
 		},
 		{
 			description: "ProviderName returns 'ldap' for ProviderLDAP",
-			context:     &UserContext{Provider: ProviderLDAP},
+			context:     &model.UserContext{Provider: model.ProviderLDAP},
-			run:         func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected:    "ldap",
 		},
 		{
 			description: "ProviderName returns OAuth provider ID for ProviderOAuth",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderOAuth,
+				Provider: model.ProviderOAuth,
-				OAuth:    &OAuthContext{ID: "github"},
+				OAuth:    &model.OAuthContext{ID: "github"},
 			},
-			run:      func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
+			run:      func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected: "github",
 		},
 		{
 			description: "TOTPPending returns true when local context is pending",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderLocal,
+				Provider: model.ProviderLocal,
-				Local:    &LocalContext{TOTPPending: true},
+				Local:    &model.LocalContext{TOTPPending: true},
 			},
-			run:      func(t *testing.T, c *UserContext) any { return c.TOTPPending() },
+			run:      func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
 			expected: true,
 		},
 		{
 			description: "TOTPPending returns false when local context is not pending",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderLocal,
+				Provider: model.ProviderLocal,
-				Local:    &LocalContext{TOTPPending: false},
+				Local:    &model.LocalContext{TOTPPending: false},
 			},
-			run:      func(t *testing.T, c *UserContext) any { return c.TOTPPending() },
+			run:      func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
 			expected: false,
 		},
 		{
 			description: "TOTPPending returns false for non-local providers",
-			context:     &UserContext{Provider: ProviderOAuth, OAuth: &OAuthContext{}},
+			context:     &model.UserContext{Provider: model.ProviderOAuth, OAuth: &model.OAuthContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.TOTPPending() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
 			expected:    false,
 		},
 		{
 			description: "OAuthName returns DisplayName for ProviderOAuth",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderOAuth,
+				Provider: model.ProviderOAuth,
-				OAuth:    &OAuthContext{DisplayName: "Google"},
+				OAuth:    &model.OAuthContext{DisplayName: "Google"},
 			},
-			run:      func(t *testing.T, c *UserContext) any { return c.OAuthName() },
+			run:      func(t *testing.T, c *model.UserContext) any { return c.OAuthName() },
 			expected: "Google",
 		},
 		{
 			description: "OAuthName returns empty string for non-oauth providers",
-			context:     &UserContext{Provider: ProviderLocal, Local: &LocalContext{}},
+			context:     &model.UserContext{Provider: model.ProviderLocal, Local: &model.LocalContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.OAuthName() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.OAuthName() },
 			expected:    "",
 		},
 		{
 			description: "NewFromGin populates context from gin value",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
-				stored := &UserContext{
+				stored := &model.UserContext{
 					Authenticated: true,
-					Provider:      ProviderLocal,
+					Provider:      model.ProviderLocal,
-					Local:         &LocalContext{BaseContext: BaseContext{Username: "alice"}},
+					Local:         &model.LocalContext{BaseContext: model.BaseContext{Username: "alice"}},
 				}
 				got, err := c.NewFromGin(newGinCtx(stored, true))
 				require.NoError(t, err)
@@ -232,17 +233,17 @@ func TestContext(t *testing.T) {
 		},
 		{
 			description: "NewFromGin returns error when context value is missing",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				_, err := c.NewFromGin(newGinCtx(nil, false))
 				return err.Error()
 			},
-			expected: ErrUserContextNotFound.Error(),
+			expected: model.ErrUserContextNotFound.Error(),
 		},
 		{
 			description: "NewFromGin returns error when context value has wrong type",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				_, err := c.NewFromGin(newGinCtx("not a user context", true))
 				return err.Error()
 			},
@@ -250,17 +251,17 @@ func TestContext(t *testing.T) {
 		},
 		{
 			description: "NewFromGin returns an error when context doesn't include user information",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
-				_, err := c.NewFromGin(newGinCtx(&UserContext{Provider: ProviderLocal}, true))
+				_, err := c.NewFromGin(newGinCtx(&model.UserContext{Provider: model.ProviderLocal}, true))
 				return err.Error()
 			},
 			expected: "incomplete user context",
 		},
 		{
 			description: "Getters should not panic if provider context is empty",
-			context:     &UserContext{Provider: ProviderLocal},
+			context:     &model.UserContext{Provider: model.ProviderLocal},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"", "", ""},
@@ -12,6 +12,7 @@ type RuntimeConfig struct {
 	OAuthProviders         map[string]OAuthServiceConfig
 	OAuthWhitelist         []string
 	ConfiguredProviders    []Provider
 	OIDCClients            []OIDCClientConfig
 	TrustedDomains         []string
 }
@@ -101,182 +101,366 @@ func TestMemoryStore(t *testing.T) {
 			},
 		},
 		{
-			description: "Create and get OIDC session",
+			description: "Create and get OIDC code",
 			run: func(t *testing.T, s repository.Store) {
-				sess, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+				code, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{
-					Sub:              "sub-1",
+					Sub:      "sub-1",
-					AccessTokenHash:  "at-1",
+					CodeHash: "hash-1",
-					RefreshTokenHash: "rt-1",
+					Scope:    "openid",
 					Scope:            "openid",
 				})
 				require.NoError(t, err)
-				assert.Equal(t, "sub-1", sess.Sub)
+				assert.Equal(t, "sub-1", code.Sub)
-				got, err := s.GetOIDCSessionBySub(ctx, "sub-1")
+				// destructive read removes the record
 				got, err := s.GetOidcCode(ctx, "hash-1")
 				require.NoError(t, err)
-				assert.Equal(t, sess, got)
+				assert.Equal(t, code, got)
-			},
+
-		},
+				_, err = s.GetOidcCode(ctx, "hash-1")
 		{
 			description: "Get OIDC session by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOIDCSessionBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Get OIDC session by access token hash",
+			description: "Get OIDC code not found",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+				_, err := s.GetOidcCode(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeBySub(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 				// destructive — gone after read
 				_, err = s.GetOidcCodeBySub(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code unsafe",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeUnsafe(ctx, "hash-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 				// non-destructive — still present
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Get OIDC code unsafe not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeUnsafe(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub unsafe",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "hash-1", got.CodeHash)
 				// non-destructive — still present
 				_, err = s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Get OIDC code by sub unsafe not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeBySubUnsafe(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC code unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_codes.sub")
 			},
 		},
 		{
 			description: "Delete OIDC code",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcCode(ctx, "hash-1"))
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC code by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcCodeBySub(ctx, "sub-1"))
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete expired OIDC codes",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1", ExpiresAt: 10})
 				require.NoError(t, err)
 				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-2", CodeHash: "hash-2", ExpiresAt: 100})
 				require.NoError(t, err)
 				deleted, err := s.DeleteExpiredOidcCodes(ctx, 50)
 				require.NoError(t, err)
 				require.Len(t, deleted, 1)
 				assert.Equal(t, "hash-1", deleted[0].CodeHash)
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-2")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Create and get OIDC token",
 			run: func(t *testing.T, s repository.Store) {
 				tok, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-hash-1",
 					CodeHash:        "code-hash-1",
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", tok.Sub)
 				got, err := s.GetOidcToken(ctx, "at-hash-1")
 				require.NoError(t, err)
 				assert.Equal(t, tok, got)
 			},
 		},
 		{
 			description: "Get OIDC token not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcToken(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC token unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_tokens.sub")
 			},
 		},
 		{
 			description: "Get OIDC token by refresh token",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
-				got, err := s.GetOIDCSessionByAccessTokenHash(ctx, "at-1")
+				got, err := s.GetOidcTokenByRefreshToken(ctx, "rt-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 			},
 		},
 		{
-			description: "Get OIDC session by access token hash not found",
+			description: "Get OIDC token by refresh token not found",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOIDCSessionByAccessTokenHash(ctx, "missing")
+				_, err := s.GetOidcTokenByRefreshToken(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Get OIDC session by refresh token hash",
+			description: "Get OIDC token by sub",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-1",
 				})
 				require.NoError(t, err)
 				got, err := s.GetOidcTokenBySub(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "at-1", got.AccessTokenHash)
 			},
 		},
 		{
 			description: "Get OIDC token by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcTokenBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Update OIDC token by refresh token",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
-				got, err := s.GetOIDCSessionByRefreshTokenHash(ctx, "rt-1")
+				updated, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
-				require.NoError(t, err)
+					RefreshTokenHash_2:    "rt-1",
 				assert.Equal(t, "sub-1", got.Sub)
 			},
 		},
 		{
 			description: "Get OIDC session by refresh token hash not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOIDCSessionByRefreshTokenHash(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC session unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-2", RefreshTokenHash: "rt-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_sessions.sub")
 			},
 		},
 		{
 			description: "Create OIDC session unique access token hash constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-2", AccessTokenHash: "at-1", RefreshTokenHash: "rt-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_sessions.access_token_hash")
 			},
 		},
 		{
 			description: "Create OIDC session unique refresh token hash constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-2", AccessTokenHash: "at-2", RefreshTokenHash: "rt-1"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_sessions.refresh_token_hash")
 			},
 		},
 		{
 			description: "Update OIDC session",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
 				updated, err := s.UpdateOIDCSession(ctx, repository.UpdateOIDCSessionParams{
 					Sub:                   "sub-1",
 					AccessTokenHash:       "at-2",
 					RefreshTokenHash:      "rt-2",
 					Scope:                 "openid profile",
 					TokenExpiresAt:        200,
 					RefreshTokenExpiresAt: 400,
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "at-2", updated.AccessTokenHash)
 				assert.Equal(t, "rt-2", updated.RefreshTokenHash)
 				assert.Equal(t, "openid profile", updated.Scope)
-				// updated token hashes are now queryable, old ones are gone
+				// old key gone, new key present
-				got, err := s.GetOIDCSessionByAccessTokenHash(ctx, "at-2")
+				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 				got, err := s.GetOidcToken(ctx, "at-2")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
-
+			},
-				_, err = s.GetOIDCSessionByAccessTokenHash(ctx, "at-1")
+		},
 		{
 			description: "Update OIDC token by refresh token not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
 					RefreshTokenHash_2: "missing",
 				})
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Update OIDC session not found",
+			description: "Delete OIDC token",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.UpdateOIDCSession(ctx, repository.UpdateOIDCSessionParams{Sub: "missing"})
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC session by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
-				require.NoError(t, s.DeleteOIDCSessionBySub(ctx, "sub-1"))
+				require.NoError(t, s.DeleteOidcToken(ctx, "at-1"))
-				_, err = s.GetOIDCSessionBySub(ctx, "sub-1")
+				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Delete expired OIDC sessions",
+			description: "Delete OIDC token by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcTokenBySub(ctx, "sub-1"))
 				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC token by code hash",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-1",
 					CodeHash:        "code-1",
 				})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcTokenByCodeHash(ctx, "code-1"))
 				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete expired OIDC tokens",
 			run: func(t *testing.T, s repository.Store) {
 				// both expiries past
-				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
-					Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1",
+					Sub: "sub-1", AccessTokenHash: "at-1",
 					TokenExpiresAt: 10, RefreshTokenExpiresAt: 10,
 				})
 				require.NoError(t, err)
 				// valid
-				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
+				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
-					Sub: "sub-2", AccessTokenHash: "at-2", RefreshTokenHash: "rt-2",
+					Sub: "sub-3", AccessTokenHash: "at-3",
 					TokenExpiresAt: 100, RefreshTokenExpiresAt: 100,
 				})
 				require.NoError(t, err)
-				require.NoError(t, s.DeleteExpiredOIDCSessions(ctx, repository.DeleteExpiredOIDCSessionsParams{
+				deleted, err := s.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
 					TokenExpiresAt:        50,
 					RefreshTokenExpiresAt: 50,
-				}))
+				})
 				require.NoError(t, err)
 				assert.Len(t, deleted, 1)
-				_, err = s.GetOIDCSessionBySub(ctx, "sub-1")
+				_, err = s.GetOidcToken(ctx, "at-3")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 				_, err = s.GetOIDCSessionBySub(ctx, "sub-2")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Create and get OIDC user info",
 			run: func(t *testing.T, s repository.Store) {
 				u, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{
 					Sub:   "sub-1",
 					Name:  "Alice",
 					Email: "alice@example.com",
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", u.Sub)
 				got, err := s.GetOidcUserInfo(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, u, got)
 			},
 		},
 		{
 			description: "Get OIDC user info not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcUserInfo(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC user info",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{Sub: "sub-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcUserInfo(ctx, "sub-1"))
 				_, err = s.GetOidcUserInfo(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 	}
 	for _, test := range tests {
@@ -7,90 +7,235 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
-func (s *Store) CreateOIDCSession(_ context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
+func (s *Store) CreateOidcCode(_ context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	// Enforce UNIQUE constraints (sub is the primary key, access/refresh token hashes are unique).
+	// Enforce sub UNIQUE constraint
-	for _, sess := range s.oidcSessions {
+	for _, c := range s.oidcCodes {
-		switch {
+		if c.Sub == arg.Sub {
-		case sess.Sub == arg.Sub:
+			return repository.OidcCode{}, fmt.Errorf("UNIQUE constraint failed: oidc_codes.sub")
 			return repository.OidcSession{}, fmt.Errorf("UNIQUE constraint failed: oidc_sessions.sub")
 		case sess.AccessTokenHash == arg.AccessTokenHash:
 			return repository.OidcSession{}, fmt.Errorf("UNIQUE constraint failed: oidc_sessions.access_token_hash")
 		case sess.RefreshTokenHash == arg.RefreshTokenHash:
 			return repository.OidcSession{}, fmt.Errorf("UNIQUE constraint failed: oidc_sessions.refresh_token_hash")
 		}
 	}
-	sess := repository.OidcSession(arg)
+	code := repository.OidcCode(arg)
-	s.oidcSessions[arg.Sub] = sess
+	s.oidcCodes[arg.CodeHash] = code
-	return sess, nil
+	return code, nil
 }
-func (s *Store) GetOIDCSessionBySub(_ context.Context, sub string) (repository.OidcSession, error) {
+// GetOidcCode is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
-	s.mu.RLock()
+func (s *Store) GetOidcCode(_ context.Context, codeHash string) (repository.OidcCode, error) {
-	defer s.mu.RUnlock()
+	s.mu.Lock()
-	sess, ok := s.oidcSessions[sub]
+	defer s.mu.Unlock()
 	c, ok := s.oidcCodes[codeHash]
 	if !ok {
-		return repository.OidcSession{}, repository.ErrNotFound
+		return repository.OidcCode{}, repository.ErrNotFound
 	}
-	return sess, nil
+	delete(s.oidcCodes, codeHash)
 	return c, nil
 }
-func (s *Store) GetOIDCSessionByAccessTokenHash(_ context.Context, accessTokenHash string) (repository.OidcSession, error) {
+// GetOidcCodeBySub is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
-	s.mu.RLock()
+func (s *Store) GetOidcCodeBySub(_ context.Context, sub string) (repository.OidcCode, error) {
 	defer s.mu.RUnlock()
 	for _, sess := range s.oidcSessions {
 		if sess.AccessTokenHash == accessTokenHash {
 			return sess, nil
 		}
 	}
 	return repository.OidcSession{}, repository.ErrNotFound
 }
 func (s *Store) GetOIDCSessionByRefreshTokenHash(_ context.Context, refreshTokenHash string) (repository.OidcSession, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, sess := range s.oidcSessions {
 		if sess.RefreshTokenHash == refreshTokenHash {
 			return sess, nil
 		}
 	}
 	return repository.OidcSession{}, repository.ErrNotFound
 }
 func (s *Store) UpdateOIDCSession(_ context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	sess, ok := s.oidcSessions[arg.Sub]
+	for k, c := range s.oidcCodes {
 		if c.Sub == sub {
 			delete(s.oidcCodes, k)
 			return c, nil
 		}
 	}
 	return repository.OidcCode{}, repository.ErrNotFound
 }
 // GetOidcCodeUnsafe is a non-destructive read (mirrors SQLite's SELECT).
 func (s *Store) GetOidcCodeUnsafe(_ context.Context, codeHash string) (repository.OidcCode, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	c, ok := s.oidcCodes[codeHash]
 	if !ok {
-		return repository.OidcSession{}, repository.ErrNotFound
+		return repository.OidcCode{}, repository.ErrNotFound
 	}
-	sess.AccessTokenHash = arg.AccessTokenHash
+	return c, nil
 	sess.RefreshTokenHash = arg.RefreshTokenHash
 	sess.Scope = arg.Scope
 	sess.ClientID = arg.ClientID
 	sess.TokenExpiresAt = arg.TokenExpiresAt
 	sess.RefreshTokenExpiresAt = arg.RefreshTokenExpiresAt
 	sess.Nonce = arg.Nonce
 	sess.UserinfoJson = arg.UserinfoJson
 	s.oidcSessions[arg.Sub] = sess
 	return sess, nil
 }
-func (s *Store) DeleteOIDCSessionBySub(_ context.Context, sub string) error {
+// GetOidcCodeBySubUnsafe is a non-destructive read (mirrors SQLite's SELECT).
 func (s *Store) GetOidcCodeBySubUnsafe(_ context.Context, sub string) (repository.OidcCode, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, c := range s.oidcCodes {
 		if c.Sub == sub {
 			return c, nil
 		}
 	}
 	return repository.OidcCode{}, repository.ErrNotFound
 }
 func (s *Store) DeleteOidcCode(_ context.Context, codeHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	delete(s.oidcSessions, sub)
+	delete(s.oidcCodes, codeHash)
 	return nil
 }
-func (s *Store) DeleteExpiredOIDCSessions(_ context.Context, arg repository.DeleteExpiredOIDCSessionsParams) error {
+func (s *Store) DeleteOidcCodeBySub(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	for k, sess := range s.oidcSessions {
+	for k, c := range s.oidcCodes {
-		if sess.TokenExpiresAt < arg.TokenExpiresAt && sess.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
+		if c.Sub == sub {
-			delete(s.oidcSessions, k)
+			delete(s.oidcCodes, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteExpiredOidcCodes(_ context.Context, expiresAt int64) ([]repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	var deleted []repository.OidcCode
 	for k, c := range s.oidcCodes {
 		if c.ExpiresAt < expiresAt {
 			deleted = append(deleted, c)
 			delete(s.oidcCodes, k)
 		}
 	}
 	return deleted, nil
 }
 func (s *Store) CreateOidcToken(_ context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	// Enforce sub UNIQUE constraint
 	for _, t := range s.oidcTokens {
 		if t.Sub == arg.Sub {
 			return repository.OidcToken{}, fmt.Errorf("UNIQUE constraint failed: oidc_tokens.sub")
 		}
 	}
 	tok := repository.OidcToken{
 		Sub:                   arg.Sub,
 		AccessTokenHash:       arg.AccessTokenHash,
 		RefreshTokenHash:      arg.RefreshTokenHash,
 		CodeHash:              arg.CodeHash,
 		Scope:                 arg.Scope,
 		ClientID:              arg.ClientID,
 		TokenExpiresAt:        arg.TokenExpiresAt,
 		RefreshTokenExpiresAt: arg.RefreshTokenExpiresAt,
 		Nonce:                 arg.Nonce,
 	}
 	s.oidcTokens[arg.AccessTokenHash] = tok
 	return tok, nil
 }
 func (s *Store) GetOidcToken(_ context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	t, ok := s.oidcTokens[accessTokenHash]
 	if !ok {
 		return repository.OidcToken{}, repository.ErrNotFound
 	}
 	return t, nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(_ context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, t := range s.oidcTokens {
 		if t.RefreshTokenHash == refreshTokenHash {
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) GetOidcTokenBySub(_ context.Context, sub string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, t := range s.oidcTokens {
 		if t.Sub == sub {
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) UpdateOidcTokenByRefreshToken(_ context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.RefreshTokenHash == arg.RefreshTokenHash_2 {
 			delete(s.oidcTokens, k)
 			t.AccessTokenHash = arg.AccessTokenHash
 			t.RefreshTokenHash = arg.RefreshTokenHash
 			t.TokenExpiresAt = arg.TokenExpiresAt
 			t.RefreshTokenExpiresAt = arg.RefreshTokenExpiresAt
 			s.oidcTokens[arg.AccessTokenHash] = t
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) DeleteOidcToken(_ context.Context, accessTokenHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcTokens, accessTokenHash)
 	return nil
 }
 func (s *Store) DeleteOidcTokenBySub(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.Sub == sub {
 			delete(s.oidcTokens, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteOidcTokenByCodeHash(_ context.Context, codeHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.CodeHash == codeHash {
 			delete(s.oidcTokens, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteExpiredOidcTokens(_ context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	var deleted []repository.OidcToken
 	for k, t := range s.oidcTokens {
 		if t.TokenExpiresAt < arg.TokenExpiresAt && t.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
 			deleted = append(deleted, t)
 			delete(s.oidcTokens, k)
 		}
 	}
 	return deleted, nil
 }
 func (s *Store) CreateOidcUserInfo(_ context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	u := repository.OidcUserinfo(arg)
 	s.oidcUsers[arg.Sub] = u
 	return u, nil
 }
 func (s *Store) GetOidcUserInfo(_ context.Context, sub string) (repository.OidcUserinfo, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	u, ok := s.oidcUsers[sub]
 	if !ok {
 		return repository.OidcUserinfo{}, repository.ErrNotFound
 	}
 	return u, nil
 }
 func (s *Store) DeleteOidcUserInfo(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcUsers, sub)
 	return nil
 }
@@ -9,15 +9,19 @@ import (
 // Store is a thread-safe in-memory implementation of repository.Store.
 type Store struct {
-	mu           sync.RWMutex
+	mu         sync.RWMutex
-	sessions     map[string]repository.Session
+	sessions   map[string]repository.Session
-	oidcSessions map[string]repository.OidcSession
+	oidcCodes  map[string]repository.OidcCode
 	oidcTokens map[string]repository.OidcToken
 	oidcUsers  map[string]repository.OidcUserinfo
 }
 // New returns a new empty in-memory Store.
 func New() repository.Store {
 	return &Store{
-		sessions:     make(map[string]repository.Session),
+		sessions:   make(map[string]repository.Session),
-		oidcSessions: make(map[string]repository.OidcSession),
+		oidcCodes:  make(map[string]repository.OidcCode),
 		oidcTokens: make(map[string]repository.OidcToken),
 		oidcUsers:  make(map[string]repository.OidcUserinfo),
 	}
 }
@@ -17,16 +17,49 @@ type Session struct {
 	OAuthSub    string
 }
-type OidcSession struct {
+type OidcCode struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
-	UserinfoJson          string
+}
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type CreateSessionParams struct {
@@ -56,7 +89,18 @@ type UpdateSessionParams struct {
 	UUID        string
 }
-type CreateOIDCSessionParams struct {
+type CreateOidcCodeParams struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type CreateOidcTokenParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
@@ -64,23 +108,41 @@ type CreateOIDCSessionParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 	UserinfoJson          string
 }
-type UpdateOIDCSessionParams struct {
+type UpdateOidcTokenByRefreshTokenParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
-	Nonce                 string
+	RefreshTokenHash_2    string
 	UserinfoJson          string
 	Sub                   string
 }
-type DeleteExpiredOIDCSessionsParams struct {
+type DeleteExpiredOidcTokensParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
 type CreateOidcUserInfoParams struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
@@ -4,16 +4,49 @@
 package postgres
-type OidcSession struct {
+type OidcCode struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
-	UserinfoJson          string
+}
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type Session struct {
@@ -9,8 +9,60 @@ import (
 	"context"
 )
-const createOIDCSession = `-- name: CreateOIDCSession :one
+const createOidcCode = `-- name: CreateOidcCode :one
-INSERT INTO "oidc_sessions" (
+INSERT INTO "oidc_codes" (
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8
 )
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 type CreateOidcCodeParams struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, createOidcCode,
 		arg.Sub,
 		arg.CodeHash,
 		arg.Scope,
 		arg.RedirectURI,
 		arg.ClientID,
 		arg.ExpiresAt,
 		arg.Nonce,
 		arg.CodeChallenge,
 	)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const createOidcToken = `-- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -18,15 +70,15 @@ INSERT INTO "oidc_sessions" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "nonce",
+    "code_hash",
-    "userinfo_json"
+    "nonce"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9
 )
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
+RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
-type CreateOIDCSessionParams struct {
+type CreateOidcTokenParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
@@ -34,12 +86,12 @@ type CreateOIDCSessionParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 	UserinfoJson          string
 }
-func (q *Queries) CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionParams) (OidcSession, error) {
+func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, createOIDCSession,
+	row := q.db.QueryRowContext(ctx, createOidcToken,
 		arg.Sub,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
@@ -47,164 +99,483 @@ func (q *Queries) CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionPa
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.CodeHash,
 		arg.Nonce,
 		arg.UserinfoJson,
 	)
-	var i OidcSession
+	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const deleteExpiredOIDCSessions = `-- name: DeleteExpiredOIDCSessions :exec
+const createOidcUserInfo = `-- name: CreateOidcUserInfo :one
-DELETE FROM "oidc_sessions"
+INSERT INTO "oidc_userinfo" (
-WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
+    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
 )
 RETURNING sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
 `
-type DeleteExpiredOIDCSessionsParams struct {
+type CreateOidcUserInfoParams struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, createOidcUserInfo,
 		arg.Sub,
 		arg.Name,
 		arg.PreferredUsername,
 		arg.Email,
 		arg.Groups,
 		arg.UpdatedAt,
 		arg.GivenName,
 		arg.FamilyName,
 		arg.MiddleName,
 		arg.Nickname,
 		arg.Profile,
 		arg.Picture,
 		arg.Website,
 		arg.Gender,
 		arg.Birthdate,
 		arg.Zoneinfo,
 		arg.Locale,
 		arg.PhoneNumber,
 		arg.Address,
 	)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
 	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcCodes, expiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcCode
 	for rows.Next() {
 		var i OidcCode
 		if err := rows.Scan(
 			&i.Sub,
 			&i.CodeHash,
 			&i.Scope,
 			&i.RedirectURI,
 			&i.ClientID,
 			&i.ExpiresAt,
 			&i.Nonce,
 			&i.CodeChallenge,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
 RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 type DeleteExpiredOidcTokensParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
-func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpiredOIDCSessionsParams) error {
+func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error) {
-	_, err := q.db.ExecContext(ctx, deleteExpiredOIDCSessions, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
+	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcTokens, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcToken
 	for rows.Next() {
 		var i OidcToken
 		if err := rows.Scan(
 			&i.Sub,
 			&i.AccessTokenHash,
 			&i.RefreshTokenHash,
 			&i.CodeHash,
 			&i.Scope,
 			&i.ClientID,
 			&i.TokenExpiresAt,
 			&i.RefreshTokenExpiresAt,
 			&i.Nonce,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteOidcCode = `-- name: DeleteOidcCode :exec
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = $1
 `
 func (q *Queries) DeleteOidcCode(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCode, codeHash)
 	return err
 }
-const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
+const deleteOidcCodeBySub = `-- name: DeleteOidcCodeBySub :exec
-DELETE FROM "oidc_sessions"
+DELETE FROM "oidc_codes"
 WHERE "sub" = $1
 `
-func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
+func (q *Queries) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
-	_, err := q.db.ExecContext(ctx, deleteOIDCSessionBySub, sub)
+	_, err := q.db.ExecContext(ctx, deleteOidcCodeBySub, sub)
 	return err
 }
-const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
+const deleteOidcToken = `-- name: DeleteOidcToken :exec
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
+DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = $1
 `
-func (q *Queries) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (OidcSession, error) {
+func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
-	row := q.db.QueryRowContext(ctx, getOIDCSessionByAccessTokenHash, accessTokenHash)
+	_, err := q.db.ExecContext(ctx, deleteOidcToken, accessTokenHash)
-	var i OidcSession
+	return err
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOIDCSessionByRefreshTokenHash = `-- name: GetOIDCSessionByRefreshTokenHash :one
+const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
+DELETE FROM "oidc_tokens"
-WHERE "refresh_token_hash" = $1
+WHERE "code_hash" = $1
 `
-func (q *Queries) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error) {
+func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
-	row := q.db.QueryRowContext(ctx, getOIDCSessionByRefreshTokenHash, refreshTokenHash)
+	_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
-	var i OidcSession
+	return err
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOIDCSessionBySub = `-- name: GetOIDCSessionBySub :one
+const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
+DELETE FROM "oidc_tokens"
 WHERE "sub" = $1
 `
-func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error) {
+func (q *Queries) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
-	row := q.db.QueryRowContext(ctx, getOIDCSessionBySub, sub)
+	_, err := q.db.ExecContext(ctx, deleteOidcTokenBySub, sub)
-	var i OidcSession
+	return err
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const updateOIDCSession = `-- name: UpdateOIDCSession :one
+const deleteOidcUserInfo = `-- name: DeleteOidcUserInfo :exec
-UPDATE "oidc_sessions" SET
+DELETE FROM "oidc_userinfo"
-    "access_token_hash" = $1,
+WHERE "sub" = $1
    "refresh_token_hash" = $2,
    "scope" = $3,
    "client_id" = $4,
    "token_expires_at" = $5,
    "refresh_token_expires_at" = $6,
    "nonce" = $7,
    "userinfo_json" = $8
 WHERE "sub" = $9
 RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
 `
-type UpdateOIDCSessionParams struct {
+func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
-	AccessTokenHash       string
+	_, err := q.db.ExecContext(ctx, deleteOidcUserInfo, sub)
-	RefreshTokenHash      string
+	return err
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
 	UserinfoJson          string
 	Sub                   string
 }
-func (q *Queries) UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error) {
+const getOidcCode = `-- name: GetOidcCode :one
-	row := q.db.QueryRowContext(ctx, updateOIDCSession,
+DELETE FROM "oidc_codes"
-		arg.AccessTokenHash,
+WHERE "code_hash" = $1
-		arg.RefreshTokenHash,
+RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
-		arg.Scope,
+`
-		arg.ClientID,
+
-		arg.TokenExpiresAt,
+func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
-		arg.RefreshTokenExpiresAt,
+	row := q.db.QueryRowContext(ctx, getOidcCode, codeHash)
-		arg.Nonce,
+	var i OidcCode
-		arg.UserinfoJson,
+	err := row.Scan(
-		arg.Sub,
+		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
-	var i OidcSession
+	return i, err
 }
 const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
 DELETE FROM "oidc_codes"
 WHERE "sub" = $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySub, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "sub" = $1
 `
 func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySubUnsafe, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "code_hash" = $1
 `
 func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeUnsafe, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcToken = `-- name: GetOidcToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "access_token_hash" = $1
 `
 func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcToken, accessTokenHash)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "refresh_token_hash" = $1
 `
 func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcTokenByRefreshToken, refreshTokenHash)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "sub" = $1
 `
 func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcTokenBySub, sub)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcUserInfo = `-- name: GetOidcUserInfo :one
 SELECT sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
 WHERE "sub" = $1
 `
 func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, getOidcUserInfo, sub)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const updateOidcTokenByRefreshToken = `-- name: UpdateOidcTokenByRefreshToken :one
 UPDATE "oidc_tokens" SET
    "access_token_hash"        = $1,
    "refresh_token_hash"       = $2,
    "token_expires_at"         = $3,
    "refresh_token_expires_at" = $4
 WHERE "refresh_token_hash" = $5
 RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 type UpdateOidcTokenByRefreshTokenParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	RefreshTokenHash_2    string
 }
 func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, updateOidcTokenByRefreshToken,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.RefreshTokenHash_2,
 	)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
@@ -32,12 +32,28 @@ func mapErr(err error) error {
 	return err
 }
-func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
+func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
-	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
+	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
 	if err != nil {
-		return repository.OidcSession{}, mapErr(err)
+		return repository.OidcCode{}, mapErr(err)
 	}
-	return repository.OidcSession(r), nil
+	return repository.OidcCode(r), nil
 }
 func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
@@ -48,44 +64,124 @@ func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionP
 	return repository.Session(r), nil
 }
-func (s *Store) DeleteExpiredOIDCSessions(ctx context.Context, arg repository.DeleteExpiredOIDCSessionsParams) error {
+func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
-	return mapErr(s.q.DeleteExpiredOIDCSessions(ctx, DeleteExpiredOIDCSessionsParams(arg)))
+	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcCode, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcCode(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcToken, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcToken(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
-func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
+func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
-	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
+	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
 }
 func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
 }
 func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
 }
 func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
 }
 func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
-func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
+func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
-	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
+	r, err := s.q.GetOidcCode(ctx, codeHash)
 	if err != nil {
-		return repository.OidcSession{}, mapErr(err)
+		return repository.OidcCode{}, mapErr(err)
 	}
-	return repository.OidcSession(r), nil
+	return repository.OidcCode(r), nil
 }
-func (s *Store) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (repository.OidcSession, error) {
+func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
-	r, err := s.q.GetOIDCSessionByRefreshTokenHash(ctx, refreshTokenHash)
+	r, err := s.q.GetOidcCodeBySub(ctx, sub)
 	if err != nil {
-		return repository.OidcSession{}, mapErr(err)
+		return repository.OidcCode{}, mapErr(err)
 	}
-	return repository.OidcSession(r), nil
+	return repository.OidcCode(r), nil
 }
-func (s *Store) GetOIDCSessionBySub(ctx context.Context, sub string) (repository.OidcSession, error) {
+func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
-	r, err := s.q.GetOIDCSessionBySub(ctx, sub)
+	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
 	if err != nil {
-		return repository.OidcSession{}, mapErr(err)
+		return repository.OidcCode{}, mapErr(err)
 	}
-	return repository.OidcSession(r), nil
+	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
 	r, err := s.q.GetOidcUserInfo(ctx, sub)
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
@@ -96,12 +192,12 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
-func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
+func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
-	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
+	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
 	if err != nil {
-		return repository.OidcSession{}, mapErr(err)
+		return repository.OidcToken{}, mapErr(err)
 	}
-	return repository.OidcSession(r), nil
+	return repository.OidcToken(r), nil
 }
 func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
@@ -4,16 +4,49 @@
 package sqlite
-type OidcSession struct {
+type OidcCode struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
-	UserinfoJson          string
+}
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type Session struct {
@@ -9,8 +9,60 @@ import (
 	"context"
 )
-const createOIDCSession = `-- name: CreateOIDCSession :one
+const createOidcCode = `-- name: CreateOidcCode :one
-INSERT INTO "oidc_sessions" (
+INSERT INTO "oidc_codes" (
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 type CreateOidcCodeParams struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, createOidcCode,
 		arg.Sub,
 		arg.CodeHash,
 		arg.Scope,
 		arg.RedirectURI,
 		arg.ClientID,
 		arg.ExpiresAt,
 		arg.Nonce,
 		arg.CodeChallenge,
 	)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const createOidcToken = `-- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -18,15 +70,15 @@ INSERT INTO "oidc_sessions" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "nonce",
+    "code_hash",
-    "userinfo_json"
+    "nonce"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
+RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
-type CreateOIDCSessionParams struct {
+type CreateOidcTokenParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
@@ -34,12 +86,12 @@ type CreateOIDCSessionParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 	UserinfoJson          string
 }
-func (q *Queries) CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionParams) (OidcSession, error) {
+func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, createOIDCSession,
+	row := q.db.QueryRowContext(ctx, createOidcToken,
 		arg.Sub,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
@@ -47,164 +99,483 @@ func (q *Queries) CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionPa
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.CodeHash,
 		arg.Nonce,
 		arg.UserinfoJson,
 	)
-	var i OidcSession
+	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const deleteExpiredOIDCSessions = `-- name: DeleteExpiredOIDCSessions :exec
+const createOidcUserInfo = `-- name: CreateOidcUserInfo :one
-DELETE FROM "oidc_sessions"
+INSERT INTO "oidc_userinfo" (
-WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
+    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING sub, name, preferred_username, email, "groups", updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
 `
-type DeleteExpiredOIDCSessionsParams struct {
+type CreateOidcUserInfoParams struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, createOidcUserInfo,
 		arg.Sub,
 		arg.Name,
 		arg.PreferredUsername,
 		arg.Email,
 		arg.Groups,
 		arg.UpdatedAt,
 		arg.GivenName,
 		arg.FamilyName,
 		arg.MiddleName,
 		arg.Nickname,
 		arg.Profile,
 		arg.Picture,
 		arg.Website,
 		arg.Gender,
 		arg.Birthdate,
 		arg.Zoneinfo,
 		arg.Locale,
 		arg.PhoneNumber,
 		arg.Address,
 	)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
 	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcCodes, expiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcCode
 	for rows.Next() {
 		var i OidcCode
 		if err := rows.Scan(
 			&i.Sub,
 			&i.CodeHash,
 			&i.Scope,
 			&i.RedirectURI,
 			&i.ClientID,
 			&i.ExpiresAt,
 			&i.Nonce,
 			&i.CodeChallenge,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
 RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 type DeleteExpiredOidcTokensParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
-func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpiredOIDCSessionsParams) error {
+func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error) {
-	_, err := q.db.ExecContext(ctx, deleteExpiredOIDCSessions, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
+	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcTokens, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcToken
 	for rows.Next() {
 		var i OidcToken
 		if err := rows.Scan(
 			&i.Sub,
 			&i.AccessTokenHash,
 			&i.RefreshTokenHash,
 			&i.CodeHash,
 			&i.Scope,
 			&i.ClientID,
 			&i.TokenExpiresAt,
 			&i.RefreshTokenExpiresAt,
 			&i.Nonce,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteOidcCode = `-- name: DeleteOidcCode :exec
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
 `
 func (q *Queries) DeleteOidcCode(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCode, codeHash)
 	return err
 }
-const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
+const deleteOidcCodeBySub = `-- name: DeleteOidcCodeBySub :exec
-DELETE FROM "oidc_sessions"
+DELETE FROM "oidc_codes"
 WHERE "sub" = ?
 `
-func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
+func (q *Queries) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
-	_, err := q.db.ExecContext(ctx, deleteOIDCSessionBySub, sub)
+	_, err := q.db.ExecContext(ctx, deleteOidcCodeBySub, sub)
 	return err
 }
-const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
+const deleteOidcToken = `-- name: DeleteOidcToken :exec
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
+DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?
 `
-func (q *Queries) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (OidcSession, error) {
+func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
-	row := q.db.QueryRowContext(ctx, getOIDCSessionByAccessTokenHash, accessTokenHash)
+	_, err := q.db.ExecContext(ctx, deleteOidcToken, accessTokenHash)
-	var i OidcSession
+	return err
 }
 const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = ?
 `
 func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
 	return err
 }
 const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenBySub, sub)
 	return err
 }
 const deleteOidcUserInfo = `-- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcUserInfo, sub)
 	return err
 }
 const getOidcCode = `-- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCode, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
 DELETE FROM "oidc_codes"
 WHERE "sub" = ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySub, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "sub" = ?
 `
 func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySubUnsafe, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "code_hash" = ?
 `
 func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeUnsafe, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcToken = `-- name: GetOidcToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "access_token_hash" = ?
 `
 func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcToken, accessTokenHash)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOIDCSessionByRefreshTokenHash = `-- name: GetOIDCSessionByRefreshTokenHash :one
+const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
+SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?
 `
-func (q *Queries) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error) {
+func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, getOIDCSessionByRefreshTokenHash, refreshTokenHash)
+	row := q.db.QueryRowContext(ctx, getOidcTokenByRefreshToken, refreshTokenHash)
-	var i OidcSession
+	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOIDCSessionBySub = `-- name: GetOIDCSessionBySub :one
+const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
+SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "sub" = ?
 `
-func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error) {
+func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, getOIDCSessionBySub, sub)
+	row := q.db.QueryRowContext(ctx, getOidcTokenBySub, sub)
-	var i OidcSession
+	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const updateOIDCSession = `-- name: UpdateOIDCSession :one
+const getOidcUserInfo = `-- name: GetOidcUserInfo :one
-UPDATE "oidc_sessions" SET
+SELECT sub, name, preferred_username, email, "groups", updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
 WHERE "sub" = ?
 `
 func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, getOidcUserInfo, sub)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const updateOidcTokenByRefreshToken = `-- name: UpdateOidcTokenByRefreshToken :one
 UPDATE "oidc_tokens" SET
    "access_token_hash" = ?,
    "refresh_token_hash" = ?,
    "scope" = ?,
    "client_id" = ?,
    "token_expires_at" = ?,
-    "refresh_token_expires_at" = ?,
+    "refresh_token_expires_at" = ?
-    "nonce" = ?,
+WHERE "refresh_token_hash" = ?
-    "userinfo_json" = ?
+RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 WHERE "sub" = ?
 RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
 `
-type UpdateOIDCSessionParams struct {
+type UpdateOidcTokenByRefreshTokenParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
-	Nonce                 string
+	RefreshTokenHash_2    string
 	UserinfoJson          string
 	Sub                   string
 }
-func (q *Queries) UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error) {
+func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, updateOIDCSession,
+	row := q.db.QueryRowContext(ctx, updateOidcTokenByRefreshToken,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
 		arg.Scope,
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
-		arg.Nonce,
+		arg.RefreshTokenHash_2,
 		arg.UserinfoJson,
 		arg.Sub,
 	)
-	var i OidcSession
+	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
@@ -32,12 +32,28 @@ func mapErr(err error) error {
 	return err
 }
-func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
+func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
-	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
+	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
 	if err != nil {
-		return repository.OidcSession{}, mapErr(err)
+		return repository.OidcCode{}, mapErr(err)
 	}
-	return repository.OidcSession(r), nil
+	return repository.OidcCode(r), nil
 }
 func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
@@ -48,44 +64,124 @@ func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionP
 	return repository.Session(r), nil
 }
-func (s *Store) DeleteExpiredOIDCSessions(ctx context.Context, arg repository.DeleteExpiredOIDCSessionsParams) error {
+func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
-	return mapErr(s.q.DeleteExpiredOIDCSessions(ctx, DeleteExpiredOIDCSessionsParams(arg)))
+	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcCode, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcCode(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcToken, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcToken(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
-func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
+func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
-	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
+	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
 }
 func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
 }
 func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
 }
 func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
 }
 func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
-func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
+func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
-	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
+	r, err := s.q.GetOidcCode(ctx, codeHash)
 	if err != nil {
-		return repository.OidcSession{}, mapErr(err)
+		return repository.OidcCode{}, mapErr(err)
 	}
-	return repository.OidcSession(r), nil
+	return repository.OidcCode(r), nil
 }
-func (s *Store) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (repository.OidcSession, error) {
+func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
-	r, err := s.q.GetOIDCSessionByRefreshTokenHash(ctx, refreshTokenHash)
+	r, err := s.q.GetOidcCodeBySub(ctx, sub)
 	if err != nil {
-		return repository.OidcSession{}, mapErr(err)
+		return repository.OidcCode{}, mapErr(err)
 	}
-	return repository.OidcSession(r), nil
+	return repository.OidcCode(r), nil
 }
-func (s *Store) GetOIDCSessionBySub(ctx context.Context, sub string) (repository.OidcSession, error) {
+func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
-	r, err := s.q.GetOIDCSessionBySub(ctx, sub)
+	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
 	if err != nil {
-		return repository.OidcSession{}, mapErr(err)
+		return repository.OidcCode{}, mapErr(err)
 	}
-	return repository.OidcSession(r), nil
+	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
 	r, err := s.q.GetOidcUserInfo(ctx, sub)
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
@@ -96,12 +192,12 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
-func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
+func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
-	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
+	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
 	if err != nil {
-		return repository.OidcSession{}, mapErr(err)
+		return repository.OidcToken{}, mapErr(err)
 	}
-	return repository.OidcSession(r), nil
+	return repository.OidcToken(r), nil
 }
 func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
@@ -19,12 +19,29 @@ type Store interface {
 	DeleteSession(ctx context.Context, uuid string) error
 	DeleteExpiredSessions(ctx context.Context, expiry int64) error
-	// OIDC sessions
+	// OIDC codes
-	CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionParams) (OidcSession, error)
+	CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error)
-	DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpiredOIDCSessionsParams) error
+	GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error)
-	DeleteOIDCSessionBySub(ctx context.Context, sub string) error
+	GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error)
-	GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (OidcSession, error)
+	GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error)
-	GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error)
+	GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error)
-	GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error)
+	DeleteOidcCode(ctx context.Context, codeHash string) error
-	UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error)
+	DeleteOidcCodeBySub(ctx context.Context, sub string) error
 	DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error)
 	// OIDC tokens
 	CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error)
 	GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error)
 	GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error)
 	GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error)
 	UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error)
 	DeleteOidcToken(ctx context.Context, accessTokenHash string) error
 	DeleteOidcTokenBySub(ctx context.Context, sub string) error
 	DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error
 	DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error)
 	// OIDC userinfo
 	CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error)
 	GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error)
 	DeleteOidcUserInfo(ctx context.Context, sub string) error
 }
@@ -5,7 +5,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 )
 type LabelProvider interface {
@@ -14,24 +13,19 @@ type LabelProvider interface {
 type AccessControlsService struct {
 	log           *logger.Logger
-	config        *model.Config
+	config        model.Config
-	labelProvider LabelProvider
+	labelProvider *LabelProvider
 }
-type AccessControlServiceInput struct {
+func NewAccessControlsService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log           *logger.Logger
+	labelProvider *LabelProvider) *AccessControlsService {
 	Config        *model.Config
 	LabelProvider LabelProvider `optional:"true"`
 }
 func NewAccessControlsService(i AccessControlServiceInput) *AccessControlsService {
 	return &AccessControlsService{
-		log:           i.Log,
+		log:           log,
-		config:        i.Config,
+		config:        config,
-		labelProvider: i.LabelProvider,
+		labelProvider: labelProvider,
 	}
 }
@@ -63,8 +57,8 @@ func (service *AccessControlsService) GetAccessControls(domain string) (*model.A
 	}
 	// If we have a label provider configured, try to get ACLs from it
-	if service.labelProvider != nil {
+	if service.labelProvider != nil && *service.labelProvider != nil {
-		return service.labelProvider.GetLabels(domain)
+		return (*service.labelProvider).GetLabels(domain)
 	}
 	// no labels
@@ -87,11 +87,7 @@ func TestLookupStaticACLs(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			svc := NewAccessControlsService(AccessControlServiceInput{
+			svc := NewAccessControlsService(log, model.Config{Apps: tt.apps}, nil)
 				Log:           log,
 				Config:        &model.Config{Apps: tt.apps},
 				LabelProvider: nil,
 			})
 			got := svc.lookupStaticACLs(tt.domain)
 			if tt.expectNil {
 				assert.Nil(t, got)
@@ -116,11 +112,7 @@ func TestGetAccessControls(t *testing.T) {
 				},
 			},
 		}
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, config, nil)
 			Log:           log,
 			Config:        &config,
 			LabelProvider: nil,
 		})
 		got, err := svc.GetAccessControls("foo.example.com")
@@ -131,11 +123,7 @@ func TestGetAccessControls(t *testing.T) {
 	})
 	t.Run("returns nil when no static match and no label provider", func(t *testing.T) {
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, nil)
 			Log:           log,
 			Config:        &model.Config{},
 			LabelProvider: nil,
 		})
 		got, err := svc.GetAccessControls("unknown.example.com")
@@ -145,11 +133,7 @@ func TestGetAccessControls(t *testing.T) {
 	t.Run("returns nil when label provider pointer wraps a nil interface", func(t *testing.T) {
 		var provider LabelProvider
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
 			Log:           log,
 			Config:        &model.Config{},
 			LabelProvider: provider, // nil provider
 		})
 		got, err := svc.GetAccessControls("unknown.example.com")
@@ -168,11 +152,7 @@ func TestGetAccessControls(t *testing.T) {
 			},
 		}
 		var provider LabelProvider = mock
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
 			Log:           log,
 			Config:        &model.Config{},
 			LabelProvider: provider,
 		})
 		got, err := svc.GetAccessControls("dynamic.example.com")
@@ -190,11 +170,7 @@ func TestGetAccessControls(t *testing.T) {
 				"foo": {Config: model.AppConfig{Domain: "foo.example.com"}},
 			},
 		}
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, config, &provider)
 			Log:           log,
 			Config:        &config,
 			LabelProvider: provider,
 		})
 		got, err := svc.GetAccessControls("foo.example.com")
@@ -212,11 +188,7 @@ func TestGetAccessControls(t *testing.T) {
 			},
 		}
 		var provider LabelProvider = mock
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
 			Log:           log,
 			Config:        &model.Config{},
 			LabelProvider: provider,
 		})
 		got, err := svc.GetAccessControls("dynamic.example.com")
@@ -2,10 +2,8 @@ package service
 import (
 	"context"
 	"crypto/rand"
 	"errors"
 	"fmt"
 	"math/big"
 	"net/http"
 	"strings"
 	"sync"
@@ -16,7 +14,8 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
+
 	"slices"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
@@ -27,19 +26,23 @@ import (
 // but for now these are just safety limits to prevent unbounded memory usage
 const MaxOAuthPendingSessions = 256
 const OAuthCleanupCount = 16
 const MaxLoginAttemptRecords = 256
 var (
 	ErrUserNotFound = errors.New("user not found")
 )
-// We either store params for redirecting to an app after OAuth login,
+// slightly modified version of the AuthorizeRequest from the OIDC service to basically accept all
-// or for redirecting back to the authorize screen to continue OIDC
+// parameters and pass them to the authorize page if needed
-type OAuthCallbackParams struct {
+type OAuthURLParams struct {
-	LoginFor    string `form:"login_for" url:"login_for"`
+	Scope               string `form:"scope" url:"scope"`
-	OIDCTicket  string `form:"oidc_ticket" url:"oidc_ticket"`
+	ResponseType        string `form:"response_type" url:"response_type"`
-	OIDCScope   string `form:"oidc_scope" url:"oidc_scope"`
+	ClientID            string `form:"client_id" url:"client_id"`
-	OIDCName    string `form:"oidc_name" url:"oidc_name"`
+	RedirectURI         string `form:"redirect_uri" url:"redirect_uri"`
-	RedirectURI string `form:"redirect_uri" url:"redirect_uri"`
+	State               string `form:"state" url:"state"`
 	Nonce               string `form:"nonce" url:"nonce"`
 	CodeChallenge       string `form:"code_challenge" url:"code_challenge"`
 	CodeChallengeMethod string `form:"code_challenge_method" url:"code_challenge_method"`
 }
 type OAuthPendingSession struct {
@@ -48,7 +51,12 @@ type OAuthPendingSession struct {
 	Token          *oauth2.Token
 	Service        *OAuthServiceImpl
 	ExpiresAt      time.Time
-	CallbackParams OAuthCallbackParams
+	CallbackParams OAuthURLParams
 }
 type LdapGroupsCache struct {
 	Groups  []string
 	Expires time.Time
 }
 type LoginAttempt struct {
@@ -57,11 +65,16 @@ type LoginAttempt struct {
 	LockedUntil    time.Time
 }
 type Lockdown struct {
 	Active      bool
 	ActiveUntil time.Time
 }
 type AuthService struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
-	ctx     context.Context
+	context context.Context
 	ldap         *LdapService
 	queries      repository.Store
@@ -69,84 +82,45 @@ type AuthService struct {
 	tailscale    *TailscaleService
 	policyEngine *PolicyEngine
-	lockdown struct {
+	loginAttempts        map[string]*LoginAttempt
-		active     bool
+	ldapGroupsCache      map[string]*LdapGroupsCache
-		until      time.Time
+	oauthPendingSessions map[string]*OAuthPendingSession
-		ctx        context.Context
+	oauthMutex           sync.RWMutex
-		cancelFunc context.CancelFunc
+	loginMutex           sync.RWMutex
-		mu         sync.RWMutex
+	ldapGroupsMutex      sync.RWMutex
-	}
+	lockdown             *Lockdown
-
+	lockdownCtx          context.Context
-	caches struct {
+	lockdownCancelFunc   context.CancelFunc
 		login *CacheStore[LoginAttempt]
 		oauth *CacheStore[OAuthPendingSession]
 		ldap  *CacheStore[[]string]
 	}
 	maxLoginLimits int
 }
-type AuthServiceInput struct {
+func NewAuthService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log          *logger.Logger
+	runtime model.RuntimeConfig,
-	Config       *model.Config
+	ctx context.Context,
-	Runtime      *model.RuntimeConfig
+	dg *ding.Ding,
-	Ctx          context.Context
+	ldap *LdapService,
-	Ding         *ding.Ding
+	queries repository.Store,
-	LDAP         *LdapService `optional:"true"`
+	oauthBroker *OAuthBrokerService,
-	Queries      repository.Store
+	tailscale *TailscaleService,
-	OAuthBroker  *OAuthBrokerService
+	policy *PolicyEngine,
-	Tailscale    *TailscaleService `optional:"true"`
+) *AuthService {
 	PolicyEngine *PolicyEngine
 }
 func NewAuthService(i AuthServiceInput) *AuthService {
 	service := &AuthService{
-		log:          i.Log,
+		log:                  log,
-		runtime:      i.Runtime,
+		runtime:              runtime,
-		ctx:          i.Ctx,
+		context:              ctx,
-		config:       i.Config,
+		config:               config,
-		ldap:         i.LDAP,
+		loginAttempts:        make(map[string]*LoginAttempt),
-		queries:      i.Queries,
+		ldapGroupsCache:      make(map[string]*LdapGroupsCache),
-		oauthBroker:  i.OAuthBroker,
+		oauthPendingSessions: make(map[string]*OAuthPendingSession),
-		tailscale:    i.Tailscale,
+		ldap:                 ldap,
-		policyEngine: i.PolicyEngine,
+		queries:              queries,
 		oauthBroker:          oauthBroker,
 		tailscale:            tailscale,
 		policyEngine:         policy,
 	}
-	// get the max login limits based on the number of users and the configured max retries
+	dg.Go(service.cleanupOAuthSessions, ding.RingMinor)
 	service.maxLoginLimits = service.calculateLockdownLimit()
 	loginCacheSize := 0
 	if !service.config.Auth.LockdownEnabled {
 		loginCacheSize = service.maxLoginLimits
 	}
 	// caches setup
 	oauthCache := NewCacheStore[OAuthPendingSession](256)
 	loginCache := NewCacheStore[LoginAttempt](loginCacheSize)
 	ldapCache := NewCacheStore[[]string](1024)
 	service.caches.oauth = oauthCache
 	service.caches.login = loginCache
 	service.caches.ldap = ldapCache
 	i.Ding.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 		for {
 			select {
 			case <-ticker.C:
 				service.caches.oauth.Sweep()
 				service.caches.login.Sweep()
 				service.caches.ldap.Sweep()
 			case <-ctx.Done():
 				return
 			}
 		}
 	}, ding.RingMinor)
 	return service
 }
@@ -221,12 +195,14 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 		return nil, errors.New("ldap service not configured")
 	}
-	entry, exists := auth.caches.ldap.Get(userDN)
+	auth.ldapGroupsMutex.RLock()
 	entry, exists := auth.ldapGroupsCache[userDN]
 	auth.ldapGroupsMutex.RUnlock()
-	if exists {
+	if exists && time.Now().Before(entry.Expires) {
 		return &model.LDAPUser{
 			DN:     userDN,
-			Groups: entry,
+			Groups: entry.Groups,
 		}, nil
 	}
@@ -236,7 +212,12 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 		return nil, fmt.Errorf("failed to get ldap groups: %w", err)
 	}
-	auth.caches.ldap.Set(userDN, groups, time.Duration(auth.config.LDAP.GroupCacheTTL)*time.Second)
+	auth.ldapGroupsMutex.Lock()
 	auth.ldapGroupsCache[userDN] = &LdapGroupsCache{
 		Groups:  groups,
 		Expires: time.Now().Add(time.Duration(auth.config.LDAP.GroupCacheTTL) * time.Second),
 	}
 	auth.ldapGroupsMutex.Unlock()
 	return &model.LDAPUser{
 		DN:     userDN,
@@ -245,7 +226,11 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 }
 func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
-	if locked, remaining := auth.IsInLockdown(); locked {
+	auth.loginMutex.RLock()
 	defer auth.loginMutex.RUnlock()
 	if auth.lockdown != nil && auth.lockdown.Active {
 		remaining := int(time.Until(auth.lockdown.ActiveUntil).Seconds())
 		return true, remaining
 	}
@@ -253,7 +238,7 @@ func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
 		return false, 0
 	}
-	attempt, exists := auth.caches.login.Get(identifier)
+	attempt, exists := auth.loginAttempts[identifier]
 	if !exists {
 		return false, 0
 	}
@@ -271,49 +256,37 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 		return
 	}
-	if !success && auth.config.Auth.LockdownEnabled && auth.caches.login.Size() >= auth.maxLoginLimits {
+	auth.loginMutex.Lock()
-		if locked, _ := auth.IsInLockdown(); locked {
+	defer auth.loginMutex.Unlock()
 	if len(auth.loginAttempts) >= MaxLoginAttemptRecords {
 		if auth.lockdown != nil && auth.lockdown.Active {
 			return
 		}
 		go auth.lockdownMode()
 		return
 	}
-	auth.caches.login.WithLock(func(actions CacheStoreActions[LoginAttempt]) {
+	attempt, exists := auth.loginAttempts[identifier]
-		entry, ok := actions.Get(identifier)
+	if !exists {
 		attempt = &LoginAttempt{}
 		auth.loginAttempts[identifier] = attempt
 	}
-		if !ok {
+	attempt.LastAttempt = time.Now()
 			attempt := LoginAttempt{
 				LastAttempt: time.Now(),
 			}
 			if !success {
 				attempt.FailedAttempts = 1
 				if attempt.FailedAttempts >= auth.config.Auth.LoginMaxRetries {
 					attempt.LockedUntil = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
 					auth.log.App.Warn().Str("identifier", identifier).Int("failedAttempts", attempt.FailedAttempts).Msg("Account locked due to too many failed login attempts")
 				}
 			}
 			// match current tinyauth behavior which doesn't expire rate limits
 			actions.Set(identifier, attempt, 0)
 			return
 		}
-		entry.LastAttempt = time.Now()
+	if success {
 		attempt.FailedAttempts = 0
 		attempt.LockedUntil = time.Time{} // Reset lock time
 		return
 	}
-		if success {
+	attempt.FailedAttempts++
 			entry.FailedAttempts = 0
 			entry.LockedUntil = time.Time{}
 		} else {
 			entry.FailedAttempts++
-			if entry.FailedAttempts >= auth.config.Auth.LoginMaxRetries {
+	if attempt.FailedAttempts >= auth.config.Auth.LoginMaxRetries {
-				entry.LockedUntil = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
+		attempt.LockedUntil = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
-				auth.log.App.Warn().Str("identifier", identifier).Int("failedAttempts", entry.FailedAttempts).Msg("Account locked due to too many failed login attempts")
+		auth.log.App.Warn().Str("identifier", identifier).Int("failedAttempts", attempt.FailedAttempts).Msg("Account locked due to too many failed login attempts")
-			}
+	}
 		}
 		actions.Set(identifier, entry, 0)
 	})
 }
 // We could also directly access the policyEngine.effectToAccess but
@@ -530,17 +503,19 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 	return auth.ldap != nil
 }
-func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthCallbackParams) (string, error) {
+func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLParams) (string, OAuthPendingSession, error) {
 	auth.ensureOAuthSessionLimit()
 	service, ok := auth.oauthBroker.GetService(serviceName)
 	if !ok {
-		return "", fmt.Errorf("oauth service not found: %s", serviceName)
+		return "", OAuthPendingSession{}, fmt.Errorf("oauth service not found: %s", serviceName)
 	}
 	sessionId, err := uuid.NewRandom()
 	if err != nil {
-		return "", fmt.Errorf("failed to generate session ID: %w", err)
+		return "", OAuthPendingSession{}, fmt.Errorf("failed to generate session ID: %w", err)
 	}
 	state := service.NewRandom()
@@ -554,9 +529,11 @@ func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthCallbac
 		CallbackParams: params,
 	}
-	auth.caches.oauth.Set(sessionId.String(), session, time.Minute*10)
+	auth.oauthMutex.Lock()
 	auth.oauthPendingSessions[sessionId.String()] = &session
 	auth.oauthMutex.Unlock()
-	return sessionId.String(), nil
+	return sessionId.String(), session, nil
 }
 func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
@@ -570,10 +547,10 @@ func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
 }
 func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.Token, error) {
-	session, ok := auth.caches.oauth.Get(sessionId)
+	session, err := auth.GetOAuthPendingSession(sessionId)
-	if !ok {
+	if err != nil {
-		return nil, fmt.Errorf("oauth session not found: %s", sessionId)
+		return nil, err
 	}
 	token, err := (*session.Service).GetToken(code, session.Verifier)
@@ -582,14 +559,9 @@ func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.T
 		return nil, fmt.Errorf("failed to exchange code for token: %w", err)
 	}
 	auth.oauthMutex.Lock()
 	session.Token = token
-
+	auth.oauthMutex.Unlock()
 	// ttl 0 means keep current expiration
 	ok = auth.caches.oauth.Update(sessionId, session, 0)
 	if !ok {
 		return nil, fmt.Errorf("failed to update oauth session with token: %s", sessionId)
 	}
 	return token, nil
 }
@@ -625,40 +597,123 @@ func (auth *AuthService) GetOAuthService(sessionId string) (OAuthServiceImpl, er
 }
 func (auth *AuthService) EndOAuthSession(sessionId string) {
-	auth.caches.oauth.Delete(sessionId)
+	auth.oauthMutex.Lock()
 	delete(auth.oauthPendingSessions, sessionId)
 	auth.oauthMutex.Unlock()
 }
 func (auth *AuthService) cleanupOAuthSessions(ctx context.Context) {
 	auth.log.App.Debug().Msg("Starting OAuth session cleanup routine")
 	ticker := time.NewTicker(30 * time.Minute)
 	defer ticker.Stop()
 	for {
 		select {
 		case <-ticker.C:
 			auth.log.App.Debug().Msg("Running OAuth session cleanup")
 			auth.oauthMutex.Lock()
 			now := time.Now()
 			for sessionId, session := range auth.oauthPendingSessions {
 				if now.After(session.ExpiresAt) {
 					delete(auth.oauthPendingSessions, sessionId)
 				}
 			}
 			auth.oauthMutex.Unlock()
 			auth.log.App.Debug().Msg("OAuth session cleanup completed")
 		case <-ctx.Done():
 			auth.log.App.Debug().Msg("Stopping OAuth session cleanup routine")
 			return
 		}
 	}
 }
 func (auth *AuthService) GetOAuthPendingSession(sessionId string) (*OAuthPendingSession, error) {
-	session, exists := auth.caches.oauth.Get(sessionId)
+	auth.ensureOAuthSessionLimit()
 	auth.oauthMutex.RLock()
 	session, exists := auth.oauthPendingSessions[sessionId]
 	auth.oauthMutex.RUnlock()
 	if !exists {
 		return &OAuthPendingSession{}, fmt.Errorf("oauth session not found: %s", sessionId)
 	}
-	return &session, nil
+	if time.Now().After(session.ExpiresAt) {
 		auth.oauthMutex.Lock()
 		delete(auth.oauthPendingSessions, sessionId)
 		auth.oauthMutex.Unlock()
 		return &OAuthPendingSession{}, fmt.Errorf("oauth session expired: %s", sessionId)
 	}
 	return session, nil
 }
-func (auth *AuthService) lockdownMode() {
+func (auth *AuthService) ensureOAuthSessionLimit() {
-	auth.lockdown.mu.Lock()
+	auth.oauthMutex.Lock()
 	defer auth.oauthMutex.Unlock()
-	if auth.lockdown.active {
+	if len(auth.oauthPendingSessions) <= MaxOAuthPendingSessions {
 		auth.lockdown.mu.Unlock()
 		return
 	}
-	ctx, cancel := context.WithCancel(auth.ctx)
+	type entry struct {
 		id        string
 		expiresAt int64
 	}
 	entries := make([]entry, 0, len(auth.oauthPendingSessions))
 	for id, session := range auth.oauthPendingSessions {
 		entries = append(entries, entry{id, session.ExpiresAt.Unix()})
 	}
 	slices.SortFunc(entries, func(a, b entry) int {
 		if a.expiresAt < b.expiresAt {
 			return -1
 		}
 		if a.expiresAt > b.expiresAt {
 			return 1
 		}
 		return 0
 	})
 	for _, e := range entries[:OAuthCleanupCount] {
 		delete(auth.oauthPendingSessions, e.id)
 	}
 }
 func (auth *AuthService) lockdownMode() {
 	ctx, cancel := context.WithCancel(context.Background())
 	auth.loginMutex.Lock()
 	if auth.lockdown != nil && auth.lockdown.Active {
 		auth.loginMutex.Unlock()
 		cancel()
 		return
 	}
 	auth.lockdownCtx = ctx
 	auth.lockdownCancelFunc = cancel
 	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")
-	auth.lockdown.active = true
+	auth.lockdown = &Lockdown{
-	auth.lockdown.ctx = ctx
+		Active:      true,
-	auth.lockdown.cancelFunc = cancel
+		ActiveUntil: time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second),
 	}
-	d := time.Duration(auth.config.Auth.LoginTimeout) * time.Second
+	// At this point all login attemps will also expire so,
-	auth.lockdown.until = time.Now().Add(d)
+	// we might as well clear them to free up memory
-	timer := time.NewTimer(d)
+	auth.loginAttempts = make(map[string]*LoginAttempt)
-	auth.lockdown.mu.Unlock()
+	timer := time.NewTimer(time.Until(auth.lockdown.ActiveUntil))
 	auth.loginMutex.Unlock()
 	defer cancel()
 	defer timer.Stop()
@@ -668,61 +723,24 @@ func (auth *AuthService) lockdownMode() {
 		// Timer expired, end lockdown
 	case <-ctx.Done():
 		// Context cancelled, end lockdown
 	case <-auth.context.Done():
 		// Service is shutting down, end lockdown
 	}
-	auth.lockdown.mu.Lock()
+	auth.loginMutex.Lock()
 	auth.log.App.Info().Msg("Exiting lockdown mode")
-	auth.caches.login.Clear()
+	auth.lockdown = nil
-	auth.lockdown.active = false
+	auth.loginMutex.Unlock()
 	auth.lockdown.until = time.Time{}
 	auth.lockdown.ctx = nil
 	auth.lockdown.cancelFunc = nil
 	auth.lockdown.mu.Unlock()
 }
-func (auth *AuthService) IsInLockdown() (bool, int) {
+// Function only used for testing - do not use in prod!
-	auth.lockdown.mu.RLock()
+func (auth *AuthService) ClearRateLimitsTestingOnly() {
-	defer auth.lockdown.mu.RUnlock()
+	auth.loginMutex.Lock()
-	if auth.lockdown.active {
+	auth.loginAttempts = make(map[string]*LoginAttempt)
-		remaining := int(time.Until(auth.lockdown.until).Seconds())
+	if auth.lockdown != nil {
-		return true, remaining
+		auth.lockdownCancelFunc()
 	}
-	return false, 0
+	auth.loginMutex.Unlock()
 }
 // mostly a testing function, not useful for anything else
 func (auth *AuthService) ClearLoginAttempts() {
 	auth.caches.login.Clear()
 }
 func (auth *AuthService) calculateLockdownLimit() int {
 	userCount := len(auth.runtime.LocalUsers)
 	if auth.ldap != nil {
 		ldapUsers, err := auth.ldap.GetUserCount()
 		if err != nil {
 			auth.log.App.Warn().Err(err).Msg("Failed to get LDAP user count")
 		} else {
 			userCount += ldapUsers
 		}
 	}
 	limit := userCount * auth.config.Auth.LoginMaxRetries
 	jitter, err := rand.Int(rand.Reader, big.NewInt(64))
 	if err != nil {
 		auth.log.App.Warn().Err(err).Msg("Failed to generate jitter for lockdown limit")
 	} else {
 		limit += int(jitter.Int64())
 	}
 	if limit < 256 {
 		limit = 256
 	}
 	return limit
 }
@@ -4,7 +4,6 @@ import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -13,22 +12,9 @@ func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 	policyEngine, err := NewPolicyEngine(PolicyEngineInput{
 		Log: log,
 		Config: &model.Config{
 			Auth: model.AuthConfig{
 				ACLs: model.ACLsConfig{
 					Policy: string(PolicyAllow),
 				},
 			},
 		},
 	})
 	require.NoError(t, err)
 	auth := &AuthService{
 		log: log,
-		runtime: &model.RuntimeConfig{
+		runtime: model.RuntimeConfig{
 			OAuthWhitelist: []string{"global@example.com"},
 			OAuthProviders: map[string]model.OAuthServiceConfig{
 				"github": {
@@ -42,7 +28,6 @@ func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
 				},
 			},
 		},
 		policyEngine: policyEngine,
 	}
 	assert.True(t, auth.IsEmailWhitelisted("github", "github@example.com"))
@@ -1,197 +0,0 @@
 package service
 import (
 	"slices"
 	"sync"
 	"time"
 )
 type CacheStoreActions[T any] struct {
 	Set    func(key string, value T, ttl time.Duration)
 	Get    func(key string) (T, bool)
 	Delete func(key string)
 	Update func(key string, value T, ttl time.Duration) bool
 }
 type cacheEntry[T any] struct {
 	value     T
 	expiresAt *time.Time
 }
 type CacheStore[T any] struct {
 	cache   map[string]cacheEntry[T]
 	order   []string
 	mu      sync.RWMutex
 	maxSize int
 }
 func NewCacheStore[T any](maxSize int) *CacheStore[T] {
 	return &CacheStore[T]{
 		cache:   make(map[string]cacheEntry[T]),
 		order:   make([]string, 0),
 		maxSize: maxSize,
 	}
 }
 // With lock allows performing multiple operations on the cache store atomically.
 // The provided mutate function receives a set of actions (Set, Get, Delete) that
 // can be used to manipulate the cache store within the locked context.
 func (cs *CacheStore[T]) WithLock(mutate func(actions CacheStoreActions[T])) {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	actions := CacheStoreActions[T]{
 		Set:    cs.setCallback,
 		Get:    cs.getCallback,
 		Delete: cs.deleteCallback,
 		Update: cs.updateCallback,
 	}
 	mutate(actions)
 }
 func (cs *CacheStore[T]) updateCallback(key string, value T, ttl time.Duration) bool {
 	if currentEntry, exists := cs.cache[key]; exists {
 		if currentEntry.expiresAt != nil && time.Now().After(*currentEntry.expiresAt) {
 			return false
 		}
 		entry := cacheEntry[T]{
 			value:     value,
 			expiresAt: currentEntry.expiresAt,
 		}
 		if ttl > 0 {
 			expiration := time.Now().Add(ttl)
 			entry.expiresAt = &expiration
 		}
 		cs.cache[key] = entry
 		return true
 	}
 	return false
 }
 func (cs *CacheStore[T]) Update(key string, value T, ttl time.Duration) bool {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	return cs.updateCallback(key, value, ttl)
 }
 func (cs *CacheStore[T]) setCallback(key string, value T, ttl time.Duration) {
 	if cs.maxSize > 0 {
 		if _, exists := cs.cache[key]; !exists && len(cs.cache) >= cs.maxSize {
 			cs.evictOne()
 		}
 	}
 	var expiresAt *time.Time
 	if ttl > 0 {
 		expiration := time.Now().Add(ttl)
 		expiresAt = &expiration
 	}
 	cs.cache[key] = cacheEntry[T]{
 		value:     value,
 		expiresAt: expiresAt,
 	}
 	if !slices.Contains(cs.order, key) {
 		cs.order = append(cs.order, key)
 	}
 }
 func (cs *CacheStore[T]) Set(key string, value T, ttl time.Duration) {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	cs.setCallback(key, value, ttl)
 }
 func (cs *CacheStore[T]) getCallback(key string) (T, bool) {
 	entry, exists := cs.cache[key]
 	if !exists {
 		var zero T
 		return zero, false
 	}
 	if entry.expiresAt != nil && time.Now().After(*entry.expiresAt) {
 		var zero T
 		return zero, false
 	}
 	return entry.value, true
 }
 func (cs *CacheStore[T]) Get(key string) (T, bool) {
 	cs.mu.RLock()
 	defer cs.mu.RUnlock()
 	return cs.getCallback(key)
 }
 func (cs *CacheStore[T]) deleteCallback(key string) {
 	delete(cs.cache, key)
 	keyIdx := slices.Index(cs.order, key)
 	if keyIdx != -1 {
 		cs.order = append(cs.order[:keyIdx], cs.order[keyIdx+1:]...)
 	}
 }
 func (cs *CacheStore[T]) Delete(key string) {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	cs.deleteCallback(key)
 }
 func (cs *CacheStore[T]) Sweep() {
 	cs.mu.Lock()
 	for key, entry := range cs.cache {
 		if entry.expiresAt != nil && time.Now().After(*entry.expiresAt) {
 			cs.deleteCallback(key)
 		}
 	}
 	cs.mu.Unlock()
 }
 func (cs *CacheStore[T]) evictOne() bool {
 	now := time.Now()
 	var oldestKey string
 	var oldestExp *time.Time
 	for k, e := range cs.cache {
 		if e.expiresAt != nil && now.After(*e.expiresAt) {
 			cs.deleteCallback(k)
 			return true
 		}
 		if e.expiresAt != nil && (oldestExp == nil || e.expiresAt.Before(*oldestExp)) {
 			oldestKey, oldestExp = k, e.expiresAt
 		}
 	}
 	// If we found an oldest key, evict it else we delete the first key in the order list
 	if oldestKey != "" {
 		cs.deleteCallback(oldestKey)
 		return true
 	} else {
 		if len(cs.order) > 0 {
 			cs.deleteCallback(cs.order[0])
 			return true
 		}
 	}
 	return false
 }
 func (cs *CacheStore[T]) Size() int {
 	cs.mu.RLock()
 	defer cs.mu.RUnlock()
 	return len(cs.cache)
 }
 func (cs *CacheStore[T]) Clear() {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	cs.cache = make(map[string]cacheEntry[T])
 	cs.order = make([]string, 0)
 }
@@ -1,383 +0,0 @@
 package service
 import (
 	"strconv"
 	"sync"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 )
 func TestCacheStoreGet(t *testing.T) {
 	tests := []struct {
 		name      string
 		setup     func(cs *CacheStore[string])
 		wantValue string
 		wantOk    bool
 	}{
 		{
 			name:      "returns a stored value",
 			setup:     func(cs *CacheStore[string]) { cs.Set("key", "value", 0) },
 			wantValue: "value",
 			wantOk:    true,
 		},
 		{
 			name:   "reports a missing key",
 			setup:  func(cs *CacheStore[string]) {},
 			wantOk: false,
 		},
 		{
 			name: "returns the latest value after an overwrite",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("key", "first", 0)
 				cs.Set("key", "second", 0)
 			},
 			wantValue: "second",
 			wantOk:    true,
 		},
 		{
 			name:      "returns a non-expired entry",
 			setup:     func(cs *CacheStore[string]) { cs.Set("key", "value", time.Minute) },
 			wantValue: "value",
 			wantOk:    true,
 		},
 		{
 			name: "treats an expired entry as missing",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("key", "value", 10*time.Millisecond)
 				time.Sleep(20 * time.Millisecond)
 			},
 			wantOk: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			value, ok := cs.Get("key")
 			assert.Equal(t, tt.wantOk, ok)
 			if tt.wantOk {
 				assert.Equal(t, tt.wantValue, value)
 			}
 		})
 	}
 }
 func TestCacheStoreUpdate(t *testing.T) {
 	tests := []struct {
 		name        string
 		setup       func(cs *CacheStore[string])
 		ttl         time.Duration
 		wantOk      bool
 		afterWait   time.Duration
 		wantPresent bool
 		wantValue   string
 	}{
 		{
 			name:        "updates an existing entry",
 			setup:       func(cs *CacheStore[string]) { cs.Set("key", "old", 0) },
 			ttl:         0,
 			wantOk:      true,
 			wantPresent: true,
 			wantValue:   "new",
 		},
 		{
 			name:        "does not create a missing entry",
 			setup:       func(cs *CacheStore[string]) {},
 			ttl:         0,
 			wantOk:      false,
 			wantPresent: false,
 		},
 		{
 			name:        "preserves the existing expiry when ttl is zero",
 			setup:       func(cs *CacheStore[string]) { cs.Set("key", "old", 30*time.Millisecond) },
 			ttl:         0,
 			wantOk:      true,
 			afterWait:   40 * time.Millisecond,
 			wantPresent: false,
 		},
 		{
 			name:        "refreshes the expiry when ttl is provided",
 			setup:       func(cs *CacheStore[string]) { cs.Set("key", "old", 10*time.Millisecond) },
 			ttl:         time.Minute,
 			wantOk:      true,
 			afterWait:   20 * time.Millisecond,
 			wantPresent: true,
 			wantValue:   "new",
 		},
 		{
 			name: "does not update an expired entry",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("key", "old", 10*time.Millisecond)
 				time.Sleep(20 * time.Millisecond)
 			},
 			ttl:         time.Minute,
 			wantOk:      false,
 			wantPresent: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			ok := cs.Update("key", "new", tt.ttl)
 			assert.Equal(t, tt.wantOk, ok)
 			time.Sleep(tt.afterWait)
 			value, present := cs.Get("key")
 			assert.Equal(t, tt.wantPresent, present)
 			if tt.wantPresent {
 				assert.Equal(t, tt.wantValue, value)
 			}
 		})
 	}
 }
 func TestCacheStoreDelete(t *testing.T) {
 	tests := []struct {
 		name     string
 		setup    func(cs *CacheStore[string])
 		key      string
 		wantSize int
 	}{
 		{
 			name: "removes an existing key",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("a", "1", 0)
 				cs.Set("b", "2", 0)
 			},
 			key:      "a",
 			wantSize: 1,
 		},
 		{
 			name:     "is a no-op for a missing key",
 			setup:    func(cs *CacheStore[string]) { cs.Set("a", "1", 0) },
 			key:      "missing",
 			wantSize: 1,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			cs.Delete(tt.key)
 			_, ok := cs.Get(tt.key)
 			assert.False(t, ok)
 			assert.Equal(t, tt.wantSize, cs.Size())
 		})
 	}
 }
 func TestCacheStoreSweep(t *testing.T) {
 	tests := []struct {
 		name     string
 		setup    func(cs *CacheStore[string])
 		present  []string
 		absent   []string
 		wantSize int
 	}{
 		{
 			name: "removes expired entries and keeps the rest",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("permanent", "value", 0)
 				cs.Set("expired", "value", 10*time.Millisecond)
 				time.Sleep(20 * time.Millisecond)
 			},
 			present:  []string{"permanent"},
 			absent:   []string{"expired"},
 			wantSize: 1,
 		},
 		{
 			name: "keeps all live entries",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("a", "value", 0)
 				cs.Set("b", "value", time.Minute)
 			},
 			present:  []string{"a", "b"},
 			wantSize: 2,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			cs.Sweep()
 			for _, key := range tt.present {
 				_, ok := cs.Get(key)
 				assert.True(t, ok)
 			}
 			for _, key := range tt.absent {
 				_, ok := cs.Get(key)
 				assert.False(t, ok)
 			}
 			assert.Equal(t, tt.wantSize, cs.Size())
 		})
 	}
 }
 func TestCacheStoreEviction(t *testing.T) {
 	// Every case uses a cache with maxSize 2; the final Set in setup is the
 	// insertion that overflows the cache and triggers an eviction.
 	tests := []struct {
 		name     string
 		setup    func(cs *CacheStore[string])
 		present  []string
 		absent   []string
 		wantSize int
 	}{
 		{
 			name: "evicts an already expired entry first",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("expired", "value", 10*time.Millisecond)
 				cs.Set("fresh", "value", time.Minute)
 				time.Sleep(20 * time.Millisecond)
 				cs.Set("new", "value", time.Minute)
 			},
 			present:  []string{"fresh", "new"},
 			absent:   []string{"expired"},
 			wantSize: 2,
 		},
 		{
 			name: "evicts the entry expiring soonest",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("soon", "value", 50*time.Millisecond)
 				cs.Set("later", "value", time.Hour)
 				cs.Set("new", "value", time.Hour)
 			},
 			present:  []string{"later", "new"},
 			absent:   []string{"soon"},
 			wantSize: 2,
 		},
 		{
 			name: "evicts the oldest inserted entry when none have a ttl",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("first", "value", 0)
 				cs.Set("second", "value", 0)
 				cs.Set("third", "value", 0)
 			},
 			present:  []string{"second", "third"},
 			absent:   []string{"first"},
 			wantSize: 2,
 		},
 		{
 			name: "overwriting an existing key does not trigger eviction",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("a", "1", 0)
 				cs.Set("b", "2", 0)
 				cs.Set("a", "updated", 0)
 			},
 			present:  []string{"a", "b"},
 			wantSize: 2,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](2)
 			tt.setup(cs)
 			for _, key := range tt.present {
 				_, ok := cs.Get(key)
 				assert.True(t, ok)
 			}
 			for _, key := range tt.absent {
 				_, ok := cs.Get(key)
 				assert.False(t, ok)
 			}
 			assert.Equal(t, tt.wantSize, cs.Size())
 		})
 	}
 }
 func TestCacheStoreSizeAndClear(t *testing.T) {
 	cs := NewCacheStore[string](0)
 	assert.Equal(t, 0, cs.Size())
 	cs.Set("a", "1", 0)
 	cs.Set("b", "2", 0)
 	assert.Equal(t, 2, cs.Size())
 	cs.Clear()
 	assert.Equal(t, 0, cs.Size())
 	_, ok := cs.Get("a")
 	assert.False(t, ok)
 }
 func TestCacheStoreWithLock(t *testing.T) {
 	cs := NewCacheStore[int](0)
 	cs.Set("counter", 1, 0)
 	// All four actions run atomically under a single lock.
 	cs.WithLock(func(actions CacheStoreActions[int]) {
 		current, ok := actions.Get("counter")
 		assert.True(t, ok)
 		actions.Set("counter", current+1, 0)
 		actions.Set("other", 100, 0)
 		actions.Delete("counter")
 		updated := actions.Update("other", 200, 0)
 		assert.True(t, updated)
 	})
 	_, ok := cs.Get("counter")
 	assert.False(t, ok)
 	value, ok := cs.Get("other")
 	assert.True(t, ok)
 	assert.Equal(t, 200, value)
 }
 // TestCacheStoreConcurrency exercises every locking path concurrently so the
 // race detector (go test -race) can flag unsynchronised access.
 func TestCacheStoreConcurrency(t *testing.T) {
 	cs := NewCacheStore[int](64)
 	const goroutines = 16
 	const iterations = 200
 	var wg sync.WaitGroup
 	wg.Add(goroutines)
 	for g := range goroutines {
 		go func(g int) {
 			defer wg.Done()
 			for i := range iterations {
 				key := strconv.Itoa((g*iterations + i) % 32)
 				switch i % 6 {
 				case 0:
 					cs.Set(key, i, time.Minute)
 				case 1:
 					cs.Get(key)
 				case 2:
 					cs.Update(key, i, time.Minute)
 				case 3:
 					cs.Delete(key)
 				case 4:
 					cs.Size()
 				case 5:
 					cs.WithLock(func(actions CacheStoreActions[int]) {
 						if v, ok := actions.Get(key); ok {
 							actions.Set(key, v+1, time.Minute)
 						}
 					})
 				}
 			}
 		}(g)
 	}
 	wg.Wait()
 }
@@ -8,7 +8,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@@ -22,40 +21,36 @@ type DockerService struct {
 	isConnected bool
 }
-type DockerServiceInput struct {
+func NewDockerService(
-	dig.In
+	log *logger.Logger,
-
+	ctx context.Context,
-	Log  *logger.Logger
+	dg *ding.Ding,
-	Ctx  context.Context
+) (*DockerService, error) {
 	Ding *ding.Ding
 }
 func NewDockerService(i DockerServiceInput) (*DockerService, error) {
 	client, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		return nil, err
 	}
-	client.NegotiateAPIVersion(i.Ctx)
+	client.NegotiateAPIVersion(ctx)
-	_, err = client.Ping(i.Ctx)
+	_, err = client.Ping(ctx)
 	if err != nil {
-		i.Log.App.Debug().Err(err).Msg("Docker not connected")
+		log.App.Debug().Err(err).Msg("Docker not connected")
 		return nil, nil
 	}
 	service := &DockerService{
-		log:     i.Log,
+		log:     log,
 		client:  client,
-		context: i.Ctx,
+		context: ctx,
 	}
 	service.isConnected = true
 	service.log.App.Debug().Msg("Docker connected successfully")
-	i.Ding.Go(service.watchAndClose, ding.RingMajor)
+	dg.Go(service.watchAndClose, ding.RingMajor)
 	return service, nil
 }
@@ -12,7 +12,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -49,15 +48,11 @@ type KubernetesService struct {
 	appNameIndex map[string]ingressAppKey
 }
-type KubernetesServiceInput struct {
+func NewKubernetesService(
-	dig.In
+	log *logger.Logger,
-
+	ctx context.Context,
-	Log  *logger.Logger
+	dg *ding.Ding,
-	Ctx  context.Context
+) (*KubernetesService, error) {
 	Ding *ding.Ding
 }
 func NewKubernetesService(i KubernetesServiceInput) (*KubernetesService, error) {
 	cfg, err := rest.InClusterConfig()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get in-cluster kubernetes config: %w", err)
@@ -74,31 +69,31 @@ func NewKubernetesService(i KubernetesServiceInput) (*KubernetesService, error)
 		Resource: "ingresses",
 	}
-	accessCtx, accessCancel := context.WithTimeout(i.Ctx, 5*time.Second)
+	accessCtx, accessCancel := context.WithTimeout(ctx, 5*time.Second)
 	defer accessCancel()
 	_, err = client.Resource(gvr).List(accessCtx, metav1.ListOptions{Limit: 1})
 	if err != nil {
-		i.Log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
+		log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
 		return nil, fmt.Errorf("failed to access ingress api: %w", err)
 	}
-	i.Log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
+	log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
 	service := &KubernetesService{
-		log:          i.Log,
+		log:          log,
 		client:       client,
 		ingressApps:  make(map[ingressKey][]ingressApp),
 		domainIndex:  make(map[string]ingressAppKey),
 		appNameIndex: make(map[string]ingressAppKey),
 	}
-	i.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		service.watchGVR(gvr, ctx)
 	}, ding.RingMajor)
 	service.started = true
-	i.Log.App.Debug().Msg("Kubernetes label provider started successfully")
+	log.App.Debug().Msg("Kubernetes label provider started successfully")
 	return service, nil
 }
@@ -11,50 +11,41 @@ import (
 	ldapgo "github.com/go-ldap/ldap/v3"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 )
 type LdapService struct {
 	log    *logger.Logger
-	config *model.Config
+	config model.Config
-	conn   *ldapgo.Conn
+	conn  *ldapgo.Conn
-	mutex  sync.RWMutex
+	mutex sync.RWMutex
-	cert   *tls.Certificate
+	cert  *tls.Certificate
 	bindPw string
 }
-type LdapServiceInput struct {
+func NewLdapService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log    *logger.Logger
+	dg *ding.Ding,
-	Config *model.Config
+) (*LdapService, error) {
-	Ding   *ding.Ding
+	if config.LDAP.Address == "" {
 }
 func NewLdapService(i LdapServiceInput) (*LdapService, error) {
 	if i.Config.LDAP.Address == "" {
 		return nil, nil
 	}
 	ldap := &LdapService{
-		log:    i.Log,
+		log:    log,
-		config: i.Config,
+		config: config,
 	}
 	ldap.bindPw = utils.GetSecret(i.Config.LDAP.BindPassword, i.Config.LDAP.BindPasswordFile)
 	// Check whether authentication with client certificate is possible
-	if i.Config.LDAP.AuthCert != "" && i.Config.LDAP.AuthKey != "" {
+	if config.LDAP.AuthCert != "" && config.LDAP.AuthKey != "" {
-		cert, err := tls.LoadX509KeyPair(i.Config.LDAP.AuthCert, i.Config.LDAP.AuthKey)
+		cert, err := tls.LoadX509KeyPair(config.LDAP.AuthCert, config.LDAP.AuthKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize LDAP with mTLS authentication: %w", err)
 		}
-		i.Log.App.Info().Msg("LDAP mTLS authentication configured successfully")
+		log.App.Info().Msg("LDAP mTLS authentication configured successfully")
 		ldap.cert = &cert
@@ -76,7 +67,7 @@ func NewLdapService(i LdapServiceInput) (*LdapService, error) {
 		return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
 	}
-	i.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		ldap.log.App.Debug().Msg("Starting LDAP connection heartbeat routine")
 		ticker := time.NewTicker(5 * time.Minute)
@@ -169,26 +160,6 @@ func (ldap *LdapService) GetUserInfo(username string) (dn string, email string,
 	return entry.DN, entry.GetAttributeValue("mail"), nil
 }
 func (ldap *LdapService) GetUserCount() (int, error) {
 	searchRequest := ldapgo.NewSearchRequest(
 		ldap.config.LDAP.BaseDN,
 		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
 		"(objectClass=person)",
 		[]string{"dn"},
 		nil,
 	)
 	ldap.mutex.Lock()
 	defer ldap.mutex.Unlock()
 	searchResult, err := ldap.conn.Search(searchRequest)
 	if err != nil {
 		return 0, err
 	}
 	return len(searchResult.Entries), nil
 }
 func (ldap *LdapService) GetUserGroups(userDN string) ([]string, error) {
 	escapedUserDN := ldapgo.EscapeFilter(userDN)
@@ -241,7 +212,7 @@ func (ldap *LdapService) BindService(rebind bool) error {
 	if ldap.cert != nil {
 		return ldap.conn.ExternalBind()
 	}
-	return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.bindPw)
+	return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.config.LDAP.BindPassword)
 }
 func (ldap *LdapService) Bind(userDN string, password string) error {
@@ -5,7 +5,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"slices"
@@ -33,27 +32,23 @@ var presets = map[string]func(config model.OAuthServiceConfig, ctx context.Conte
 	"google": newGoogleOAuthService,
 }
-type OAuthBrokerServiceInput struct {
+func NewOAuthBrokerService(
-	dig.In
+	log *logger.Logger,
-
+	configs map[string]model.OAuthServiceConfig,
-	Log     *logger.Logger
+	ctx context.Context,
-	Runtime *model.RuntimeConfig
+) *OAuthBrokerService {
 	Ctx     context.Context
 }
 func NewOAuthBrokerService(i OAuthBrokerServiceInput) *OAuthBrokerService {
 	service := &OAuthBrokerService{
-		log:      i.Log,
+		log:      log,
 		services: make(map[string]OAuthServiceImpl),
-		configs:  i.Runtime.OAuthProviders,
+		configs:  configs,
 	}
-	for name, cfg := range service.configs {
+	for name, cfg := range configs {
 		if presetFunc, exists := presets[name]; exists {
-			service.services[name] = presetFunc(cfg, i.Ctx)
+			service.services[name] = presetFunc(cfg, ctx)
 			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from preset")
 		} else {
-			service.services[name] = NewOAuthService(cfg, name, i.Ctx)
+			service.services[name] = NewOAuthService(cfg, name, ctx)
 			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from custom config")
 		}
 	}
@@ -17,7 +17,7 @@ type GithubEmailResponse []struct {
 	Verified bool   `json:"verified"`
 }
-type GithubUserinfoResponse struct {
+type GithubUserInfoResponse struct {
 	Login string `json:"login"`
 	Name  string `json:"name"`
 	ID    int    `json:"id"`
@@ -30,7 +30,7 @@ func defaultExtractor(client *http.Client, url string) (*model.Claims, error) {
 func githubExtractor(client *http.Client, _ string) (*model.Claims, error) {
 	var user model.Claims
-	userInfo, err := simpleReq[GithubUserinfoResponse](client, "https://api.github.com/user", map[string]string{
+	userInfo, err := simpleReq[GithubUserInfoResponse](client, "https://api.github.com/user", map[string]string{
 		"accept": "application/vnd.github+json",
 	})
 	if err != nil {
@@ -10,13 +10,13 @@ import (
 	"golang.org/x/oauth2"
 )
-type OAuthUserinfoExtractor func(client *http.Client, url string) (*model.Claims, error)
+type UserinfoExtractor func(client *http.Client, url string) (*model.Claims, error)
 type OAuthService struct {
 	serviceCfg        model.OAuthServiceConfig
 	config            *oauth2.Config
 	ctx               context.Context
-	userinfoExtractor OAuthUserinfoExtractor
+	userinfoExtractor UserinfoExtractor
 	id                string
 }
@@ -50,7 +50,7 @@ func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Con
 	}
 }
-func (s *OAuthService) WithUserinfoExtractor(extractor OAuthUserinfoExtractor) *OAuthService {
+func (s *OAuthService) WithUserinfoExtractor(extractor UserinfoExtractor) *OAuthService {
 	s.userinfoExtractor = extractor
 	return s
 }
@@ -14,20 +14,18 @@ import (
 	"fmt"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"slices"
 	"github.com/gin-gonic/gin"
 	"github.com/go-jose/go-jose/v4"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 )
 var (
@@ -44,10 +42,6 @@ var (
 	ErrInvalidClient = errors.New("invalid_client")
 )
 // This is not spec-compliant, the ID token SHOULD NOT contain user info claims but,
 // it has became a "standard" and apps are looking for the claims in the ID tokens
 // instead of calling the userinfo endpoint, so we include them in the ID token as well
 // for better compatibility with existing apps
 type ClaimSet struct {
 	Iss               string   `json:"iss"`
 	Aud               string   `json:"aud"`
@@ -73,8 +67,6 @@ type ClaimSet struct {
 	Nonce             string   `json:"nonce,omitempty"`
 }
 // We use this struct as both a response struct and a struct to store userinfo
 // in the database
 type UserinfoResponse struct {
 	Sub                 string              `json:"sub"`
 	Name                string              `json:"name,omitempty"`
@@ -109,66 +101,41 @@ type TokenResponse struct {
 }
 type AuthorizeRequest struct {
-	Scope               string `form:"scope" json:"scope" url:"scope"`
+	Scope               string `json:"scope" binding:"required"`
-	ResponseType        string `form:"response_type" json:"response_type" url:"response_type"`
+	ResponseType        string `json:"response_type" binding:"required"`
-	ClientID            string `form:"client_id" json:"client_id" url:"client_id"`
+	ClientID            string `json:"client_id" binding:"required"`
-	RedirectURI         string `form:"redirect_uri" json:"redirect_uri" url:"redirect_uri"`
+	RedirectURI         string `json:"redirect_uri" binding:"required"`
-	State               string `form:"state" json:"state" url:"state"`
+	State               string `json:"state"`
-	Nonce               string `form:"nonce" json:"nonce" url:"nonce"`
+	Nonce               string `json:"nonce"`
-	CodeChallenge       string `form:"code_challenge" json:"code_challenge" url:"code_challenge"`
+	CodeChallenge       string `json:"code_challenge"`
-	CodeChallengeMethod string `form:"code_challenge_method" json:"code_challenge_method" url:"code_challenge_method"`
+	CodeChallengeMethod string `json:"code_challenge_method"`
 }
 type AuthorizeCodeEntry struct {
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	Nonce         string
 	CodeChallenge string
 	Userinfo      UserinfoResponse
 }
 type UsedCodeEntry struct {
 	Sub string
 }
 type OIDCService struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 	queries repository.Store
 	clients    map[string]model.OIDCClientConfig
 	privateKey *rsa.PrivateKey
 	publicKey  *rsa.PublicKey
 	issuer     string
 	caches struct {
 		code      *CacheStore[AuthorizeCodeEntry]
 		usedCode  *CacheStore[UsedCodeEntry]
 		authorize *CacheStore[AuthorizeRequest]
 	}
 }
-type OIDCServiceInput struct {
+func NewOIDCService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log     *logger.Logger
+	runtime model.RuntimeConfig,
-	Config  *model.Config
+	queries repository.Store,
-	Runtime *model.RuntimeConfig
+	dg *ding.Ding) (*OIDCService, error) {
 	Queries repository.Store
 	Ding    *ding.Ding
 }
 func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	// If not configured, skip init
-	if len(i.Config.OIDC.Clients) == 0 {
+	if len(runtime.OIDCClients) == 0 {
 		return nil, nil
 	}
 	// Ensure issuer is https
-	uissuer, err := url.Parse(i.Runtime.AppURL)
+	uissuer, err := url.Parse(runtime.AppURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse app url: %w", err)
@@ -181,14 +148,14 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	issuer := fmt.Sprintf("%s://%s", uissuer.Scheme, uissuer.Host)
 	// Create/load private and public keys
-	if strings.TrimSpace(i.Config.OIDC.PrivateKeyPath) == "" ||
+	if strings.TrimSpace(config.OIDC.PrivateKeyPath) == "" ||
-		strings.TrimSpace(i.Config.OIDC.PublicKeyPath) == "" {
+		strings.TrimSpace(config.OIDC.PublicKeyPath) == "" {
 		return nil, errors.New("private key path and public key path are required")
 	}
 	var privateKey *rsa.PrivateKey
-	fprivateKey, err := os.ReadFile(i.Config.OIDC.PrivateKeyPath)
+	fprivateKey, err := os.ReadFile(config.OIDC.PrivateKeyPath)
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, err
@@ -207,12 +174,8 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 			Type:  "RSA PRIVATE KEY",
 			Bytes: der,
 		})
-		i.Log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
+		log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
-		err := os.MkdirAll(filepath.Dir(i.Config.OIDC.PrivateKeyPath), 0700)
+		err = os.WriteFile(config.OIDC.PrivateKeyPath, encoded, 0600)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create directory for private key: %w", err)
 		}
 		err = os.WriteFile(i.Config.OIDC.PrivateKeyPath, encoded, 0600)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write private key to file: %w", err)
 		}
@@ -221,7 +184,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 		if block == nil {
 			return nil, errors.New("failed to decode private key")
 		}
-		i.Log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
+		log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
 		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse private key: %w", err)
@@ -230,7 +193,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	var publicKey crypto.PublicKey
-	fpublicKey, err := os.ReadFile(i.Config.OIDC.PublicKeyPath)
+	fpublicKey, err := os.ReadFile(config.OIDC.PublicKeyPath)
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, fmt.Errorf("failed to read public key: %w", err)
@@ -246,12 +209,8 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 			Type:  "RSA PUBLIC KEY",
 			Bytes: der,
 		})
-		i.Log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
+		log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
-		err := os.MkdirAll(filepath.Dir(i.Config.OIDC.PublicKeyPath), 0700)
+		err = os.WriteFile(config.OIDC.PublicKeyPath, encoded, 0644)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create directory for public key: %w", err)
 		}
 		err = os.WriteFile(i.Config.OIDC.PublicKeyPath, encoded, 0644)
 		if err != nil {
 			return nil, err
 		}
@@ -260,7 +219,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 		if block == nil {
 			return nil, errors.New("failed to decode public key")
 		}
-		i.Log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
+		log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
 		switch block.Type {
 		case "RSA PUBLIC KEY":
 			publicKey, err = x509.ParsePKCS1PublicKey(block.Bytes)
@@ -290,7 +249,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	// We will reorganize the client into a map with the client ID as the key
 	clients := make(map[string]model.OIDCClientConfig)
-	for id, client := range i.Config.OIDC.Clients {
+	for id, client := range config.OIDC.Clients {
 		client.ID = id
 		if client.Name == "" {
 			client.Name = utils.Capitalize(client.ID)
@@ -306,15 +265,15 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 		}
 		client.ClientSecretFile = ""
 		clients[id] = client
-		i.Log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
+		log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
 	}
 	// Initialize the service
 	service := &OIDCService{
-		log:     i.Log,
+		log:     log,
-		config:  i.Config,
+		config:  config,
-		runtime: i.Runtime,
+		runtime: runtime,
-		queries: i.Queries,
+		queries: queries,
 		clients:    clients,
 		privateKey: privateKey,
@@ -323,33 +282,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	}
 	// Start cleanup routine
-	i.Ding.Go(service.cleanupRoutine, ding.RingMinor)
+	dg.Go(service.cleanupRoutine, ding.RingMinor)
 	// Create caches
 	codeCash := NewCacheStore[AuthorizeCodeEntry](256)
 	usedCode := NewCacheStore[UsedCodeEntry](256)
 	authorize := NewCacheStore[AuthorizeRequest](256)
 	service.caches.code = codeCash
 	service.caches.usedCode = usedCode
 	service.caches.authorize = authorize
 	// Start cache cleanup routine
 	i.Ding.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 		for {
 			select {
 			case <-ticker.C:
 				service.caches.code.Sweep()
 				service.caches.usedCode.Sweep()
 				service.caches.authorize.Sweep()
 			case <-ctx.Done():
 				return
 			}
 		}
 	}, ding.RingMinor)
 	return service, nil
 }
@@ -412,17 +345,19 @@ func (service *OIDCService) filterScopes(scopes []string) []string {
 	})
 }
-func (service *OIDCService) CreateCode(req AuthorizeRequest, userContext model.UserContext) string {
+func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, req AuthorizeRequest) error {
-	code := utils.GenerateString(32)
+	// Fixed 10 minutes
-	sub := service.CreateSub(userContext, req.ClientID)
+	expiresAt := time.Now().Add(time.Minute * time.Duration(10)).Unix()
-	entry := AuthorizeCodeEntry{
+	entry := repository.CreateOidcCodeParams{
-		CodeHash:    service.Hash(code),
+		Sub:      sub,
-		Scope:       strings.Join(service.filterScopes(strings.Split(req.Scope, " ")), " "),
+		CodeHash: service.Hash(code),
 		// Here it's safe to split and trust the output since, we validated the scopes before
 		Scope:       strings.Join(service.filterScopes(strings.Split(req.Scope, " ")), ","),
 		RedirectURI: req.RedirectURI,
 		ClientID:    req.ClientID,
 		ExpiresAt:   expiresAt,
 		Nonce:       req.Nonce,
 		Userinfo:    service.userinfoFromContext(userContext, sub),
 	}
 	if req.CodeChallenge != "" {
@@ -434,14 +369,14 @@ func (service *OIDCService) CreateCode(req AuthorizeRequest, userContext model.U
 		}
 	}
-	// Store the code in the cache
+	// Insert the code into the database
-	service.caches.code.Set(entry.CodeHash, entry, 1*time.Minute)
+	_, err := service.queries.CreateOidcCode(c, entry)
-	return code
+	return err
 }
-func (service *OIDCService) userinfoFromContext(userContext model.UserContext, sub string) UserinfoResponse {
+func (service *OIDCService) StoreUserinfo(c *gin.Context, sub string, userContext model.UserContext, req AuthorizeRequest) error {
-	userInfo := UserinfoResponse{
+	userInfoParams := repository.CreateOidcUserInfoParams{
 		Sub:               sub,
 		Name:              userContext.GetName(),
 		Email:             userContext.GetEmail(),
@@ -450,31 +385,37 @@ func (service *OIDCService) userinfoFromContext(userContext model.UserContext, s
 	}
 	if userContext.IsLocal() {
-		userInfo.GivenName = userContext.Local.Attributes.GivenName
+		addressJSON, err := json.Marshal(userContext.Local.Attributes.Address)
-		userInfo.FamilyName = userContext.Local.Attributes.FamilyName
+		if err != nil {
-		userInfo.MiddleName = userContext.Local.Attributes.MiddleName
+			return err
-		userInfo.Nickname = userContext.Local.Attributes.Nickname
+		}
-		userInfo.Profile = userContext.Local.Attributes.Profile
+		userInfoParams.GivenName = userContext.Local.Attributes.GivenName
-		userInfo.Picture = userContext.Local.Attributes.Picture
+		userInfoParams.FamilyName = userContext.Local.Attributes.FamilyName
-		userInfo.Website = userContext.Local.Attributes.Website
+		userInfoParams.MiddleName = userContext.Local.Attributes.MiddleName
-		userInfo.Gender = userContext.Local.Attributes.Gender
+		userInfoParams.Nickname = userContext.Local.Attributes.Nickname
-		userInfo.Birthdate = userContext.Local.Attributes.Birthdate
+		userInfoParams.Profile = userContext.Local.Attributes.Profile
-		userInfo.Zoneinfo = userContext.Local.Attributes.Zoneinfo
+		userInfoParams.Picture = userContext.Local.Attributes.Picture
-		userInfo.Locale = userContext.Local.Attributes.Locale
+		userInfoParams.Website = userContext.Local.Attributes.Website
-		userInfo.PhoneNumber = userContext.Local.Attributes.PhoneNumber
+		userInfoParams.Gender = userContext.Local.Attributes.Gender
-		userInfo.Address = &userContext.Local.Attributes.Address
+		userInfoParams.Birthdate = userContext.Local.Attributes.Birthdate
 		userInfoParams.Zoneinfo = userContext.Local.Attributes.Zoneinfo
 		userInfoParams.Locale = userContext.Local.Attributes.Locale
 		userInfoParams.PhoneNumber = userContext.Local.Attributes.PhoneNumber
 		userInfoParams.Address = string(addressJSON)
 	}
 	// Tinyauth will pass through the groups it got from an LDAP or an OIDC server
 	if userContext.IsLDAP() {
-		userInfo.Groups = userContext.LDAP.Groups
+		userInfoParams.Groups = strings.Join(userContext.LDAP.Groups, ",")
 	}
 	if userContext.IsOAuth() {
-		userInfo.Groups = userContext.OAuth.Groups
+		userInfoParams.Groups = strings.Join(userContext.OAuth.Groups, ",")
 	}
-	return userInfo
+	_, err := service.queries.CreateOidcUserInfo(c, userInfoParams)
 	return err
 }
 func (service *OIDCService) ValidateGrantType(grantType string) error {
@@ -485,34 +426,36 @@ func (service *OIDCService) ValidateGrantType(grantType string) error {
 	return nil
 }
-func (service *OIDCService) GetCodeEntry(codeHash string, clientId string) (*AuthorizeCodeEntry, bool) {
+func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, clientId string) (repository.OidcCode, error) {
-	var entry AuthorizeCodeEntry
+	oidcCode, err := service.queries.GetOidcCode(c, codeHash)
 	var ok bool
-	service.caches.code.WithLock(func(actions CacheStoreActions[AuthorizeCodeEntry]) {
+	if err != nil {
-		entry, ok = actions.Get(codeHash)
+		if errors.Is(err, repository.ErrNotFound) {
-
+			return repository.OidcCode{}, ErrCodeNotFound
 		if !ok {
 			return
 		}
-
+		return repository.OidcCode{}, err
 		if entry.ClientID != clientId {
 			ok = false
 			return
 		}
 		// Since the code can only be used once, we delete it from the cache after retrieving it
 		actions.Delete(codeHash)
 	})
 	if !ok {
 		return nil, false
 	}
-	return &entry, true
+	if time.Now().Unix() > oidcCode.ExpiresAt {
 		err = service.queries.DeleteOidcCode(c, codeHash)
 		if err != nil {
 			return repository.OidcCode{}, err
 		}
 		err = service.DeleteUserinfo(c, oidcCode.Sub)
 		if err != nil {
 			return repository.OidcCode{}, err
 		}
 		return repository.OidcCode{}, ErrCodeExpired
 	}
 	if oidcCode.ClientID != clientId {
 		return repository.OidcCode{}, ErrInvalidClient
 	}
 	return oidcCode, nil
 }
-func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user UserinfoResponse, scope string, nonce string) (string, error) {
+func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string) (string, error) {
 	createdAt := time.Now().Unix()
 	expiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry) * time.Second).Unix()
@@ -578,11 +521,17 @@ func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user
 	return token, nil
 }
-func (service *OIDCService) GenerateAccessToken(ctx context.Context, client model.OIDCClientConfig, codeEntry AuthorizeCodeEntry) (*TokenResponse, error) {
+func (service *OIDCService) GenerateAccessToken(c *gin.Context, client model.OIDCClientConfig, codeEntry repository.OidcCode) (TokenResponse, error) {
-	idToken, err := service.generateIDToken(client, codeEntry.Userinfo, codeEntry.Scope, codeEntry.Nonce)
+	user, err := service.GetUserinfo(c, codeEntry.Sub)
 	if err != nil {
-		return nil, err
+		return TokenResponse{}, err
 	}
 	idToken, err := service.generateIDToken(client, user, codeEntry.Scope, codeEntry.Nonce)
 	if err != nil {
 		return TokenResponse{}, err
 	}
 	accessToken := utils.GenerateString(32)
@@ -602,68 +551,56 @@ func (service *OIDCService) GenerateAccessToken(ctx context.Context, client mode
 		Scope:        strings.ReplaceAll(codeEntry.Scope, ",", " "),
 	}
-	var userInfoJson []byte
+	_, err = service.queries.CreateOidcToken(c, repository.CreateOidcTokenParams{
-
+		Sub:                   codeEntry.Sub,
 	userInfoJson, err = json.Marshal(codeEntry.Userinfo)
 	if err != nil {
 		return nil, err
 	}
 	_, err = service.queries.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 		Sub:                   codeEntry.Userinfo.Sub,
 		AccessTokenHash:       service.Hash(accessToken),
 		RefreshTokenHash:      service.Hash(refreshToken),
 		Scope:                 codeEntry.Scope,
 		ClientID:              client.ClientID,
 		Scope:                 codeEntry.Scope,
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refreshTokenExpiresAt,
 		Nonce:                 codeEntry.Nonce,
-		UserinfoJson:          string(userInfoJson),
+		CodeHash:              codeEntry.CodeHash,
 	})
 	if err != nil {
-		return nil, err
+		return TokenResponse{}, err
 	}
-	return &tokenResponse, nil
+	return tokenResponse, nil
 }
-func (service *OIDCService) RefreshAccessToken(ctx context.Context, refreshToken string, clientId string) (*TokenResponse, error) {
+func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken string, reqClientId string) (TokenResponse, error) {
-	entry, err := service.queries.GetOIDCSessionByRefreshTokenHash(ctx, service.Hash(refreshToken))
+	entry, err := service.queries.GetOidcTokenByRefreshToken(c, service.Hash(refreshToken))
 	if err != nil {
 		if errors.Is(err, repository.ErrNotFound) {
-			return nil, ErrTokenNotFound
+			return TokenResponse{}, ErrTokenNotFound
 		}
-		return nil, err
+		return TokenResponse{}, err
 	}
 	if entry.RefreshTokenExpiresAt < time.Now().Unix() {
-		return nil, ErrTokenExpired
+		return TokenResponse{}, ErrTokenExpired
 	}
 	// Ensure the client ID in the request matches the client ID in the token
-	if entry.ClientID != clientId {
+	if entry.ClientID != reqClientId {
-		return nil, ErrInvalidClient
+		return TokenResponse{}, ErrInvalidClient
 	}
-	// we need to unmarshal the userinfo from the database to include it in the new ID token,
+	user, err := service.GetUserinfo(c, entry.Sub)
 	// since the ID token includes user claims for better compatibility with existing apps
 	var userInfo UserinfoResponse
 	err = json.Unmarshal([]byte(entry.UserinfoJson), &userInfo)
 	if err != nil {
-		return nil, err
+		return TokenResponse{}, err
 	}
 	idToken, err := service.generateIDToken(model.OIDCClientConfig{
 		ClientID: entry.ClientID,
-	}, userInfo, entry.Scope, entry.Nonce)
+	}, user, entry.Scope, entry.Nonce)
 	if err != nil {
-		return nil, err
+		return TokenResponse{}, err
 	}
 	accessToken := utils.GenerateString(32)
@@ -681,54 +618,71 @@ func (service *OIDCService) RefreshAccessToken(ctx context.Context, refreshToken
 		Scope:        strings.ReplaceAll(entry.Scope, ",", " "),
 	}
-	_, err = service.queries.UpdateOIDCSession(ctx, repository.UpdateOIDCSessionParams{
+	_, err = service.queries.UpdateOidcTokenByRefreshToken(c, repository.UpdateOidcTokenByRefreshTokenParams{
 		Sub:                   entry.Sub,
 		AccessTokenHash:       service.Hash(accessToken),
 		RefreshTokenHash:      service.Hash(newRefreshToken),
 		Scope:                 entry.Scope,
 		ClientID:              entry.ClientID,
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refreshTokenExpiresAt,
-		Nonce:                 entry.Nonce,
+		RefreshTokenHash_2:    service.Hash(refreshToken), // that's the selector, it's not stored in the db
 		UserinfoJson:          entry.UserinfoJson,
 	})
 	if err != nil {
-		return nil, err
+		return TokenResponse{}, err
 	}
-	return &tokenResponse, nil
+	return tokenResponse, nil
 }
-func (service *OIDCService) GetSessionByToken(ctx context.Context, tokenHash string) (*repository.OidcSession, error) {
+func (service *OIDCService) DeleteCodeEntry(c *gin.Context, codeHash string) error {
-	entry, err := service.queries.GetOIDCSessionByAccessTokenHash(ctx, tokenHash)
+	return service.queries.DeleteOidcCode(c, codeHash)
 }
 func (service *OIDCService) DeleteUserinfo(c *gin.Context, sub string) error {
 	return service.queries.DeleteOidcUserInfo(c, sub)
 }
 func (service *OIDCService) DeleteToken(c *gin.Context, tokenHash string) error {
 	return service.queries.DeleteOidcToken(c, tokenHash)
 }
 func (service *OIDCService) DeleteTokenByCodeHash(c *gin.Context, codeHash string) error {
 	return service.queries.DeleteOidcTokenByCodeHash(c, codeHash)
 }
 func (service *OIDCService) GetAccessToken(c *gin.Context, tokenHash string) (repository.OidcToken, error) {
 	entry, err := service.queries.GetOidcToken(c, tokenHash)
 	if err != nil {
 		if errors.Is(err, repository.ErrNotFound) {
-			return nil, ErrTokenNotFound
+			return repository.OidcToken{}, ErrTokenNotFound
 		}
-		return nil, err
+		return repository.OidcToken{}, err
 	}
 	if entry.TokenExpiresAt < time.Now().Unix() {
-		// If refresh token is expired, delete the session
+		// If refresh token is expired, delete the token and userinfo since there is no way for the client to access anything anymore
 		// since there is no way for the client to access anything anymore
 		if entry.RefreshTokenExpiresAt < time.Now().Unix() {
-			// Deletes by sub
+			err := service.DeleteToken(c, tokenHash)
 			err := service.queries.DeleteOIDCSessionBySub(ctx, entry.Sub)
 			if err != nil {
-				return nil, err
+				return repository.OidcToken{}, err
 			}
 			err = service.DeleteUserinfo(c, entry.Sub)
 			if err != nil {
 				return repository.OidcToken{}, err
 			}
 			return nil, ErrTokenExpired
 		}
-		return nil, ErrTokenExpired
+		return repository.OidcToken{}, ErrTokenExpired
 	}
-	return &entry, nil
+	return entry, nil
 }
-func (service *OIDCService) CompileUserinfo(user UserinfoResponse, scope string) UserinfoResponse {
+func (service *OIDCService) GetUserinfo(c *gin.Context, sub string) (repository.OidcUserinfo, error) {
-	scopes := strings.Split(scope, " ")
+	return service.queries.GetOidcUserInfo(c, sub)
 }
 func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope string) UserinfoResponse {
 	scopes := strings.Split(scope, ",") // split by comma since it's a db entry
 	userInfo := UserinfoResponse{
 		Sub:       user.Sub,
 		UpdatedAt: user.UpdatedAt,
@@ -756,7 +710,11 @@ func (service *OIDCService) CompileUserinfo(user UserinfoResponse, scope string)
 	}
 	if slices.Contains(scopes, "groups") {
-		userInfo.Groups = user.Groups
+		if user.Groups != "" {
 			userInfo.Groups = strings.Split(user.Groups, ",")
 		} else {
 			userInfo.Groups = []string{}
 		}
 	}
 	if slices.Contains(scopes, "phone") {
@@ -766,7 +724,10 @@ func (service *OIDCService) CompileUserinfo(user UserinfoResponse, scope string)
 	}
 	if slices.Contains(scopes, "address") {
-		userInfo.Address = user.Address
+		var addr model.AddressClaim
 		if err := json.Unmarshal([]byte(user.Address), &addr); err == nil {
 			userInfo.Address = &addr
 		}
 	}
 	return userInfo
@@ -779,16 +740,25 @@ func (service *OIDCService) Hash(token string) string {
 }
 func (service *OIDCService) DeleteOldSession(ctx context.Context, sub string) error {
-	err := service.queries.DeleteOIDCSessionBySub(ctx, sub)
+	err := service.queries.DeleteOidcCodeBySub(ctx, sub)
 	if err != nil && !errors.Is(err, repository.ErrNotFound) {
 		return err
 	}
 	err = service.queries.DeleteOidcTokenBySub(ctx, sub)
 	if err != nil && !errors.Is(err, repository.ErrNotFound) {
 		return err
 	}
 	err = service.queries.DeleteOidcUserInfo(ctx, sub)
 	if err != nil && !errors.Is(err, repository.ErrNotFound) {
 		return err
 	}
 	return nil
 }
 // Cleanup routine - Resource heavy due to the linked tables
 func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 	service.log.App.Debug().Msg("Starting OIDC cleanup routine")
-	ticker := time.NewTicker(30 * time.Minute)
+	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
 	for {
@@ -798,14 +768,46 @@ func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 			currentTime := time.Now().Unix()
-			// Limitation of sqlc, meaning we need to specify a timestamp for both token and refresh token expiry
+			// For the OIDC tokens, if they are expired we delete the userinfo and codes
-			err := service.queries.DeleteExpiredOIDCSessions(ctx, repository.DeleteExpiredOIDCSessionsParams{
+			expiredTokens, err := service.queries.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
 				TokenExpiresAt:        currentTime,
 				RefreshTokenExpiresAt: currentTime,
 			})
 			if err != nil {
-				service.log.App.Warn().Err(err).Msg("Failed to delete expired OIDC sessions")
+				service.log.App.Warn().Err(err).Msg("Failed to delete expired tokens")
 			}
 			for _, expiredToken := range expiredTokens {
 				err := service.DeleteOldSession(ctx, expiredToken.Sub)
 				if err != nil {
 					service.log.App.Warn().Err(err).Msg("Failed to delete session for expired token")
 				}
 			}
 			// For expired codes, we need to get the sub, check if tokens are expired and if they are remove everything
 			expiredCodes, err := service.queries.DeleteExpiredOidcCodes(ctx, currentTime)
 			if err != nil {
 				service.log.App.Warn().Err(err).Msg("Failed to delete expired codes")
 			}
 			for _, expiredCode := range expiredCodes {
 				token, err := service.queries.GetOidcTokenBySub(ctx, expiredCode.Sub)
 				if err != nil {
 					if !errors.Is(err, repository.ErrNotFound) {
 						service.log.App.Warn().Err(err).Msg("Failed to get token by sub for expired code")
 					}
 					continue
 				}
 				if token.TokenExpiresAt < currentTime && token.RefreshTokenExpiresAt < currentTime {
 					err := service.DeleteOldSession(ctx, expiredCode.Sub)
 					if err != nil {
 						service.log.App.Warn().Err(err).Msg("Failed to delete session for expired code")
 					}
 				}
 			}
 			service.log.App.Debug().Msg("Finished OIDC cleanup routine")
@@ -849,85 +851,3 @@ func (service *OIDCService) hashAndEncodePKCE(codeVerifier string) string {
 	hasher.Write([]byte(codeVerifier))
 	return base64.RawURLEncoding.EncodeToString(hasher.Sum(nil))
 }
 // WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes.
 // We will just create a uuid out of the username and client name which remains stable,
 // but if username or client name changes then sub changes too.
 func (service *OIDCService) CreateSub(userContext model.UserContext, clientId string) string {
 	return utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.GetUsername(), clientId))
 }
 func (service *OIDCService) IsCodeUsed(codeHash string) (string, bool) {
 	entry, ok := service.caches.usedCode.Get(codeHash)
 	if !ok {
 		return "", false
 	}
 	return entry.Sub, true
 }
 func (service *OIDCService) MarkCodeAsUsed(codeHash string, sub string) {
 	entry := UsedCodeEntry{
 		Sub: sub,
 	}
 	service.caches.usedCode.Set(codeHash, entry, 2*time.Minute)
 }
 func (service *OIDCService) DeleteSessionBySub(ctx context.Context, sub string) error {
 	return service.queries.DeleteOIDCSessionBySub(ctx, sub)
 }
 func (service *OIDCService) CreateAuthorizeRequestTicket(req AuthorizeRequest) string {
 	ticket := utils.GenerateString(32)
 	service.caches.authorize.Set(ticket, req, 10*time.Minute)
 	return ticket
 }
 func (service *OIDCService) GetAuthorizeRequestByTicket(ticket string) (*AuthorizeRequest, bool) {
 	entry, ok := service.caches.authorize.Get(ticket)
 	if !ok {
 		return nil, false
 	}
 	return &entry, true
 }
 func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
 	service.caches.authorize.Delete(ticket)
 }
 // TODO: support signed request objects in the future
 func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
 	var claims jwt.MapClaims
 	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &claims)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
 	}
 	alg, ok := token.Header["alg"].(string)
 	if !ok || alg != "none" || string(token.Signature) != "" {
 		return nil, fmt.Errorf("only unsigned jwts are supported for authorize requests")
 	}
 	get := func(k string) string {
 		v, _ := claims[k].(string)
 		return v
 	}
 	return &AuthorizeRequest{
 		Scope:               get("scope"),
 		ResponseType:        get("response_type"),
 		ClientID:            get("client_id"),
 		RedirectURI:         get("redirect_uri"),
 		State:               get("state"),
 		Nonce:               get("nonce"),
 		CodeChallenge:       get("code_challenge"),
 		CodeChallengeMethod: get("code_challenge_method"),
 	}, nil
 }
@@ -1,7 +1,8 @@
-package service
+package service_test
 import (
 	"context"
 	"encoding/json"
 	"testing"
 	"github.com/steveiliop56/ding"
@@ -9,17 +10,28 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
-func newTestUser() UserinfoResponse {
+func newTestUser() repository.OidcUserinfo {
-	return UserinfoResponse{
+	addr := model.AddressClaim{
 		Formatted:     "123 Main St",
 		StreetAddress: "123 Main St",
 		Locality:      "Springfield",
 		Region:        "IL",
 		PostalCode:    "62701",
 		Country:       "US",
 	}
 	addrJSON, _ := json.Marshal(addr)
 	return repository.OidcUserinfo{
 		Sub:               "test-sub",
 		Name:              "Test User",
 		PreferredUsername: "testuser",
 		Email:             "test@example.com",
-		Groups:            []string{"admins", "users"},
+		Groups:            "admins,users",
 		UpdatedAt:         1234567890,
 		GivenName:         "Test",
 		FamilyName:        "User",
@@ -33,14 +45,7 @@ func newTestUser() UserinfoResponse {
 		Zoneinfo:          "America/Chicago",
 		Locale:            "en-US",
 		PhoneNumber:       "+15555550100",
-		Address: &model.AddressClaim{
+		Address:           string(addrJSON),
 			Formatted:     "123 Main St",
 			StreetAddress: "123 Main St",
 			Locality:      "Springfield",
 			Region:        "IL",
 			PostalCode:    "62701",
 			Country:       "US",
 		},
 	}
 }
@@ -67,29 +72,21 @@ func TestCompileUserinfo(t *testing.T) {
 	ctx := context.TODO()
 	dg := ding.New(ctx)
-	store := memory.New()
+	svc, err := service.NewOIDCService(log, cfg, runtime, nil, dg)
 	svc, err := NewOIDCService(OIDCServiceInput{
 		Log:     log,
 		Config:  &cfg,
 		Runtime: &runtime,
 		Queries: store,
 		Ding:    dg,
 	})
 	require.NoError(t, err)
 	type testCase struct {
 		description string
-		mutate      func(u *UserinfoResponse)
+		mutate      func(u *repository.OidcUserinfo)
 		scope       string
-		run         func(t *testing.T, info UserinfoResponse)
+		run         func(t *testing.T, info service.UserinfoResponse)
 	}
 	tests := []testCase{
 		{
 			description: "openid scope only returns sub and updated_at",
 			scope:       "openid",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "test-sub", info.Sub)
 				assert.Equal(t, int64(1234567890), info.UpdatedAt)
 				assert.Empty(t, info.Name)
@@ -101,8 +98,8 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "profile scope returns all profile fields",
-			scope:       "openid profile",
+			scope:       "openid,profile",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "Test User", info.Name)
 				assert.Equal(t, "testuser", info.PreferredUsername)
 				assert.Equal(t, "Test", info.GivenName)
@@ -121,8 +118,8 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "email scope sets email and email_verified true when email present",
-			scope:       "openid email",
+			scope:       "openid,email",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "test@example.com", info.Email)
 				assert.True(t, info.EmailVerified)
 				assert.Empty(t, info.Name)
@@ -130,17 +127,17 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "email scope sets email_verified false when email absent",
-			scope:       "openid email",
+			scope:       "openid,email",
-			mutate:      func(u *UserinfoResponse) { u.Email = "" },
+			mutate:      func(u *repository.OidcUserinfo) { u.Email = "" },
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Empty(t, info.Email)
 				assert.False(t, info.EmailVerified)
 			},
 		},
 		{
 			description: "phone scope sets phone_number_verified true when phone present",
-			scope:       "openid phone",
+			scope:       "openid,phone",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "+15555550100", info.PhoneNumber)
 				require.NotNil(t, info.PhoneNumberVerified)
 				assert.True(t, *info.PhoneNumberVerified)
@@ -148,17 +145,17 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "phone scope sets phone_number_verified false when phone absent",
-			scope:       "openid phone",
+			scope:       "openid,phone",
-			mutate:      func(u *UserinfoResponse) { u.PhoneNumber = "" },
+			mutate:      func(u *repository.OidcUserinfo) { u.PhoneNumber = "" },
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				require.NotNil(t, info.PhoneNumberVerified)
 				assert.False(t, *info.PhoneNumberVerified)
 			},
 		},
 		{
 			description: "address scope returns parsed address",
-			scope:       "openid address",
+			scope:       "openid,address",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				require.NotNil(t, info.Address)
 				assert.Equal(t, "123 Main St", info.Address.Formatted)
 				assert.Equal(t, "123 Main St", info.Address.StreetAddress)
@@ -168,17 +165,33 @@ func TestCompileUserinfo(t *testing.T) {
 				assert.Equal(t, "US", info.Address.Country)
 			},
 		},
 		{
 			description: "address scope with invalid JSON omits address",
 			scope:       "openid,address",
 			mutate:      func(u *repository.OidcUserinfo) { u.Address = "not-valid-json" },
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Nil(t, info.Address)
 			},
 		},
 		{
 			description: "groups scope returns split groups",
-			scope:       "openid groups",
+			scope:       "openid,groups",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, []string{"admins", "users"}, info.Groups)
 			},
 		},
 		{
 			description: "groups scope returns empty slice when no groups",
 			scope:       "openid,groups",
 			mutate:      func(u *repository.OidcUserinfo) { u.Groups = "" },
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, []string{}, info.Groups)
 			},
 		},
 		{
 			description: "all scopes return all fields",
-			scope:       "openid profile email phone address groups",
+			scope:       "openid,profile,email,phone,address,groups",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "Test User", info.Name)
 				assert.Equal(t, "test@example.com", info.Email)
 				assert.Equal(t, "+15555550100", info.PhoneNumber)
@@ -6,7 +6,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 )
 type Policy string
@@ -41,28 +40,21 @@ type PolicyEngine struct {
 	policy Policy
 }
-type PolicyEngineInput struct {
+func NewPolicyEngine(config model.Config, log *logger.Logger) (*PolicyEngine, error) {
 	dig.In
 	Log    *logger.Logger
 	Config *model.Config
 }
 func NewPolicyEngine(i PolicyEngineInput) (*PolicyEngine, error) {
 	engine := PolicyEngine{
-		log:   i.Log,
+		log:   log,
 		rules: make(map[RuleName]Rule),
 	}
-	switch i.Config.Auth.ACLs.Policy {
+	switch config.Auth.ACLs.Policy {
 	case string(PolicyAllow):
-		i.Log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
+		log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
 		engine.policy = PolicyAllow
 	case string(PolicyDeny):
-		i.Log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
+		log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
 		engine.policy = PolicyDeny
 	default:
-		return nil, fmt.Errorf("invalid acl policy: %s", i.Config.Auth.ACLs.Policy)
+		return nil, fmt.Errorf("invalid acl policy: %s", config.Auth.ACLs.Policy)
 	}
 	return &engine, nil
@@ -1,9 +1,10 @@
-package service
+package service_test
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -11,14 +12,14 @@ import (
 // Create test rule
 type TestRule struct{}
-func (rule *TestRule) Evaluate(ctx *ACLContext) Effect {
+func (rule *TestRule) Evaluate(ctx *service.ACLContext) service.Effect {
 	switch ctx.Path {
 	case "/allowed":
-		return EffectAllow
+		return service.EffectAllow
 	case "/denied":
-		return EffectDeny
+		return service.EffectDeny
 	default:
-		return EffectAbstain
+		return service.EffectAbstain
 	}
 }
@@ -32,51 +33,36 @@ func TestPolicyEngine(t *testing.T) {
 	// Engine should fail with invalid policy
 	cfg.Auth.ACLs.Policy = "invalid_policy"
-	_, err := NewPolicyEngine(PolicyEngineInput{
+	_, err := service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.Error(t, err)
 	// Engine should initialize with 'allow' policy
-	cfg.Auth.ACLs.Policy = string(PolicyAllow)
+	cfg.Auth.ACLs.Policy = string(service.PolicyAllow)
-	engine, err := NewPolicyEngine(PolicyEngineInput{
+	engine, err := service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
-	assert.Equal(t, PolicyAllow, engine.Policy())
+	assert.Equal(t, service.PolicyAllow, engine.Policy())
 	// Engine should initialize with 'deny' policy
-	cfg.Auth.ACLs.Policy = string(PolicyDeny)
+	cfg.Auth.ACLs.Policy = string(service.PolicyDeny)
-	engine, err = NewPolicyEngine(PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
-	assert.Equal(t, PolicyDeny, engine.Policy())
+	assert.Equal(t, service.PolicyDeny, engine.Policy())
 	// Engine should allow adding rules
-	engine, err = NewPolicyEngine(PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
 	engine.RegisterRule("test-rule", testRule)
 	_, ok := engine.Rules()["test-rule"]
 	assert.True(t, ok)
 	// Begin allow policy tests
-	cfg.Auth.ACLs.Policy = string(PolicyAllow)
+	cfg.Auth.ACLs.Policy = string(service.PolicyAllow)
-	engine, err = NewPolicyEngine(PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
 	engine.RegisterRule("test-rule", testRule)
 	// With allow policy, if rule allows, access should be allowed
-	ctx := &ACLContext{Path: "/allowed"}
+	ctx := &service.ACLContext{Path: "/allowed"}
 	assert.Equal(t, true, engine.Evaluate("test-rule", ctx))
 	// With allow policy, if rule denies, access should be denied
@@ -88,11 +74,8 @@ func TestPolicyEngine(t *testing.T) {
 	assert.Equal(t, true, engine.Evaluate("test-rule", ctx))
 	// Begin deny policy tests
-	cfg.Auth.ACLs.Policy = string(PolicyDeny)
+	cfg.Auth.ACLs.Policy = string(service.PolicyDeny)
-	engine, err = NewPolicyEngine(PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
 	engine.RegisterRule("test-rule", testRule)
@@ -12,7 +12,6 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
 	"tailscale.com/client/local"
 	"tailscale.com/tsnet"
 )
@@ -22,11 +21,12 @@ type TailscaleWhoisResponse struct {
 	LoginName   string
 	DisplayName string
 	NodeName    string
 	Tags        []string
 }
 type TailscaleService struct {
 	log    *logger.Logger
-	config *model.Config
+	config model.Config
 	ctx    context.Context
 	srv *tsnet.Server
@@ -35,31 +35,22 @@ type TailscaleService struct {
 	mu  sync.Mutex
 }
-type TailscaleServiceInput struct {
+func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, dg *ding.Ding) (*TailscaleService, error) {
-	dig.In
+	if !config.Tailscale.Enabled {
 	Log    *logger.Logger
 	Config *model.Config
 	Ctx    context.Context
 	Ding   *ding.Ding
 }
 func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
 	if !i.Config.Tailscale.Enabled {
 		return nil, nil
 	}
 	srv := new(tsnet.Server)
 	// node options
-	srv.Dir = i.Config.Tailscale.Dir
+	srv.Dir = config.Tailscale.Dir
-	srv.Hostname = i.Config.Tailscale.Hostname
+	srv.Hostname = config.Tailscale.Hostname
-	srv.AuthKey = i.Config.Tailscale.AuthKey
+	srv.AuthKey = config.Tailscale.AuthKey
-	srv.Ephemeral = i.Config.Tailscale.Ephemeral
+	srv.Ephemeral = config.Tailscale.Ephemeral
 	// redirect logs to zerolog
-	srv.Logf = i.Log.App.Printf
+	srv.Logf = log.App.Printf
-	srv.UserLogf = i.Log.App.Printf
+	srv.UserLogf = log.App.Printf
 	err := srv.Start()
@@ -75,14 +66,14 @@ func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
 	}
 	service := &TailscaleService{
-		log:    i.Log,
+		log:    log,
-		config: i.Config,
+		config: config,
-		ctx:    i.Ctx,
+		ctx:    ctx,
 		srv:    srv,
 		lc:     lc,
 	}
-	connectCtx, cancel := context.WithTimeout(i.Ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
+	connectCtx, cancel := context.WithTimeout(ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
 	defer cancel()
 	err = service.waitForConn(connectCtx)
@@ -92,7 +83,7 @@ func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
 		return nil, fmt.Errorf("failed to connect to tailscale network: %w", err)
 	}
-	i.Ding.Go(service.watchAndClose, ding.RingMajor)
+	dg.Go(service.watchAndClose, ding.RingMajor)
 	return service, nil
 }
@@ -124,18 +115,12 @@ func (ts *TailscaleService) Whois(ctx context.Context, addr string) (*TailscaleW
 		return nil, fmt.Errorf("failed to get client whois: %w", err)
 	}
 	if who.Node.IsTagged() {
 		ts.log.App.Debug().Msgf("Skipping whois for tagged node %s", who.Node.Name)
 		return nil, nil
 	}
 	uid := strings.TrimPrefix(who.UserProfile.ID.String(), "userid:")
 	res := TailscaleWhoisResponse{
-		UserID:      uid,
+		UserID:      who.UserProfile.ID.String(),
 		LoginName:   who.UserProfile.LoginName,
 		DisplayName: who.UserProfile.DisplayName,
 		NodeName:    strings.TrimSuffix(who.Node.Name, "."),
 		Tags:        who.Node.Tags,
 	}
 	return &res, nil
@@ -76,50 +76,6 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 					Bypass: []string{"10.10.10.10"},
 				},
 			},
 			"ip_block": {
 				Config: model.AppConfig{
 					Domain: "ip-block.example.com",
 				},
 				IP: model.AppIP{
 					Block: []string{"10.10.10.10"},
 				},
 			},
 			"oauth_group": {
 				Config: model.AppConfig{
 					Domain: "oauth-group.example.com",
 				},
 				OAuth: model.AppOAuth{
 					Whitelist: "testuser@example.com",
 					Groups:    "group1,group2",
 				},
 			},
 			"ldap_group": {
 				Config: model.AppConfig{
 					Domain: "ldap-group.example.com",
 				},
 				LDAP: model.AppLDAP{
 					Groups: "group1,group2",
 				},
 			},
 			"basic_auth": {
 				Config: model.AppConfig{
 					Domain: "basic-auth.example.com",
 				},
 				Response: model.AppResponse{
 					BasicAuth: model.AppBasicAuth{
 						Username: "test",
 						Password: "password",
 					},
 				},
 			},
 			"response_headers": {
 				Config: model.AppConfig{
 					Domain: "response-headers.example.com",
 				},
 				Response: model.AppResponse{
 					Headers: []string{"x-foo=bar"},
 				},
 			},
 		},
 	}
@@ -165,10 +121,14 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 		CookieDomain:      "example.com",
 		AppURL:            "https://tinyauth.example.com",
 		SessionCookieName: "tinyauth-session",
-		TrustedDomains: []string{
+		OIDCClients: func() []model.OIDCClientConfig {
-			"https://tinyauth.example.com",
+			var clients []model.OIDCClientConfig
-			"https://tinyauth.foo.com",
+			for id, client := range config.OIDC.Clients {
-		},
+				client.ID = id
 				clients = append(clients, client)
 			}
 			return clients
 		}(),
 	}
 	return config, runtime
@@ -2,6 +2,7 @@ package utils
 import (
 	"errors"
 	"fmt"
 	"net"
 	"net/url"
 	"strings"
@@ -87,3 +88,23 @@ func Filter[T any](slice []T, test func(T) bool) (res []T) {
 	}
 	return res
 }
 func IsRedirectSafe(redirectURL string, domain string) bool {
 	if redirectURL == "" {
 		return false
 	}
 	parsed, err := url.Parse(redirectURL)
 	if err != nil {
 		return false
 	}
 	hostname := parsed.Hostname()
 	if strings.HasSuffix(hostname, fmt.Sprintf(".%s", domain)) {
 		return true
 	}
 	return hostname == domain
 }
@@ -126,6 +126,61 @@ func TestFilter(t *testing.T) {
 	assert.Equal(t, expectedStr, resultStr)
 }
 func TestIsRedirectSafe(t *testing.T) {
 	// Setup
 	domain := "example.com"
 	// Case with no subdomain
 	redirectURL := "http://example.com/welcome"
 	result := utils.IsRedirectSafe(redirectURL, domain)
 	assert.True(t, result)
 	// Case with different domain
 	redirectURL = "http://malicious.com/phishing"
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.False(t, result)
 	// Case with subdomain
 	redirectURL = "http://sub.example.com/page"
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.True(t, result)
 	// Case with sub-subdomain
 	redirectURL = "http://a.b.example.com/home"
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.True(t, result)
 	// Case with empty redirect URL
 	redirectURL = ""
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.False(t, result)
 	// Case with invalid URL
 	redirectURL = "http://[::1]:namedport"
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.False(t, result)
 	// Case with URL having port
 	redirectURL = "http://sub.example.com:8080/page"
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.True(t, result)
 	// Case with URL having different subdomain
 	redirectURL = "http://another.example.com/page"
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.True(t, result)
 	// Case with URL having different TLD
 	redirectURL = "http://example.org/page"
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.False(t, result)
 	// Case with malicious domain
 	redirectURL = "https://malicious-example.com/yoyo"
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.False(t, result)
 }
 func TestGetStandaloneCookieDomain(t *testing.T) {
 	// Normal case
 	domain := "http://tinyauth.app"
@@ -1,17 +1,46 @@
-- name: GetOIDCSessionBySub :one
+-- name: CreateOidcCode :one
-SELECT * FROM "oidc_sessions"
+INSERT INTO "oidc_codes" (
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8
 )
 RETURNING *;
 -- name: GetOidcCodeUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "code_hash" = $1;
 -- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = $1
 RETURNING *;
 -- name: GetOidcCodeBySubUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "sub" = $1;
-- name: GetOIDCSessionByAccessTokenHash :one
+-- name: GetOidcCodeBySub :one
-SELECT * FROM "oidc_sessions"
+DELETE FROM "oidc_codes"
-WHERE "access_token_hash" = $1;
+WHERE "sub" = $1
 RETURNING *;
-- name: GetOIDCSessionByRefreshTokenHash :one
+-- name: DeleteOidcCode :exec
-SELECT * FROM "oidc_sessions"
+DELETE FROM "oidc_codes"
-WHERE "refresh_token_hash" = $1;
+WHERE "code_hash" = $1;
-- name: CreateOIDCSession :one
+-- name: DeleteOidcCodeBySub :exec
-INSERT INTO "oidc_sessions" (
+DELETE FROM "oidc_codes"
 WHERE "sub" = $1;
 -- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -19,30 +48,86 @@ INSERT INTO "oidc_sessions" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "nonce",
+    "code_hash",
-    "userinfo_json"
+    "nonce"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9
 )
 RETURNING *;
-- name: DeleteOIDCSessionBySub :exec
+-- name: UpdateOidcTokenByRefreshToken :one
-DELETE FROM "oidc_sessions"
+UPDATE "oidc_tokens" SET
    "access_token_hash"        = $1,
    "refresh_token_hash"       = $2,
    "token_expires_at"         = $3,
    "refresh_token_expires_at" = $4
 WHERE "refresh_token_hash" = $5
 RETURNING *;
 -- name: GetOidcToken :one
 SELECT * FROM "oidc_tokens"
 WHERE "access_token_hash" = $1;
 -- name: GetOidcTokenByRefreshToken :one
 SELECT * FROM "oidc_tokens"
 WHERE "refresh_token_hash" = $1;
 -- name: GetOidcTokenBySub :one
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = $1;
-- name: DeleteExpiredOIDCSessions :exec
+-- name: DeleteOidcTokenByCodeHash :exec
-DELETE FROM "oidc_sessions"
+DELETE FROM "oidc_tokens"
-WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2;
+WHERE "code_hash" = $1;
-- name: UpdateOIDCSession :one
+-- name: DeleteOidcToken :exec
-UPDATE "oidc_sessions" SET
+DELETE FROM "oidc_tokens"
-    "access_token_hash" = $1,
+WHERE "access_token_hash" = $1;
-    "refresh_token_hash" = $2,
+
-    "scope" = $3,
+-- name: DeleteOidcTokenBySub :exec
-    "client_id" = $4,
+DELETE FROM "oidc_tokens"
-    "token_expires_at" = $5,
+WHERE "sub" = $1;
-    "refresh_token_expires_at" = $6,
+
-    "nonce" = $7,
+-- name: CreateOidcUserInfo :one
-    "userinfo_json" = $8
+INSERT INTO "oidc_userinfo" (
-WHERE "sub" = $9
+    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
 )
 RETURNING *;
 -- name: GetOidcUserInfo :one
 SELECT * FROM "oidc_userinfo"
 WHERE "sub" = $1;
 -- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = $1;
 -- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < $1
 RETURNING *;
 -- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
 RETURNING *;
@@ -1,11 +1,44 @@
-CREATE TABLE IF NOT EXISTS "oidc_sessions" (
+CREATE TABLE IF NOT EXISTS "oidc_codes" (
-    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "sub"            TEXT   NOT NULL UNIQUE,
-    "access_token_hash" TEXT NOT NULL UNIQUE,
+    "code_hash"      TEXT   NOT NULL PRIMARY KEY,
-    "refresh_token_hash" TEXT NOT NULL UNIQUE,
+    "scope"          TEXT   NOT NULL,
-    "scope" TEXT NOT NULL,
+    "redirect_uri"   TEXT   NOT NULL,
-    "client_id" TEXT NOT NULL,
+    "client_id"      TEXT   NOT NULL,
-    "token_expires_at" BIGINT NOT NULL,
+    "expires_at"     BIGINT NOT NULL,
-    "refresh_token_expires_at" BIGINT NOT NULL,
+    "nonce"          TEXT   NOT NULL DEFAULT '',
-    "nonce" TEXT NOT NULL DEFAULT '',
+    "code_challenge" TEXT   NOT NULL DEFAULT ''
-    "userinfo_json" TEXT NOT NULL
+);
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub"                      TEXT   NOT NULL UNIQUE,
    "access_token_hash"        TEXT   NOT NULL PRIMARY KEY,
    "refresh_token_hash"       TEXT   NOT NULL,
    "code_hash"                TEXT   NOT NULL,
    "scope"                    TEXT   NOT NULL,
    "client_id"                TEXT   NOT NULL,
    "token_expires_at"         BIGINT NOT NULL,
    "refresh_token_expires_at" BIGINT NOT NULL,
    "nonce"                    TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
    "sub"                TEXT   NOT NULL PRIMARY KEY,
    "name"               TEXT   NOT NULL,
    "preferred_username" TEXT   NOT NULL,
    "email"              TEXT   NOT NULL,
    "groups"             TEXT   NOT NULL,
    "updated_at"         BIGINT NOT NULL,
    "given_name"         TEXT   NOT NULL,
    "family_name"        TEXT   NOT NULL,
    "middle_name"        TEXT   NOT NULL,
    "nickname"           TEXT   NOT NULL,
    "profile"            TEXT   NOT NULL,
    "picture"            TEXT   NOT NULL,
    "website"            TEXT   NOT NULL,
    "gender"             TEXT   NOT NULL,
    "birthdate"          TEXT   NOT NULL,
    "zoneinfo"           TEXT   NOT NULL,
    "locale"             TEXT   NOT NULL,
    "phone_number"       TEXT   NOT NULL,
    "address"            TEXT   NOT NULL
 );
@@ -1,17 +1,46 @@
-- name: GetOIDCSessionBySub :one
+-- name: CreateOidcCode :one
-SELECT * FROM "oidc_sessions"
+INSERT INTO "oidc_codes" (
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
 -- name: GetOidcCodeUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "code_hash" = ?;
 -- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
 RETURNING *;
 -- name: GetOidcCodeBySubUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "sub" = ?;
-- name: GetOIDCSessionByAccessTokenHash :one
+-- name: GetOidcCodeBySub :one
-SELECT * FROM "oidc_sessions"
+DELETE FROM "oidc_codes"
-WHERE "access_token_hash" = ?;
+WHERE "sub" = ?
 RETURNING *;
-- name: GetOIDCSessionByRefreshTokenHash :one
+-- name: DeleteOidcCode :exec
-SELECT * FROM "oidc_sessions"
+DELETE FROM "oidc_codes"
-WHERE "refresh_token_hash" = ?;
+WHERE "code_hash" = ?;
-- name: CreateOIDCSession :one
+-- name: DeleteOidcCodeBySub :exec
-INSERT INTO "oidc_sessions" (
+DELETE FROM "oidc_codes"
 WHERE "sub" = ?;
 -- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -19,30 +48,86 @@ INSERT INTO "oidc_sessions" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "nonce",
+    "code_hash",
-    "userinfo_json"
+    "nonce"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
-- name: DeleteOIDCSessionBySub :exec
+-- name: UpdateOidcTokenByRefreshToken :one
-DELETE FROM "oidc_sessions"
+UPDATE "oidc_tokens" SET
 WHERE "sub" = ?;
 -- name: DeleteExpiredOIDCSessions :exec
 DELETE FROM "oidc_sessions"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?;
 -- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
    "access_token_hash" = ?,
    "refresh_token_hash" = ?,
    "scope" = ?,
    "client_id" = ?,
    "token_expires_at" = ?,
-    "refresh_token_expires_at" = ?,
+    "refresh_token_expires_at" = ?
-    "nonce" = ?,
+WHERE "refresh_token_hash" = ?
-    "userinfo_json" = ?
+RETURNING *;
-WHERE "sub" = ?
+
 -- name: GetOidcToken :one
 SELECT * FROM "oidc_tokens"
 WHERE "access_token_hash" = ?;
 -- name: GetOidcTokenByRefreshToken :one
 SELECT * FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?;
 -- name: GetOidcTokenBySub :one
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = ?;
 -- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = ?;
 -- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?;
 -- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = ?;
 -- name: CreateOidcUserInfo :one
 INSERT INTO "oidc_userinfo" (
    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
 -- name: GetOidcUserInfo :one
 SELECT * FROM "oidc_userinfo"
 WHERE "sub" = ?;
 -- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = ?;
 -- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < ?
 RETURNING *;
 -- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
 RETURNING *;
@@ -1,11 +1,44 @@
-CREATE TABLE IF NOT EXISTS "oidc_sessions" (
+CREATE TABLE IF NOT EXISTS "oidc_codes" (
-    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "sub" TEXT NOT NULL UNIQUE,
-    "access_token_hash" TEXT NOT NULL UNIQUE,
+    "code_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
-    "refresh_token_hash" TEXT NOT NULL UNIQUE,
+    "scope" TEXT NOT NULL,
    "redirect_uri" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT "",
    "code_challenge" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
    "code_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
    "refresh_token_expires_at" INTEGER NOT NULL,
-    "nonce" TEXT NOT NULL DEFAULT "",
+    "nonce" TEXT DEFAULT ""
-    "userinfo_json" TEXT NOT NULL
+);
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
    "sub"                   TEXT    NOT NULL UNIQUE PRIMARY KEY,
    "name"                  TEXT    NOT NULL,
    "preferred_username"    TEXT    NOT NULL,
    "email"                 TEXT    NOT NULL,
    "groups"                TEXT    NOT NULL,
    "updated_at"            INTEGER NOT NULL,
    "given_name"            TEXT    NOT NULL,
    "family_name"           TEXT    NOT NULL,
    "middle_name"           TEXT    NOT NULL,
    "nickname"              TEXT    NOT NULL,
    "profile"               TEXT    NOT NULL,
    "picture"               TEXT    NOT NULL,
    "website"               TEXT    NOT NULL,
    "gender"                TEXT    NOT NULL,
    "birthdate"             TEXT    NOT NULL,
    "zoneinfo"              TEXT    NOT NULL,
    "locale"                TEXT    NOT NULL,
    "phone_number"          TEXT    NOT NULL,
    "address"               TEXT    NOT NULL
 );
--- a/Show More
+++ b/Show More