Better error messages

More OpenID Conformance test fixes - work with POST, correct auth code character set, correct no-store cache headers
Updates for oidc conformance
2026-01-03 12:29:27 +11:00 · 2026-01-03 12:28:43 +11:00 · 2026-01-03 10:11:10 +11:00 · 2026-01-02 16:35:12 +11:00 · 2026-01-02 15:47:40 +11:00 · 2026-01-02 15:41:07 +11:00
229 changed files with 20128 additions and 1719 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,21 @@
 # Rails Configuration
-SECRET_KEY_BASE=generate-with-bin-rails-secret
+# SECRET_KEY_BASE is used for:
+#   - Session cookie encryption
+#   - Signed token verification
+#   - ActiveRecord encryption (currently: TOTP secrets)
+#   - OIDC token prefix HMAC derivation
+#
+# CRITICAL: Do NOT change SECRET_KEY_BASE after deployment. Changing it will:
+#   - Invalidate all user sessions (users must re-login)
+#   - Break encrypted data (users must re-setup 2FA)
+#   - Invalidate all OIDC access/refresh tokens (clients must re-authenticate)
+#
+# Optional: Override encryption keys with env vars for key rotation:
+#   - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+#   - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+#   - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
+#   - OIDC_TOKEN_PREFIX_HMAC
+SECRET_KEY_BASE=generate-with-bin/rails/secret
 RAILS_ENV=development

 # Database
@@ -16,9 +32,43 @@ SMTP_AUTHENTICATION=plain
 SMTP_ENABLE_STARTTLS=true

 # Application Configuration
-CLINCH_HOST=http://localhost:9000
+CLINCH_HOST=http://localhost:3000
 CLINCH_FROM_EMAIL=noreply@example.com

+# WebAuthn / Passkey Configuration
+# Required for passkeys to work in production (HTTPS required)
+#
+# CLINCH_RP_ID is the Relying Party Identifier - the domain that owns the passkeys
+# - If your site is auth.example.com, use either "auth.example.com" or "example.com"
+# - Using parent domain (e.g., "example.com") allows passkeys to work across all subdomains
+# - Using subdomain (e.g., "auth.example.com") restricts passkeys to that specific subdomain
+#
+# CLINCH_RP_NAME is shown to users when creating/using passkeys
+#
+# Examples:
+#   For https://auth.example.com:
+#     CLINCH_HOST=https://auth.example.com
+#     CLINCH_RP_ID=example.com
+#     CLINCH_RP_NAME="Example Company"
+#
+#   For https://sso.mycompany.com:
+#     CLINCH_HOST=https://sso.mycompany.com
+#     CLINCH_RP_ID=mycompany.com
+#     CLINCH_RP_NAME="My Company Identity"
+#
+CLINCH_RP_ID=localhost
+CLINCH_RP_NAME="Clinch Identity Provider"
+
+# DNS Rebinding Protection Configuration
+# Set to service name (e.g., 'clinch') if running in same Docker compose as Caddy
+CLINCH_DOCKER_SERVICE_NAME=
+
+# Allow internal IP access for cross-compose deployments (true/false)
+CLINCH_ALLOW_INTERNAL_IPS=true
+
+# Allow localhost access for development (true/false)
+CLINCH_ALLOW_LOCALHOST=true
+
 # OIDC Configuration
 # RSA private key for signing ID tokens (JWT)
 # Generate with: openssl genrsa 2048
@@ -34,3 +84,27 @@ CLINCH_FROM_EMAIL=noreply@example.com

 # Optional: Set custom port
 # PORT=9000
+
+# Sentry Configuration (Optional)
+# Enable error tracking and performance monitoring
+# Leave SENTRY_DSN empty to disable Sentry completely
+#
+# Production: Get your DSN from https://sentry.io/settings/projects/
+# SENTRY_DSN=https://your-dsn@sentry.io/project-id
+#
+# Optional: Override Sentry environment (defaults to Rails.env)
+# SENTRY_ENVIRONMENT=production
+#
+# Optional: Override Sentry release (defaults to Git commit hash)
+# SENTRY_RELEASE=v1.0.0
+#
+# Optional: Performance monitoring sample rate (0.0 to 1.0, default 0.2)
+# Higher values provide more data but cost more
+# SENTRY_TRACES_SAMPLE_RATE=0.2
+#
+# Optional: Continuous profiling sample rate (0.0 to 1.0, default 0.0)
+# Very resource intensive, only enable for performance investigations
+# SENTRY_PROFILES_SAMPLE_RATE=0.0
+#
+# Development: Enable Sentry in development for testing
+# SENTRY_ENABLED_IN_DEVELOPMENT=true
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,7 +19,9 @@ jobs:
          bundler-cache: true

      - name: Scan for common Rails security vulnerabilities using static analysis
-        run: bin/brakeman --no-pager
+        run: bin/brakeman --no-pager --no-exit-on-warn
+        # Note: 2 weak warnings exist and are documented as acceptable
+        # See docs/beta-checklist.md for details
      
      - name: Scan for known security vulnerabilities in gems used
        run: bin/bundler-audit
@@ -39,10 +41,36 @@ jobs:
      - name: Scan for security vulnerabilities in JavaScript dependencies
        run: bin/importmap audit

+  scan_container:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for uploading SARIF results
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Build Docker image
+        run: docker build -t clinch:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: clinch:${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          scanners: 'vuln'  # Only scan vulnerabilities, not secrets (avoids false positives in vendored gems)
+
+      - name: Upload Trivy results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
  lint:
    runs-on: ubuntu-latest
-    env:
-      RUBOCOP_CACHE_ROOT: tmp/rubocop
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
@@ -52,18 +80,8 @@ jobs:
        with:
          bundler-cache: true

-      - name: Prepare RuboCop cache
-        uses: actions/cache@v4
-        env:
-          DEPENDENCIES_HASH: ${{ hashFiles('.ruby-version', '**/.rubocop.yml', '**/.rubocop_todo.yml', 'Gemfile.lock') }}
-        with:
-          path: ${{ env.RUBOCOP_CACHE_ROOT }}
-          key: rubocop-${{ runner.os }}-${{ env.DEPENDENCIES_HASH }}-${{ github.ref_name == github.event.repository.default_branch && github.run_id || 'default' }}
-          restore-keys: |
-            rubocop-${{ runner.os }}-${{ env.DEPENDENCIES_HASH }}-
-
      - name: Lint code for consistent style
-        run: bin/rubocop -f github
+        run: bin/standardrb

  test:
    runs-on: ubuntu-latest
@@ -116,7 +134,7 @@ jobs:
        run: bin/rails db:test:prepare test:system

      - name: Keep screenshots from failed system tests
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        if: failure()
        with:
          name: screenshots
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-3.4.6
+3.4.8
--- a/.standard.yml
+++ b/.standard.yml
@@ -0,0 +1,7 @@
+ignore:
+  - 'test_*.rb'  # Ignore test files in root directory
+  - 'tmp/**/*'
+  - 'vendor/**/*'
+  - 'node_modules/**/*'
+  - 'config/initializers/csp_local_logger.rb'  # Complex CSP logger with intentional block structure
+  - 'config/initializers/sentry_subscriber.rb'  # Sentry subscriber with module structure
--- a/.trivyignore
+++ b/.trivyignore
@@ -0,0 +1,48 @@
+# Trivy ignore file
+# This file tells Trivy to skip specific vulnerabilities or files
+# See: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
+
+# =============================================================================
+# False Positives - Test Fixtures
+# =============================================================================
+
+# Capybara test fixture - not a real private key
+# Ignore secrets in test fixtures
+# Format: secret:<rule-id>:<exact-file-path>
+secret:private-key:/usr/local/bundle/ruby/3.4.0/gems/capybara-3.40.0/spec/fixtures/key.pem
+
+# =============================================================================
+# Unfixable CVEs - No Patches Available (Status: affected/fix_deferred)
+# =============================================================================
+
+# GnuPG vulnerabilities - not used by Clinch at runtime
+# Low risk: dirmngr/gpg tools not invoked during normal operation
+CVE-2025-68973
+
+# Image processing library vulnerabilities
+# Low risk for Clinch: Only admins upload images (app icons), not untrusted users
+# Waiting on Debian security team to release patches
+
+# ImageMagick - Integer overflow (32-bit only)
+CVE-2025-66628
+
+# glib - Integer overflow in URI escaping
+CVE-2025-13601
+
+# HDF5 - Critical vulnerabilities in scientific data format library
+CVE-2025-2153
+CVE-2025-2308
+CVE-2025-2309
+CVE-2025-2310
+
+# libmatio - MATLAB file format library
+CVE-2025-2338
+
+# OpenEXR - Image format vulnerabilities
+CVE-2025-12495
+CVE-2025-12839
+CVE-2025-12840
+CVE-2025-64181
+
+# libvips - Image processing library
+CVE-2025-59933
--- a/Claude.md
+++ b/Claude.md
@@ -0,0 +1,65 @@
+# Claude Code Guidelines for Clinch
+
+This document provides guidelines for AI assistants (Claude, ChatGPT, etc.) working on this codebase.
+
+## Project Context
+
+Clinch is a lightweight identity provider (IdP) supporting:
+- **OIDC/OAuth2** - Standard OAuth flows for modern apps
+- **ForwardAuth** - Trusted-header SSO for reverse proxies (Traefik, Caddy, Nginx)
+- **WebAuthn/Passkeys** - Passwordless authentication
+- Group-based access control
+
+Key characteristics:
+- Rails 8 application with SQLite database
+- Focus on simplicity and self-hosting
+- No external dependencies for core functionality
+
+## Testing Guidelines
+
+### Do Not Test Rails Framework Functionality
+
+When writing tests, focus on testing **our application's specific behavior and logic**, not standard Rails framework functionality.
+
+**Examples of what NOT to test:**
+- Session isolation between users (Rails handles this)
+- Basic ActiveRecord associations (Rails handles this)
+- Standard cookie signing/verification (Rails handles this)
+- Default controller rendering behavior (Rails handles this)
+- Infrastructure-level error handling (database connection failures, network issues, etc.)
+
+**Examples of what TO test:**
+- Forward auth business logic (group-based access control, header configuration, etc.)
+- Custom authentication flows
+- Application-specific session expiration behavior
+- Domain pattern matching logic
+- Custom response header generation
+
+**Why:**
+Testing Rails framework functionality adds no value and can create maintenance burden. Trust that Rails works correctly and focus tests on verifying our application's unique behavior.
+
+### Integration Test Patterns
+
+**Session handling:**
+- Do NOT manually manipulate cookies in integration tests
+- Use the session provided by the test framework
+- To get the actual session ID, use `Session.last.id` after sign-in, not `cookies[:session_id]` (which is signed)
+
+**Application setup:**
+- Always create Application records for the domains you're testing
+- Use wildcard patterns (e.g., `*.example.com`) when testing multiple subdomains
+- Remember: `*` matches one level only (`*.example.com` matches `app.example.com` but NOT `sub.app.example.com`)
+
+**Header assertions:**
+- Always normalize header names to lowercase when asserting (HTTP headers are case-insensitive)
+- Use `response.headers["x-remote-user"]` not `response.headers["X-Remote-User"]`
+
+**Avoid threading in integration tests:**
+- Rails integration tests use a single cookie jar
+- Convert threaded tests to sequential requests instead
+
+### Common Testing Pitfalls
+
+1. **Don't test concurrent users with manual cookie manipulation** - Integration tests can't properly simulate multiple concurrent sessions
+2. **Don't expect `cookies[:session_id]` to be the actual ID** - It's a signed cookie value
+3. **Don't assume wildcard patterns match multiple levels** - `*.domain.com` only matches one level
--- a/9
+++ b/9
@@ -8,14 +8,17 @@
 # For a containerized dev environment, see Dev Containers: https://guides.rubyonrails.org/getting_started_with_devcontainer.html

 # Make sure RUBY_VERSION matches the Ruby version in .ruby-version
-ARG RUBY_VERSION=3.4.6
+ARG RUBY_VERSION=3.4.8
 FROM docker.io/library/ruby:$RUBY_VERSION-slim AS base

+LABEL org.opencontainers.image.source=https://github.com/dkam/clinch
+
 # Rails app lives here
 WORKDIR /rails

-# Install base packages
+# Install base packages and upgrade to latest security patches
 RUN apt-get update -qq && \
+    apt-get upgrade -y && \
    apt-get install --no-install-recommends -y curl libjemalloc2 libvips sqlite3 && \
    ln -s /usr/lib/$(uname -m)-linux-gnu/libjemalloc.so.2 /usr/local/lib/libjemalloc.so && \
    rm -rf /var/lib/apt/lists /var/cache/apt/archives
@@ -32,7 +35,7 @@ FROM base AS build

 # Install packages needed to build gems
 RUN apt-get update -qq && \
-    apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config && \
+    apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config libssl-dev && \
    rm -rf /var/lib/apt/lists /var/cache/apt/archives

 # Install application gems
--- a/37
+++ b/37
@@ -1,7 +1,7 @@
 source "https://rubygems.org"

 # Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main"
-gem "rails", "~> 8.1.0"
+gem "rails", "~> 8.1.1"
 # The modern asset pipeline for Rails [https://github.com/rails/propshaft]
 gem "propshaft"
 # Use sqlite3 as the database for Active Record
@@ -26,18 +26,28 @@ gem "bcrypt", "~> 3.1.7"
 gem "rotp", "~> 6.3"

 # QR code generation for TOTP setup
-gem "rqrcode", "~> 2.0"
+gem "rqrcode", "~> 3.1"

 # JWT for OIDC ID tokens
-gem "jwt", "~> 2.9"
+gem "jwt", "~> 3.1"
+
+# WebAuthn for passkey support
+gem "webauthn", "~> 3.0"
+
+# Public Suffix List for domain parsing
+gem "public_suffix", "~> 7.0"
+
+# Error tracking and performance monitoring (optional, configured via SENTRY_DSN)
+gem "sentry-ruby", "~> 6.2"
+gem "sentry-rails", "~> 6.2"

 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
-gem "tzinfo-data", platforms: %i[ windows jruby ]
+gem "tzinfo-data", platforms: %i[windows jruby]

-# Use the database-backed adapters for Rails.cache, Active Job, and Action Cable
+# Use the database-backed adapters for Rails.cache and Action Cable
 gem "solid_cache"
-gem "solid_queue"
 gem "solid_cable"
+gem "solid_queue", "~> 1.2"

 # Reduces boot times through caching; required in config/boot.rb
 gem "bootsnap", require: false
@@ -53,7 +63,7 @@ gem "image_processing", "~> 1.2"

 group :development, :test do
  # See https://guides.rubyonrails.org/debugging_rails_applications.html#debugging-with-the-debug-gem
-  gem "debug", platforms: %i[ mri windows ], require: "debug/prelude"
+  gem "debug", platforms: %i[mri windows], require: "debug/prelude"

  # Audits gems for known security defects (use config/bundler-audit.yml to ignore issues)
  gem "bundler-audit", require: false
@@ -61,17 +71,26 @@ group :development, :test do
  # Static analysis for security vulnerabilities [https://brakemanscanner.org/]
  gem "brakeman", require: false

-  # Omakase Ruby styling [https://github.com/rails/rubocop-rails-omakase/]
-  gem "rubocop-rails-omakase", require: false
+  # Standard Ruby style guide, linter, and formatter [https://github.com/standardrb/standard]
+  gem "standard", require: false
 end

 group :development do
  # Use console on exceptions pages [https://github.com/rails/web-console]
  gem "web-console"
+
+  # Preview emails in browser instead of sending them
+  gem "letter_opener"
 end

 group :test do
  # Use system testing [https://guides.rubyonrails.org/testing.html#system-testing]
  gem "capybara"
  gem "selenium-webdriver"
+
+  # Code coverage analysis
+  gem "simplecov", require: false
+
+  # Pin minitest to < 6.0 until Rails 8.1 supports the new API
+  gem "minitest", "< 6.0"
 end
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,31 +1,31 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    action_text-trix (2.1.15)
+    action_text-trix (2.1.16)
      railties
-    actioncable (8.1.0)
-      actionpack (= 8.1.0)
-      activesupport (= 8.1.0)
+    actioncable (8.1.1)
+      actionpack (= 8.1.1)
+      activesupport (= 8.1.1)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
      zeitwerk (~> 2.6)
-    actionmailbox (8.1.0)
-      actionpack (= 8.1.0)
-      activejob (= 8.1.0)
-      activerecord (= 8.1.0)
-      activestorage (= 8.1.0)
-      activesupport (= 8.1.0)
+    actionmailbox (8.1.1)
+      actionpack (= 8.1.1)
+      activejob (= 8.1.1)
+      activerecord (= 8.1.1)
+      activestorage (= 8.1.1)
+      activesupport (= 8.1.1)
      mail (>= 2.8.0)
-    actionmailer (8.1.0)
-      actionpack (= 8.1.0)
-      actionview (= 8.1.0)
-      activejob (= 8.1.0)
-      activesupport (= 8.1.0)
+    actionmailer (8.1.1)
+      actionpack (= 8.1.1)
+      actionview (= 8.1.1)
+      activejob (= 8.1.1)
+      activesupport (= 8.1.1)
      mail (>= 2.8.0)
      rails-dom-testing (~> 2.2)
-    actionpack (8.1.0)
-      actionview (= 8.1.0)
-      activesupport (= 8.1.0)
+    actionpack (8.1.1)
+      actionview (= 8.1.1)
+      activesupport (= 8.1.1)
      nokogiri (>= 1.8.5)
      rack (>= 2.2.4)
      rack-session (>= 1.0.1)
@@ -33,36 +33,36 @@ GEM
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
      useragent (~> 0.16)
-    actiontext (8.1.0)
+    actiontext (8.1.1)
      action_text-trix (~> 2.1.15)
-      actionpack (= 8.1.0)
-      activerecord (= 8.1.0)
-      activestorage (= 8.1.0)
-      activesupport (= 8.1.0)
+      actionpack (= 8.1.1)
+      activerecord (= 8.1.1)
+      activestorage (= 8.1.1)
+      activesupport (= 8.1.1)
      globalid (>= 0.6.0)
      nokogiri (>= 1.8.5)
-    actionview (8.1.0)
-      activesupport (= 8.1.0)
+    actionview (8.1.1)
+      activesupport (= 8.1.1)
      builder (~> 3.1)
      erubi (~> 1.11)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    activejob (8.1.0)
-      activesupport (= 8.1.0)
+    activejob (8.1.1)
+      activesupport (= 8.1.1)
      globalid (>= 0.3.6)
-    activemodel (8.1.0)
-      activesupport (= 8.1.0)
-    activerecord (8.1.0)
-      activemodel (= 8.1.0)
-      activesupport (= 8.1.0)
+    activemodel (8.1.1)
+      activesupport (= 8.1.1)
+    activerecord (8.1.1)
+      activemodel (= 8.1.1)
+      activesupport (= 8.1.1)
      timeout (>= 0.4.0)
-    activestorage (8.1.0)
-      actionpack (= 8.1.0)
-      activejob (= 8.1.0)
-      activerecord (= 8.1.0)
-      activesupport (= 8.1.0)
+    activestorage (8.1.1)
+      actionpack (= 8.1.1)
+      activejob (= 8.1.1)
+      activerecord (= 8.1.1)
+      activesupport (= 8.1.1)
      marcel (~> 1.0)
-    activesupport (8.1.0)
+    activesupport (8.1.1)
      base64
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.3.1)
@@ -75,21 +75,23 @@ GEM
      securerandom (>= 0.3)
      tzinfo (~> 2.0, >= 2.0.5)
      uri (>= 0.13.1)
-    addressable (2.8.7)
-      public_suffix (>= 2.0.2, < 7.0)
+    addressable (2.8.8)
+      public_suffix (>= 2.0.2, < 8.0)
+    android_key_attestation (0.3.0)
    ast (2.4.3)
    base64 (0.3.0)
-    bcrypt (3.1.20)
-    bcrypt_pbkdf (1.1.1)
-    bigdecimal (3.3.1)
+    bcrypt (3.1.21)
+    bcrypt_pbkdf (1.1.2)
+    bigdecimal (4.0.1)
+    bindata (2.5.1)
    bindex (0.8.1)
-    bootsnap (1.18.6)
+    bootsnap (1.20.1)
      msgpack (~> 1.2)
-    brakeman (7.1.0)
+    brakeman (7.1.2)
      racc
    builder (3.3.0)
-    bundler-audit (0.9.2)
-      bundler (>= 1.2.0, < 3)
+    bundler-audit (0.9.3)
+      bundler (>= 1.2.0)
      thor (~> 1.0)
    capybara (3.40.0)
      addressable
@@ -100,34 +102,41 @@ GEM
      rack-test (>= 0.6.3)
      regexp_parser (>= 1.5, < 3.0)
      xpath (~> 3.2)
+    cbor (0.5.10.1)
+    childprocess (5.1.0)
+      logger (~> 1.5)
    chunky_png (1.4.0)
-    concurrent-ruby (1.3.5)
-    connection_pool (2.5.4)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
+    cose (1.3.1)
+      cbor (~> 0.5.9)
+      openssl-signature_algorithm (~> 1.0)
    crass (1.0.6)
-    date (3.4.1)
-    debug (1.11.0)
+    date (3.5.1)
+    debug (1.11.1)
      irb (~> 1.10)
      reline (>= 0.3.8)
-    dotenv (3.1.8)
+    docile (1.4.1)
+    dotenv (3.2.0)
    drb (2.2.3)
    ed25519 (1.4.0)
-    erb (5.1.1)
+    erb (6.0.1)
    erubi (1.13.1)
    et-orbi (1.4.0)
      tzinfo
-    ffi (1.17.2-aarch64-linux-gnu)
-    ffi (1.17.2-aarch64-linux-musl)
-    ffi (1.17.2-arm-linux-gnu)
-    ffi (1.17.2-arm-linux-musl)
-    ffi (1.17.2-arm64-darwin)
-    ffi (1.17.2-x86_64-linux-gnu)
-    ffi (1.17.2-x86_64-linux-musl)
+    ffi (1.17.3-aarch64-linux-gnu)
+    ffi (1.17.3-aarch64-linux-musl)
+    ffi (1.17.3-arm-linux-gnu)
+    ffi (1.17.3-arm-linux-musl)
+    ffi (1.17.3-arm64-darwin)
+    ffi (1.17.3-x86_64-linux-gnu)
+    ffi (1.17.3-x86_64-linux-musl)
    fugit (1.12.1)
      et-orbi (~> 1.4)
      raabro (~> 1.4)
    globalid (1.3.0)
      activesupport (>= 6.1)
-    i18n (1.14.7)
+    i18n (1.14.8)
      concurrent-ruby (~> 1.0)
    image_processing (1.14.0)
      mini_magick (>= 4.9.5, < 6)
@@ -136,18 +145,18 @@ GEM
      actionpack (>= 6.0.0)
      activesupport (>= 6.0.0)
      railties (>= 6.0.0)
-    io-console (0.8.1)
-    irb (1.15.2)
+    io-console (0.8.2)
+    irb (1.16.0)
      pp (>= 0.6.0)
      rdoc (>= 4.0.0)
      reline (>= 0.4.2)
    jbuilder (2.14.1)
      actionview (>= 7.0.0)
      activesupport (>= 7.0.0)
-    json (2.15.1)
-    jwt (2.10.2)
+    json (2.18.0)
+    jwt (3.1.2)
      base64
-    kamal (2.8.1)
+    kamal (2.10.1)
      activesupport (>= 7.0)
      base64 (~> 0.2)
      bcrypt_pbkdf (~> 1.0)
@@ -159,9 +168,15 @@ GEM
      thor (~> 1.3)
      zeitwerk (>= 2.6.18, < 3.0)
    language_server-protocol (3.17.0.5)
+    launchy (3.1.1)
+      addressable (~> 2.8)
+      childprocess (~> 5.0)
+      logger (~> 1.6)
+    letter_opener (1.10.0)
+      launchy (>= 2.2, < 4)
    lint_roller (1.1.0)
    logger (1.7.0)
-    loofah (2.24.1)
+    loofah (2.25.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
    mail (2.9.0)
@@ -175,9 +190,9 @@ GEM
    mini_magick (5.3.1)
      logger
    mini_mime (1.1.5)
-    minitest (5.26.0)
+    minitest (5.27.0)
    msgpack (1.8.0)
-    net-imap (0.5.12)
+    net-imap (0.6.2)
      date
      net-protocol
    net-pop (0.1.2)
@@ -191,64 +206,67 @@ GEM
    net-smtp (0.5.1)
      net-protocol
    net-ssh (7.3.0)
-    nio4r (2.7.4)
-    nokogiri (1.18.10-aarch64-linux-gnu)
+    nio4r (2.7.5)
+    nokogiri (1.19.0-aarch64-linux-gnu)
      racc (~> 1.4)
-    nokogiri (1.18.10-aarch64-linux-musl)
+    nokogiri (1.19.0-aarch64-linux-musl)
      racc (~> 1.4)
-    nokogiri (1.18.10-arm-linux-gnu)
+    nokogiri (1.19.0-arm-linux-gnu)
      racc (~> 1.4)
-    nokogiri (1.18.10-arm-linux-musl)
+    nokogiri (1.19.0-arm-linux-musl)
      racc (~> 1.4)
-    nokogiri (1.18.10-arm64-darwin)
+    nokogiri (1.19.0-arm64-darwin)
      racc (~> 1.4)
-    nokogiri (1.18.10-x86_64-linux-gnu)
+    nokogiri (1.19.0-x86_64-linux-gnu)
      racc (~> 1.4)
-    nokogiri (1.18.10-x86_64-linux-musl)
+    nokogiri (1.19.0-x86_64-linux-musl)
      racc (~> 1.4)
+    openssl (4.0.0)
+    openssl-signature_algorithm (1.3.0)
+      openssl (> 2.0)
    ostruct (0.6.3)
    parallel (1.27.0)
-    parser (3.3.9.0)
+    parser (3.3.10.0)
      ast (~> 2.4.1)
      racc
    pp (0.6.3)
      prettyprint
    prettyprint (0.2.0)
-    prism (1.6.0)
+    prism (1.7.0)
    propshaft (1.3.1)
      actionpack (>= 7.0.0)
      activesupport (>= 7.0.0)
      rack
-    psych (5.2.6)
+    psych (5.3.1)
      date
      stringio
-    public_suffix (6.0.2)
+    public_suffix (7.0.0)
    puma (7.1.0)
      nio4r (~> 2.0)
    raabro (1.4.0)
    racc (1.8.1)
-    rack (3.2.3)
+    rack (3.2.4)
    rack-session (2.1.1)
      base64 (>= 0.1.0)
      rack (>= 3.0.0)
    rack-test (2.2.0)
      rack (>= 1.3)
-    rackup (2.2.1)
+    rackup (2.3.1)
      rack (>= 3)
-    rails (8.1.0)
-      actioncable (= 8.1.0)
-      actionmailbox (= 8.1.0)
-      actionmailer (= 8.1.0)
-      actionpack (= 8.1.0)
-      actiontext (= 8.1.0)
-      actionview (= 8.1.0)
-      activejob (= 8.1.0)
-      activemodel (= 8.1.0)
-      activerecord (= 8.1.0)
-      activestorage (= 8.1.0)
-      activesupport (= 8.1.0)
+    rails (8.1.1)
+      actioncable (= 8.1.1)
+      actionmailbox (= 8.1.1)
+      actionmailer (= 8.1.1)
+      actionpack (= 8.1.1)
+      actiontext (= 8.1.1)
+      actionview (= 8.1.1)
+      activejob (= 8.1.1)
+      activemodel (= 8.1.1)
+      activerecord (= 8.1.1)
+      activestorage (= 8.1.1)
+      activesupport (= 8.1.1)
      bundler (>= 1.15.0)
-      railties (= 8.1.0)
+      railties (= 8.1.1)
    rails-dom-testing (2.3.0)
      activesupport (>= 5.0.0)
      minitest
@@ -256,9 +274,9 @@ GEM
    rails-html-sanitizer (1.6.2)
      loofah (~> 2.21)
      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (8.1.0)
-      actionpack (= 8.1.0)
-      activesupport (= 8.1.0)
+    railties (8.1.1)
+      actionpack (= 8.1.1)
+      activesupport (= 8.1.1)
      irb (~> 1.13)
      rackup (>= 1.0.0)
      rake (>= 12.2)
@@ -266,21 +284,21 @@ GEM
      tsort (>= 0.2)
      zeitwerk (~> 2.6)
    rainbow (3.1.1)
-    rake (13.3.0)
-    rdoc (6.15.0)
+    rake (13.3.1)
+    rdoc (7.0.3)
      erb
      psych (>= 4.0.0)
      tsort
    regexp_parser (2.11.3)
-    reline (0.6.2)
+    reline (0.6.3)
      io-console (~> 0.5)
    rexml (3.4.4)
    rotp (6.3.0)
-    rqrcode (2.2.0)
+    rqrcode (3.1.1)
      chunky_png (~> 1.0)
-      rqrcode_core (~> 1.0)
-    rqrcode_core (1.2.0)
-    rubocop (1.81.6)
+      rqrcode_core (~> 2.0)
+    rqrcode_core (2.0.1)
+    rubocop (1.81.7)
      json (~> 2.3)
      language_server-protocol (~> 3.17.0.2)
      lint_roller (~> 1.1.0)
@@ -291,99 +309,127 @@ GEM
      rubocop-ast (>= 1.47.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.47.1)
+    rubocop-ast (1.49.0)
      parser (>= 3.3.7.2)
-      prism (~> 1.4)
+      prism (~> 1.7)
    rubocop-performance (1.26.1)
      lint_roller (~> 1.1)
      rubocop (>= 1.75.0, < 2.0)
      rubocop-ast (>= 1.47.1, < 2.0)
-    rubocop-rails (2.33.4)
-      activesupport (>= 4.2.0)
-      lint_roller (~> 1.1)
-      rack (>= 1.1)
-      rubocop (>= 1.75.0, < 2.0)
-      rubocop-ast (>= 1.44.0, < 2.0)
-    rubocop-rails-omakase (1.1.0)
-      rubocop (>= 1.72)
-      rubocop-performance (>= 1.24)
-      rubocop-rails (>= 2.30)
    ruby-progressbar (1.13.0)
-    ruby-vips (2.2.5)
+    ruby-vips (2.3.0)
      ffi (~> 1.12)
      logger
-    rubyzip (3.2.0)
+    rubyzip (3.2.2)
+    safety_net_attestation (0.5.0)
+      jwt (>= 2.0, < 4.0)
    securerandom (0.4.1)
-    selenium-webdriver (4.37.0)
+    selenium-webdriver (4.39.0)
      base64 (~> 0.2)
      logger (~> 1.4)
      rexml (~> 3.2, >= 3.2.5)
      rubyzip (>= 1.2.2, < 4.0)
      websocket (~> 1.0)
+    sentry-rails (6.2.0)
+      railties (>= 5.2.0)
+      sentry-ruby (~> 6.2.0)
+    sentry-ruby (6.2.0)
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.13.2)
+    simplecov_json_formatter (0.1.4)
    solid_cable (3.0.12)
      actioncable (>= 7.2)
      activejob (>= 7.2)
      activerecord (>= 7.2)
      railties (>= 7.2)
-    solid_cache (1.0.8)
+    solid_cache (1.0.10)
      activejob (>= 7.2)
      activerecord (>= 7.2)
      railties (>= 7.2)
-    solid_queue (1.2.2)
+    solid_queue (1.2.4)
      activejob (>= 7.1)
      activerecord (>= 7.1)
      concurrent-ruby (>= 1.3.1)
      fugit (~> 1.11)
      railties (>= 7.1)
      thor (>= 1.3.1)
-    sqlite3 (2.7.4-aarch64-linux-gnu)
-    sqlite3 (2.7.4-aarch64-linux-musl)
-    sqlite3 (2.7.4-arm-linux-gnu)
-    sqlite3 (2.7.4-arm-linux-musl)
-    sqlite3 (2.7.4-arm64-darwin)
-    sqlite3 (2.7.4-x86_64-linux-gnu)
-    sqlite3 (2.7.4-x86_64-linux-musl)
-    sshkit (1.24.0)
+    sqlite3 (2.9.0-aarch64-linux-gnu)
+    sqlite3 (2.9.0-aarch64-linux-musl)
+    sqlite3 (2.9.0-arm-linux-gnu)
+    sqlite3 (2.9.0-arm-linux-musl)
+    sqlite3 (2.9.0-arm64-darwin)
+    sqlite3 (2.9.0-x86_64-linux-gnu)
+    sqlite3 (2.9.0-x86_64-linux-musl)
+    sshkit (1.25.0)
      base64
      logger
      net-scp (>= 1.1.2)
      net-sftp (>= 2.1.2)
      net-ssh (>= 2.8.0)
      ostruct
+    standard (1.52.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.81.7)
+      standard-custom (~> 1.0.0)
+      standard-performance (~> 1.8)
+    standard-custom (1.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.50)
+    standard-performance (1.9.0)
+      lint_roller (~> 1.1)
+      rubocop-performance (~> 1.26.0)
    stimulus-rails (1.3.4)
      railties (>= 6.0.0)
-    stringio (3.1.7)
-    tailwindcss-rails (4.3.0)
+    stringio (3.2.0)
+    tailwindcss-rails (4.4.0)
      railties (>= 7.0.0)
      tailwindcss-ruby (~> 4.0)
-    tailwindcss-ruby (4.1.13)
-    tailwindcss-ruby (4.1.13-aarch64-linux-gnu)
-    tailwindcss-ruby (4.1.13-aarch64-linux-musl)
-    tailwindcss-ruby (4.1.13-arm64-darwin)
-    tailwindcss-ruby (4.1.13-x86_64-linux-gnu)
-    tailwindcss-ruby (4.1.13-x86_64-linux-musl)
+    tailwindcss-ruby (4.1.18)
+    tailwindcss-ruby (4.1.18-aarch64-linux-gnu)
+    tailwindcss-ruby (4.1.18-aarch64-linux-musl)
+    tailwindcss-ruby (4.1.18-arm64-darwin)
+    tailwindcss-ruby (4.1.18-x86_64-linux-gnu)
+    tailwindcss-ruby (4.1.18-x86_64-linux-musl)
    thor (1.4.0)
-    thruster (0.1.16)
-    thruster (0.1.16-aarch64-linux)
-    thruster (0.1.16-arm64-darwin)
-    thruster (0.1.16-x86_64-linux)
-    timeout (0.4.3)
+    thruster (0.1.17)
+    thruster (0.1.17-aarch64-linux)
+    thruster (0.1.17-arm64-darwin)
+    thruster (0.1.17-x86_64-linux)
+    timeout (0.6.0)
+    tpm-key_attestation (0.14.1)
+      bindata (~> 2.4)
+      openssl (> 2.0)
+      openssl-signature_algorithm (~> 1.0)
    tsort (0.2.0)
-    turbo-rails (2.0.17)
+    turbo-rails (2.0.20)
      actionpack (>= 7.1.0)
      railties (>= 7.1.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
    unicode-display_width (3.2.0)
      unicode-emoji (~> 4.1)
-    unicode-emoji (4.1.0)
-    uri (1.0.4)
+    unicode-emoji (4.2.0)
+    uri (1.1.1)
    useragent (0.16.11)
    web-console (4.2.1)
      actionview (>= 6.0.0)
      activemodel (>= 6.0.0)
      bindex (>= 0.4.0)
      railties (>= 6.0.0)
+    webauthn (3.4.3)
+      android_key_attestation (~> 0.3.0)
+      bindata (~> 2.4)
+      cbor (~> 0.5.9)
+      cose (~> 1.1)
+      openssl (>= 2.2)
+      safety_net_attestation (~> 0.5.0)
+      tpm-key_attestation (~> 0.14.0)
    websocket (1.2.11)
    websocket-driver (0.8.0)
      base64
@@ -391,7 +437,7 @@ GEM
    websocket-extensions (0.1.5)
    xpath (3.2.0)
      nokogiri (~> 1.8)
-    zeitwerk (2.7.3)
+    zeitwerk (2.7.4)

 PLATFORMS
  aarch64-linux
@@ -414,25 +460,32 @@ DEPENDENCIES
  image_processing (~> 1.2)
  importmap-rails
  jbuilder
-  jwt (~> 2.9)
+  jwt (~> 3.1)
  kamal
+  letter_opener
+  minitest (< 6.0)
  propshaft
+  public_suffix (~> 7.0)
  puma (>= 5.0)
-  rails (~> 8.1.0)
+  rails (~> 8.1.1)
  rotp (~> 6.3)
-  rqrcode (~> 2.0)
-  rubocop-rails-omakase
+  rqrcode (~> 3.1)
  selenium-webdriver
+  sentry-rails (~> 6.2)
+  sentry-ruby (~> 6.2)
+  simplecov
  solid_cable
  solid_cache
-  solid_queue
+  solid_queue (~> 1.2)
  sqlite3 (>= 2.1)
+  standard
  stimulus-rails
  tailwindcss-rails
  thruster
  turbo-rails
  tzinfo-data
  web-console
+  webauthn (~> 3.0)

 BUNDLED WITH
-   2.7.2
+  4.0.3
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Dan Milne
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/README.md
+++ b/README.md
@@ -1,12 +1,19 @@
 # Clinch
+## Position and Control for your Authentication
+> [!NOTE]
+> This software is experimental. If you'd like to try it out, find bugs, security flaws and improvements, please do.  

-**A lightweight, self-hosted identity & SSO portal**
+We do these things not because they're easy, but because we thought they'd be easy.

-Clinch gives you one place to manage users and lets any web app authenticate against it without maintaining its own user table.
+**A lightweight, self-hosted identity & SSO / IpD portal**
+
+Clinch gives you one place to manage users and lets any web app authenticate against it without managing its own users.

 ## Why Clinch?

-Do you host your own web apps? MeTube, Kavita, Audiobookshelf, Gitea? Rather than managing all those separate user accounts, set everyone up on Clinch and let it do the authentication and user management.
+Do you host your own web apps? MeTube, Kavita, Audiobookshelf, Gitea, Grafana, Proxmox? Rather than managing all those separate user accounts, set everyone up on Clinch and let it do the authentication and user management.
+
+Clinch runs as a single Docker container, using SQLite as the database, the job queue (Solid Queue) and the shared cache (Solid Cache). The webserver, Puma, runs the job queue in-process, avoiding the need for another container.

 Clinch sits in a sweet spot between two excellent open-source identity solutions:

@@ -18,6 +25,35 @@ Clinch sits in a sweet spot between two excellent open-source identity solutions

 ---

+## Screenshots
+
+### User Dashboard
+[![User Dashboard](docs/screenshots/thumbs/0-dashboard.png)](docs/screenshots/0-dashboard.png)
+
+### Sign In
+[![Sign In](docs/screenshots/thumbs/1-signin.png)](docs/screenshots/1-signin.png)
+
+### Sign In with 2FA
+[![Sign In with 2FA](docs/screenshots/thumbs/2-signin.png)](docs/screenshots/2-signin.png)
+
+### Users Management
+[![Users Management](docs/screenshots/thumbs/3-users.png)](docs/screenshots/3-users.png)
+
+### Welcome Screen
+[![Welcome Screen](docs/screenshots/thumbs/4-welcome.png)](docs/screenshots/4-welcome.png)
+
+### Welcome Setup
+[![Welcome Setup](docs/screenshots/thumbs/5-welcome-2.png)](docs/screenshots/5-welcome-2.png)
+
+### Setup 2FA
+[![Setup 2FA](docs/screenshots/thumbs/6-setup-2fa.png)](docs/screenshots/6-setup-2fa.png)
+
+### Forward Auth Example 1
+[![Forward Auth Example 1](docs/screenshots/thumbs/7-forward-auth-1.png)](docs/screenshots/7-forward-auth-1.png)
+
+### Forward Auth Example 2
+[![Forward Auth Example 2](docs/screenshots/thumbs/8-forward-auth-2.png)](docs/screenshots/8-forward-auth-2.png)
+
 ## Features

 ### User Management
@@ -27,30 +63,68 @@ Clinch sits in a sweet spot between two excellent open-source identity solutions
 - **User statuses** - Active, disabled, or pending invitation

 ### Authentication Methods
+- **WebAuthn/Passkeys** - Modern passwordless authentication using FIDO2 standards
 - **Password authentication** - Secure bcrypt-based password storage
- **Magic login links** - Passwordless login via email (15-minute expiry)
 - **TOTP 2FA** - Optional time-based one-time passwords with QR code setup
 - **Backup codes** - 10 single-use recovery codes per user
- **Configurable 2FA enforcement** - Admins can require TOTP for specific users/groups
+- **Configurable 2FA enforcement** - Admins can require TOTP for specific users

 ### SSO Protocols

+Apps that speak OIDC use the OIDC flow.
+Apps that only need "who is it?", or you want available from the internet behind authentication (MeTube, Jellyfin) use ForwardAuth.
+
 #### OpenID Connect (OIDC)
 Standard OAuth2/OIDC provider with endpoints:
 - `/.well-known/openid-configuration` - Discovery endpoint
- `/authorize` - Authorization endpoint
- `/token` - Token endpoint
+- `/authorize` - Authorization endpoint with PKCE support
+- `/token` - Token endpoint (authorization_code and refresh_token grants)
 - `/userinfo` - User info endpoint
+- `/revoke` - Token revocation endpoint (RFC 7009)

-Client apps (Audiobookshelf, Kavita, Grafana, etc.) redirect to Clinch for login and receive ID tokens and access tokens.
+Features:
+- **Refresh tokens** - Long-lived tokens (30 days default) with automatic rotation and revocation
+- **Token family tracking** - Advanced security detects token replay attacks and revokes compromised token families
+- **Configurable token expiry** - Set access token (5min-24hr), refresh token (1-90 days), and ID token TTL per application
+- **Token security** - All tokens HMAC-SHA256 hashed (suitable for 256-bit random data), automatic cleanup of expired tokens
+- **Pairwise subject identifiers** - Each user gets a unique, stable `sub` claim per application for enhanced privacy
+
+**ID Token Claims** (JWT with RS256 signature):
+
+| Claim | Description | Notes |
+|-------|-------------|-------|
+| Standard Claims | | |
+| `iss` | Issuer (Clinch URL) | From `CLINCH_HOST` |
+| `sub` | Subject (user identifier) | Pairwise SID - unique per app |
+| `aud` | Audience | OAuth client_id |
+| `exp` | Expiration timestamp | Configurable TTL |
+| `iat` | Issued-at timestamp | Token creation time |
+| `email` | User email | |
+| `email_verified` | Email verification | Always `true` |
+| `preferred_username` | Username/email | Fallback to email |
+| `name` | Display name | User's name or email |
+| `nonce` | Random value | From auth request (prevents replay) |
+| **Security Claims** | | |
+| `at_hash` | Access token hash | SHA-256 hash of access_token (OIDC Core §3.1.3.6) |
+| `auth_time` | Authentication time | Unix timestamp of when user logged in (OIDC Core §2) |
+| `acr` | Auth context class | `"1"` = password, `"2"` = 2FA/passkey (OIDC Core §2) |
+| `azp` | Authorized party | OAuth client_id (OIDC Core §2) |
+| Custom Claims | | |
+| `groups` | User's groups | Array of group names |
+| *custom* | Arbitrary key-values | From groups, users, or app-specific config |
+
+**Authentication Context Class Reference (`acr`):**
+- `"1"` - Something you know (password only)
+- `"2"` - Two-factor or phishing-resistant (TOTP, backup codes, WebAuthn/passkey)
+
+Client apps (Audiobookshelf, Kavita, Proxmox, Grafana, etc.) redirect to Clinch for login and receive ID tokens, access tokens, and refresh tokens.

 #### Trusted-Header SSO (ForwardAuth)
 Works with reverse proxies (Caddy, Traefik, Nginx):
 1. Proxy sends every request to `/api/verify`
-2. **200 OK** → Proxy injects headers (`Remote-User`, `Remote-Groups`, `Remote-Email`) and forwards to app
-3. **401/403** → Proxy redirects to Clinch login; after login, user returns to original URL
-
-Apps that speak OIDC use the OIDC flow; apps that only need "who is it?" headers use ForwardAuth.
+2. Response handling:
+   - **200 OK** → Proxy injects headers (`Remote-User`, `Remote-Groups`, `Remote-Email`) and forwards to app
+   - **Any other status** → Proxy returns that response directly to client (typically 302 redirect to login page)

 **Note:** ForwardAuth requires applications to run on the same domain as Clinch (e.g., `app.yourdomain.com` with Clinch at `auth.yourdomain.com`) for secure session cookie sharing. Take a look at Authentik if you need multi domain support.

@@ -58,7 +132,6 @@ Apps that speak OIDC use the OIDC flow; apps that only need "who is it?" headers
 Send emails for:
 - Invitation links (one-time token, 7-day expiry)
 - Password reset links (one-time token, 1-hour expiry)
- 2FA backup codes

 ### Session Management
 - **Device tracking** - See all active sessions with device names and IPs
@@ -66,9 +139,54 @@ Send emails for:
 - **Session revocation** - Users and admins can revoke individual sessions

 ### Access Control
- **Group-based allowlists** - Restrict applications to specific user groups
- **Per-application access** - Each app defines which groups can access it
- **Automatic enforcement** - Access checks during OIDC authorization and ForwardAuth
+
+#### Group-Based Application Access
+Clinch uses groups to control which users can access which applications:
+
+- **Create groups** - Organize users into logical groups (readers, editors, family, developers, etc.)
+- **Assign groups to applications** - Each app defines which groups are allowed to access it
+  - Example: Kavita app allows the "readers" group → only users in the "readers" group can sign in
+  - If no groups are assigned to an app → all active users can access it
+- **Automatic enforcement** - Access checks happen automatically:
+  - During OIDC authorization flow (before consent)
+  - During ForwardAuth verification (before proxying requests)
+  - Users not in allowed groups receive a "You do not have permission" error
+
+#### Group Claims in Tokens
+- **OIDC tokens include group membership** - ID tokens contain a `groups` claim with all user's groups
+- **Custom claims** - Add arbitrary key-value pairs to tokens via groups and users
+  - Group claims apply to all members (e.g., `{"role": "viewer"}`)
+  - User claims override group claims for fine-grained control
+  - Perfect for app-specific authorization (e.g., admin vs. read-only roles)
+
+#### Custom Claims Merging
+Custom claims from groups and users are merged into OIDC ID tokens with the following precedence:
+
+1. **Default OIDC claims** - Standard claims (`iss`, `sub`, `aud`, `exp`, `email`, etc.)
+2. **Standard Clinch claims** - `groups` array (list of user's group names)
+3. **Group custom claims** - Merged in order; later groups override earlier ones
+4. **User custom claims** - Override all group claims
+5. **Application-specific claims** - Highest priority; override all other claims
+
+**Example:**
+- Group "readers" has `{"role": "viewer", "max_items": 10}`
+- Group "premium" has `{"role": "subscriber", "max_items": 100}`
+- User (in both groups) has `{"max_items": 500}`
+- **Result:** `{"role": "subscriber", "max_items": 500}` (user overrides max_items, premium overrides role)
+
+#### Application-Specific Claims
+Configure different claims for different applications on a per-user basis:
+
+- **Per-app customization** - Each application can have unique claims for each user
+- **Highest precedence** - App-specific claims override group and user global claims
+- **Use case** - Different roles in different apps (e.g., admin in Kavita, user in Audiobookshelf)
+- **Admin UI** - Configure via Admin → Users → Edit User → App-Specific Claim Overrides
+
+**Example:**
+- User Alice, global claims: `{"theme": "dark"}`
+- Kavita app-specific: `{"kavita_groups": ["admin"]}`
+- Audiobookshelf app-specific: `{"abs_groups": ["user"]}`
+- **Result:** Kavita receives `{"theme": "dark", "kavita_groups": ["admin"]}`, Audiobookshelf receives `{"theme": "dark", "abs_groups": ["user"]}`

 ---

@@ -83,11 +201,13 @@ Send emails for:
 - TOTP secret and backup codes (encrypted)
 - TOTP enforcement flag
 - Status (active, disabled, pending_invitation)
+- Custom claims (JSON) - arbitrary key-value pairs added to OIDC tokens
 - Token generation for invitations, password resets, and magic logins

 **Group**
 - Name (unique, normalized to lowercase)
 - Description
+- Custom claims (JSON) - shared claims for all members (merged with user claims)
 - Many-to-many with Users and Applications

 **Session**
@@ -100,28 +220,34 @@ Send emails for:

 **Application**
 - Name and slug (URL-safe identifier)
- Type (oidc, trusted_header, saml)
- Client ID and secret (for OIDC)
- Redirect URIs (JSON array)
+- Type (oidc or forward_auth)
+- Client ID and secret (for OIDC apps)
+- Redirect URIs (for OIDC apps)
+- Domain pattern (for ForwardAuth apps, supports wildcards like *.example.com)
+- Headers config (for ForwardAuth apps, JSON configuration for custom header names)
+- Token TTL configuration (access_token_ttl, refresh_token_ttl, id_token_ttl)
 - Metadata (flexible JSON storage)
 - Active flag
 - Many-to-many with Groups (allowlist)

 **OIDC Tokens**
- Authorization codes (10-minute expiry, one-time use)
- Access tokens (1-hour expiry, revocable)
+- Authorization codes (opaque, HMAC-SHA256 hashed, 10-minute expiry, one-time use, PKCE support)
+- Access tokens (opaque, HMAC-SHA256 hashed, configurable expiry 5min-24hr, revocable)
+- Refresh tokens (opaque, HMAC-SHA256 hashed, configurable expiry 1-90 days, single-use with rotation)
+- ID tokens (JWT, signed with RS256, configurable expiry 5min-24hr)

 ---

 ## Authentication Flows

 ### OIDC Authorization Flow
-1. Client redirects user to `/authorize` with client_id, redirect_uri, scope
+1. Client redirects user to `/authorize` with client_id, redirect_uri, scope (optional PKCE)
 2. User authenticates with Clinch (username/password + optional TOTP)
 3. Access control check: Is user in an allowed group for this app?
 4. If allowed, generate authorization code and redirect to client
-5. Client exchanges code for access token at `/token`
-6. Client uses access token to fetch user info from `/userinfo`
+5. Client exchanges code at `/token` for ID token, access token, and refresh token
+6. Client uses access token to fetch fresh user info from `/userinfo`
+7. When access token expires, client uses refresh token to get new tokens (no re-authentication)

 ### ForwardAuth Flow
 1. User requests protected resource at `https://app.example.com/dashboard`
@@ -135,6 +261,24 @@ Send emails for:
   - Proxy redirects to Clinch login page
   - After login, redirect back to original URL

+#### Race Condition Handling
+
+After successful login, you may notice an `fa_token` query parameter appended to redirect URLs (e.g., `https://app.example.com/dashboard?fa_token=...`). This solves a timing issue:
+
+**The Problem:**
+1. User signs in → session cookie is set
+2. Browser gets redirected to protected resource
+3. Browser may not have processed the `Set-Cookie` header yet
+4. Reverse proxy checks `/api/verify` → no cookie yet → auth fails ❌
+
+**The Solution:**
+- A one-time token (`fa_token`) is added to the redirect URL as a query parameter
+- `/api/verify` checks for this token first, before checking cookies
+- Token is cached for 60 seconds and deleted immediately after use
+- This gives the browser's cookie handling time to catch up
+
+This is transparent to end users and requires no configuration.
+
 ---

 ## Setup & Installation
@@ -160,55 +304,210 @@ bin/rails db:migrate
 bin/dev
 ```

-### Docker Deployment
+---
+
+## Production Deployment
+
+### Docker Compose (Recommended)
+
+Create a `docker-compose.yml` file:
+
+```yaml
+services:
+  clinch:
+    image: ghcr.io/dkam/clinch:latest
+    ports:
+      - "127.0.0.1:3000:3000"  # Bind to localhost only (reverse proxy on same host)
+      # Use "3000:3000" if reverse proxy is in Docker network or different host
+    environment:
+      # Rails Configuration
+      RAILS_ENV: production
+      SECRET_KEY_BASE: ${SECRET_KEY_BASE}
+
+      # Application Configuration
+      CLINCH_HOST: ${CLINCH_HOST}
+      CLINCH_FROM_EMAIL: ${CLINCH_FROM_EMAIL:-noreply@example.com}
+
+      # SMTP Configuration
+      SMTP_ADDRESS: ${SMTP_ADDRESS}
+      SMTP_PORT: ${SMTP_PORT}
+      SMTP_DOMAIN: ${SMTP_DOMAIN}
+      SMTP_USERNAME: ${SMTP_USERNAME}
+      SMTP_PASSWORD: ${SMTP_PASSWORD}
+      SMTP_AUTHENTICATION: ${SMTP_AUTHENTICATION:-plain}
+      SMTP_ENABLE_STARTTLS: ${SMTP_ENABLE_STARTTLS:-true}
+
+      # OIDC Configuration (optional - generates temporary key if not provided)
+      OIDC_PRIVATE_KEY: ${OIDC_PRIVATE_KEY}
+
+      # Optional Configuration
+      FORCE_SSL: ${FORCE_SSL:-false}
+    volumes:
+      - ./storage:/rails/storage
+    restart: unless-stopped
+```
+
+Create a `.env` file in the same directory:
+
+**Generate required secrets first:**

 ```bash
-# Build image
-docker build -t clinch .
+# Generate SECRET_KEY_BASE (required)
+openssl rand -hex 64

-# Run container
-docker run -p 9000:9000 \
-  -v clinch-storage:/rails/storage \
-  -e SECRET_KEY_BASE=your-secret-key \
-  -e SMTP_ADDRESS=smtp.example.com \
-  -e SMTP_PORT=587 \
-  -e SMTP_USERNAME=your-username \
-  -e SMTP_PASSWORD=your-password \
-  clinch
+# Generate OIDC private key (optional - auto-generated if not provided)
+openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
+cat private_key.pem  # Copy the output into OIDC_PRIVATE_KEY below
 ```

+**Then create `.env`:**
+
+```bash
+# Rails Secret (REQUIRED)
+SECRET_KEY_BASE=paste-output-from-openssl-rand-hex-64-here
+
+# Application URLs (REQUIRED)
+CLINCH_HOST=https://auth.yourdomain.com
+CLINCH_FROM_EMAIL=noreply@yourdomain.com
+
+# SMTP Settings (REQUIRED for invitations and password resets)
+SMTP_ADDRESS=smtp.example.com
+SMTP_PORT=587
+SMTP_DOMAIN=yourdomain.com
+SMTP_USERNAME=your-smtp-username
+SMTP_PASSWORD=your-smtp-password
+
+# OIDC Private Key (OPTIONAL - generates temporary key if not provided)
+# For production, generate a persistent key and paste the ENTIRE contents here
+OIDC_PRIVATE_KEY=
+
+# Optional: Force SSL redirects (only if NOT behind a reverse proxy handling SSL)
+FORCE_SSL=false
+```
+
+Start Clinch:
+
+```bash
+docker compose up -d
+```
+
+**First Run:**
+1. Visit `http://localhost:3000` (or your configured domain)
+2. Complete the first-run wizard to create your admin account
+3. Configure applications and invite users
+
+**Upgrading:**
+
+```bash
+# Pull latest image
+docker compose pull
+
+# Restart with new image (migrations run automatically)
+docker compose up -d
+```
+
+**Logs:**
+
+```bash
+# View logs
+docker compose logs -f clinch
+
+# View last 100 lines
+docker compose logs --tail=100 clinch
+```
+
+### Backup & Restore
+
+Clinch stores all persistent data in the `storage/` directory (or `/rails/storage` in Docker):
+- SQLite database (`production.sqlite3`)
+- Uploaded files via ActiveStorage (application icons)
+
+**Database Backup:**
+
+Use SQLite's `VACUUM INTO` command for safe, atomic backups of a running database:
+
+```bash
+# Local development
+sqlite3 storage/production.sqlite3 "VACUUM INTO 'backup.sqlite3';"
+```
+
+This creates an optimized copy of the database that's safe to make even while Clinch is running.
+
+**Full Backup (Database + Uploads):**
+
+For complete backups including uploaded files, backup the database and uploads separately:
+
+```bash
+# 1. Backup database (safe while running)
+sqlite3 storage/production.sqlite3 "VACUUM INTO 'backup-$(date +%Y%m%d).sqlite3';"
+
+# 2. Backup uploaded files (ActiveStorage files are immutable)
+tar -czf uploads-backup-$(date +%Y%m%d).tar.gz storage/uploads/
+
+# Docker Compose equivalent
+docker compose exec clinch sqlite3 /rails/storage/production.sqlite3 "VACUUM INTO '/rails/storage/backup-$(date +%Y%m%d).sqlite3';"
+docker compose exec clinch tar -czf /rails/storage/uploads-backup-$(date +%Y%m%d).tar.gz /rails/storage/uploads/
+```
+
+**Restore:**
+
+```bash
+# Stop Clinch first
+# Then restore database
+cp backup-YYYYMMDD.sqlite3 storage/production.sqlite3
+
+# Restore uploads
+tar -xzf uploads-backup-YYYYMMDD.tar.gz -C storage/
+```
+
+**Docker Volume Backup:**
+
+**Option 1: While Running (Online Backup)**
+
+a) **Mapped volumes** (recommended, e.g., `-v /host/path:/rails/storage`):
+```bash
+# Database backup (safe while running)
+sqlite3 /host/path/production.sqlite3 "VACUUM INTO '/host/path/backup-$(date +%Y%m%d).sqlite3';"
+
+# Then sync to off-server storage
+rsync -av /host/path/backup-*.sqlite3 /host/path/uploads/ remote:/backups/clinch/
+```
+
+b) **Docker volumes** (e.g., using named volumes in compose):
+```bash
+# Database backup (safe while running)
+docker compose exec clinch sqlite3 /rails/storage/production.sqlite3 "VACUUM INTO '/rails/storage/backup.sqlite3';"
+
+# Copy out of container
+docker compose cp clinch:/rails/storage/backup.sqlite3 ./backup-$(date +%Y%m%d).sqlite3
+```
+
+**Option 2: While Stopped (Offline Backup)**
+
+If Docker is stopped, you can copy the entire storage:
+```bash
+docker compose down
+
+# For mapped volumes
+tar -czf clinch-backup-$(date +%Y%m%d).tar.gz /host/path/
+
+# For docker volumes
+docker run --rm -v clinch_storage:/data -v $(pwd):/backup ubuntu \
+  tar czf /backup/clinch-backup-$(date +%Y%m%d).tar.gz /data
+
+docker compose up -d
+```
+
+**Important:** Do not use tar/snapshots on a running database - use `VACUUM INTO` instead or stop the container first.
+
 ---

 ## Configuration

-### Environment Variables
-
-Create a `.env` file (see `.env.example`):
-
-```bash
-# Rails
-SECRET_KEY_BASE=generate-with-bin-rails-secret
-RAILS_ENV=production
-
-# Database
-# SQLite database stored in storage/ directory (Docker volume mount point)
-
-# SMTP (for sending emails)
-SMTP_ADDRESS=smtp.example.com
-SMTP_PORT=587
-SMTP_DOMAIN=example.com
-SMTP_USERNAME=your-username
-SMTP_PASSWORD=your-password
-SMTP_AUTHENTICATION=plain
-SMTP_ENABLE_STARTTLS=true
-
-# Application
-CLINCH_HOST=https://auth.example.com
-CLINCH_FROM_EMAIL=noreply@example.com
-```
+All configuration is handled via environment variables (see the `.env` file in the Docker Compose section above).

 ### First Run
-1. Visit Clinch at `http://localhost:9000` (or your configured domain)
+1. Visit Clinch at `http://localhost:3000` (or your configured domain)
 2. First-run wizard creates initial admin user
 3. Admin can then:
   - Create groups
@@ -218,22 +517,255 @@ CLINCH_FROM_EMAIL=noreply@example.com

 ---

-## Roadmap
+## Rails Console

-### In Progress
- OIDC provider implementation
- ForwardAuth endpoint
- Admin UI for user/group/app management
- First-run wizard
+One advantage of being a Rails application is direct access to the Rails console for administrative tasks. This is particularly useful for debugging, emergency access, or bulk operations.

-### Planned Features
- **SAML support** - SAML 2.0 identity provider
- **Policy engine** - Rule-based access control
-  - Example: `IF user.email =~ "*@gmail.com" AND app.slug == "kavita" THEN DENY`
-  - Stored as JSON, evaluated after auth but before consent
- **Audit logging** - Track all authentication events
- **WebAuthn/Passkeys** - Hardware key support
- **LDAP sync** - Import users from LDAP/Active Directory
+### Starting the Console
+
+```bash
+# Docker / Docker Compose
+docker exec -it clinch bin/rails console
+# or
+docker compose exec -it clinch bin/rails console
+
+# Local development
+bin/rails console
+```
+
+### Finding Users
+
+```ruby
+# Find by email
+user = User.find_by(email_address: 'alice@example.com')
+
+# Find by username
+user = User.find_by(username: 'alice')
+
+# List all users
+User.all.pluck(:id, :email_address, :status)
+
+# Find admins
+User.admins.pluck(:email_address)
+
+# Find users in a specific status
+User.active.count
+User.disabled.pluck(:email_address)
+User.pending_invitation.pluck(:email_address)
+```
+
+### Creating Users
+
+```ruby
+# Create a regular user
+User.create!(
+  email_address: 'newuser@example.com',
+  password: 'secure-password-here',
+  status: :active
+)
+
+# Create an admin user
+User.create!(
+  email_address: 'admin@example.com',
+  password: 'secure-password-here',
+  status: :active,
+  admin: true
+)
+```
+
+### Managing Passwords
+
+```ruby
+user = User.find_by(email_address: 'alice@example.com')
+user.password = 'new-secure-password'
+user.save!
+```
+
+### Two-Factor Authentication (TOTP)
+
+```ruby
+user = User.find_by(email_address: 'alice@example.com')
+
+# Check if TOTP is enabled
+user.totp_enabled?
+
+# Get current TOTP code (useful for testing/debugging)
+puts user.console_totp
+
+# Enable TOTP (generates secret and backup codes)
+backup_codes = user.enable_totp!
+puts backup_codes  # Display backup codes to give to user
+
+# Disable TOTP
+user.disable_totp!
+
+# Force user to set up TOTP on next login
+user.update!(totp_required: true)
+```
+
+### Managing User Status
+
+```ruby
+user = User.find_by(email_address: 'alice@example.com')
+
+# Disable a user (prevents login)
+user.disabled!
+
+# Re-enable a user
+user.active!
+
+# Check current status
+user.status  # => "active", "disabled", or "pending_invitation"
+
+# Grant admin privileges
+user.update!(admin: true)
+
+# Revoke admin privileges
+user.update!(admin: false)
+```
+
+### Managing Groups
+
+```ruby
+user = User.find_by(email_address: 'alice@example.com')
+
+# View user's groups
+user.groups.pluck(:name)
+
+# Add user to a group
+family = Group.find_by(name: 'family')
+user.groups << family
+
+# Remove user from a group
+user.groups.delete(family)
+
+# Create a new group
+Group.create!(name: 'developers', description: 'Development team')
+```
+
+### Managing Sessions
+
+```ruby
+user = User.find_by(email_address: 'alice@example.com')
+
+# View active sessions
+user.sessions.pluck(:id, :device_name, :client_ip, :created_at)
+
+# Revoke all sessions (force logout everywhere)
+user.sessions.destroy_all
+
+# Revoke a specific session
+user.sessions.find(123).destroy
+```
+
+### Managing Applications
+
+```ruby
+# List all OIDC applications
+Application.oidc.pluck(:name, :client_id)
+
+# Find an application
+app = Application.find_by(slug: 'kavita')
+
+# Regenerate client secret
+new_secret = app.generate_new_client_secret!
+puts new_secret  # Display once - not stored in plain text
+
+# Check which users can access an app
+app.allowed_groups.flat_map(&:users).uniq.pluck(:email_address)
+
+# Revoke all tokens for an application
+app.oidc_access_tokens.destroy_all
+app.oidc_refresh_tokens.destroy_all
+```
+
+### Revoking OIDC Consents
+
+```ruby
+user = User.find_by(email_address: 'alice@example.com')
+app = Application.find_by(slug: 'kavita')
+
+# Revoke consent for a specific app
+user.revoke_consent!(app)
+
+# Revoke all OIDC consents
+user.revoke_all_consents!
+```
+
+---
+
+## Testing & Security
+
+### Running Tests
+
+Clinch has comprehensive test coverage with 341 tests covering integration, models, controllers, services, and system tests.
+
+```bash
+# Run all tests
+bin/rails test
+
+# Run specific test types
+bin/rails test:integration
+bin/rails test:models
+bin/rails test:controllers
+bin/rails test:system
+
+# Run with code coverage report
+COVERAGE=1 bin/rails test
+# View coverage report at coverage/index.html
+```
+
+### Security Scanning
+
+Clinch uses multiple automated security tools to ensure code quality and security:
+
+```bash
+# Run all security checks
+bin/rake security
+
+# Individual security scans
+bin/brakeman --no-pager              # Static security analysis
+bin/bundler-audit check --update     # Dependency vulnerability scan
+bin/importmap audit                  # JavaScript dependency scan
+```
+
+**Container Image Scanning:**
+
+```bash
+# Install Trivy
+brew install trivy  # macOS
+# or use Docker: alias trivy='docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy'
+
+# Build and scan image (CRITICAL and HIGH severity only, like CI)
+docker build -t clinch:local .
+trivy image --severity CRITICAL,HIGH --scanners vuln clinch:local
+
+# Scan only for fixable vulnerabilities
+trivy image --severity CRITICAL,HIGH --scanners vuln --ignore-unfixed clinch:local
+```
+
+**CI/CD Integration:**
+All security scans run automatically on every pull request and push to main via GitHub Actions.
+
+**Security Tools:**
+- **Brakeman** - Static analysis for Rails security vulnerabilities
+- **bundler-audit** - Checks gems for known CVEs
+- **Trivy** - Container image vulnerability scanning (OS/system packages)
+- **Dependabot** - Automated dependency updates
+- **GitHub Secret Scanning** - Detects leaked credentials with push protection
+- **SimpleCov** - Code coverage tracking
+- **RuboCop** - Code style and quality enforcement
+
+**Current Status:**
+- ✅ All security scans passing
+- ✅ 341 tests, 1349 assertions, 0 failures
+- ✅ No known dependency vulnerabilities
+- ✅ Phases 1-4 security hardening complete (18+ vulnerabilities fixed)
+- 🟡 3 outstanding security issues (all MEDIUM/LOW priority)
+
+**Security Documentation:**
+- [docs/security-todo.md](docs/security-todo.md) - Detailed vulnerability tracking and remediation history
+- [docs/beta-checklist.md](docs/beta-checklist.md) - Beta release readiness criteria

 ---

@@ -251,4 +783,3 @@ CLINCH_FROM_EMAIL=noreply@example.com
 ## License

 MIT
-
--- a/app/channels/application_cable/connection.rb
+++ b/app/channels/application_cable/connection.rb
@@ -7,10 +7,11 @@ module ApplicationCable
    end

    private
-      def set_current_user
-        if session = Session.find_by(id: cookies.signed[:session_id])
-          self.current_user = session.user
-        end
+
+    def set_current_user
+      if (session = Session.find_by(id: cookies.signed[:session_id]))
+        self.current_user = session.user
      end
+    end
  end
 end
--- a/app/controllers/active_sessions_controller.rb
+++ b/app/controllers/active_sessions_controller.rb
@@ -0,0 +1,101 @@
+class ActiveSessionsController < ApplicationController
+  def show
+    @user = Current.session.user
+    @active_sessions = @user.sessions.active.order(last_activity_at: :desc)
+    @connected_applications = @user.oidc_user_consents.includes(:application).order(granted_at: :desc)
+  end
+
+  def revoke_consent
+    @user = Current.session.user
+    application = Application.find(params[:application_id])
+
+    # Check if user has consent for this application
+    consent = @user.oidc_user_consents.find_by(application: application)
+    unless consent
+      redirect_to active_sessions_path, alert: "No consent found for this application."
+      return
+    end
+
+    # Send backchannel logout notification before revoking consent
+    if application.supports_backchannel_logout?
+      BackchannelLogoutJob.perform_later(
+        user_id: @user.id,
+        application_id: application.id,
+        consent_sid: consent.sid
+      )
+      Rails.logger.info "ActiveSessionsController: Enqueued backchannel logout for #{application.name}"
+    end
+
+    # Revoke all tokens for this user-application pair
+    now = Time.current
+    revoked_access_tokens = OidcAccessToken.where(application: application, user: @user, revoked_at: nil)
+      .update_all(revoked_at: now)
+    revoked_refresh_tokens = OidcRefreshToken.where(application: application, user: @user, revoked_at: nil)
+      .update_all(revoked_at: now)
+
+    Rails.logger.info "ActiveSessionsController: Revoked #{revoked_access_tokens} access tokens and #{revoked_refresh_tokens} refresh tokens for #{application.name}"
+
+    # Revoke the consent
+    consent.destroy
+    redirect_to active_sessions_path, notice: "Successfully revoked access to #{application.name}."
+  end
+
+  def logout_from_app
+    @user = Current.session.user
+    application = Application.find(params[:application_id])
+
+    # Check if user has consent for this application
+    consent = @user.oidc_user_consents.find_by(application: application)
+    unless consent
+      redirect_to root_path, alert: "No active session found for this application."
+      return
+    end
+
+    # Send backchannel logout notification
+    if application.supports_backchannel_logout?
+      BackchannelLogoutJob.perform_later(
+        user_id: @user.id,
+        application_id: application.id,
+        consent_sid: consent.sid
+      )
+      Rails.logger.info "ActiveSessionsController: Enqueued backchannel logout for #{application.name}"
+    end
+
+    # Revoke all tokens for this user-application pair
+    now = Time.current
+    revoked_access_tokens = OidcAccessToken.where(application: application, user: @user, revoked_at: nil)
+      .update_all(revoked_at: now)
+    revoked_refresh_tokens = OidcRefreshToken.where(application: application, user: @user, revoked_at: nil)
+      .update_all(revoked_at: now)
+
+    Rails.logger.info "ActiveSessionsController: Logged out from #{application.name} - revoked #{revoked_access_tokens} access tokens and #{revoked_refresh_tokens} refresh tokens"
+
+    # Keep the consent intact - this is the key difference from revoke_consent
+    redirect_to root_path, notice: "Successfully logged out of #{application.name}."
+  end
+
+  def revoke_all_consents
+    @user = Current.session.user
+    consents = @user.oidc_user_consents.includes(:application)
+    count = consents.count
+
+    if count > 0
+      # Send backchannel logout notifications before revoking consents
+      consents.each do |consent|
+        next unless consent.application.supports_backchannel_logout?
+
+        BackchannelLogoutJob.perform_later(
+          user_id: @user.id,
+          application_id: consent.application.id,
+          consent_sid: consent.sid
+        )
+      end
+      Rails.logger.info "ActiveSessionsController: Enqueued #{count} backchannel logout notifications"
+
+      @user.oidc_user_consents.destroy_all
+      redirect_to active_sessions_path, notice: "Successfully revoked access to #{count} applications."
+    else
+      redirect_to active_sessions_path, alert: "No applications to revoke."
+    end
+  end
+end
--- a/app/controllers/admin/applications_controller.rb
+++ b/app/controllers/admin/applications_controller.rb
@@ -17,6 +17,7 @@ module Admin

    def create
      @application = Application.new(application_params)
+      @available_groups = Group.order(:name)

      if @application.save
        # Handle group assignments
@@ -25,9 +26,21 @@ module Admin
          @application.allowed_groups = Group.where(id: group_ids)
        end

-        redirect_to admin_application_path(@application), notice: "Application created successfully."
+        # Get the plain text client secret to show one time (confidential clients only)
+        client_secret = nil
+        if @application.oidc? && @application.confidential_client?
+          client_secret = @application.generate_new_client_secret!
+        end
+
+        flash[:notice] = "Application created successfully."
+        if @application.oidc?
+          flash[:client_id] = @application.client_id
+          flash[:client_secret] = client_secret if client_secret
+          flash[:public_client] = true if @application.public_client?
+        end
+
+        redirect_to admin_application_path(@application)
      else
-        @available_groups = Group.order(:name)
        render :new, status: :unprocessable_entity
      end
    end
@@ -60,11 +73,22 @@ module Admin

    def regenerate_credentials
      if @application.oidc?
-        @application.update!(
-          client_id: SecureRandom.urlsafe_base64(32),
-          client_secret: SecureRandom.urlsafe_base64(48)
-        )
-        redirect_to admin_application_path(@application), notice: "Credentials regenerated successfully. Make sure to update your application configuration."
+        # Generate new client ID (always)
+        new_client_id = SecureRandom.urlsafe_base64(32)
+        @application.update!(client_id: new_client_id)
+
+        flash[:notice] = "Credentials regenerated successfully."
+        flash[:client_id] = @application.client_id
+
+        # Generate new client secret only for confidential clients
+        if @application.confidential_client?
+          client_secret = @application.generate_new_client_secret!
+          flash[:client_secret] = client_secret
+        else
+          flash[:public_client] = true
+        end
+
+        redirect_to admin_application_path(@application)
      else
        redirect_to admin_application_path(@application), alert: "Only OIDC applications have credentials."
      end
@@ -77,7 +101,24 @@ module Admin
    end

    def application_params
-      params.require(:application).permit(:name, :slug, :app_type, :active, :redirect_uris, :description, :metadata)
+      permitted = params.require(:application).permit(
+        :name, :slug, :app_type, :active, :redirect_uris, :description, :metadata,
+        :domain_pattern, :landing_url, :access_token_ttl, :refresh_token_ttl, :id_token_ttl,
+        :icon, :backchannel_logout_uri, :is_public_client, :require_pkce
+      )
+
+      # Handle headers_config - it comes as a JSON string from the text area
+      if params[:application][:headers_config].present?
+        begin
+          permitted[:headers_config] = JSON.parse(params[:application][:headers_config])
+        rescue JSON::ParserError
+          permitted[:headers_config] = {}
+        end
+      end
+
+      # Remove client_secret from params if present (shouldn't be updated via form)
+      permitted.delete(:client_secret)
+      permitted
    end
  end
 end
--- a/app/controllers/admin/forward_auth_rules_controller.rb
+++ b/app/controllers/admin/forward_auth_rules_controller.rb
@@ -1,71 +0,0 @@
-module Admin
-  class ForwardAuthRulesController < BaseController
-    before_action :set_forward_auth_rule, only: [:show, :edit, :update, :destroy]
-
-    def index
-      @forward_auth_rules = ForwardAuthRule.ordered
-    end
-
-    def show
-      @allowed_groups = @forward_auth_rule.allowed_groups
-    end
-
-    def new
-      @forward_auth_rule = ForwardAuthRule.new
-      @available_groups = Group.order(:name)
-    end
-
-    def create
-      @forward_auth_rule = ForwardAuthRule.new(forward_auth_rule_params)
-
-      if @forward_auth_rule.save
-        # Handle group assignments
-        if params[:forward_auth_rule][:group_ids].present?
-          group_ids = params[:forward_auth_rule][:group_ids].reject(&:blank?)
-          @forward_auth_rule.allowed_groups = Group.where(id: group_ids)
-        end
-
-        redirect_to admin_forward_auth_rule_path(@forward_auth_rule), notice: "Forward auth rule created successfully."
-      else
-        @available_groups = Group.order(:name)
-        render :new, status: :unprocessable_entity
-      end
-    end
-
-    def edit
-      @available_groups = Group.order(:name)
-    end
-
-    def update
-      if @forward_auth_rule.update(forward_auth_rule_params)
-        # Handle group assignments
-        if params[:forward_auth_rule][:group_ids].present?
-          group_ids = params[:forward_auth_rule][:group_ids].reject(&:blank?)
-          @forward_auth_rule.allowed_groups = Group.where(id: group_ids)
-        else
-          @forward_auth_rule.allowed_groups = []
-        end
-
-        redirect_to admin_forward_auth_rule_path(@forward_auth_rule), notice: "Forward auth rule updated successfully."
-      else
-        @available_groups = Group.order(:name)
-        render :edit, status: :unprocessable_entity
-      end
-    end
-
-    def destroy
-      @forward_auth_rule.destroy
-      redirect_to admin_forward_auth_rules_path, notice: "Forward auth rule deleted successfully."
-    end
-
-    private
-
-    def set_forward_auth_rule
-      @forward_auth_rule = ForwardAuthRule.find(params[:id])
-    end
-
-    def forward_auth_rule_params
-      params.require(:forward_auth_rule).permit(:domain_pattern, :active)
-    end
-  end
-end
--- a/app/controllers/admin/groups_controller.rb
+++ b/app/controllers/admin/groups_controller.rb
@@ -18,7 +18,25 @@ module Admin
    end

    def create
-      @group = Group.new(group_params)
+      create_params = group_params
+
+      # Parse custom_claims JSON if provided
+      if create_params[:custom_claims].present?
+        begin
+          create_params[:custom_claims] = JSON.parse(create_params[:custom_claims])
+        rescue JSON::ParserError
+          @group = Group.new
+          @group.errors.add(:custom_claims, "must be valid JSON")
+          @available_users = User.order(:email_address)
+          render :new, status: :unprocessable_entity
+          return
+        end
+      else
+        # If empty or blank, set to empty hash (NOT NULL constraint)
+        create_params[:custom_claims] = {}
+      end
+
+      @group = Group.new(create_params)

      if @group.save
        # Handle user assignments
@@ -39,7 +57,24 @@ module Admin
    end

    def update
-      if @group.update(group_params)
+      update_params = group_params
+
+      # Parse custom_claims JSON if provided
+      if update_params[:custom_claims].present?
+        begin
+          update_params[:custom_claims] = JSON.parse(update_params[:custom_claims])
+        rescue JSON::ParserError
+          @group.errors.add(:custom_claims, "must be valid JSON")
+          @available_users = User.order(:email_address)
+          render :edit, status: :unprocessable_entity
+          return
+        end
+      else
+        # If empty or blank, set to empty hash (NOT NULL constraint)
+        update_params[:custom_claims] = {}
+      end
+
+      if @group.update(update_params)
        # Handle user assignments
        if params[:group][:user_ids].present?
          user_ids = params[:group][:user_ids].reject(&:blank?)
@@ -67,7 +102,7 @@ module Admin
    end

    def group_params
-      params.require(:group).permit(:name, :description)
+      params.require(:group).permit(:name, :description, :custom_claims)
    end
  end
 end
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -1,6 +1,6 @@
 module Admin
  class UsersController < BaseController
-    before_action :set_user, only: [:show, :edit, :update, :destroy]
+    before_action :set_user, only: [:show, :edit, :update, :destroy, :resend_invitation, :update_application_claims, :delete_application_claims]

    def index
      @users = User.order(created_at: :desc)
@@ -16,36 +16,59 @@ module Admin
    def create
      @user = User.new(user_params)
      @user.password = SecureRandom.alphanumeric(16) if user_params[:password].blank?
+      @user.status = :pending_invitation

      if @user.save
-        redirect_to admin_users_path, notice: "User created successfully."
+        InvitationsMailer.invite_user(@user).deliver_later
+        redirect_to admin_users_path, notice: "User created successfully. Invitation email sent to #{@user.email_address}."
      else
        render :new, status: :unprocessable_entity
      end
    end

    def edit
+      @applications = Application.active.order(:name)
    end

    def update
-      # Prevent changing params for the current user's email and admin status
-      # to avoid locking themselves out
-      update_params = user_params.dup
-
-      if @user == Current.session.user
-        update_params.delete(:admin)
-      end
+      update_params = user_params

      # Only update password if provided
      update_params.delete(:password) if update_params[:password].blank?

+      # Parse custom_claims JSON if provided
+      if update_params[:custom_claims].present?
+        begin
+          update_params[:custom_claims] = JSON.parse(update_params[:custom_claims])
+        rescue JSON::ParserError
+          @user.errors.add(:custom_claims, "must be valid JSON")
+          @applications = Application.active.order(:name)
+          render :edit, status: :unprocessable_entity
+          return
+        end
+      else
+        # If empty or blank, set to empty hash (NOT NULL constraint)
+        update_params[:custom_claims] = {}
+      end
+
      if @user.update(update_params)
        redirect_to admin_users_path, notice: "User updated successfully."
      else
+        @applications = Application.active.order(:name)
        render :edit, status: :unprocessable_entity
      end
    end

+    def resend_invitation
+      unless @user.pending_invitation?
+        redirect_to admin_users_path, alert: "Cannot send invitation. User is not pending invitation."
+        return
+      end
+
+      InvitationsMailer.invite_user(@user).deliver_later
+      redirect_to admin_users_path, notice: "Invitation email resent to #{@user.email_address}."
+    end
+
    def destroy
      # Prevent admin from deleting themselves
      if @user == Current.session.user
@@ -57,6 +80,41 @@ module Admin
      redirect_to admin_users_path, notice: "User deleted successfully."
    end

+    # POST /admin/users/:id/update_application_claims
+    def update_application_claims
+      application = Application.find(params[:application_id])
+
+      claims_json = params[:custom_claims].presence || "{}"
+      begin
+        claims = JSON.parse(claims_json)
+      rescue JSON::ParserError
+        redirect_to edit_admin_user_path(@user), alert: "Invalid JSON format for claims."
+        return
+      end
+
+      app_claim = @user.application_user_claims.find_or_initialize_by(application: application)
+      app_claim.custom_claims = claims
+
+      if app_claim.save
+        redirect_to edit_admin_user_path(@user), notice: "App-specific claims updated for #{application.name}."
+      else
+        error_message = app_claim.errors.full_messages.join(", ")
+        redirect_to edit_admin_user_path(@user), alert: "Failed to update claims: #{error_message}"
+      end
+    end
+
+    # DELETE /admin/users/:id/delete_application_claims
+    def delete_application_claims
+      application = Application.find(params[:application_id])
+      app_claim = @user.application_user_claims.find_by(application: application)
+
+      if app_claim&.destroy
+        redirect_to edit_admin_user_path(@user), notice: "App-specific claims removed for #{application.name}."
+      else
+        redirect_to edit_admin_user_path(@user), alert: "No claims found to remove."
+      end
+    end
+
    private

    def set_user
@@ -64,7 +122,15 @@ module Admin
    end

    def user_params
-      params.require(:user).permit(:email_address, :password, :admin, :status)
+      # Base attributes that all admins can modify
+      base_params = params.require(:user).permit(:email_address, :username, :name, :password, :status, :totp_required, :custom_claims)
+
+      # Only allow modifying admin status when editing other users (prevent self-demotion)
+      if params[:id] != Current.session.user.id.to_s
+        base_params[:admin] = params[:user][:admin] if params[:user][:admin].present?
+      end
+
+      base_params
    end
  end
 end
--- a/app/controllers/api/csp_controller.rb
+++ b/app/controllers/api/csp_controller.rb
@@ -0,0 +1,57 @@
+module Api
+  class CspController < ApplicationController
+    # CSP violation reports don't need authentication
+    skip_before_action :verify_authenticity_token
+    allow_unauthenticated_access
+
+    # POST /api/csp-violation-report
+    def violation_report
+      # Parse CSP violation report
+      report_data = JSON.parse(request.body.read)
+      csp_report = report_data["csp-report"]
+
+      # Validate that we have a proper CSP report
+      unless csp_report.is_a?(Hash) && csp_report.present?
+        Rails.logger.warn "Received empty or invalid CSP violation report"
+        head :bad_request
+        return
+      end
+
+      # Log the violation for security monitoring
+      Rails.logger.warn "CSP Violation Report:"
+      Rails.logger.warn "  Blocked URI: #{csp_report["blocked-uri"]}"
+      Rails.logger.warn "  Document URI: #{csp_report["document-uri"]}"
+      Rails.logger.warn "  Referrer: #{csp_report["referrer"]}"
+      Rails.logger.warn "  Violated Directive: #{csp_report["violated-directive"]}"
+      Rails.logger.warn "  Original Policy: #{csp_report["original-policy"]}"
+      Rails.logger.warn "  User Agent: #{request.user_agent}"
+      Rails.logger.warn "  IP Address: #{request.remote_ip}"
+
+      # Emit structured event for CSP violation
+      # This allows multiple subscribers to process the event (Sentry, local logging, etc.)
+      Rails.event.notify("csp.violation", {
+        blocked_uri: csp_report["blocked-uri"],
+        document_uri: csp_report["document-uri"],
+        referrer: csp_report["referrer"],
+        violated_directive: csp_report["violated-directive"],
+        original_policy: csp_report["original-policy"],
+        disposition: csp_report["disposition"],
+        effective_directive: csp_report["effective-directive"],
+        source_file: csp_report["source-file"],
+        line_number: csp_report["line-number"],
+        column_number: csp_report["column-number"],
+        status_code: csp_report["status-code"],
+        user_agent: request.user_agent,
+        ip_address: request.remote_ip,
+        current_user_id: Current.user&.id,
+        timestamp: Time.current,
+        session_id: Current.session&.id
+      })
+
+      head :no_content
+    rescue JSON::ParserError => e
+      Rails.logger.error "Invalid CSP violation report: #{e.message}"
+      head :bad_request
+    end
+  end
+end
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -3,22 +3,27 @@ module Api
    # ForwardAuth endpoints need session storage for return URL
    allow_unauthenticated_access
    skip_before_action :verify_authenticity_token
+    # No rate limiting on forward_auth endpoint - proxy middleware hits this frequently

    # GET /api/verify
    # This endpoint is called by reverse proxies (Traefik, Caddy, nginx)
    # to verify if a user is authenticated and authorized to access a domain
    def verify
-      # Note: app_slug parameter is no longer used - we match domains directly with ForwardAuthRule
+      # Note: app_slug parameter is no longer used - we match domains directly with Application (forward_auth type)
+
+      # Check for one-time forward auth token first (to handle race condition)
+      session_id = check_forward_auth_token
+
+      # If no token found, try to get session from cookie
+      session_id ||= extract_session_id

-      # Get the session from cookie
-      session_id = extract_session_id
      unless session_id
-        # No session cookie - user is not authenticated
+        # No session cookie or token - user is not authenticated
        return render_unauthorized("No session cookie")
      end

-      # Find the session
-      session = Session.find_by(id: session_id)
+      # Find the session with user association (eager loading for performance)
+      session = Session.includes(:user).find_by(id: session_id)
      unless session
        # Invalid session
        return render_unauthorized("Invalid session")
@@ -30,52 +35,75 @@ module Api
        return render_unauthorized("Session expired")
      end

-      # Update last activity
+      # Update last activity (skip validations for performance)
      session.update_column(:last_activity_at, Time.current)

-      # Get the user
+      # Get the user (already loaded via includes(:user))
      user = session.user
      unless user.active?
        return render_unauthorized("User account is not active")
      end

-      # Check for forward auth rule authorization
+      # Check for forward auth application authorization
      # Get the forwarded host for domain matching
      forwarded_host = request.headers["X-Forwarded-Host"] || request.headers["Host"]

      if forwarded_host.present?
-        # Find matching forward auth rule for this domain
-        rule = ForwardAuthRule.active.find { |r| r.matches_domain?(forwarded_host) }
+        # Load all forward auth applications (including inactive ones) for security checks
+        # Preload groups to avoid N+1 queries in user_allowed? checks
+        apps = Application.forward_auth.includes(:allowed_groups)

-        unless rule
-          Rails.logger.warn "ForwardAuth: No rule found for domain: #{forwarded_host}"
+        # Find matching forward auth application for this domain
+        app = apps.find { |a| a.matches_domain?(forwarded_host) }
+
+        if app
+          # Check if application is active
+          unless app.active?
+            Rails.logger.info "ForwardAuth: Access denied to #{forwarded_host} - application is inactive"
+            return render_forbidden("No authentication rule configured for this domain")
+          end
+
+          # Check if user is allowed by this application
+          unless app.user_allowed?(user)
+            Rails.logger.info "ForwardAuth: User #{user.email_address} denied access to #{forwarded_host} by app #{app.domain_pattern}"
+            return render_forbidden("You do not have permission to access this domain")
+          end
+
+          Rails.logger.info "ForwardAuth: User #{user.email_address} granted access to #{forwarded_host} by app #{app.domain_pattern} (policy: #{app.policy_for_user(user)})"
+        else
+          # No application found - DENY by default (fail-closed security)
+          Rails.logger.info "ForwardAuth: Access denied to #{forwarded_host} - no authentication rule configured"
          return render_forbidden("No authentication rule configured for this domain")
        end
-
-        # Check if user is allowed by this rule
-        unless rule.user_allowed?(user)
-          Rails.logger.info "ForwardAuth: User #{user.email_address} denied access to #{forwarded_host} by rule #{rule.domain_pattern}"
-          return render_forbidden("You do not have permission to access this domain")
-        end
-
-        Rails.logger.info "ForwardAuth: User #{user.email_address} granted access to #{forwarded_host} by rule #{rule.domain_pattern} (policy: #{rule.policy_for_user(user)})"
      else
        Rails.logger.info "ForwardAuth: User #{user.email_address} authenticated (no domain specified)"
      end

      # User is authenticated and authorized
-      # Return 200 with user information headers
-      response.headers["Remote-User"] = user.email_address
-      response.headers["Remote-Email"] = user.email_address
-      response.headers["Remote-Name"] = user.email_address
-
-      # Add groups if user has any
-      if user.groups.any?
-        response.headers["Remote-Groups"] = user.groups.pluck(:name).join(",")
+      # Return 200 with user information headers using app-specific configuration
+      headers = if app
+        app.headers_for_user(user)
+      else
+        Application::DEFAULT_HEADERS.map { |key, header_name|
+          case key
+          when :user, :email, :name
+            [header_name, user.email_address]
+          when :groups
+            user.groups.any? ? [header_name, user.groups.pluck(:name).join(",")] : nil
+          when :admin
+            [header_name, user.admin? ? "true" : "false"]
+          end
+        }.compact.to_h
      end

-      # Add admin flag
-      response.headers["Remote-Admin"] = user.admin? ? "true" : "false"
+      headers.each { |key, value| response.headers[key] = value }
+
+      # Log what headers we're sending (helpful for debugging)
+      if headers.any?
+        Rails.logger.debug "ForwardAuth: Headers sent: #{headers.keys.join(", ")}"
+      else
+        Rails.logger.debug "ForwardAuth: No headers sent (access only)"
+      end

      # Return 200 OK with no body
      head :ok
@@ -83,6 +111,25 @@ module Api

    private

+    def check_forward_auth_token
+      # Check for one-time token in query parameters (for race condition handling)
+      token = params[:fa_token]
+      return nil unless token.present?
+
+      # Try to get session ID from cache
+      session_id = Rails.cache.read("forward_auth_token:#{token}")
+      return nil unless session_id
+
+      # Verify the session exists and is valid
+      session = Session.find_by(id: session_id)
+      return nil unless session && !session.expired?
+
+      # Delete the token immediately (one-time use)
+      Rails.cache.delete("forward_auth_token:#{token}")
+
+      session_id
+    end
+
    def extract_session_id
      # Extract session ID from cookie
      # Rails uses signed cookies by default
@@ -90,7 +137,7 @@ module Api
    end

    def extract_app_from_headers
-      # This method is deprecated since we now use ForwardAuthRule domain matching
+      # This method is deprecated since we now use Application (forward_auth type) domain matching
      # Keeping it for backward compatibility but it's no longer used
      nil
    end
@@ -98,11 +145,12 @@ module Api
    def render_unauthorized(reason = nil)
      Rails.logger.info "ForwardAuth: Unauthorized - #{reason}"

-      # Set header to help with debugging
-      response.headers["X-Auth-Reason"] = reason if reason
+      # Set auth reason header for debugging (like Authelia)
+      response.headers["X-Auth-Reason"] = reason if reason.present?

      # Get the redirect URL from query params or construct default
-      base_url = params[:rd] || "https://clinch.aapamilne.com"
+      redirect_url = validate_redirect_url(params[:rd])
+      base_url = determine_base_url(redirect_url)

      # Set the original URL that user was trying to access
      # This will be used after authentication
@@ -110,14 +158,14 @@ module Api
      original_uri = request.headers["X-Forwarded-Uri"] || request.headers["X-Forwarded-Path"] || "/"

      # Debug logging to see what headers we're getting
-      Rails.logger.info "ForwardAuth Headers: Host=#{request.headers['Host']}, X-Forwarded-Host=#{original_host}, X-Forwarded-Uri=#{request.headers['X-Forwarded-Uri']}, X-Forwarded-Path=#{request.headers['X-Forwarded-Path']}"
+      Rails.logger.info "ForwardAuth Headers: Host=#{request.headers["Host"]}, X-Forwarded-Host=#{original_host}, X-Forwarded-Uri=#{request.headers["X-Forwarded-Uri"]}, X-Forwarded-Path=#{request.headers["X-Forwarded-Path"]}"

      original_url = if original_host
-        # Use the forwarded host and URI
+        # Use the forwarded host and URI (original behavior)
        "https://#{original_host}#{original_uri}"
      else
-        # Fallback: just redirect to the root of the original host
-        "https://#{request.headers['Host']}"
+        # Fallback: use the validated redirect URL or default
+        redirect_url || "https://clinch.aapamilne.com"
      end

      # Debug: log what we're redirecting to after login
@@ -141,11 +189,67 @@ module Api
    def render_forbidden(reason = nil)
      Rails.logger.info "ForwardAuth: Forbidden - #{reason}"

-      # Set header to help with debugging
-      response.headers["X-Auth-Reason"] = reason if reason
+      # Set auth reason header for debugging (like Authelia)
+      response.headers["X-Auth-Reason"] = reason if reason.present?

      # Return 403 Forbidden
      head :forbidden
    end
+
+    def validate_redirect_url(url)
+      return nil unless url.present?
+
+      begin
+        uri = URI.parse(url)
+
+        # Only allow HTTP/HTTPS schemes
+        return nil unless uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
+
+        # Only allow HTTPS in production
+        return nil unless Rails.env.development? || uri.scheme == "https"
+
+        redirect_domain = uri.host.downcase
+        return nil unless redirect_domain.present?
+
+        # Check against our ForwardAuth applications
+        matching_app = Application.forward_auth.active.find do |app|
+          app.matches_domain?(redirect_domain)
+        end
+
+        matching_app ? url : nil
+      rescue URI::InvalidURIError
+        nil
+      end
+    end
+
+    def domain_has_forward_auth_rule?(domain)
+      return false if domain.blank?
+
+      Application.forward_auth.active.any? do |app|
+        app.matches_domain?(domain.downcase)
+      end
+    end
+
+    def determine_base_url(redirect_url)
+      # If we have a valid redirect URL, use it
+      return redirect_url if redirect_url.present?
+
+      # Try CLINCH_HOST environment variable first
+      if ENV["CLINCH_HOST"].present?
+        host = ENV["CLINCH_HOST"]
+        # Ensure URL has https:// protocol
+        host.match?(/^https?:\/\//) ? host : "https://#{host}"
+      else
+        # Fallback to the request host
+        request_host = request.host || request.headers["X-Forwarded-Host"]
+        if request_host.present?
+          Rails.logger.warn "ForwardAuth: CLINCH_HOST not set, using request host: #{request_host}"
+          "https://#{request_host}"
+        else
+          # No host information available - raise exception to force proper configuration
+          raise StandardError, "ForwardAuth: CLINCH_HOST environment variable not set and no request host available. Please configure CLINCH_HOST properly."
+        end
+      end
+    end
  end
 end
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,8 +1,12 @@
 class ApplicationController < ActionController::Base
  include Authentication
+
  # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
  allow_browser versions: :modern

  # Changes to the importmap will invalidate the etag for HTML responses
  stale_when_importmap_changes
+
+  # CSRF protection
+  protect_from_forgery with: :exception
 end
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -1,3 +1,7 @@
+require "uri"
+require "public_suffix"
+require "ipaddr"
+
 module Authentication
  extend ActiveSupport::Concern

@@ -13,87 +17,149 @@ module Authentication
  end

  private
-    def authenticated?
-      resume_session
-    end

-    def require_authentication
-      resume_session || request_authentication
-    end
+  def authenticated?
+    resume_session
+  end

-    def resume_session
-      Current.session ||= find_session_by_cookie
-    end
+  def require_authentication
+    resume_session || request_authentication
+  end

-    def find_session_by_cookie
-      Session.find_by(id: cookies.signed[:session_id]) if cookies.signed[:session_id]
-    end
+  def resume_session
+    Current.session ||= find_session_by_cookie
+  end

-    def request_authentication
-      session[:return_to_after_authenticating] = request.url
-      redirect_to new_session_path
-    end
+  def find_session_by_cookie
+    Session.find_by(id: cookies.signed[:session_id]) if cookies.signed[:session_id]
+  end

-    def after_authentication_url
-      session.delete(:return_to_after_authenticating) || root_url
-    end
+  def request_authentication
+    session[:return_to_after_authenticating] = request.url
+    redirect_to signin_path
+  end

-    def start_new_session_for(user)
-      user.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip).tap do |session|
-        Current.session = session
+  def after_authentication_url
+    session[:return_to_after_authenticating]
+    session.delete(:return_to_after_authenticating) || root_url
+  end

-        # Extract root domain for cross-subdomain cookies (required for forward auth)
-        domain = extract_root_domain(request.host)
+  def start_new_session_for(user, acr: "1")
+    user.update!(last_sign_in_at: Time.current)
+    user.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip, acr: acr).tap do |session|
+      Current.session = session

-        cookie_options = {
+      # Extract root domain for cross-subdomain cookies (required for forward auth)
+      domain = extract_root_domain(request.host)
+
+      # Set cookie options based on environment
+      # Production: Use SameSite=None to allow cross-site cookies (needed for OIDC conformance testing)
+      # Development: Use SameSite=Lax since HTTPS might not be available
+      cookie_options = if Rails.env.production?
+        {
+          value: session.id,
+          httponly: true,
+          same_site: :none,  # Allow cross-site cookies for OIDC testing
+          secure: true        # Required for SameSite=None
+        }
+      else
+        {
          value: session.id,
          httponly: true,
          same_site: :lax,
-          secure: Rails.env.production?
+          secure: false
        }
-
-        # Set domain for cross-subdomain authentication if we can extract it
-        cookie_options[:domain] = domain if domain.present?
-
-        cookies.signed.permanent[:session_id] = cookie_options
-      end
-    end
-
-    def terminate_session
-      Current.session.destroy
-      cookies.delete(:session_id)
-    end
-
-    # Extract root domain for cross-subdomain cookies
-    # Examples:
-    # - clinch.aapamilne.com -> .aapamilne.com
-    # - app.example.co.uk -> .example.co.uk
-    # - localhost -> nil (no domain setting for local development)
-    def extract_root_domain(host)
-      return nil if host.blank? || host.match?(/^(localhost|127\.0\.0\.1|::1)$/)
-
-      # Split hostname into parts
-      parts = host.split('.')
-
-      # For normal domains like example.com, we need at least 2 parts
-      # For complex domains like co.uk, we need at least 3 parts
-      return nil if parts.length < 2
-
-      # Extract root domain with leading dot for cross-subdomain cookies
-      if parts.length >= 3
-        # Check if it's a known complex TLD
-        complex_tlds = %w[co.uk com.au co.nz co.za co.jp]
-        second_level = "#{parts[-2]}.#{parts[-1]}"
-
-        if complex_tlds.include?(second_level)
-          # For complex TLDs, include more parts: app.example.co.uk -> .example.co.uk
-          root_parts = parts[-3..-1]
-          return ".#{root_parts.join('.')}"
-        end
      end

-      # For regular domains: app.example.com -> .example.com
-      root_parts = parts[-2..-1]
-      ".#{root_parts.join('.')}"
+      # Set domain for cross-subdomain authentication if we can extract it
+      cookie_options[:domain] = domain if domain.present?
+
+      cookies.signed.permanent[:session_id] = cookie_options
+
+      # Create a one-time token for immediate forward auth after authentication
+      # This solves the race condition where browser hasn't processed cookie yet
+      create_forward_auth_token(session)
    end
+  end
+
+  def terminate_session
+    Current.session.destroy
+    cookies.delete(:session_id)
+  end
+
+  # Extract root domain for cross-subdomain cookies in SSO forward_auth system.
+  #
+  # PURPOSE: Enables a single authentication session to work across multiple subdomains
+  # by setting cookies with the domain parameter (e.g., .example.com allows access from
+  # both app.example.com and api.example.com).
+  #
+  # CRITICAL: Returns nil for IP addresses (IPv4 and IPv6) and localhost - this is intentional!
+  # When accessing services by IP, there are no subdomains to share cookies with,
+  # and setting a domain cookie would break authentication.
+  #
+  # Uses the Public Suffix List (industry standard maintained by Mozilla) to
+  # correctly handle complex domain patterns like co.uk, com.au, appspot.com, etc.
+  #
+  # Examples:
+  # - app.example.com -> .example.com (enables cross-subdomain SSO)
+  # - api.example.co.uk -> .example.co.uk (handles complex TLDs)
+  # - myapp.appspot.com -> .myapp.appspot.com (handles platform domains)
+  # - localhost -> nil (local development, no domain cookie)
+  # - 192.168.1.1 -> nil (IP access, no domain cookie - prevents SSO breakage)
+  #
+  # @param host [String] The request host (may include port)
+  # @return [String, nil] Root domain with leading dot for cookies, or nil for no domain setting
+  def extract_root_domain(host)
+    return nil if host.blank? || host.match?(/^(localhost|127\.0\.0\.1|::1)$/)
+
+    # Strip port number for domain parsing
+    host_without_port = host.split(":").first
+
+    # Check if it's an IP address (IPv4 or IPv6) - if so, don't set domain cookie
+    begin
+      return nil if IPAddr.new(host_without_port)
+    rescue
+      false
+    end
+
+    # Use Public Suffix List for accurate domain parsing
+    domain = PublicSuffix.parse(host_without_port)
+    ".#{domain.domain}"
+  rescue PublicSuffix::DomainInvalid
+    # Fallback for invalid domains or IPs
+    nil
+  end
+
+  # Create a one-time token for forward auth to handle the race condition
+  # where the browser hasn't processed the session cookie yet
+  def create_forward_auth_token(session_obj)
+    # Generate a secure random token
+    token = SecureRandom.urlsafe_base64(32)
+
+    # Store it with an expiry of 60 seconds
+    Rails.cache.write(
+      "forward_auth_token:#{token}",
+      session_obj.id,
+      expires_in: 60.seconds
+    )
+
+    # Set the token as a query parameter on the redirect URL
+    # We need to store this in the controller's session
+    controller_session = session
+    if controller_session[:return_to_after_authenticating].present?
+      original_url = controller_session[:return_to_after_authenticating]
+      uri = URI.parse(original_url)
+
+      # Skip adding fa_token for OAuth URLs (OAuth flow should not have forward auth tokens)
+      unless uri.path&.start_with?("/oauth/")
+        # Add token as query parameter
+        query_params = URI.decode_www_form(uri.query || "").to_h
+        query_params["fa_token"] = token
+        uri.query = URI.encode_www_form(query_params)
+
+        # Update the session with the tokenized URL
+        controller_session[:return_to_after_authenticating] = uri.to_s
+      end
+    end
+  end
 end
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -8,5 +8,10 @@ class DashboardController < ApplicationController

    # User must be authenticated
    @user = Current.session.user
+
+    # Load user's accessible applications
+    @applications = Application.active.select do |app|
+      app.user_allowed?(@user)
+    end
  end
 end
--- a/app/controllers/invitations_controller.rb
+++ b/app/controllers/invitations_controller.rb
@@ -0,0 +1,52 @@
+class InvitationsController < ApplicationController
+  include Authentication
+
+  allow_unauthenticated_access
+  before_action :set_user_by_invitation_token, only: %i[show update]
+  rate_limit to: 10, within: 10.minutes, only: :update, with: -> { redirect_to signin_path, alert: "Too many attempts. Try again later." }
+
+  def show
+    # Show the password setup form
+  end
+
+  def update
+    # Validate password manually since empty passwords might not trigger validation
+    password = params[:password]
+    password_confirmation = params[:password_confirmation]
+
+    if password.blank? || password_confirmation.blank? || password != password_confirmation || password.length < 8
+      redirect_to invitation_path(params[:token]), alert: "Passwords did not match."
+      return
+    end
+
+    if @user.update(password: password, password_confirmation: password_confirmation)
+      @user.update!(status: :active)
+      @user.sessions.destroy_all
+      start_new_session_for @user
+      redirect_to root_path, notice: "Your account has been set up successfully. Welcome!"
+    else
+      redirect_to invitation_path(params[:token]), alert: "Passwords did not match."
+    end
+  end
+
+  private
+
+  def set_user_by_invitation_token
+    @user = User.find_by_token_for(:invitation_login, params[:token])
+
+    # Check if user is still pending invitation
+    if @user.nil?
+      redirect_to signin_path, alert: "Invitation link is invalid or has expired."
+      false
+    elsif @user.pending_invitation?
+      # User is valid and pending - proceed
+      true
+    else
+      redirect_to signin_path, alert: "This invitation has already been used or is no longer valid."
+      false
+    end
+  rescue ActiveSupport::MessageVerifier::InvalidSignature
+    redirect_to signin_path, alert: "Invitation link is invalid or has expired."
+    false
+  end
+end
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -1,17 +1,18 @@
 class PasswordsController < ApplicationController
  allow_unauthenticated_access
-  before_action :set_user_by_token, only: %i[ edit update ]
+  before_action :set_user_by_token, only: %i[edit update]
  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_password_path, alert: "Try again later." }
+  rate_limit to: 10, within: 10.minutes, only: :update, with: -> { redirect_to new_password_path, alert: "Too many attempts. Try again later." }

  def new
  end

  def create
-    if user = User.find_by(email_address: params[:email_address])
+    if (user = User.find_by(email_address: params[:email_address]))
      PasswordsMailer.reset(user).deliver_later
    end

-    redirect_to new_session_path, notice: "Password reset instructions sent (if user with that email address exists)."
+    redirect_to signin_path, notice: "Password reset instructions sent (if user with that email address exists)."
  end

  def edit
@@ -20,16 +21,18 @@ class PasswordsController < ApplicationController
  def update
    if @user.update(params.permit(:password, :password_confirmation))
      @user.sessions.destroy_all
-      redirect_to new_session_path, notice: "Password has been reset."
+      redirect_to signin_path, notice: "Password has been reset."
    else
      redirect_to edit_password_path(params[:token]), alert: "Passwords did not match."
    end
  end

  private
-    def set_user_by_token
-      @user = User.find_by_password_reset_token!(params[:token])
-    rescue ActiveSupport::MessageVerifier::InvalidSignature
-      redirect_to new_password_path, alert: "Password reset link is invalid or has expired."
-    end
+
+  def set_user_by_token
+    @user = User.find_by_token_for(:password_reset, params[:token])
+    redirect_to new_password_path, alert: "Password reset link is invalid or has expired." if @user.nil?
+  rescue ActiveSupport::MessageVerifier::InvalidSignature
+    redirect_to new_password_path, alert: "Password reset link is invalid or has expired."
+  end
 end
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -1,7 +1,6 @@
 class ProfilesController < ApplicationController
  def show
    @user = Current.session.user
-    @active_sessions = @user.sessions.active.order(last_activity_at: :desc)
  end

  def update
@@ -11,7 +10,6 @@ class ProfilesController < ApplicationController
      # Updating password - requires current password
      unless @user.authenticate(params[:user][:current_password])
        @user.errors.add(:current_password, "is incorrect")
-        @active_sessions = @user.sessions.active.order(last_activity_at: :desc)
        render :show, status: :unprocessable_entity
        return
      end
@@ -19,17 +17,23 @@ class ProfilesController < ApplicationController
      if @user.update(password_params)
        redirect_to profile_path, notice: "Password updated successfully."
      else
-        @active_sessions = @user.sessions.active.order(last_activity_at: :desc)
        render :show, status: :unprocessable_entity
      end
-    else
-      # Updating email
+    elsif params[:user][:email_address].present?
+      # Updating email - requires current password (security: prevents account takeover)
+      unless @user.authenticate(params[:user][:current_password])
+        @user.errors.add(:current_password, "is required to change email")
+        render :show, status: :unprocessable_entity
+        return
+      end
+
      if @user.update(email_params)
        redirect_to profile_path, notice: "Email updated successfully."
      else
-        @active_sessions = @user.sessions.active.order(last_activity_at: :desc)
        render :show, status: :unprocessable_entity
      end
+    else
+      render :show, status: :unprocessable_entity
    end
  end

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,11 +1,37 @@
 class SessionsController < ApplicationController
-  allow_unauthenticated_access only: %i[ new create verify_totp ]
-  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to signin_path, alert: "Too many attempts. Try again later." }
-  rate_limit to: 5, within: 3.minutes, only: :verify_totp, with: -> { redirect_to totp_verification_path, alert: "Too many attempts. Try again later." }
+  allow_unauthenticated_access only: %i[new create verify_totp webauthn_challenge webauthn_verify]
+  rate_limit to: 20, within: 3.minutes, only: :create, with: -> { redirect_to signin_path, alert: "Too many attempts. Try again later." }
+  rate_limit to: 10, within: 3.minutes, only: :verify_totp, with: -> { redirect_to totp_verification_path, alert: "Too many attempts. Try again later." }
+  rate_limit to: 10, within: 3.minutes, only: [:webauthn_challenge, :webauthn_verify], with: -> { render json: {error: "Too many attempts. Try again later."}, status: :too_many_requests }

  def new
    # Redirect to signup if this is first run
-    redirect_to signup_path if User.count.zero?
+    if User.count.zero?
+      respond_to do |format|
+        format.html { redirect_to signup_path }
+        format.json { render json: {error: "No users exist. Please complete initial setup."}, status: :service_unavailable }
+      end
+      return
+    end
+
+    # Extract login_hint from the return URL for pre-filling the email field (OIDC spec)
+    @login_hint = nil
+    if session[:return_to_after_authenticating].present?
+      begin
+        uri = URI.parse(session[:return_to_after_authenticating])
+        if uri.query.present?
+          query_params = CGI.parse(uri.query)
+          @login_hint = query_params["login_hint"]&.first
+        end
+      rescue URI::InvalidURIError
+        # Ignore parsing errors
+      end
+    end
+
+    respond_to do |format|
+      format.html # render HTML login page
+      format.json { render json: {error: "Authentication required"}, status: :unauthorized }
+    end
  end

  def create
@@ -16,32 +42,55 @@ class SessionsController < ApplicationController
      return
    end

-    # Store the redirect URL from forward auth if present
+    # Store the redirect URL from forward auth if present (after validation)
    if params[:rd].present?
-      session[:return_to_after_authenticating] = params[:rd]
+      validated_url = validate_redirect_url(params[:rd])
+      session[:return_to_after_authenticating] = validated_url if validated_url
    end

    # Check if user is active
    unless user.active?
-      redirect_to signin_path, alert: "Your account is not active. Please contact an administrator."
+      if user.pending_invitation?
+        redirect_to signin_path, alert: "Please check your email for an invitation to set up your account."
+      else
+        redirect_to signin_path, alert: "Your account is not active. Please contact an administrator."
+      end
      return
    end

-    # Check if TOTP is required
-    if user.totp_enabled?
+    # Check if TOTP is required or enabled
+    if user.totp_required? || user.totp_enabled?
+      # If TOTP is required but not yet set up, redirect to setup
+      if user.totp_required? && !user.totp_enabled?
+        # Store user ID in session for TOTP setup
+        session[:pending_totp_setup_user_id] = user.id
+        # Preserve the redirect URL through TOTP setup
+        if params[:rd].present?
+          validated_url = validate_redirect_url(params[:rd])
+          session[:totp_redirect_url] = validated_url if validated_url
+        end
+        redirect_to new_totp_path, alert: "Your administrator requires two-factor authentication. Please set it up now to continue."
+        return
+      end
+
+      # TOTP is enabled, proceed to verification
      # Store user ID in session temporarily for TOTP verification
      session[:pending_totp_user_id] = user.id
-      # Preserve the redirect URL through TOTP verification
+      # Preserve the redirect URL through TOTP verification (after validation)
      if params[:rd].present?
-        session[:totp_redirect_url] = params[:rd]
+        validated_url = validate_redirect_url(params[:rd])
+        session[:totp_redirect_url] = validated_url if validated_url
      end
      redirect_to totp_verification_path(rd: params[:rd])
      return
    end

-    # Sign in successful
-    start_new_session_for user
-    redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true
+    # Sign in successful (password only)
+    start_new_session_for user, acr: "1"
+
+    # Use status: :see_other to ensure browser makes a GET request
+    # This prevents Turbo from converting it to a TURBO_STREAM request
+    redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true, status: :see_other
  end

  def verify_totp
@@ -63,39 +112,51 @@ class SessionsController < ApplicationController
    if request.post?
      code = params[:code]&.strip

-      # Try TOTP verification first
+      # Check if user is already authenticated (prevent duplicate submissions)
+      if authenticated?
+        redirect_to root_path, notice: "Already signed in."
+        return
+      end
+
+      # Try TOTP verification first (password + TOTP = 2FA)
      if user.verify_totp(code)
        session.delete(:pending_totp_user_id)
        # Restore redirect URL if it was preserved
        if session[:totp_redirect_url].present?
          session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
        end
-        start_new_session_for user
+        start_new_session_for user, acr: "2"
        redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true
        return
      end

-      # Try backup code verification
+      # Try backup code verification (password + backup code = 2FA)
      if user.verify_backup_code(code)
        session.delete(:pending_totp_user_id)
        # Restore redirect URL if it was preserved
        if session[:totp_redirect_url].present?
          session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
        end
-        start_new_session_for user
+        start_new_session_for user, acr: "2"
        redirect_to after_authentication_url, notice: "Signed in successfully using backup code.", allow_other_host: true
        return
      end

      # Invalid code
      redirect_to totp_verification_path, alert: "Invalid verification code. Please try again."
-      return
+      nil
    end

    # Just render the form
  end

  def destroy
+    # Send backchannel logout notifications before terminating session
+    if authenticated?
+      user = Current.session.user
+      send_backchannel_logout_notifications(user)
+    end
+
    terminate_session
    redirect_to signin_path, status: :see_other, notice: "Signed out successfully."
  end
@@ -103,6 +164,193 @@ class SessionsController < ApplicationController
  def destroy_other
    session = Current.session.user.sessions.find(params[:id])
    session.destroy
-    redirect_to profile_path, notice: "Session revoked successfully."
+    redirect_to active_sessions_path, notice: "Session revoked successfully."
+  end
+
+  # WebAuthn authentication methods
+  def webauthn_challenge
+    email = params[:email]&.strip&.downcase
+
+    if email.blank?
+      render json: {error: "Email is required"}, status: :unprocessable_entity
+      return
+    end
+
+    user = User.find_by(email_address: email)
+
+    if user.nil? || !user.can_authenticate_with_webauthn?
+      render json: {error: "User not found or WebAuthn not available"}, status: :unprocessable_entity
+      return
+    end
+
+    # Store user ID in session for verification
+    session[:pending_webauthn_user_id] = user.id
+
+    # Store redirect URL if present
+    if params[:rd].present?
+      validated_url = validate_redirect_url(params[:rd])
+      session[:webauthn_redirect_url] = validated_url if validated_url
+    end
+
+    begin
+      # Generate authentication options
+      # Decode the stored base64url credential IDs before passing to the gem
+      credential_ids = user.webauthn_credentials.pluck(:external_id).map do |encoded_id|
+        Base64.urlsafe_decode64(encoded_id)
+      end
+
+      options = WebAuthn::Credential.options_for_get(
+        allow: credential_ids,
+        user_verification: "preferred"
+      )
+
+      # Store challenge in session
+      session[:webauthn_challenge] = options.challenge
+
+      render json: options
+    rescue => e
+      Rails.logger.error "WebAuthn challenge generation error: #{e.message}"
+      render json: {error: "Failed to generate WebAuthn challenge"}, status: :internal_server_error
+    end
+  end
+
+  def webauthn_verify
+    # Get pending user from session
+    user_id = session[:pending_webauthn_user_id]
+    unless user_id
+      render json: {error: "Session expired. Please try again."}, status: :unprocessable_entity
+      return
+    end
+
+    user = User.find_by(id: user_id)
+    unless user
+      session.delete(:pending_webauthn_user_id)
+      render json: {error: "Session expired. Please try again."}, status: :unprocessable_entity
+      return
+    end
+
+    # Get the credential and assertion from params
+    credential_data = params[:credential]
+    if credential_data.blank?
+      render json: {error: "Credential data is required"}, status: :unprocessable_entity
+      return
+    end
+
+    # Get the challenge from session
+    challenge = session.delete(:webauthn_challenge)
+
+    if challenge.blank?
+      render json: {error: "Invalid or expired session"}, status: :unprocessable_entity
+      return
+    end
+
+    begin
+      # Decode the credential response
+      webauthn_credential = WebAuthn::Credential.from_get(credential_data)
+
+      # Find the stored credential
+      external_id = Base64.urlsafe_encode64(webauthn_credential.id)
+      stored_credential = user.webauthn_credential_for(external_id)
+
+      if stored_credential.nil?
+        render json: {error: "Credential not found"}, status: :unprocessable_entity
+        return
+      end
+
+      # Verify the assertion
+      stored_public_key = Base64.urlsafe_decode64(stored_credential.public_key)
+      webauthn_credential.verify(
+        challenge,
+        public_key: stored_public_key,
+        sign_count: stored_credential.sign_count
+      )
+
+      # Check for suspicious sign count (possible clone)
+      if stored_credential.suspicious_sign_count?(webauthn_credential.sign_count)
+        Rails.logger.warn "Suspicious WebAuthn sign count for user #{user.id}, credential #{stored_credential.id}"
+        # You might want to notify admins or temporarily disable the credential
+      end
+
+      # Update credential usage
+      stored_credential.update_usage!(
+        sign_count: webauthn_credential.sign_count,
+        ip_address: request.remote_ip,
+        user_agent: request.user_agent
+      )
+
+      # Clean up session
+      session.delete(:pending_webauthn_user_id)
+      if session[:webauthn_redirect_url].present?
+        session[:return_to_after_authenticating] = session.delete(:webauthn_redirect_url)
+      end
+
+      # Create session (WebAuthn/passkey = phishing-resistant, ACR = "2")
+      start_new_session_for user, acr: "2"
+
+      render json: {
+        success: true,
+        redirect_to: after_authentication_url,
+        message: "Signed in successfully with passkey"
+      }
+    rescue WebAuthn::Error => e
+      Rails.logger.error "WebAuthn verification error: #{e.message}"
+      render json: {error: "Authentication failed: #{e.message}"}, status: :unprocessable_entity
+    rescue JSON::ParserError => e
+      Rails.logger.error "WebAuthn JSON parsing error: #{e.message}"
+      render json: {error: "Invalid credential format"}, status: :unprocessable_entity
+    rescue => e
+      Rails.logger.error "Unexpected WebAuthn verification error: #{e.class} - #{e.message}"
+      render json: {error: "An unexpected error occurred"}, status: :internal_server_error
+    end
+  end
+
+  private
+
+  def validate_redirect_url(url)
+    return nil unless url.present?
+
+    begin
+      uri = URI.parse(url)
+
+      # Only allow HTTP/HTTPS schemes
+      return nil unless uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
+
+      # Only allow HTTPS in production
+      return nil unless Rails.env.development? || uri.scheme == "https"
+
+      redirect_domain = uri.host.downcase
+      return nil unless redirect_domain.present?
+
+      # Check against our forward auth applications
+      matching_app = Application.forward_auth.active.find do |app|
+        app.matches_domain?(redirect_domain)
+      end
+
+      matching_app ? url : nil
+    rescue URI::InvalidURIError
+      nil
+    end
+  end
+
+  def send_backchannel_logout_notifications(user)
+    # Find all active OIDC consents for this user
+    consents = OidcUserConsent.where(user: user).includes(:application)
+
+    consents.each do |consent|
+      # Skip if application doesn't support backchannel logout
+      next unless consent.application.supports_backchannel_logout?
+
+      # Enqueue background job to send logout notification
+      BackchannelLogoutJob.perform_later(
+        user_id: user.id,
+        application_id: consent.application.id,
+        consent_sid: consent.sid
+      )
+    end
+
+    Rails.logger.info "SessionsController: Enqueued #{consents.count} backchannel logout notifications for user #{user.id}"
+  rescue => e
+    # Log error but don't block logout
+    Rails.logger.error "SessionsController: Failed to enqueue backchannel logout: #{e.class} - #{e.message}"
  end
 end
--- a/app/controllers/totp_controller.rb
+++ b/app/controllers/totp_controller.rb
@@ -5,6 +5,9 @@ class TotpController < ApplicationController

  # GET /totp/new - Show QR code to set up TOTP
  def new
+    # Check if user is being forced to set up TOTP by admin
+    @totp_setup_required = session[:pending_totp_setup_user_id].present?
+
    # Generate TOTP secret but don't save yet
    @totp_secret = ROTP::Base32.random
    @provisioning_uri = ROTP::TOTP.new(@totp_secret, issuer: "Clinch").provisioning_uri(@user.email_address)
@@ -24,11 +27,22 @@ class TotpController < ApplicationController
    if totp.verify(code, drift_behind: 30, drift_ahead: 30)
      # Save the secret and generate backup codes
      @user.totp_secret = totp_secret
-      @user.backup_codes = generate_backup_codes
+      plain_codes = @user.send(:generate_backup_codes) # Use private method from User model
      @user.save!

-      # Redirect to backup codes page with success message
-      redirect_to backup_codes_totp_path, notice: "Two-factor authentication has been enabled successfully! Save these backup codes now."
+      # Store plain codes temporarily in session for display after redirect
+      session[:temp_backup_codes] = plain_codes
+
+      # Check if this was a required setup from login
+      if session[:pending_totp_setup_user_id].present?
+        session.delete(:pending_totp_setup_user_id)
+        # Mark that user should be auto-signed in after viewing backup codes
+        session[:auto_signin_after_forced_totp] = true
+        redirect_to backup_codes_totp_path, notice: "Two-factor authentication has been enabled successfully! Save these backup codes, then you'll be signed in."
+      else
+        # Regular setup from profile
+        redirect_to backup_codes_totp_path, notice: "Two-factor authentication has been enabled successfully! Save these backup codes now."
+      end
    else
      redirect_to new_totp_path, alert: "Invalid verification code. Please try again."
    end
@@ -36,8 +50,21 @@ class TotpController < ApplicationController

  # GET /totp/backup_codes - Show backup codes (requires password)
  def backup_codes
-    # This will be shown after password verification
-    @backup_codes = @user.parsed_backup_codes
+    # Check if we have temporary codes from TOTP setup
+    if session[:temp_backup_codes].present?
+      @backup_codes = session[:temp_backup_codes]
+      session.delete(:temp_backup_codes) # Clear after use
+
+      # Check if this was a forced TOTP setup during login
+      @auto_signin_pending = session[:auto_signin_after_forced_totp].present?
+      if @auto_signin_pending
+        session.delete(:auto_signin_after_forced_totp)
+      end
+    else
+      # This will be shown after password verification for existing users
+      # Since we can't display BCrypt hashes, redirect to regenerate
+      redirect_to regenerate_backup_codes_totp_path
+    end
  end

  # POST /totp/verify_password - Verify password before showing backup codes
@@ -49,6 +76,40 @@ class TotpController < ApplicationController
    end
  end

+  # GET /totp/regenerate_backup_codes - Regenerate backup codes (requires password)
+  def regenerate_backup_codes
+    # This will be shown after password verification
+  end
+
+  # POST /totp/regenerate_backup_codes - Actually regenerate backup codes
+  def create_new_backup_codes
+    unless @user.authenticate(params[:password])
+      redirect_to regenerate_backup_codes_totp_path, alert: "Incorrect password."
+      return
+    end
+
+    # Generate new backup codes and store BCrypt hashes
+    plain_codes = @user.send(:generate_backup_codes)
+    @user.save!
+
+    # Store plain codes temporarily in session for display
+    session[:temp_backup_codes] = plain_codes
+
+    redirect_to backup_codes_totp_path, notice: "New backup codes have been generated. Save them now!"
+  end
+
+  # POST /totp/complete_setup - Complete forced TOTP setup and sign in
+  def complete_setup
+    # Sign in the user after they've saved their backup codes
+    # This is only used when admin requires TOTP and user just set it up during login
+    if session[:totp_redirect_url].present?
+      session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
+    end
+
+    start_new_session_for @user
+    redirect_to after_authentication_url, notice: "Two-factor authentication enabled. Signed in successfully.", allow_other_host: true
+  end
+
  # DELETE /totp - Disable TOTP (requires password)
  def destroy
    unless @user.authenticate(params[:password])
@@ -56,6 +117,12 @@ class TotpController < ApplicationController
      return
    end

+    # Prevent disabling if admin requires TOTP
+    if @user.totp_required?
+      redirect_to profile_path, alert: "Two-factor authentication is required by your administrator and cannot be disabled."
+      return
+    end
+
    @user.disable_totp!
    redirect_to profile_path, notice: "Two-factor authentication has been disabled."
  end
@@ -67,7 +134,8 @@ class TotpController < ApplicationController
  end

  def redirect_if_totp_enabled
-    if @user.totp_enabled?
+    # Allow setup if admin requires it, even if already enabled (for regeneration)
+    if @user.totp_enabled? && !session[:pending_totp_setup_user_id].present?
      redirect_to profile_path, alert: "Two-factor authentication is already enabled."
    end
  end
@@ -77,8 +145,4 @@ class TotpController < ApplicationController
      redirect_to profile_path, alert: "Two-factor authentication is not enabled."
    end
  end
-
-  def generate_backup_codes
-    Array.new(10) { SecureRandom.alphanumeric(8).upcase }.to_json
-  end
 end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,6 +1,6 @@
 class UsersController < ApplicationController
-  allow_unauthenticated_access only: %i[ new create ]
-  before_action :ensure_first_run, only: %i[ new create ]
+  allow_unauthenticated_access only: %i[new create]
+  before_action :ensure_first_run, only: %i[new create]

  def new
    @user = User.new
--- a/app/controllers/webauthn_controller.rb
+++ b/app/controllers/webauthn_controller.rb
@@ -0,0 +1,192 @@
+class WebauthnController < ApplicationController
+  before_action :set_webauthn_credential, only: [:destroy]
+  skip_before_action :require_authentication, only: [:check]
+
+  # Rate limit check endpoint to prevent enumeration attacks
+  rate_limit to: 10, within: 1.minute, only: [:check], with: -> {
+    render json: {error: "Too many requests. Try again later."}, status: :too_many_requests
+  }
+
+  # GET /webauthn/new
+  def new
+    @webauthn_credential = WebauthnCredential.new
+  end
+
+  # POST /webauthn/challenge
+  # Generate registration challenge for creating a new passkey
+  def challenge
+    user = Current.session&.user
+    return render json: {error: "Not authenticated"}, status: :unauthorized unless user
+
+    registration_options = WebAuthn::Credential.options_for_create(
+      user: {
+        id: user.webauthn_user_handle,
+        name: user.email_address,
+        display_name: user.name || user.email_address
+      },
+      exclude: user.webauthn_credentials.pluck(:external_id),
+      authenticator_selection: {
+        userVerification: "preferred",
+        residentKey: "preferred",
+        authenticatorAttachment: "platform" # Prefer platform authenticators first
+      }
+    )
+
+    # Store challenge in session for verification
+    session[:webauthn_challenge] = registration_options.challenge
+
+    render json: registration_options
+  end
+
+  # POST /webauthn/create
+  # Verify and store the new credential
+  def create
+    credential_data, nickname = extract_credential_params
+
+    if credential_data.blank? || nickname.blank?
+      render json: {error: "Credential and nickname are required"}, status: :unprocessable_entity
+      return
+    end
+
+    # Retrieve the challenge from session
+    challenge = session.delete(:webauthn_challenge)
+
+    if challenge.blank?
+      render json: {error: "Invalid or expired session"}, status: :unprocessable_entity
+      return
+    end
+
+    begin
+      # Pass the credential hash directly to WebAuthn gem
+      webauthn_credential = WebAuthn::Credential.from_create(credential_data.to_h)
+
+      # Verify the credential against the challenge
+      webauthn_credential.verify(challenge)
+
+      # Extract credential metadata from the hash
+      response = credential_data.to_h
+      client_extension_results = response["clientExtensionResults"] || {}
+
+      authenticator_type = if response["response"]["authenticatorAttachment"] == "cross-platform"
+        "cross-platform"
+      else
+        "platform"
+      end
+
+      # Determine if this is a backup/synced credential
+      backup_eligible = client_extension_results["credProps"]&.dig("rk") || false
+      backup_state = client_extension_results["credProps"]&.dig("backup") || false
+
+      # Store the credential
+      user = Current.session&.user
+      return render json: {error: "Not authenticated"}, status: :unauthorized unless user
+
+      @webauthn_credential = user.webauthn_credentials.create!(
+        external_id: Base64.urlsafe_encode64(webauthn_credential.id),
+        public_key: Base64.urlsafe_encode64(webauthn_credential.public_key),
+        sign_count: webauthn_credential.sign_count,
+        nickname: nickname,
+        authenticator_type: authenticator_type,
+        backup_eligible: backup_eligible,
+        backup_state: backup_state
+      )
+
+      render json: {
+        success: true,
+        message: "Passkey '#{nickname}' registered successfully",
+        credential_id: @webauthn_credential.id
+      }
+    rescue WebAuthn::Error => e
+      Rails.logger.error "WebAuthn registration error: #{e.message}"
+      render json: {error: "Failed to register passkey: #{e.message}"}, status: :unprocessable_entity
+    rescue => e
+      Rails.logger.error "Unexpected WebAuthn registration error: #{e.class} - #{e.message}"
+      render json: {error: "An unexpected error occurred"}, status: :internal_server_error
+    end
+  end
+
+  # DELETE /webauthn/:id
+  # Remove a passkey
+  def destroy
+    nickname = @webauthn_credential.nickname
+    @webauthn_credential.destroy
+
+    respond_to do |format|
+      format.html {
+        redirect_to profile_path,
+          notice: "Passkey '#{nickname}' has been removed"
+      }
+      format.json {
+        render json: {
+          success: true,
+          message: "Passkey '#{nickname}' has been removed"
+        }
+      }
+    end
+  end
+
+  # GET /webauthn/check
+  # Check if user has WebAuthn credentials (for login page detection)
+  # Security: Returns identical responses for non-existent users to prevent enumeration
+  def check
+    email = params[:email]&.strip&.downcase
+
+    if email.blank?
+      render json: {has_webauthn: false, requires_webauthn: false}
+      return
+    end
+
+    user = User.find_by(email_address: email)
+
+    # Security: Return identical response for non-existent users
+    # Combined with rate limiting (10/min), this prevents account enumeration
+    if user.nil?
+      render json: {has_webauthn: false, requires_webauthn: false}
+      return
+    end
+
+    # Only return minimal necessary info - no user_id or preferred_method
+    render json: {
+      has_webauthn: user.can_authenticate_with_webauthn?,
+      requires_webauthn: user.require_webauthn?
+    }
+  end
+
+  private
+
+  def extract_credential_params
+    # Use require.permit which is working and reliable
+    # The JavaScript sends params both directly and wrapped in webauthn key
+
+    # Try direct parameters first
+    credential_params = params.require(:credential).permit(:id, :rawId, :type, response: {}, clientExtensionResults: {})
+    nickname = params.require(:nickname)
+    [credential_params, nickname]
+  rescue ActionController::ParameterMissing
+    Rails.logger.error("Using the fallback parameters")
+    # Fallback to webauthn-wrapped parameters
+    webauthn_params = params.require(:webauthn).permit(:nickname, credential: [:id, :rawId, :type, response: {}, clientExtensionResults: {}])
+    [webauthn_params[:credential], webauthn_params[:nickname]]
+  end
+
+  def set_webauthn_credential
+    user = Current.session&.user
+    return render json: {error: "Not authenticated"}, status: :unauthorized unless user
+    @webauthn_credential = user.webauthn_credentials.find(params[:id])
+  rescue ActiveRecord::RecordNotFound
+    respond_to do |format|
+      format.html { redirect_to profile_path, alert: "Passkey not found" }
+      format.json { render json: {error: "Passkey not found"}, status: :not_found }
+    end
+  end
+
+  # Helper method to convert Base64 to Base64URL if needed
+  def base64_to_base64url(str)
+    str.tr("+", "-").tr("/", "_").gsub(/=+$/, "")
+  end
+
+  # Helper method to convert Base64URL to Base64 if needed
+  def base64url_to_base64(str)
+    str.tr("-", "+").tr("_", "/") + "=" * (4 - str.length % 4) % 4
+  end
+end
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -1,2 +1,32 @@
 module ApplicationHelper
+  def smtp_configured?
+    return true if Rails.env.test?
+
+    smtp_address = ENV["SMTP_ADDRESS"]
+    smtp_port = ENV["SMTP_PORT"]
+
+    smtp_address.present? &&
+      smtp_port.present? &&
+      smtp_address != "localhost" &&
+      !smtp_address.start_with?("127.0.0.1") &&
+      !smtp_address.start_with?("localhost")
+  end
+
+  def email_delivery_method
+    if Rails.env.development?
+      ActionMailer::Base.delivery_method
+    else
+      :smtp
+    end
+  end
+
+  def border_class_for(type)
+    case type.to_s
+    when "notice" then "border-green-200"
+    when "alert", "error" then "border-red-200"
+    when "warning" then "border-yellow-200"
+    when "info" then "border-blue-200"
+    else "border-gray-200"
+    end
+  end
 end
--- a/app/helpers/claims_helper.rb
+++ b/app/helpers/claims_helper.rb
@@ -0,0 +1,67 @@
+module ClaimsHelper
+  include ClaimsMerger
+
+  # Preview final merged claims for a user accessing an application
+  def preview_user_claims(user, application)
+    claims = {
+      # Standard OIDC claims
+      email: user.email_address,
+      email_verified: true,
+      preferred_username: user.username.presence || user.email_address,
+      name: user.name.presence || user.email_address
+    }
+
+    # Add groups
+    if user.groups.any?
+      claims[:groups] = user.groups.pluck(:name)
+    end
+
+    # Merge group custom claims (arrays are combined, not overwritten)
+    user.groups.each do |group|
+      claims = deep_merge_claims(claims, group.parsed_custom_claims)
+    end
+
+    # Merge user custom claims (arrays are combined, other values override)
+    claims = deep_merge_claims(claims, user.parsed_custom_claims)
+
+    # Merge app-specific claims (arrays are combined)
+    deep_merge_claims(claims, application.custom_claims_for_user(user))
+  end
+
+  # Get claim sources breakdown for display
+  def claim_sources(user, application)
+    sources = []
+
+    # Group claims
+    user.groups.each do |group|
+      if group.parsed_custom_claims.any?
+        sources << {
+          type: :group,
+          name: group.name,
+          claims: group.parsed_custom_claims
+        }
+      end
+    end
+
+    # User claims
+    if user.parsed_custom_claims.any?
+      sources << {
+        type: :user,
+        name: "User Override",
+        claims: user.parsed_custom_claims
+      }
+    end
+
+    # App-specific claims
+    app_claims = application.custom_claims_for_user(user)
+    if app_claims.any?
+      sources << {
+        type: :application,
+        name: "App-Specific (#{application.name})",
+        claims: app_claims
+      }
+    end
+
+    sources
+  end
+end
--- a/app/javascript/controllers/application_form_controller.js
+++ b/app/javascript/controllers/application_form_controller.js
@@ -0,0 +1,37 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["appTypeSelect", "oidcFields", "forwardAuthFields", "pkceOptions"]
+
+  connect() {
+    this.updateFieldVisibility()
+  }
+
+  updateFieldVisibility() {
+    const appType = this.appTypeSelectTarget.value
+
+    if (appType === 'oidc') {
+      this.oidcFieldsTarget.classList.remove('hidden')
+      this.forwardAuthFieldsTarget.classList.add('hidden')
+    } else if (appType === 'forward_auth') {
+      this.oidcFieldsTarget.classList.add('hidden')
+      this.forwardAuthFieldsTarget.classList.remove('hidden')
+    } else {
+      this.oidcFieldsTarget.classList.add('hidden')
+      this.forwardAuthFieldsTarget.classList.add('hidden')
+    }
+  }
+
+  updatePkceVisibility(event) {
+    // Show PKCE options for confidential clients, hide for public clients
+    const isPublicClient = event.target.value === "true"
+
+    if (this.hasPkceOptionsTarget) {
+      if (isPublicClient) {
+        this.pkceOptionsTarget.classList.add('hidden')
+      } else {
+        this.pkceOptionsTarget.classList.remove('hidden')
+      }
+    }
+  }
+}
--- a/app/javascript/controllers/backup_codes_controller.js
+++ b/app/javascript/controllers/backup_codes_controller.js
@@ -0,0 +1,28 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static values = {
+    codes: Array
+  }
+
+  download() {
+    const content = "Clinch Backup Codes\n" +
+                    "===================\n\n" +
+                    this.codesValue.join("\n") +
+                    "\n\nSave these codes in a secure location."
+
+    const blob = new Blob([content], { type: 'text/plain' })
+    const url = window.URL.createObjectURL(blob)
+    const a = document.createElement('a')
+    a.href = url
+    a.download = 'clinch-backup-codes.txt'
+    document.body.appendChild(a)
+    a.click()
+    document.body.removeChild(a)
+    window.URL.revokeObjectURL(url)
+  }
+
+  print() {
+    window.print()
+  }
+}
--- a/app/javascript/controllers/file_drop_controller.js
+++ b/app/javascript/controllers/file_drop_controller.js
@@ -0,0 +1,96 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["input", "dropzone", "preview", "previewImage", "filename", "filesize"]
+
+  connect() {
+    // Prevent default drag behaviors on the whole document
+    ["dragenter", "dragover", "dragleave", "drop"].forEach(eventName => {
+      document.body.addEventListener(eventName, this.preventDefaults, false)
+    })
+  }
+
+  disconnect() {
+    ["dragenter", "dragover", "dragleave", "drop"].forEach(eventName => {
+      document.body.removeEventListener(eventName, this.preventDefaults, false)
+    })
+  }
+
+  preventDefaults(e) {
+    e.preventDefault()
+    e.stopPropagation()
+  }
+
+  dragover(e) {
+    e.preventDefault()
+    e.stopPropagation()
+    this.dropzoneTarget.classList.add("border-blue-500", "bg-blue-50")
+  }
+
+  dragleave(e) {
+    e.preventDefault()
+    e.stopPropagation()
+    this.dropzoneTarget.classList.remove("border-blue-500", "bg-blue-50")
+  }
+
+  drop(e) {
+    e.preventDefault()
+    e.stopPropagation()
+    this.dropzoneTarget.classList.remove("border-blue-500", "bg-blue-50")
+
+    const files = e.dataTransfer.files
+    if (files.length > 0) {
+      // Set the file to the input element
+      this.inputTarget.files = files
+      this.handleFiles()
+    }
+  }
+
+  handleFiles() {
+    const file = this.inputTarget.files[0]
+    if (!file) return
+
+    // Validate file type
+    const validTypes = ["image/png", "image/jpg", "image/jpeg", "image/gif", "image/svg+xml"]
+    if (!validTypes.includes(file.type)) {
+      alert("Please upload a PNG, JPG, GIF, or SVG image")
+      this.clear()
+      return
+    }
+
+    // Validate file size (2MB)
+    if (file.size > 2 * 1024 * 1024) {
+      alert("File size must be less than 2MB")
+      this.clear()
+      return
+    }
+
+    // Show preview
+    this.filenameTarget.textContent = file.name
+    this.filesizeTarget.textContent = this.formatFileSize(file.size)
+
+    // Create preview image
+    const reader = new FileReader()
+    reader.onload = (e) => {
+      this.previewImageTarget.src = e.target.result
+      this.previewTarget.classList.remove("hidden")
+    }
+    reader.readAsDataURL(file)
+  }
+
+  clear(e) {
+    if (e) {
+      e.preventDefault()
+    }
+    this.inputTarget.value = ""
+    this.previewTarget.classList.add("hidden")
+  }
+
+  formatFileSize(bytes) {
+    if (bytes === 0) return "0 Bytes"
+    const k = 1024
+    const sizes = ["Bytes", "KB", "MB"]
+    const i = Math.floor(Math.log(bytes) / Math.log(k))
+    return Math.round(bytes / Math.pow(k, i) * 100) / 100 + " " + sizes[i]
+  }
+}
--- a/app/javascript/controllers/flash_controller.js
+++ b/app/javascript/controllers/flash_controller.js
@@ -0,0 +1,85 @@
+import { Controller } from "@hotwired/stimulus"
+
+/**
+ * Manages flash message display, auto-dismissal, and user interactions
+ * Supports different flash types with appropriate styling and behavior
+ */
+export default class extends Controller {
+  static values = {
+    autoDismiss: String, // "false" or delay in milliseconds
+    type: String
+  }
+
+  connect() {
+    // Auto-dismiss if enabled
+    if (this.autoDismissValue && this.autoDismissValue !== "false") {
+      this.scheduleAutoDismiss()
+    }
+
+    // Smooth entrance animation
+    this.element.classList.add('transition-all', 'duration-300', 'ease-out')
+    this.element.style.opacity = '0'
+    this.element.style.transform = 'translateY(-10px)'
+
+    // Animate in
+    requestAnimationFrame(() => {
+      this.element.style.opacity = '1'
+      this.element.style.transform = 'translateY(0)'
+    })
+  }
+
+  /**
+   * Dismisses the flash message with smooth animation
+   */
+  dismiss() {
+    // Add dismiss animation
+    this.element.classList.add('transition-all', 'duration-300', 'ease-in')
+    this.element.style.opacity = '0'
+    this.element.style.transform = 'translateY(-10px)'
+
+    // Remove from DOM after animation
+    setTimeout(() => {
+      this.element.remove()
+    }, 300)
+  }
+
+  /**
+   * Schedules auto-dismissal based on the configured delay
+   */
+  scheduleAutoDismiss() {
+    const delay = parseInt(this.autoDismissValue)
+    if (delay > 0) {
+      setTimeout(() => {
+        this.dismiss()
+      }, delay)
+    }
+  }
+
+  /**
+   * Pause auto-dismissal on hover (for user reading)
+   */
+  mouseEnter() {
+    if (this.autoDismissTimer) {
+      clearTimeout(this.autoDismissTimer)
+      this.autoDismissTimer = null
+    }
+  }
+
+  /**
+   * Resume auto-dismissal when hover ends
+   */
+  mouseLeave() {
+    if (this.autoDismissValue && this.autoDismissValue !== "false") {
+      this.scheduleAutoDismiss()
+    }
+  }
+
+  /**
+   * Handle keyboard interactions
+   */
+  keydown(event) {
+    if (event.key === 'Escape' || event.key === 'Enter') {
+      this.dismiss()
+    }
+  }
+}
--- a/app/javascript/controllers/form_errors_controller.js
+++ b/app/javascript/controllers/form_errors_controller.js
@@ -0,0 +1,89 @@
+import { Controller } from "@hotwired/stimulus"
+
+/**
+ * Manages form error display and dismissal
+ * Provides consistent error handling across all forms
+ */
+export default class extends Controller {
+  static targets = ["container"]
+
+  /**
+   * Dismisses the error container with a smooth fade-out animation
+   */
+  dismiss() {
+    if (!this.hasContainerTarget) return
+
+    // Add transition classes
+    this.containerTarget.classList.add('transition-all', 'duration-300', 'opacity-0', 'transform', 'scale-95')
+
+    // Remove from DOM after animation completes
+    setTimeout(() => {
+      this.containerTarget.remove()
+    }, 300)
+  }
+
+  /**
+   * Shows server-side validation errors after form submission
+   * Auto-focuses the first error field for better accessibility
+   */
+  connect() {
+    // Auto-focus first error field if errors exist
+    this.focusFirstErrorField()
+
+    // Scroll to errors if needed
+    this.scrollToErrors()
+  }
+
+  /**
+   * Focuses the first field with validation errors
+   */
+  focusFirstErrorField() {
+    if (!this.hasContainerTarget) return
+
+    // Find first form field with errors (look for error classes or aria-invalid)
+    const form = this.element.closest('form')
+    if (!form) return
+
+    const errorField = form.querySelector('[aria-invalid="true"], .border-red-500, .ring-red-500')
+    if (errorField) {
+      setTimeout(() => {
+        errorField.focus()
+        errorField.scrollIntoView({ behavior: 'smooth', block: 'center' })
+      }, 100)
+    }
+  }
+
+  /**
+   * Scrolls error container into view if it's not visible
+   */
+  scrollToErrors() {
+    if (!this.hasContainerTarget) return
+
+    const rect = this.containerTarget.getBoundingClientRect()
+    const isInViewport = rect.top >= 0 && rect.left >= 0 &&
+                        rect.bottom <= window.innerHeight &&
+                        rect.right <= window.innerWidth
+
+    if (!isInViewport) {
+      setTimeout(() => {
+        this.containerTarget.scrollIntoView({
+          behavior: 'smooth',
+          block: 'start',
+          inline: 'nearest'
+        })
+      }, 100)
+    }
+  }
+
+  /**
+   * Auto-dismisses success messages after a delay
+   * Can be called from other controllers
+   */
+  autoDismiss(delay = 5000) {
+    if (!this.hasContainerTarget) return
+
+    setTimeout(() => {
+      this.dismiss()
+    }, delay)
+  }
+}
--- a/app/javascript/controllers/form_submit_protection_controller.js
+++ b/app/javascript/controllers/form_submit_protection_controller.js
@@ -0,0 +1,68 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = [ "submit" ]
+
+  connect() {
+    // Prevent form auto-submission when browser autofills TOTP
+    this.preventAutoSubmit()
+
+    // Add double-click protection
+    this.submitTarget.addEventListener('dblclick', (e) => {
+      e.preventDefault()
+      return false
+    })
+  }
+
+  submit() {
+    if (this.submitTarget.disabled) {
+      return false
+    }
+
+    // Disable submit button and show loading state
+    this.submitTarget.disabled = true
+    this.submitTarget.textContent = 'Verifying...'
+    this.submitTarget.classList.add('opacity-75', 'cursor-not-allowed')
+
+    // Re-enable after 10 seconds in case of network issues
+    setTimeout(() => {
+      this.submitTarget.disabled = false
+      this.submitTarget.textContent = 'Verify'
+      this.submitTarget.classList.remove('opacity-75', 'cursor-not-allowed')
+    }, 10000)
+
+    // Allow the form to submit normally
+    return true
+  }
+
+  preventAutoSubmit() {
+    // Some browsers auto-submit forms when TOTP fields are autofilled
+    // This prevents that behavior while still allowing manual submission
+    const codeInput = this.element.querySelector('input[name="code"]')
+
+    if (codeInput) {
+      let hasAutoSubmitted = false
+
+      codeInput.addEventListener('input', (e) => {
+        // Check if this looks like an auto-fill event
+        // Auto-fill typically fills the entire field at once
+        if (e.target.value.length >= 6 && !hasAutoSubmitted) {
+          // Don't auto-submit, let user click the button manually
+          hasAutoSubmitted = true
+
+          // Optionally, focus the submit button to make it obvious
+          this.submitTarget.focus()
+        }
+      })
+
+      // Also prevent Enter key submission on TOTP field
+      codeInput.addEventListener('keypress', (e) => {
+        if (e.key === 'Enter') {
+          e.preventDefault()
+          this.submitTarget.click()
+          return false
+        }
+      })
+    }
+  }
+}
--- a/app/javascript/controllers/hello_controller.js
+++ b/app/javascript/controllers/hello_controller.js
@@ -1,7 +0,0 @@
-import { Controller } from "@hotwired/stimulus"
-
-export default class extends Controller {
-  connect() {
-    this.element.textContent = "Hello World!"
-  }
-}
--- a/app/javascript/controllers/image_paste_controller.js
+++ b/app/javascript/controllers/image_paste_controller.js
@@ -0,0 +1,121 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["input", "dropzone"]
+
+  connect() {
+    // Listen for paste events on the dropzone
+    this.dropzoneTarget.addEventListener("paste", this.handlePaste.bind(this))
+  }
+
+  disconnect() {
+    this.dropzoneTarget.removeEventListener("paste", this.handlePaste.bind(this))
+  }
+
+  handlePaste(e) {
+    e.preventDefault()
+    e.stopPropagation()
+
+    const clipboardData = e.clipboardData || e.originalEvent.clipboardData
+
+    // First, try to get image data
+    for (let item of clipboardData.items) {
+      if (item.type.indexOf("image") !== -1) {
+        const blob = item.getAsFile()
+        this.handleImageBlob(blob)
+        return
+      }
+    }
+
+    // If no image found, check for SVG text
+    const text = clipboardData.getData("text/plain")
+    if (text && this.isSVG(text)) {
+      this.handleSVGText(text)
+      return
+    }
+  }
+
+  isSVG(text) {
+    // Check if the text looks like SVG code
+    const trimmed = text.trim()
+    return trimmed.startsWith("<svg") && trimmed.includes("</svg>")
+  }
+
+  handleSVGText(svgText) {
+    // Validate file size (2MB)
+    const size = new Blob([svgText]).size
+    if (size > 2 * 1024 * 1024) {
+      alert("SVG code is too large (must be less than 2MB)")
+      return
+    }
+
+    // Create a blob from the SVG text
+    const blob = new Blob([svgText], { type: "image/svg+xml" })
+
+    // Create a File object
+    const file = new File([blob], `pasted-svg-${Date.now()}.svg`, {
+      type: "image/svg+xml"
+    })
+
+    // Create a DataTransfer object to set files on the input
+    const dataTransfer = new DataTransfer()
+    dataTransfer.items.add(file)
+    this.inputTarget.files = dataTransfer.files
+
+    // Trigger change event to update preview (file-drop controller will handle it)
+    const event = new Event("change", { bubbles: true })
+    this.inputTarget.dispatchEvent(event)
+
+    // Visual feedback
+    this.dropzoneTarget.classList.add("border-green-500", "bg-green-50")
+    setTimeout(() => {
+      this.dropzoneTarget.classList.remove("border-green-500", "bg-green-50")
+    }, 500)
+  }
+
+  handleImageBlob(blob) {
+    // Validate file type
+    const validTypes = ["image/png", "image/jpg", "image/jpeg", "image/gif", "image/svg+xml"]
+    if (!validTypes.includes(blob.type)) {
+      alert("Please paste a PNG, JPG, GIF, or SVG image")
+      return
+    }
+
+    // Validate file size (2MB)
+    if (blob.size > 2 * 1024 * 1024) {
+      alert("Image size must be less than 2MB")
+      return
+    }
+
+    // Create a File object from the blob with a default name
+    const file = new File([blob], `pasted-image-${Date.now()}.${this.getExtension(blob.type)}`, {
+      type: blob.type
+    })
+
+    // Create a DataTransfer object to set files on the input
+    const dataTransfer = new DataTransfer()
+    dataTransfer.items.add(file)
+    this.inputTarget.files = dataTransfer.files
+
+    // Trigger change event to update preview (file-drop controller will handle it)
+    const event = new Event("change", { bubbles: true })
+    this.inputTarget.dispatchEvent(event)
+
+    // Visual feedback
+    this.dropzoneTarget.classList.add("border-green-500", "bg-green-50")
+    setTimeout(() => {
+      this.dropzoneTarget.classList.remove("border-green-500", "bg-green-50")
+    }, 500)
+  }
+
+  getExtension(mimeType) {
+    const extensions = {
+      "image/png": "png",
+      "image/jpeg": "jpg",
+      "image/jpg": "jpg",
+      "image/gif": "gif",
+      "image/svg+xml": "svg"
+    }
+    return extensions[mimeType] || "png"
+  }
+}
--- a/app/javascript/controllers/json_validator_controller.js
+++ b/app/javascript/controllers/json_validator_controller.js
@@ -0,0 +1,81 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["textarea", "status"]
+  static classes = ["valid", "invalid", "validStatus", "invalidStatus"]
+
+  connect() {
+    this.validate()
+  }
+
+  validate() {
+    const value = this.textareaTarget.value.trim()
+
+    if (!value) {
+      this.clearStatus()
+      return true
+    }
+
+    try {
+      JSON.parse(value)
+      this.showValid()
+      return true
+    } catch (error) {
+      this.showInvalid(error.message)
+      return false
+    }
+  }
+
+  format() {
+    const value = this.textareaTarget.value.trim()
+
+    if (!value) return
+
+    try {
+      const parsed = JSON.parse(value)
+      const formatted = JSON.stringify(parsed, null, 2)
+      this.textareaTarget.value = formatted
+      this.showValid()
+    } catch (error) {
+      this.showInvalid(error.message)
+    }
+  }
+
+  clearStatus() {
+    this.textareaTarget.classList.remove(...this.invalidClasses)
+    this.textareaTarget.classList.remove(...this.validClasses)
+    if (this.hasStatusTarget) {
+      this.statusTarget.textContent = ""
+      this.statusTarget.classList.remove(...this.validStatusClasses, ...this.invalidStatusClasses)
+    }
+  }
+
+  showValid() {
+    this.textareaTarget.classList.remove(...this.invalidClasses)
+    this.textareaTarget.classList.add(...this.validClasses)
+    if (this.hasStatusTarget) {
+      this.statusTarget.textContent = "✓ Valid JSON"
+      this.statusTarget.classList.remove(...this.invalidStatusClasses)
+      this.statusTarget.classList.add(...this.validStatusClasses)
+    }
+  }
+
+  showInvalid(errorMessage) {
+    this.textareaTarget.classList.remove(...this.validClasses)
+    this.textareaTarget.classList.add(...this.invalidClasses)
+    if (this.hasStatusTarget) {
+      this.statusTarget.textContent = `✗ Invalid JSON: ${errorMessage}`
+      this.statusTarget.classList.remove(...this.validStatusClasses)
+      this.statusTarget.classList.add(...this.invalidStatusClasses)
+    }
+  }
+
+  insertSample(event) {
+    event.preventDefault()
+    const sample = event.params.json || event.target.dataset.jsonSample
+    if (sample) {
+      this.textareaTarget.value = sample
+      this.format()
+    }
+  }
+}
--- a/app/javascript/controllers/login_form_controller.js
+++ b/app/javascript/controllers/login_form_controller.js
@@ -0,0 +1,92 @@
+import { Controller } from "@hotwired/stimulus"
+
+// Handles login form UI changes based on WebAuthn availability
+export default class extends Controller {
+  static targets = ["webauthnSection", "passwordSection", "statusMessage", "loadingOverlay"]
+
+  connect() {
+    // Listen for WebAuthn availability events from the webauthn controller
+    this.element.addEventListener('webauthn:webauthn-available', this.handleWebAuthnAvailable.bind(this));
+
+    // Listen for WebAuthn registration events (from profile page)
+    this.element.addEventListener('webauthn:passkey-registered', this.handlePasskeyRegistered.bind(this));
+
+    // Listen for authentication start/end to show/hide loading
+    document.addEventListener('webauthn:authenticate-start', this.showLoading.bind(this));
+    document.addEventListener('webauthn:authenticate-end', this.hideLoading.bind(this));
+  }
+
+  disconnect() {
+    // Clean up event listeners
+    document.removeEventListener('webauthn:authenticate-start', this.showLoading.bind(this));
+    document.removeEventListener('webauthn:authenticate-end', this.hideLoading.bind(this));
+  }
+
+  handleWebAuthnAvailable(event) {
+    const detail = event.detail;
+
+    if (!this.hasWebauthnSectionTarget || !this.hasPasswordSectionTarget) {
+      return;
+    }
+
+    if (detail.hasWebauthn) {
+      this.webauthnSectionTarget.classList.remove('hidden');
+
+      // If WebAuthn is required, hide password section
+      if (detail.requiresWebauthn) {
+        this.passwordSectionTarget.classList.add('hidden');
+      } else {
+        // Show both options with a divider
+        this.passwordSectionTarget.classList.add('border-t', 'pt-4', 'mt-4');
+        this.addOrDivider();
+      }
+    }
+  }
+
+  handlePasskeyRegistered(event) {
+    if (!this.hasStatusMessageTarget) {
+      return;
+    }
+
+    // Show success message
+    this.statusMessageTarget.className = 'mt-4 p-3 rounded-md bg-green-50 text-green-800 border border-green-200';
+    this.statusMessageTarget.textContent = 'Passkey registered successfully!';
+    this.statusMessageTarget.classList.remove('hidden');
+
+    // Hide after 3 seconds
+    setTimeout(() => {
+      this.statusMessageTarget.classList.add('hidden');
+    }, 3000);
+  }
+
+  showLoading() {
+    if (this.hasLoadingOverlayTarget) {
+      this.loadingOverlayTarget.classList.remove('hidden');
+    }
+  }
+
+  hideLoading() {
+    if (this.hasLoadingOverlayTarget) {
+      this.loadingOverlayTarget.classList.add('hidden');
+    }
+  }
+
+  addOrDivider() {
+    // Check if divider already exists
+    if (this.element.querySelector('.login-divider')) {
+      return;
+    }
+
+    const orDiv = document.createElement('div');
+    orDiv.className = 'relative my-4 login-divider';
+    orDiv.innerHTML = `
+      <div class="absolute inset-0 flex items-center">
+        <div class="w-full border-t border-gray-300"></div>
+      </div>
+      <div class="relative flex justify-center text-sm">
+        <span class="px-2 bg-white text-gray-500">Or</span>
+      </div>
+    `;
+    this.webauthnSectionTarget.parentNode.insertBefore(orDiv, this.passwordSectionTarget);
+  }
+}
--- a/app/javascript/controllers/mobile_sidebar_controller.js
+++ b/app/javascript/controllers/mobile_sidebar_controller.js
@@ -0,0 +1,48 @@
+import { Controller } from "@hotwired/stimulus";
+
+export default class extends Controller {
+  static targets = ["sidebarOverlay"];
+
+  connect() {
+    // Initialize mobile sidebar functionality
+    // Add escape key listener to close sidebar
+    this.boundHandleEscape = this.handleEscape.bind(this);
+    document.addEventListener('keydown', this.boundHandleEscape);
+  }
+
+  disconnect() {
+    // Clean up event listeners
+    document.removeEventListener('keydown', this.boundHandleEscape);
+  }
+
+  openSidebar() {
+    if (this.hasSidebarOverlayTarget) {
+      this.sidebarOverlayTarget.classList.remove('hidden');
+      // Prevent body scroll when sidebar is open
+      document.body.style.overflow = 'hidden';
+    }
+  }
+
+  closeSidebar() {
+    if (this.hasSidebarOverlayTarget) {
+      this.sidebarOverlayTarget.classList.add('hidden');
+      // Restore body scroll
+      document.body.style.overflow = '';
+    }
+  }
+
+  // Close sidebar when clicking on the overlay background
+  closeOnBackgroundClick(event) {
+    // Check if the click is on the overlay background (the semi-transparent layer)
+    if (event.target === this.sidebarOverlayTarget || event.target.classList.contains('bg-gray-900/80')) {
+      this.closeSidebar();
+    }
+  }
+
+  // Handle escape key to close sidebar
+  handleEscape(event) {
+    if (event.key === 'Escape' && this.hasSidebarOverlayTarget && !this.sidebarOverlayTarget.classList.contains('hidden')) {
+      this.closeSidebar();
+    }
+  }
+}
--- a/app/javascript/controllers/modal_controller.js
+++ b/app/javascript/controllers/modal_controller.js
@@ -0,0 +1,50 @@
+import { Controller } from "@hotwired/stimulus"
+
+// Generic modal controller for showing/hiding modal dialogs
+export default class extends Controller {
+  static targets = ["dialog"]
+
+  show(event) {
+    // If called from a button with data-modal-id, find and show that modal
+    const modalId = event.currentTarget?.dataset?.modalId;
+    if (modalId) {
+      const modal = document.getElementById(modalId);
+      if (modal) {
+        modal.classList.remove("hidden");
+      }
+    } else if (this.hasDialogTarget) {
+      // Otherwise show the dialog target
+      this.dialogTarget.classList.remove("hidden");
+    } else {
+      // Or show this element itself
+      this.element.classList.remove("hidden");
+    }
+  }
+
+  hide() {
+    // Find the currently visible modal to hide it
+    const visibleModal = document.querySelector('[data-controller="modal"] .fixed.inset-0:not(.hidden)');
+    if (visibleModal) {
+      visibleModal.classList.add("hidden");
+    } else if (this.hasDialogTarget) {
+      this.dialogTarget.classList.add("hidden");
+    } else {
+      this.element.classList.add("hidden");
+    }
+  }
+
+  // Close modal when clicking backdrop
+  closeOnBackdrop(event) {
+    // Only close if clicking directly on the backdrop (not child elements)
+    if (event.target === this.element || event.target.classList.contains('modal-backdrop')) {
+      this.hide();
+    }
+  }
+
+  // Close modal on Escape key
+  closeOnEscape(event) {
+    if (event.key === "Escape") {
+      this.hide();
+    }
+  }
+}
--- a/app/javascript/controllers/webauthn_controller.js
+++ b/app/javascript/controllers/webauthn_controller.js
@@ -0,0 +1,317 @@
+import { Controller } from "@hotwired/stimulus";
+
+export default class extends Controller {
+  static targets = ["nickname", "submitButton", "status", "error"];
+  static values = {
+    challengeUrl: String,
+    createUrl: String,
+    checkUrl: String
+  };
+
+  connect() {
+    // Check if WebAuthn is supported
+    if (!this.isWebAuthnSupported()) {
+      console.warn("WebAuthn is not supported in this browser");
+      return;
+    }
+  }
+
+  // Check if browser supports WebAuthn
+  isWebAuthnSupported() {
+    return (
+      window.PublicKeyCredential !== undefined &&
+      typeof window.PublicKeyCredential === "function"
+    );
+  }
+
+  // Check if user has passkeys (for login page)
+  async checkWebAuthnSupport(event) {
+    const email = event.target.value.trim();
+
+    if (!email || !this.isValidEmail(email)) {
+      return;
+    }
+
+    try {
+      const response = await fetch(`${this.checkUrlValue}?email=${encodeURIComponent(email)}`);
+      const data = await response.json();
+
+      console.debug("WebAuthn check response:", data);
+
+      if (data.has_webauthn) {
+        console.debug("Dispatching webauthn-available event");
+        // Trigger custom event for login form to show passkey option
+        this.dispatch("webauthn-available", {
+          detail: {
+            hasWebauthn: data.has_webauthn,
+            requiresWebauthn: data.requires_webauthn,
+            preferredMethod: data.preferred_method
+          }
+        });
+
+        // Auto-trigger passkey authentication if required
+        if (data.requires_webauthn) {
+          setTimeout(() => this.authenticate(), 100);
+        }
+      } else {
+        console.debug("No WebAuthn credentials found for this email");
+      }
+    } catch (error) {
+      console.error("Error checking WebAuthn support:", error);
+    }
+  }
+
+  // Start registration ceremony
+  async register(event) {
+    event.preventDefault();
+
+    if (!this.isWebAuthnSupported()) {
+      this.showError("WebAuthn is not supported in your browser");
+      return;
+    }
+
+    const nickname = this.nicknameTarget.value.trim();
+    if (!nickname) {
+      this.showError("Please enter a nickname for this passkey");
+      return;
+    }
+
+    this.setLoading(true);
+    this.clearMessages();
+
+    try {
+      // Get registration challenge from server
+      const challengeResponse = await fetch(this.challengeUrlValue, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-CSRF-Token": this.getCSRFToken()
+        }
+      });
+
+      if (!challengeResponse.ok) {
+        throw new Error("Failed to get registration challenge");
+      }
+
+      const credentialCreationOptions = await challengeResponse.json();
+
+      // Use modern Web Authentication API Level 3 to parse options
+      // This automatically handles all base64url encoding/decoding
+      const publicKeyOptions = PublicKeyCredential.parseCreationOptionsFromJSON(
+        credentialCreationOptions
+      );
+
+      // Create credential via WebAuthn API
+      const credential = await navigator.credentials.create({
+        publicKey: publicKeyOptions
+      });
+
+      if (!credential) {
+        throw new Error("Failed to create credential");
+      }
+
+      // Send credential to server for verification
+      // Use toJSON() to properly serialize the credential
+      const credentialResponse = await fetch(this.createUrlValue, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-CSRF-Token": this.getCSRFToken()
+        },
+        body: JSON.stringify({
+          credential: credential.toJSON(),
+          nickname: nickname
+        })
+      });
+
+      const result = await credentialResponse.json();
+
+      if (result.success) {
+        this.showSuccess(result.message);
+
+        // Clear the form
+        this.nicknameTarget.value = "";
+
+        // Dispatch event to refresh the passkey list
+        this.dispatch("passkey-registered", {
+          detail: {
+            nickname: nickname,
+            credentialId: result.credential_id
+          }
+        });
+
+        // Optionally close modal or redirect
+        setTimeout(() => {
+          if (window.location.pathname === "/webauthn/new") {
+            window.location.href = "/profile";
+          }
+        }, 1500);
+      } else {
+        this.showError(result.error || "Failed to register passkey");
+      }
+
+    } catch (error) {
+      console.error("WebAuthn registration error:", error);
+      this.showError(this.getErrorMessage(error));
+    } finally {
+      this.setLoading(false);
+    }
+  }
+
+  // Start authentication ceremony
+  async authenticate(event) {
+    if (event) {
+      event.preventDefault();
+    }
+
+    if (!this.isWebAuthnSupported()) {
+      this.showError("WebAuthn is not supported in your browser");
+      return;
+    }
+
+    this.setLoading(true);
+    this.clearMessages();
+
+    try {
+      // Get authentication challenge from server
+      const response = await fetch("/sessions/webauthn/challenge", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-CSRF-Token": this.getCSRFToken()
+        },
+        body: JSON.stringify({
+          email: this.getUserEmail()
+        })
+      });
+
+      if (!response.ok) {
+        throw new Error("Failed to get authentication challenge");
+      }
+
+      const credentialRequestOptions = await response.json();
+
+      // Use modern Web Authentication API Level 3 to parse options
+      // This automatically handles all base64url encoding/decoding
+      const publicKeyOptions = PublicKeyCredential.parseRequestOptionsFromJSON(
+        credentialRequestOptions
+      );
+
+      // Get credential via WebAuthn API
+      const credential = await navigator.credentials.get({
+        publicKey: publicKeyOptions
+      });
+
+      if (!credential) {
+        throw new Error("Failed to get credential");
+      }
+
+      // Send assertion to server for verification
+      // Use toJSON() to properly serialize the credential
+      const authResponse = await fetch("/sessions/webauthn/verify", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-CSRF-Token": this.getCSRFToken()
+        },
+        body: JSON.stringify({
+          credential: credential.toJSON(),
+          email: this.getUserEmail()
+        })
+      });
+
+      const result = await authResponse.json();
+
+      if (result.success) {
+        // Redirect to dashboard or intended URL
+        window.location.href = result.redirect_to || "/";
+      } else {
+        this.showError(result.error || "Authentication failed");
+      }
+
+    } catch (error) {
+      console.error("WebAuthn authentication error:", error);
+      this.showError(this.getErrorMessage(error));
+    } finally {
+      this.setLoading(false);
+    }
+  }
+
+  // UI helper methods
+  setLoading(isLoading) {
+    if (this.hasSubmitButtonTarget) {
+      this.submitButtonTarget.disabled = isLoading;
+      this.submitButtonTarget.textContent = isLoading ? "Registering..." : "Register Passkey";
+    }
+  }
+
+  showSuccess(message) {
+    if (this.hasStatusTarget) {
+      this.statusTarget.textContent = message;
+      this.statusTarget.className = "mt-2 text-sm text-green-600";
+      this.statusTarget.style.display = "block";
+    }
+  }
+
+  showError(message) {
+    if (this.hasErrorTarget) {
+      this.errorTarget.textContent = message;
+      this.errorTarget.className = "mt-2 text-sm text-red-600";
+      this.errorTarget.style.display = "block";
+    }
+  }
+
+  clearMessages() {
+    if (this.hasStatusTarget) {
+      this.statusTarget.style.display = "none";
+      this.statusTarget.textContent = "";
+    }
+    if (this.hasErrorTarget) {
+      this.errorTarget.style.display = "none";
+      this.errorTarget.textContent = "";
+    }
+  }
+
+  getCSRFToken() {
+    const meta = document.querySelector('meta[name="csrf-token"]');
+    return meta ? meta.getAttribute("content") : "";
+  }
+
+  getUserEmail() {
+    // Try multiple ways to get the user email from login form
+    let emailInput = document.querySelector('input[type="email"]');
+    if (!emailInput) {
+      emailInput = document.querySelector('input[name="email"]');
+    }
+    if (!emailInput) {
+      emailInput = document.querySelector('input[name="session[email_address]"]');
+    }
+    if (!emailInput) {
+      emailInput = document.querySelector('input[name="user[email_address]"]');
+    }
+    return emailInput ? emailInput.value.trim() : "";
+  }
+
+  isValidEmail(email) {
+    return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
+  }
+
+  getErrorMessage(error) {
+    // Common WebAuthn errors
+    if (error.name === "NotAllowedError") {
+      return "Authentication was cancelled or timed out. Please try again.";
+    }
+    if (error.name === "SecurityError") {
+      return "Security requirements not met. Make sure you're using HTTPS.";
+    }
+    if (error.name === "NotSupportedError") {
+      return "This device doesn't support the requested authentication method.";
+    }
+    if (error.name === "InvalidStateError") {
+      return "This authenticator has already been registered.";
+    }
+
+    // Fallback to error message
+    return error.message || "An unexpected error occurred";
+  }
+}
--- a/app/jobs/backchannel_logout_job.rb
+++ b/app/jobs/backchannel_logout_job.rb
@@ -0,0 +1,52 @@
+class BackchannelLogoutJob < ApplicationJob
+  queue_as :default
+
+  # Retry with exponential backoff: 1s, 5s, 25s
+  retry_on StandardError, wait: :exponentially_longer, attempts: 3
+
+  def perform(user_id:, application_id:, consent_sid:)
+    # Find the records
+    user = User.find_by(id: user_id)
+    application = Application.find_by(id: application_id)
+    consent = OidcUserConsent.find_by(sid: consent_sid)
+
+    # Validate we have all required data
+    unless user && application && consent
+      Rails.logger.warn "BackchannelLogout: Missing data - user: #{user.present?}, app: #{application.present?}, consent: #{consent.present?}"
+      return
+    end
+
+    # Skip if application doesn't support backchannel logout
+    unless application.supports_backchannel_logout?
+      Rails.logger.debug "BackchannelLogout: Application #{application.name} doesn't support backchannel logout"
+      return
+    end
+
+    # Generate the logout token
+    logout_token = OidcJwtService.generate_logout_token(user, application, consent)
+
+    # Send HTTP POST to the application's backchannel logout URI
+    uri = URI.parse(application.backchannel_logout_uri)
+
+    begin
+      response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https", open_timeout: 5, read_timeout: 5) do |http|
+        request = Net::HTTP::Post.new(uri.path.presence || "/")
+        request["Content-Type"] = "application/x-www-form-urlencoded"
+        request.set_form_data({logout_token: logout_token})
+        http.request(request)
+      end
+
+      if response.code.to_i == 200
+        Rails.logger.info "BackchannelLogout: Successfully sent logout notification to #{application.name} (#{application.backchannel_logout_uri})"
+      else
+        Rails.logger.warn "BackchannelLogout: Application #{application.name} returned HTTP #{response.code} from #{application.backchannel_logout_uri}"
+      end
+    rescue Net::OpenTimeout, Net::ReadTimeout => e
+      Rails.logger.warn "BackchannelLogout: Timeout sending logout to #{application.name} (#{application.backchannel_logout_uri}): #{e.message}"
+      raise # Retry on timeout
+    rescue => e
+      Rails.logger.error "BackchannelLogout: Failed to send logout to #{application.name} (#{application.backchannel_logout_uri}): #{e.class} - #{e.message}"
+      raise # Retry on error
+    end
+  end
+end
--- a/app/jobs/oidc_token_cleanup_job.rb
+++ b/app/jobs/oidc_token_cleanup_job.rb
@@ -0,0 +1,29 @@
+class OidcTokenCleanupJob < ApplicationJob
+  queue_as :default
+
+  def perform
+    # Delete expired access tokens (keep revoked ones for audit trail)
+    expired_access_tokens = OidcAccessToken.where("expires_at < ?", 7.days.ago)
+    deleted_count = expired_access_tokens.delete_all
+    Rails.logger.info "OIDC Token Cleanup: Deleted #{deleted_count} expired access tokens"
+
+    # Delete expired refresh tokens (keep revoked ones for audit trail)
+    expired_refresh_tokens = OidcRefreshToken.where("expires_at < ?", 7.days.ago)
+    deleted_count = expired_refresh_tokens.delete_all
+    Rails.logger.info "OIDC Token Cleanup: Deleted #{deleted_count} expired refresh tokens"
+
+    # Delete old revoked tokens (after 30 days for audit trail)
+    old_revoked_access_tokens = OidcAccessToken.where("revoked_at < ?", 30.days.ago)
+    deleted_count = old_revoked_access_tokens.delete_all
+    Rails.logger.info "OIDC Token Cleanup: Deleted #{deleted_count} old revoked access tokens"
+
+    old_revoked_refresh_tokens = OidcRefreshToken.where("revoked_at < ?", 30.days.ago)
+    deleted_count = old_revoked_refresh_tokens.delete_all
+    Rails.logger.info "OIDC Token Cleanup: Deleted #{deleted_count} old revoked refresh tokens"
+
+    # Delete old used authorization codes (after 7 days)
+    old_auth_codes = OidcAuthorizationCode.where("created_at < ?", 7.days.ago)
+    deleted_count = old_auth_codes.delete_all
+    Rails.logger.info "OIDC Token Cleanup: Deleted #{deleted_count} old authorization codes"
+  end
+end
--- a/app/mailers/application_mailer.rb
+++ b/app/mailers/application_mailer.rb
@@ -1,4 +1,4 @@
 class ApplicationMailer < ActionMailer::Base
-  default from: "from@example.com"
+  default from: ENV.fetch("CLINCH_FROM_EMAIL", "clinch@example.com")
  layout "mailer"
 end
--- a/app/mailers/invitations_mailer.rb
+++ b/app/mailers/invitations_mailer.rb
@@ -0,0 +1,6 @@
+class InvitationsMailer < ApplicationMailer
+  def invite_user(user)
+    @user = user
+    mail subject: "You're invited to join Clinch", to: user.email_address
+  end
+end
--- a/app/models/application.rb
+++ b/app/models/application.rb
@@ -1,32 +1,99 @@
 class Application < ApplicationRecord
+  has_secure_password :client_secret, validations: false
+
+  # Virtual attribute to control client type during creation
+  # When true, no client_secret will be generated (public client)
+  attr_accessor :is_public_client
+
+  has_one_attached :icon
+
+  # Fix SVG content type after attachment
+  after_save :fix_icon_content_type, if: -> { icon.attached? && saved_change_to_attribute?(:id) == false }
+
  has_many :application_groups, dependent: :destroy
  has_many :allowed_groups, through: :application_groups, source: :group
+  has_many :application_user_claims, dependent: :destroy
  has_many :oidc_authorization_codes, dependent: :destroy
  has_many :oidc_access_tokens, dependent: :destroy
+  has_many :oidc_refresh_tokens, dependent: :destroy
+  has_many :oidc_user_consents, dependent: :destroy

  validates :name, presence: true
-  validates :slug, presence: true, uniqueness: { case_sensitive: false },
-                  format: { with: /\A[a-z0-9\-]+\z/, message: "only lowercase letters, numbers, and hyphens" }
+  validates :slug, presence: true, uniqueness: {case_sensitive: false},
+    format: {with: /\A[a-z0-9-]+\z/, message: "only lowercase letters, numbers, and hyphens"}
  validates :app_type, presence: true,
-                      inclusion: { in: %w[oidc saml] }
-  validates :client_id, uniqueness: { allow_nil: true }
+    inclusion: {in: %w[oidc forward_auth]}
+  validates :client_id, uniqueness: {allow_nil: true}
+  validates :client_secret, presence: true, on: :create, if: -> { oidc? && confidential_client? }
+  validates :domain_pattern, presence: true, uniqueness: {case_sensitive: false}, if: :forward_auth?
+  validates :landing_url, format: {with: URI::RFC2396_PARSER.make_regexp(%w[http https]), allow_nil: true, message: "must be a valid URL"}
+  validates :backchannel_logout_uri, format: {
+    with: URI::RFC2396_PARSER.make_regexp(%w[http https]),
+    allow_nil: true,
+    message: "must be a valid HTTP or HTTPS URL"
+  }
+  validate :backchannel_logout_uri_must_be_https_in_production, if: -> { backchannel_logout_uri.present? }
+
+  # Icon validation using ActiveStorage validators
+  validate :icon_validation, if: -> { icon.attached? }
+
+  # Token TTL validations (for OIDC apps)
+  validates :access_token_ttl, numericality: {greater_than_or_equal_to: 300, less_than_or_equal_to: 86400}, if: :oidc?  # 5 min - 24 hours
+  validates :refresh_token_ttl, numericality: {greater_than_or_equal_to: 86400, less_than_or_equal_to: 7776000}, if: :oidc?  # 1 day - 90 days
+  validates :id_token_ttl, numericality: {greater_than_or_equal_to: 300, less_than_or_equal_to: 86400}, if: :oidc?  # 5 min - 24 hours

  normalizes :slug, with: ->(slug) { slug.strip.downcase }
+  normalizes :domain_pattern, with: ->(pattern) {
+    normalized = pattern&.strip&.downcase
+    normalized.blank? ? nil : normalized
+  }
+  normalizes :backchannel_logout_uri, with: ->(uri) {
+    normalized = uri&.strip
+    normalized.blank? ? nil : normalized
+  }

  before_validation :generate_client_credentials, on: :create, if: :oidc?

+  # Default header configuration for ForwardAuth
+  DEFAULT_HEADERS = {
+    user: "X-Remote-User",
+    email: "X-Remote-Email",
+    name: "X-Remote-Name",
+    groups: "X-Remote-Groups",
+    admin: "X-Remote-Admin"
+  }.freeze
+
  # Scopes
  scope :active, -> { where(active: true) }
  scope :oidc, -> { where(app_type: "oidc") }
-  scope :saml, -> { where(app_type: "saml") }
+  scope :forward_auth, -> { where(app_type: "forward_auth") }
+  scope :ordered, -> { order(domain_pattern: :asc) }

  # Type checks
  def oidc?
    app_type == "oidc"
  end

-  def saml?
-    app_type == "saml"
+  def forward_auth?
+    app_type == "forward_auth"
+  end
+
+  # Client type checks (for OIDC)
+  def public_client?
+    client_secret_digest.blank?
+  end
+
+  def confidential_client?
+    !public_client?
+  end
+
+  # PKCE requirement check
+  # Public clients MUST use PKCE (no client secret to protect auth code)
+  # Confidential clients can optionally require PKCE (OAuth 2.1 recommendation)
+  def requires_pkce?
+    return false unless oidc?
+    return true if public_client?  # Always require PKCE for public clients
+    require_pkce?  # Check the flag for confidential clients
  end

  # Access control
@@ -56,10 +123,190 @@ class Application < ApplicationRecord
    {}
  end

+  # ForwardAuth helpers
+  def parsed_headers_config
+    return {} unless headers_config.present?
+    headers_config.is_a?(Hash) ? headers_config : JSON.parse(headers_config)
+  rescue JSON::ParserError
+    {}
+  end
+
+  # Check if a domain matches this application's pattern (for ForwardAuth)
+  def matches_domain?(domain)
+    return false if domain.blank? || !forward_auth?
+
+    pattern = domain_pattern.gsub(".", '\.')
+    pattern = pattern.gsub("*", "[^.]*")
+
+    regex = Regexp.new("^#{pattern}$", Regexp::IGNORECASE)
+    regex.match?(domain.downcase)
+  end
+
+  # Policy determination based on user status (for ForwardAuth)
+  def policy_for_user(user)
+    return "deny" unless active?
+    return "deny" unless user.active?
+
+    # If no groups specified, bypass authentication
+    return "bypass" if allowed_groups.empty?
+
+    # If user is in allowed groups, determine auth level
+    if user_allowed?(user)
+      # Require 2FA if user has TOTP configured, otherwise one factor
+      user.totp_enabled? ? "two_factor" : "one_factor"
+    else
+      "deny"
+    end
+  end
+
+  # Get effective header configuration (for ForwardAuth)
+  def effective_headers
+    DEFAULT_HEADERS.merge(parsed_headers_config.symbolize_keys)
+  end
+
+  # Generate headers for a specific user (for ForwardAuth)
+  def headers_for_user(user)
+    headers = {}
+    effective = effective_headers
+
+    # Only generate headers that are configured (not set to nil/false)
+    effective.each do |key, header_name|
+      next unless header_name.present?  # Skip disabled headers
+
+      case key
+      when :user, :email
+        headers[header_name] = user.email_address
+      when :name
+        headers[header_name] = user.name.presence || user.email_address
+      when :groups
+        headers[header_name] = user.groups.pluck(:name).join(",") if user.groups.any?
+      when :admin
+        headers[header_name] = user.admin? ? "true" : "false"
+      end
+    end
+
+    headers
+  end
+
+  # Check if all headers are disabled (for ForwardAuth)
+  def headers_disabled?
+    headers_config.present? && effective_headers.values.all?(&:blank?)
+  end
+
+  # Generate and return a new client secret
+  def generate_new_client_secret!
+    secret = SecureRandom.urlsafe_base64(48)
+    self.client_secret = secret
+    save!
+    secret
+  end
+
+  # Token TTL helper methods (for OIDC)
+  def access_token_expiry
+    (access_token_ttl || 3600).seconds.from_now
+  end
+
+  def refresh_token_expiry
+    (refresh_token_ttl || 2592000).seconds.from_now
+  end
+
+  def id_token_expiry_seconds
+    id_token_ttl || 3600
+  end
+
+  # Human-readable TTL for display
+  def access_token_ttl_human
+    duration_to_human(access_token_ttl || 3600)
+  end
+
+  def refresh_token_ttl_human
+    duration_to_human(refresh_token_ttl || 2592000)
+  end
+
+  def id_token_ttl_human
+    duration_to_human(id_token_ttl || 3600)
+  end
+
+  # Get app-specific custom claims for a user
+  def custom_claims_for_user(user)
+    app_claim = application_user_claims.find_by(user: user)
+    app_claim&.parsed_custom_claims || {}
+  end
+
+  # Check if this application supports backchannel logout
+  def supports_backchannel_logout?
+    backchannel_logout_uri.present?
+  end
+
+  # Check if a user has an active session with this application
+  # (i.e., has valid, non-revoked tokens)
+  def user_has_active_session?(user)
+    oidc_access_tokens.where(user: user).valid.exists? ||
+      oidc_refresh_tokens.where(user: user).valid.exists?
+  end
+
  private

+  def fix_icon_content_type
+    return unless icon.attached?
+
+    # Fix SVG content type if it was detected incorrectly
+    if icon.filename.extension == "svg" && icon.content_type == "application/octet-stream"
+      icon.blob.update(content_type: "image/svg+xml")
+    end
+  end
+
+  def icon_validation
+    return unless icon.attached?
+
+    # Check content type
+    allowed_types = ["image/png", "image/jpg", "image/jpeg", "image/gif", "image/svg+xml"]
+    unless allowed_types.include?(icon.content_type)
+      errors.add(:icon, "must be a PNG, JPG, GIF, or SVG image")
+    end
+
+    # Check file size (2MB limit)
+    if icon.blob.byte_size > 2.megabytes
+      errors.add(:icon, "must be less than 2MB")
+    end
+  end
+
+  def duration_to_human(seconds)
+    if seconds < 3600
+      "#{seconds / 60} minutes"
+    elsif seconds < 86400
+      "#{seconds / 3600} hours"
+    else
+      "#{seconds / 86400} days"
+    end
+  end
+
  def generate_client_credentials
    self.client_id ||= SecureRandom.urlsafe_base64(32)
-    self.client_secret ||= SecureRandom.urlsafe_base64(48)
+    # Generate client secret only for confidential clients
+    # Public clients (is_public_client checked) don't get a secret - they use PKCE only
+    if new_record? && client_secret.blank? && !is_public_client_selected?
+      secret = SecureRandom.urlsafe_base64(48)
+      self.client_secret = secret
+    end
+  end
+
+  # Check if the user selected public client option
+  def is_public_client_selected?
+    ActiveModel::Type::Boolean.new.cast(is_public_client)
+  end
+
+  def backchannel_logout_uri_must_be_https_in_production
+    return unless Rails.env.production?
+    return unless backchannel_logout_uri.present?
+
+    begin
+      uri = URI.parse(backchannel_logout_uri)
+      unless uri.scheme == "https"
+        errors.add(:backchannel_logout_uri, "must use HTTPS in production")
+      end
+    rescue URI::InvalidURIError
+      # Let the format validator handle invalid URIs
+    end
  end
 end
--- a/app/models/application_group.rb
+++ b/app/models/application_group.rb
@@ -2,5 +2,5 @@ class ApplicationGroup < ApplicationRecord
  belongs_to :application
  belongs_to :group

-  validates :application_id, uniqueness: { scope: :group_id }
+  validates :application_id, uniqueness: {scope: :group_id}
 end
--- a/app/models/application_user_claim.rb
+++ b/app/models/application_user_claim.rb
@@ -0,0 +1,31 @@
+class ApplicationUserClaim < ApplicationRecord
+  belongs_to :application
+  belongs_to :user
+
+  # Reserved OIDC claim names that should not be overridden
+  RESERVED_CLAIMS = %w[
+    iss sub aud exp iat nbf jti nonce azp
+    email email_verified preferred_username name
+    groups
+  ].freeze
+
+  validates :user_id, uniqueness: {scope: :application_id}
+  validate :no_reserved_claim_names
+
+  # Parse custom_claims JSON field
+  def parsed_custom_claims
+    return {} if custom_claims.blank?
+    custom_claims.is_a?(Hash) ? custom_claims : {}
+  end
+
+  private
+
+  def no_reserved_claim_names
+    return if custom_claims.blank?
+
+    reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
+    if reserved_used.any?
+      errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(", ")}")
+    end
+  end
+end
--- a/app/models/forward_auth_rule.rb
+++ b/app/models/forward_auth_rule.rb
@@ -1,53 +0,0 @@
-class ForwardAuthRule < ApplicationRecord
-  has_many :forward_auth_rule_groups, dependent: :destroy
-  has_many :allowed_groups, through: :forward_auth_rule_groups, source: :group
-
-  validates :domain_pattern, presence: true, uniqueness: { case_sensitive: false }
-  validates :active, inclusion: { in: [true, false] }
-
-  normalizes :domain_pattern, with: ->(pattern) { pattern.strip.downcase }
-
-  # Scopes
-  scope :active, -> { where(active: true) }
-  scope :ordered, -> { order(domain_pattern: :asc) }
-
-  # Check if a domain matches this rule
-  def matches_domain?(domain)
-    return false if domain.blank?
-
-    pattern = domain_pattern.gsub('.', '\.')
-    pattern = pattern.gsub('*', '[^.]*')
-
-    regex = Regexp.new("^#{pattern}$", Regexp::IGNORECASE)
-    regex.match?(domain.downcase)
-  end
-
-  # Access control for forward auth
-  def user_allowed?(user)
-    return false unless active?
-    return false unless user.active?
-
-    # If no groups are specified, allow all active users (bypass)
-    return true if allowed_groups.empty?
-
-    # Otherwise, user must be in at least one of the allowed groups
-    (user.groups & allowed_groups).any?
-  end
-
-  # Policy determination based on user status and rule configuration
-  def policy_for_user(user)
-    return 'deny' unless active?
-    return 'deny' unless user.active?
-
-    # If no groups specified, bypass authentication
-    return 'bypass' if allowed_groups.empty?
-
-    # If user is in allowed groups, determine auth level
-    if user_allowed?(user)
-      # Require 2FA if user has TOTP configured, otherwise one factor
-      user.totp_enabled? ? 'two_factor' : 'one_factor'
-    else
-      'deny'
-    end
-  end
-end
--- a/app/models/forward_auth_rule_group.rb
+++ b/app/models/forward_auth_rule_group.rb
@@ -1,6 +0,0 @@
-class ForwardAuthRuleGroup < ApplicationRecord
-  belongs_to :forward_auth_rule
-  belongs_to :group
-
-  validates :forward_auth_rule_id, uniqueness: { scope: :group_id }
-end
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -4,6 +4,31 @@ class Group < ApplicationRecord
  has_many :application_groups, dependent: :destroy
  has_many :applications, through: :application_groups

-  validates :name, presence: true, uniqueness: { case_sensitive: false }
+  # Reserved OIDC claim names that should not be overridden
+  RESERVED_CLAIMS = %w[
+    iss sub aud exp iat nbf jti nonce azp
+    email email_verified preferred_username name
+    groups
+  ].freeze
+
+  validates :name, presence: true, uniqueness: {case_sensitive: false}
  normalizes :name, with: ->(name) { name.strip.downcase }
+  validate :no_reserved_claim_names
+
+  # Parse custom_claims JSON field
+  def parsed_custom_claims
+    return {} if custom_claims.blank?
+    custom_claims.is_a?(Hash) ? custom_claims : {}
+  end
+
+  private
+
+  def no_reserved_claim_names
+    return if custom_claims.blank?
+
+    reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
+    if reserved_used.any?
+      errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(", ")}")
+    end
+  end
 end
--- a/app/models/oidc_access_token.rb
+++ b/app/models/oidc_access_token.rb
@@ -1,34 +1,61 @@
 class OidcAccessToken < ApplicationRecord
  belongs_to :application
  belongs_to :user
+  has_many :oidc_refresh_tokens, dependent: :destroy

  before_validation :generate_token, on: :create
  before_validation :set_expiry, on: :create

-  validates :token, presence: true, uniqueness: true
+  validates :token_hmac, presence: true, uniqueness: true

-  scope :valid, -> { where("expires_at > ?", Time.current) }
+  scope :valid, -> { where("expires_at > ?", Time.current).where(revoked_at: nil) }
  scope :expired, -> { where("expires_at <= ?", Time.current) }
+  scope :revoked, -> { where.not(revoked_at: nil) }
+  scope :active, -> { valid }
+
+  attr_accessor :plaintext_token  # Store plaintext temporarily for returning to client
+
+  # Find access token by plaintext token using HMAC verification
+  def self.find_by_token(plaintext_token)
+    return nil if plaintext_token.blank?
+
+    token_hmac = compute_token_hmac(plaintext_token)
+    find_by(token_hmac: token_hmac)
+  end
+
+  # Compute HMAC for token lookup
+  def self.compute_token_hmac(plaintext_token)
+    OpenSSL::HMAC.hexdigest("SHA256", TokenHmac::KEY, plaintext_token)
+  end

  def expired?
    expires_at <= Time.current
  end

+  def revoked?
+    revoked_at.present?
+  end
+
  def active?
-    !expired?
+    !expired? && !revoked?
  end

  def revoke!
-    update!(expires_at: Time.current)
+    update!(revoked_at: Time.current)
+    # Also revoke associated refresh tokens
+    oidc_refresh_tokens.each(&:revoke!)
  end

  private

  def generate_token
-    self.token ||= SecureRandom.urlsafe_base64(48)
+    # Generate random plaintext token
+    self.plaintext_token ||= SecureRandom.urlsafe_base64(48)
+    # Store HMAC in database (not plaintext)
+    self.token_hmac ||= self.class.compute_token_hmac(plaintext_token)
  end

  def set_expiry
-    self.expires_at ||= 1.hour.from_now
+    self.expires_at ||= application.access_token_expiry
  end
 end
--- a/app/models/oidc_authorization_code.rb
+++ b/app/models/oidc_authorization_code.rb
@@ -2,15 +2,32 @@ class OidcAuthorizationCode < ApplicationRecord
  belongs_to :application
  belongs_to :user

+  attr_accessor :plaintext_code
+
  before_validation :generate_code, on: :create
  before_validation :set_expiry, on: :create

-  validates :code, presence: true, uniqueness: true
+  validates :code_hmac, presence: true, uniqueness: true
  validates :redirect_uri, presence: true
+  validates :code_challenge_method, inclusion: {in: %w[plain S256], allow_nil: true}
+  validate :validate_code_challenge_format, if: -> { code_challenge.present? }

  scope :valid, -> { where(used: false).where("expires_at > ?", Time.current) }
  scope :expired, -> { where("expires_at <= ?", Time.current) }

+  # Find authorization code by plaintext code using HMAC verification
+  def self.find_by_plaintext(plaintext_code)
+    return nil if plaintext_code.blank?
+
+    code_hmac = compute_code_hmac(plaintext_code)
+    find_by(code_hmac: code_hmac)
+  end
+
+  # Compute HMAC for code lookup
+  def self.compute_code_hmac(plaintext_code)
+    OpenSSL::HMAC.hexdigest("SHA256", TokenHmac::KEY, plaintext_code)
+  end
+
  def expired?
    expires_at <= Time.current
  end
@@ -23,13 +40,27 @@ class OidcAuthorizationCode < ApplicationRecord
    update!(used: true)
  end

+  def uses_pkce?
+    code_challenge.present?
+  end
+
  private

  def generate_code
-    self.code ||= SecureRandom.urlsafe_base64(32)
+    # Generate random plaintext code
+    self.plaintext_code ||= SecureRandom.urlsafe_base64(32)
+    # Store HMAC in database (not plaintext)
+    self.code_hmac ||= self.class.compute_code_hmac(plaintext_code)
  end

  def set_expiry
    self.expires_at ||= 10.minutes.from_now
  end
+
+  def validate_code_challenge_format
+    # PKCE code challenge should be base64url-encoded, 43-128 characters
+    unless code_challenge.match?(/\A[A-Za-z0-9\-_]{43,128}\z/)
+      errors.add(:code_challenge, "must be 43-128 characters of base64url encoding")
+    end
+  end
 end
--- a/app/models/oidc_refresh_token.rb
+++ b/app/models/oidc_refresh_token.rb
@@ -0,0 +1,77 @@
+class OidcRefreshToken < ApplicationRecord
+  belongs_to :application
+  belongs_to :user
+  belongs_to :oidc_access_token
+
+  before_validation :generate_token, on: :create
+  before_validation :set_expiry, on: :create
+  before_validation :set_token_family_id, on: :create
+
+  validates :token_hmac, presence: true, uniqueness: true
+
+  scope :valid, -> { where("expires_at > ?", Time.current).where(revoked_at: nil) }
+  scope :expired, -> { where("expires_at <= ?", Time.current) }
+  scope :revoked, -> { where.not(revoked_at: nil) }
+  scope :active, -> { valid }
+
+  # For token rotation detection (prevents reuse attacks)
+  scope :in_family, ->(family_id) { where(token_family_id: family_id) }
+
+  attr_accessor :token  # Store plaintext token temporarily for returning to client
+
+  # Find refresh token by plaintext token using HMAC verification
+  def self.find_by_token(plaintext_token)
+    return nil if plaintext_token.blank?
+
+    token_hmac = compute_token_hmac(plaintext_token)
+    find_by(token_hmac: token_hmac)
+  end
+
+  # Compute HMAC for token lookup
+  def self.compute_token_hmac(plaintext_token)
+    OpenSSL::HMAC.hexdigest("SHA256", TokenHmac::KEY, plaintext_token)
+  end
+
+  def expired?
+    expires_at <= Time.current
+  end
+
+  def revoked?
+    revoked_at.present?
+  end
+
+  def active?
+    !expired? && !revoked?
+  end
+
+  def revoke!
+    update!(revoked_at: Time.current)
+  end
+
+  # Revoke all refresh tokens in the same family (token rotation security)
+  def revoke_family!
+    return unless token_family_id.present?
+
+    OidcRefreshToken.in_family(token_family_id).update_all(revoked_at: Time.current)
+  end
+
+  private
+
+  def generate_token
+    # Generate random plaintext token
+    self.token ||= SecureRandom.urlsafe_base64(48)
+    # Store HMAC in database (not plaintext)
+    self.token_hmac ||= self.class.compute_token_hmac(token)
+  end
+
+  def set_expiry
+    # Use application's configured refresh token TTL
+    self.expires_at ||= application.refresh_token_expiry
+  end
+
+  def set_token_family_id
+    # Use a random ID to group tokens in the same rotation chain
+    # This helps detect token reuse attacks
+    self.token_family_id ||= SecureRandom.random_number(2**31)
+  end
+end
--- a/app/models/oidc_user_consent.rb
+++ b/app/models/oidc_user_consent.rb
@@ -0,0 +1,62 @@
+class OidcUserConsent < ApplicationRecord
+  belongs_to :user
+  belongs_to :application
+
+  validates :user, :application, :scopes_granted, :granted_at, presence: true
+  validates :user_id, uniqueness: {scope: :application_id}
+
+  before_validation :set_granted_at, on: :create
+  before_validation :set_sid, on: :create
+
+  # Parse scopes_granted into an array
+  def scopes
+    scopes_granted.split(" ")
+  end
+
+  # Set scopes from an array
+  def scopes=(scope_array)
+    self.scopes_granted = Array(scope_array).uniq.join(" ")
+  end
+
+  # Check if this consent covers the requested scopes
+  def covers_scopes?(requested_scopes)
+    requested = Array(requested_scopes).map(&:to_s)
+    granted = scopes
+
+    # All requested scopes must be included in granted scopes
+    (requested - granted).empty?
+  end
+
+  # Get a human-readable list of scopes
+  def formatted_scopes
+    scopes.map do |scope|
+      case scope
+      when "openid"
+        "Basic authentication"
+      when "profile"
+        "Profile information"
+      when "email"
+        "Email address"
+      when "groups"
+        "Group membership"
+      else
+        scope.humanize
+      end
+    end.join(", ")
+  end
+
+  # Find consent by SID
+  def self.find_by_sid(sid)
+    find_by(sid: sid)
+  end
+
+  private
+
+  def set_granted_at
+    self.granted_at ||= Time.current
+  end
+
+  def set_sid
+    self.sid ||= SecureRandom.uuid
+  end
+end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,22 +1,44 @@
 class User < ApplicationRecord
+  # Encrypt TOTP secrets at rest (key derived from SECRET_KEY_BASE)
+  encrypts :totp_secret
+
  has_secure_password
  has_many :sessions, dependent: :destroy
  has_many :user_groups, dependent: :destroy
  has_many :groups, through: :user_groups
+  has_many :application_user_claims, dependent: :destroy
+  has_many :oidc_user_consents, dependent: :destroy
+  has_many :webauthn_credentials, dependent: :destroy

  # Token generation for passwordless flows
-  generates_token_for :invitation, expires_in: 7.days
-  generates_token_for :password_reset, expires_in: 1.hour
-  generates_token_for :magic_login, expires_in: 15.minutes
+  generates_token_for :invitation_login, expires_in: 24.hours do
+    updated_at
+  end
+
+  generates_token_for :password_reset, expires_in: 1.hour do
+    updated_at
+  end

  normalizes :email_address, with: ->(e) { e.strip.downcase }
+  normalizes :username, with: ->(u) { u.strip.downcase if u.present? }

-  validates :email_address, presence: true, uniqueness: { case_sensitive: false },
-                           format: { with: URI::MailTo::EMAIL_REGEXP }
-  validates :password, length: { minimum: 8 }, allow_nil: true
+  # Reserved OIDC claim names that should not be overridden
+  RESERVED_CLAIMS = %w[
+    iss sub aud exp iat nbf jti nonce azp
+    email email_verified preferred_username name
+    groups
+  ].freeze
+
+  validates :email_address, presence: true, uniqueness: {case_sensitive: false},
+    format: {with: URI::MailTo::EMAIL_REGEXP}
+  validates :username, uniqueness: {case_sensitive: false}, allow_nil: true,
+    format: {with: /\A[a-zA-Z0-9_-]+\z/, message: "can only contain letters, numbers, underscores, and hyphens"},
+    length: {minimum: 2, maximum: 30}
+  validates :password, length: {minimum: 8}, allow_nil: true
+  validate :no_reserved_claim_names

  # Enum - automatically creates scopes (User.active, User.disabled, etc.)
-  enum :status, { active: 0, disabled: 1, pending_invitation: 2 }
+  enum :status, {active: 0, disabled: 1, pending_invitation: 2}

  # Scopes
  scope :admins, -> { where(admin: true) }
@@ -34,7 +56,9 @@ class User < ApplicationRecord
  end

  def disable_totp!
-    update!(totp_secret: nil, totp_required: false, backup_codes: nil)
+    # Note: This does NOT clear totp_required flag
+    # Admins control that flag via admin panel, users cannot remove admin-required 2FA
+    update!(totp_secret: nil, backup_codes: nil)
  end

  def totp_provisioning_uri(issuer: "Clinch")
@@ -53,27 +77,170 @@ class User < ApplicationRecord
    totp.verify(code, drift_behind: 30, drift_ahead: 30)
  end

+  # Console/debug helper: get current TOTP code
+  def console_totp
+    return nil unless totp_enabled?
+
+    require "rotp"
+    ROTP::TOTP.new(totp_secret).now
+  end
+
  def verify_backup_code(code)
    return false unless backup_codes.present?

-    codes = JSON.parse(backup_codes)
-    if codes.include?(code)
-      codes.delete(code)
-      update(backup_codes: codes.to_json)
+    # Rate limiting: prevent brute force attacks on backup codes
+    if rate_limit_backup_code_verification?
+      Rails.logger.warn "Rate limit exceeded for backup code verification - User ID: #{id}"
+      return false
+    end
+
+    # backup_codes is now an Array (JSON column), no need to parse
+    # Find the matching hash by comparing with BCrypt
+    matching_hash = backup_codes.find do |hashed_code|
+      BCrypt::Password.new(hashed_code) == code
+    end
+
+    if matching_hash
+      # Remove the used hash from the array (single-use property)
+      backup_codes.delete(matching_hash)
+      save! # Save the updated array
+
+      # Log successful backup code usage for security monitoring
+      Rails.logger.info "Backup code used successfully - User ID: #{id}, IP: #{Current.session&.client_ip}"
      true
    else
+      # Increment failed attempt counter and log for security monitoring
+      increment_backup_code_failed_attempts
+      Rails.logger.warn "Failed backup code attempt - User ID: #{id}, IP: #{Current.session&.client_ip}"
      false
    end
  end

-  def parsed_backup_codes
-    return [] unless backup_codes.present?
-    JSON.parse(backup_codes)
+  # Rate limiting for backup code verification to prevent brute force attacks
+  def rate_limit_backup_code_verification?
+    # Use Rails.cache to track failed attempts
+    cache_key = "backup_code_failed_attempts_#{id}"
+    attempts = Rails.cache.read(cache_key) || 0
+
+    attempts >= 5
+  end
+
+  # Increment failed attempt counter
+  def increment_backup_code_failed_attempts
+    cache_key = "backup_code_failed_attempts_#{id}"
+    attempts = Rails.cache.read(cache_key) || 0
+    Rails.cache.write(cache_key, attempts + 1, expires_in: 1.hour)
+  end
+
+  # WebAuthn methods
+  def webauthn_enabled?
+    webauthn_credentials.exists?
+  end
+
+  def can_authenticate_with_webauthn?
+    webauthn_enabled? && active?
+  end
+
+  def require_webauthn?
+    webauthn_required? || (webauthn_enabled? && !password_digest.present?)
+  end
+
+  # Generate stable WebAuthn user handle on first use
+  def webauthn_user_handle
+    return webauthn_id if webauthn_id.present?
+
+    # Generate random 64-byte opaque identifier (base64url encoded)
+    handle = SecureRandom.urlsafe_base64(64)
+    update_column(:webauthn_id, handle)
+    handle
+  end
+
+  def platform_authenticators
+    webauthn_credentials.platform_authenticators
+  end
+
+  def roaming_authenticators
+    webauthn_credentials.roaming_authenticators
+  end
+
+  def webauthn_credential_for(external_id)
+    webauthn_credentials.find_by(external_id: external_id)
+  end
+
+  # Check if user has any backed up (synced) passkeys
+  def has_synced_passkeys?
+    webauthn_credentials.exists?(backup_eligible: true, backup_state: true)
+  end
+
+  # Preferred authentication method for login flow
+  def preferred_authentication_method
+    return :webauthn if require_webauthn?
+    return :webauthn if can_authenticate_with_webauthn? && preferred_2fa_method == "webauthn"
+    return :password if password_digest.present?
+    :webauthn
+  end
+
+  def has_oidc_consent?(application, requested_scopes)
+    oidc_user_consents
+      .where(application: application)
+      .find { |consent| consent.covers_scopes?(requested_scopes) }
+  end
+
+  def revoke_consent!(application)
+    consent = oidc_user_consents.find_by(application: application)
+    consent&.destroy
+  end
+
+  def revoke_all_consents!
+    oidc_user_consents.destroy_all
+  end
+
+  # Parse custom_claims JSON field
+  def parsed_custom_claims
+    return {} if custom_claims.blank?
+    custom_claims.is_a?(Hash) ? custom_claims : {}
+  end
+
+  # Get fully merged claims for a specific application
+  def merged_claims_for_application(application)
+    merged = {}
+
+    # Start with group claims (in order)
+    groups.each do |group|
+      merged.merge!(group.parsed_custom_claims)
+    end
+
+    # Merge user global claims
+    merged.merge!(parsed_custom_claims)
+
+    # Merge app-specific claims (highest priority)
+    merged.merge!(application.custom_claims_for_user(self))
+
+    merged
  end

  private

+  def no_reserved_claim_names
+    return if custom_claims.blank?
+
+    reserved_used = parsed_custom_claims.keys.map(&:to_s) & RESERVED_CLAIMS
+    if reserved_used.any?
+      errors.add(:custom_claims, "cannot override reserved OIDC claims: #{reserved_used.join(", ")}")
+    end
+  end
+
  def generate_backup_codes
-    Array.new(10) { SecureRandom.alphanumeric(8).upcase }.to_json
+    # Generate plain codes for user to see/save
+    plain_codes = Array.new(10) { SecureRandom.alphanumeric(8).upcase }
+
+    # Store BCrypt hashes of the codes
+    hashed_codes = plain_codes.map { |code| BCrypt::Password.create(code) }
+
+    # Return plain codes for display (will be shown to user once)
+    # Store only hashes in the database (as Array for JSON column)
+    self.backup_codes = hashed_codes
+
+    plain_codes
  end
 end
--- a/app/models/user_group.rb
+++ b/app/models/user_group.rb
@@ -2,5 +2,5 @@ class UserGroup < ApplicationRecord
  belongs_to :user
  belongs_to :group

-  validates :user_id, uniqueness: { scope: :group_id }
+  validates :user_id, uniqueness: {scope: :group_id}
 end
--- a/app/models/webauthn_credential.rb
+++ b/app/models/webauthn_credential.rb
@@ -0,0 +1,103 @@
+class WebauthnCredential < ApplicationRecord
+  belongs_to :user
+
+  # Set default authenticator_type if not provided
+  after_initialize :set_default_authenticator_type, if: :new_record?
+
+  # Validations
+  validates :external_id, presence: true, uniqueness: true
+  validates :public_key, presence: true
+  validates :sign_count, presence: true, numericality: {greater_than_or_equal_to: 0, only_integer: true}
+  validates :nickname, presence: true
+  validates :authenticator_type, inclusion: {in: %w[platform cross-platform]}
+
+  # Scopes for querying
+  scope :active, -> { where(nil) } # All credentials are active (we can add revoked_at later if needed)
+  scope :platform_authenticators, -> { where(authenticator_type: "platform") }
+  scope :roaming_authenticators, -> { where(authenticator_type: "cross-platform") }
+  scope :recently_used, -> { where.not(last_used_at: nil).order(last_used_at: :desc) }
+  scope :never_used, -> { where(last_used_at: nil) }
+
+  # Update last used timestamp and sign count after successful authentication
+  def update_usage!(sign_count:, ip_address: nil, user_agent: nil)
+    update!(
+      last_used_at: Time.current,
+      last_used_ip: ip_address,
+      sign_count: sign_count,
+      user_agent: user_agent
+    )
+  end
+
+  # Check if this is a platform authenticator (built-in device)
+  def platform_authenticator?
+    authenticator_type == "platform"
+  end
+
+  # Check if this is a roaming authenticator (USB/NFC/Bluetooth key)
+  def roaming_authenticator?
+    authenticator_type == "cross-platform"
+  end
+
+  # Check if this credential is backed up (synced passkeys)
+  def backed_up?
+    backup_eligible? && backup_state?
+  end
+
+  # Human readable description
+  def description
+    if nickname.present?
+      "#{nickname} (#{authenticator_type.humanize})"
+    else
+      "#{authenticator_type.humanize} Authenticator"
+    end
+  end
+
+  # Check if sign count is suspicious (clone detection)
+  def suspicious_sign_count?(new_sign_count)
+    return false if sign_count.zero? && new_sign_count > 0 # First use
+    return false if new_sign_count > sign_count # Normal increment
+
+    # Sign count didn't increase - possible clone
+    true
+  end
+
+  # Format for display in UI
+  def display_name
+    nickname || "#{authenticator_type&.humanize} Authenticator"
+  end
+
+  # When was this credential created?
+  def created_recently?
+    created_at > 1.week.ago
+  end
+
+  # How long ago was this last used?
+  def last_used_ago
+    return "Never" unless last_used_at
+
+    time_ago_in_words(last_used_at)
+  end
+
+  private
+
+  def set_default_authenticator_type
+    self.authenticator_type ||= "cross-platform"
+  end
+
+  def time_ago_in_words(time)
+    seconds = Time.current - time
+    minutes = seconds / 60
+    hours = minutes / 60
+    days = hours / 24
+
+    if days > 0
+      "#{days.floor} day#{"s" if days > 1} ago"
+    elsif hours > 0
+      "#{hours.floor} hour#{"s" if hours > 1} ago"
+    elsif minutes > 0
+      "#{minutes.floor} minute#{"s" if minutes > 1} ago"
+    else
+      "Just now"
+    end
+  end
+end
--- a/app/services/concerns/claims_merger.rb
+++ b/app/services/concerns/claims_merger.rb
@@ -0,0 +1,35 @@
+module ClaimsMerger
+  extend ActiveSupport::Concern
+
+  # Deep merge claims, combining arrays instead of overwriting them
+  # This ensures that array values (like roles) are combined across group/user/app claims
+  #
+  # Example:
+  #   base = { "roles" => ["user"], "level" => 1 }
+  #   incoming = { "roles" => ["admin"], "department" => "IT" }
+  #   deep_merge_claims(base, incoming)
+  #   # => { "roles" => ["user", "admin"], "level" => 1, "department" => "IT" }
+  def deep_merge_claims(base, incoming)
+    result = base.dup
+
+    incoming.each do |key, value|
+      result[key] = if result.key?(key)
+        # If both values are arrays, combine them (union to avoid duplicates)
+        if result[key].is_a?(Array) && value.is_a?(Array)
+          (result[key] + value).uniq
+        # If both values are hashes, recursively merge them
+        elsif result[key].is_a?(Hash) && value.is_a?(Hash)
+          deep_merge_claims(result[key], value)
+        else
+          # Otherwise, incoming value wins (override)
+          value
+        end
+      else
+        # New key, just add it
+        value
+      end
+    end
+
+    result
+  end
+end
--- a/app/services/oidc_jwt_service.rb
+++ b/app/services/oidc_jwt_service.rb
@@ -1,38 +1,101 @@
 class OidcJwtService
+  extend ClaimsMerger
+
  class << self
    # Generate an ID token (JWT) for the user
-    def generate_id_token(user, application, nonce: nil)
+    def generate_id_token(user, application, consent: nil, nonce: nil, access_token: nil, auth_time: nil, acr: nil, scopes: "openid")
      now = Time.current.to_i
+      # Use application's configured ID token TTL (defaults to 1 hour)
+      ttl = application.id_token_expiry_seconds

+      # Use pairwise SID from consent if available, fallback to user ID
+      subject = consent&.sid || user.id.to_s
+
+      # Parse scopes (space-separated string)
+      requested_scopes = scopes.to_s.split
+
+      # Required claims (always included per OIDC Core spec)
      payload = {
        iss: issuer_url,
-        sub: user.id.to_s,
+        sub: subject,
        aud: application.client_id,
-        exp: now + 3600, # 1 hour
-        iat: now,
-        email: user.email_address,
-        email_verified: true,
-        preferred_username: user.email_address,
-        name: user.email_address
+        exp: now + ttl,
+        iat: now
      }

+      # NOTE: Email and profile claims are NOT included in the ID token for authorization code flow
+      # Per OIDC Core spec §5.4, these claims should only be returned via the UserInfo endpoint
+      # For implicit flow (response_type=id_token), claims would be included here, but we only
+      # support authorization code flow, so these claims are omitted from the ID token.
+
      # Add nonce if provided (OIDC requires this for implicit flow)
      payload[:nonce] = nonce if nonce.present?

-      # Add groups if user has any
-      if user.groups.any?
+      # Add auth_time if provided (OIDC Core §2 - required when max_age is used)
+      payload[:auth_time] = auth_time if auth_time.present?
+
+      # Add acr if provided (OIDC Core §2 - authentication context class reference)
+      payload[:acr] = acr if acr.present?
+
+      # Add azp (authorized party) - the client_id this token was issued to
+      # OIDC Core §2 - required when aud has multiple values, optional but useful for single
+      payload[:azp] = application.client_id
+
+      # Add at_hash if access token is provided (OIDC Core spec §3.1.3.6)
+      # at_hash = left-most 128 bits of SHA-256 hash of access token, base64url encoded
+      if access_token.present?
+        sha256 = Digest::SHA256.digest(access_token)
+        at_hash = Base64.urlsafe_encode64(sha256[0..15], padding: false)
+        payload[:at_hash] = at_hash
+      end
+
+      # Groups claims (only if 'groups' scope requested)
+      if requested_scopes.include?("groups") && user.groups.any?
        payload[:groups] = user.groups.pluck(:name)
      end

-      # Add admin claim if user is admin
-      payload[:admin] = true if user.admin?
+      # Merge custom claims from groups (arrays are combined, not overwritten)
+      # Note: Custom claims from groups are always merged (not scope-dependent)
+      user.groups.each do |group|
+        payload = deep_merge_claims(payload, group.parsed_custom_claims)
+      end

-      JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
+      # Merge custom claims from user (arrays are combined, other values override)
+      payload = deep_merge_claims(payload, user.parsed_custom_claims)
+
+      # Merge app-specific custom claims (highest priority, arrays are combined)
+      payload = deep_merge_claims(payload, application.custom_claims_for_user(user))
+
+      JWT.encode(payload, private_key, "RS256", {kid: key_id, typ: "JWT"})
+    end
+
+    # Generate a backchannel logout token (JWT)
+    # Per OIDC Back-Channel Logout spec, this token:
+    # - MUST include iss, aud, iat, jti, events claims
+    # - MUST include sub or sid (or both) - we always include both
+    # - MUST NOT include nonce claim
+    def generate_logout_token(user, application, consent)
+      now = Time.current.to_i
+
+      payload = {
+        iss: issuer_url,
+        sub: consent.sid,  # Pairwise subject identifier
+        aud: application.client_id,
+        iat: now,
+        jti: SecureRandom.uuid,  # Unique identifier for this logout token
+        sid: consent.sid,  # Session ID - always included for granular logout
+        events: {
+          "http://schemas.openid.net/event/backchannel-logout" => {}
+        }
+      }
+
+      # Important: Do NOT include nonce in logout tokens (spec requirement)
+      JWT.encode(payload, private_key, "RS256", {kid: key_id, typ: "JWT"})
    end

    # Decode and verify an ID token
    def decode_id_token(token)
-      JWT.decode(token, public_key, true, { algorithm: "RS256" })
+      JWT.decode(token, public_key, true, {algorithm: "RS256"})
    end

    # Get the public key in JWK format for the JWKS endpoint
@@ -55,7 +118,14 @@ class OidcJwtService
    def issuer_url
      # In production, this should come from ENV or config
      # For now, we'll use a placeholder that can be overridden
-      ENV.fetch("CLINCH_HOST", "http://localhost:3000")
+      host = ENV.fetch("CLINCH_HOST", "localhost:3000")
+      # Ensure URL has protocol - use https:// in production, http:// in development
+      if host.match?(/^https?:\/\//)
+        host
+      else
+        protocol = Rails.env.production? ? "https" : "http"
+        "#{protocol}://#{host}"
+      end
    end

    private
@@ -63,17 +133,37 @@ class OidcJwtService
    # Get or generate RSA private key
    def private_key
      @private_key ||= begin
+        key_source = nil
+
        # Try ENV variable first (best for Docker/Kamal)
        if ENV["OIDC_PRIVATE_KEY"].present?
-          OpenSSL::PKey::RSA.new(ENV["OIDC_PRIVATE_KEY"])
+          key_source = ENV["OIDC_PRIVATE_KEY"]
        # Then try Rails credentials
        elsif Rails.application.credentials.oidc_private_key.present?
-          OpenSSL::PKey::RSA.new(Rails.application.credentials.oidc_private_key)
+          key_source = Rails.application.credentials.oidc_private_key
+        end
+
+        if key_source.present?
+          begin
+            # Handle both actual newlines and escaped \n sequences
+            # Some .env loaders may escape newlines, so we need to convert them back
+            key_data = key_source.gsub("\\n", "\n")
+            OpenSSL::PKey::RSA.new(key_data)
+          rescue OpenSSL::PKey::RSAError => e
+            Rails.logger.error "OIDC: Failed to load private key: #{e.message}"
+            Rails.logger.error "OIDC: Key source length: #{key_source.length}, starts with: #{key_source[0..50]}"
+            raise "Invalid OIDC private key format. Please ensure the key is in PEM format with proper newlines."
+          end
        else
-          # Generate a new key for development
-          # In production, you MUST set OIDC_PRIVATE_KEY env var or add to credentials
+          # In production, we should never generate a key on the fly
+          # because it would be different across servers/deployments
+          if Rails.env.production?
+            raise "OIDC private key not configured. Set OIDC_PRIVATE_KEY environment variable or add to Rails credentials."
+          end
+
+          # Generate a new key for development/test only
          Rails.logger.warn "OIDC: No private key found in ENV or credentials, generating new key (development only)"
-          Rails.logger.warn "OIDC: Set OIDC_PRIVATE_KEY environment variable in production!"
+          Rails.logger.warn "OIDC: Set OIDC_PRIVATE_KEY environment variable for consistency across restarts"
          OpenSSL::PKey::RSA.new(2048)
        end
      end
--- a/app/views/active_sessions/show.html.erb
+++ b/app/views/active_sessions/show.html.erb
@@ -0,0 +1,114 @@
+<div class="space-y-8">
+  <div>
+    <h1 class="text-3xl font-bold text-gray-900">Sessions</h1>
+    <p class="mt-2 text-sm text-gray-600">Manage your active sessions and connected applications.</p>
+  </div>
+
+  <!-- Connected Applications -->
+  <div class="bg-white shadow sm:rounded-lg">
+    <div class="px-4 py-5 sm:p-6">
+      <h3 class="text-lg font-medium leading-6 text-gray-900">Connected Applications</h3>
+      <div class="mt-2 max-w-xl text-sm text-gray-500">
+        <p>These applications have access to your account. You can revoke access at any time.</p>
+      </div>
+      <div class="mt-5">
+        <% if @connected_applications.any? %>
+          <ul role="list" class="divide-y divide-gray-200">
+            <% @connected_applications.each do |consent| %>
+              <li class="py-4">
+                <div class="flex items-center justify-between">
+                  <div class="flex flex-col">
+                    <p class="text-sm font-medium text-gray-900">
+                      <%= consent.application.name %>
+                    </p>
+                    <p class="mt-1 text-sm text-gray-500">
+                      Access to: <%= consent.formatted_scopes %>
+                    </p>
+                    <p class="mt-1 text-xs text-gray-400">
+                      Authorized <%= time_ago_in_words(consent.granted_at) %> ago
+                    </p>
+                  </div>
+                  <%= button_to "Revoke Access", revoke_consent_active_sessions_path(application_id: consent.application.id), method: :delete,
+                      class: "inline-flex items-center rounded-md border border-red-300 bg-white px-3 py-2 text-sm font-medium text-red-700 shadow-sm hover:bg-red-50 focus:outline-none focus:ring-2 focus:ring-red-500 focus:ring-offset-2",
+                      form: { data: { turbo_confirm: "Are you sure you want to revoke access to #{consent.application.name}? You'll need to re-authorize this application to use it again." } } %>
+                </div>
+              </li>
+            <% end %>
+          </ul>
+        <% else %>
+          <p class="text-sm text-gray-500">No connected applications.</p>
+        <% end %>
+
+        <% if @connected_applications.any? %>
+          <div class="mt-6 pt-6 border-t border-gray-200">
+            <div class="flex justify-end">
+              <div class="inline-block">
+                <%= button_to "Revoke All App Access", revoke_all_consents_active_sessions_path, method: :delete,
+                    class: "inline-flex items-center rounded-md border border-red-300 bg-white px-3 py-2 text-sm font-medium text-red-700 shadow-sm hover:bg-red-50 focus:outline-none focus:ring-2 focus:ring-red-500 focus:ring-offset-2 whitespace-nowrap",
+                    form: { data: { turbo_confirm: "This will revoke access from all connected applications. You'll need to re-authorize each application to use them again. Are you sure?" } } %>
+              </div>
+            </div>
+          </div>
+        <% end %>
+      </div>
+    </div>
+  </div>
+
+  <!-- Active Sessions -->
+  <div class="bg-white shadow sm:rounded-lg">
+    <div class="px-4 py-5 sm:p-6">
+      <h3 class="text-lg font-medium leading-6 text-gray-900">Active Sessions</h3>
+      <div class="mt-2 max-w-xl text-sm text-gray-500">
+        <p>These devices are currently signed in to your account. Revoke any sessions that you don't recognize.</p>
+      </div>
+      <div class="mt-5">
+        <% if @active_sessions.any? %>
+          <ul role="list" class="divide-y divide-gray-200">
+            <% @active_sessions.each do |session| %>
+              <li class="py-4">
+                <div class="flex items-center justify-between">
+                  <div class="flex flex-col">
+                    <p class="text-sm font-medium text-gray-900">
+                      <%= session.device_name || "Unknown Device" %>
+                      <% if session.id == Current.session.id %>
+                        <span class="ml-2 inline-flex items-center rounded-full bg-green-100 px-2.5 py-0.5 text-xs font-medium text-green-800">
+                          This device
+                        </span>
+                      <% end %>
+                    </p>
+                    <p class="mt-1 text-sm text-gray-500">
+                      <%= session.ip_address %>
+                    </p>
+                    <p class="mt-1 text-xs text-gray-400">
+                      Last active <%= time_ago_in_words(session.last_activity_at || session.updated_at) %> ago
+                    </p>
+                  </div>
+                  <% if session.id != Current.session.id %>
+                    <%= button_to "Revoke", session_path(session), method: :delete,
+                        class: "inline-flex items-center rounded-md border border-gray-300 bg-white px-3 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2",
+                        form: { data: { turbo_confirm: "Are you sure you want to revoke this session?" } } %>
+                  <% end %>
+                </div>
+              </li>
+            <% end %>
+          </ul>
+        <% else %>
+          <p class="text-sm text-gray-500">No other active sessions.</p>
+        <% end %>
+
+        <% if @active_sessions.count > 1 %>
+          <div class="mt-6 pt-6 border-t border-gray-200">
+            <div class="flex justify-end">
+              <div class="inline-block">
+                <%= button_to "Sign Out Everywhere Else", session_path(Current.session), method: :delete,
+                    class: "inline-flex items-center rounded-md border border-orange-300 bg-white px-3 py-2 text-sm font-medium text-orange-700 shadow-sm hover:bg-orange-50 focus:outline-none focus:ring-2 focus:ring-orange-500 focus:ring-offset-2 whitespace-nowrap",
+                    form: { data: { turbo_confirm: "This will sign you out from all other devices except this one. Are you sure?" } } %>
+              </div>
+            </div>
+          </div>
+        <% end %>
+      </div>
+    </div>
+  </div>
+
+  </div>
--- a/app/views/admin/applications/_form.html.erb
+++ b/app/views/admin/applications/_form.html.erb
@@ -1,22 +1,5 @@
-<%= form_with(model: [:admin, application], class: "space-y-6") do |form| %>
-  <% if application.errors.any? %>
-    <div class="rounded-md bg-red-50 p-4">
-      <div class="flex">
-        <div class="ml-3">
-          <h3 class="text-sm font-medium text-red-800">
-            <%= pluralize(application.errors.count, "error") %> prohibited this application from being saved:
-          </h3>
-          <div class="mt-2 text-sm text-red-700">
-            <ul class="list-disc pl-5 space-y-1">
-              <% application.errors.full_messages.each do |message| %>
-                <li><%= message %></li>
-              <% end %>
-            </ul>
-          </div>
-        </div>
-      </div>
-    </div>
-  <% end %>
+<%= form_with(model: [:admin, application], class: "space-y-6", data: { controller: "application-form form-errors" }) do |form| %>
+  <%= render "shared/form_errors", form: form %>

  <div>
    <%= form.label :name, class: "block text-sm font-medium text-gray-700" %>
@@ -34,23 +17,261 @@
    <%= form.text_area :description, rows: 3, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "Optional description of this application" %>
  </div>

+  <div>
+    <div class="flex items-center justify-between">
+      <%= form.label :icon, "Application Icon", class: "block text-sm font-medium text-gray-700" %>
+      <a href="https://dashboardicons.com" target="_blank" rel="noopener noreferrer" class="text-xs text-blue-600 hover:text-blue-800 flex items-center gap-1">
+        <svg class="w-3 h-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14"></path>
+        </svg>
+        Browse icons at dashboardicons.com
+      </a>
+    </div>
+    <% if application.icon.attached? && application.persisted? %>
+      <% begin %>
+        <%# Only show icon if we can successfully get its URL (blob is persisted) %>
+        <% if application.icon.blob&.persisted? && application.icon.blob.key.present? %>
+          <div class="mt-2 mb-3 flex items-center gap-4">
+            <%= image_tag application.icon, class: "h-16 w-16 rounded-lg object-cover border border-gray-200", alt: "Current icon" %>
+            <div class="text-sm text-gray-600">
+              <p class="font-medium">Current icon</p>
+              <p class="text-xs"><%= number_to_human_size(application.icon.blob.byte_size) %></p>
+            </div>
+          </div>
+        <% end %>
+      <% rescue ArgumentError => e %>
+        <%# Handle case where icon attachment exists but can't generate signed_id %>
+        <% if e.message.include?("Cannot get a signed_id for a new record") %>
+          <div class="mt-2 mb-3 text-sm text-gray-600">
+            <p class="font-medium">Icon uploaded</p>
+            <p class="text-xs">File will be processed shortly</p>
+          </div>
+        <% else %>
+          <%# Re-raise if it's a different error %>
+          <% raise e %>
+        <% end %>
+      <% end %>
+    <% end %>
+
+    <div class="mt-2" data-controller="file-drop image-paste">
+      <div class="flex justify-center px-6 pt-5 pb-6 border-2 border-gray-300 border-dashed rounded-md hover:border-blue-400 transition-colors"
+           data-file-drop-target="dropzone"
+           data-image-paste-target="dropzone"
+           data-action="dragover->file-drop#dragover dragleave->file-drop#dragleave drop->file-drop#drop paste->image-paste#handlePaste"
+           tabindex="0">
+        <div class="space-y-1 text-center">
+          <svg class="mx-auto h-12 w-12 text-gray-400" stroke="currentColor" fill="none" viewBox="0 0 48 48">
+            <path d="M28 8H12a4 4 0 00-4 4v20m32-12v8m0 0v8a4 4 0 01-4 4H12a4 4 0 01-4-4v-4m32-4l-3.172-3.172a4 4 0 00-5.656 0L28 28M8 32l9.172-9.172a4 4 0 015.656 0L28 28m0 0l4 4m4-24h8m-4-4v8m-12 4h.02" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" />
+          </svg>
+          <div class="flex text-sm text-gray-600">
+            <label for="<%= form.field_id(:icon) %>" class="relative cursor-pointer bg-white rounded-md font-medium text-blue-600 hover:text-blue-500 focus-within:outline-none focus-within:ring-2 focus-within:ring-offset-2 focus-within:ring-blue-500">
+              <span>Upload a file</span>
+              <%= form.file_field :icon,
+                  accept: "image/png,image/jpg,image/jpeg,image/gif,image/svg+xml",
+                  class: "sr-only",
+                  data: {
+                    file_drop_target: "input",
+                    image_paste_target: "input",
+                    action: "change->file-drop#handleFiles"
+                  } %>
+            </label>
+            <p class="pl-1">or drag and drop</p>
+          </div>
+          <p class="text-xs text-gray-500">PNG, JPG, GIF, or SVG up to 2MB</p>
+          <p class="text-xs text-blue-600 font-medium mt-2">💡 Tip: Click here and press Ctrl+V (or Cmd+V) to paste an image from your clipboard</p>
+        </div>
+      </div>
+      <div data-file-drop-target="preview" class="mt-3 hidden">
+        <div class="flex items-center gap-3 p-3 bg-blue-50 rounded-md border border-blue-200">
+          <img data-file-drop-target="previewImage" class="h-12 w-12 rounded object-cover" alt="Preview">
+          <div class="flex-1 min-w-0">
+            <p class="text-sm font-medium text-gray-900" data-file-drop-target="filename"></p>
+            <p class="text-xs text-gray-500" data-file-drop-target="filesize"></p>
+          </div>
+          <button type="button" data-action="click->file-drop#clear" class="text-gray-400 hover:text-gray-600">
+            <svg class="h-5 w-5" fill="currentColor" viewBox="0 0 20 20">
+              <path fill-rule="evenodd" d="M4.293 4.293a1 1 0 011.414 0L10 8.586l4.293-4.293a1 1 0 111.414 1.414L11.414 10l4.293 4.293a1 1 0 01-1.414 1.414L10 11.414l-4.293 4.293a1 1 0 01-1.414-1.414L8.586 10 4.293 5.707a1 1 0 010-1.414z" clip-rule="evenodd" />
+            </svg>
+          </button>
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <div>
+    <%= form.label :landing_url, "Landing URL", class: "block text-sm font-medium text-gray-700" %>
+    <%= form.url_field :landing_url, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "https://app.example.com" %>
+    <p class="mt-1 text-sm text-gray-500">The main URL users will visit to access this application. This will be shown as a link on their dashboard.</p>
+  </div>
+
  <div>
    <%= form.label :app_type, "Application Type", class: "block text-sm font-medium text-gray-700" %>
-    <%= form.select :app_type, [["OpenID Connect (OIDC)", "oidc"], ["SAML (Coming Soon)", "saml", { disabled: true }]], {}, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", disabled: application.persisted? %>
+    <%= form.select :app_type, [["OpenID Connect (OIDC)", "oidc"], ["Forward Auth (Reverse Proxy)", "forward_auth"]], {}, {
+    class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm",
+    disabled: application.persisted?,
+    data: { action: "change->application-form#updateFieldVisibility", application_form_target: "appTypeSelect" }
+  } %>
    <% if application.persisted? %>
      <p class="mt-1 text-sm text-gray-500">Application type cannot be changed after creation.</p>
    <% end %>
  </div>

  <!-- OIDC-specific fields -->
-  <div id="oidc-fields" class="space-y-6 border-t border-gray-200 pt-6" style="<%= 'display: none;' unless application.oidc? || !application.persisted? %>">
+  <div id="oidc-fields" class="space-y-6 border-t border-gray-200 pt-6 <%= 'hidden' unless application.oidc? || !application.persisted? %>" data-application-form-target="oidcFields">
    <h3 class="text-base font-semibold text-gray-900">OIDC Configuration</h3>

+    <!-- Client Type Selection (only for new applications) -->
+    <% unless application.persisted? %>
+    <div class="border border-gray-200 rounded-lg p-4 bg-gray-50">
+      <h4 class="text-sm font-semibold text-gray-900 mb-3">Client Type</h4>
+      <div class="space-y-3">
+        <div class="flex items-start">
+          <%= form.radio_button :is_public_client, "false", checked: !application.is_public_client, class: "mt-1 h-4 w-4 border-gray-300 text-blue-600 focus:ring-blue-500", data: { action: "change->application-form#updatePkceVisibility" } %>
+          <div class="ml-3">
+            <label for="application_is_public_client_false" class="block text-sm font-medium text-gray-900">Confidential Client (Recommended)</label>
+            <p class="text-sm text-gray-500">Backend server app that can securely store a client secret. Examples: traditional web apps, server-to-server APIs.</p>
+          </div>
+        </div>
+        <div class="flex items-start">
+          <%= form.radio_button :is_public_client, "true", checked: application.is_public_client, class: "mt-1 h-4 w-4 border-gray-300 text-blue-600 focus:ring-blue-500", data: { action: "change->application-form#updatePkceVisibility" } %>
+          <div class="ml-3">
+            <label for="application_is_public_client_true" class="block text-sm font-medium text-gray-900">Public Client</label>
+            <p class="text-sm text-gray-500">Frontend-only app that cannot store secrets securely. Examples: SPAs (React/Vue), mobile apps, CLI tools. <strong class="text-amber-600">PKCE is required.</strong></p>
+          </div>
+        </div>
+      </div>
+    </div>
+    <% else %>
+    <!-- Show client type for existing applications (read-only) -->
+    <div class="flex items-center gap-2 text-sm">
+      <span class="font-medium text-gray-700">Client Type:</span>
+      <% if application.public_client? %>
+        <span class="inline-flex items-center rounded-md bg-amber-50 px-2 py-1 text-xs font-medium text-amber-700 ring-1 ring-inset ring-amber-600/20">Public Client (PKCE Required)</span>
+      <% else %>
+        <span class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700 ring-1 ring-inset ring-green-600/20">Confidential Client</span>
+      <% end %>
+    </div>
+    <% end %>
+
+    <!-- PKCE Requirement (only for confidential clients) -->
+    <div id="pkce-options" data-application-form-target="pkceOptions" class="<%= 'hidden' if application.persisted? && application.public_client? %>">
+      <div class="flex items-center">
+        <%= form.check_box :require_pkce, class: "h-4 w-4 rounded border-gray-300 text-blue-600 focus:ring-blue-500" %>
+        <%= form.label :require_pkce, "Require PKCE (Proof Key for Code Exchange)", class: "ml-2 block text-sm font-medium text-gray-900" %>
+      </div>
+      <p class="ml-6 text-sm text-gray-500">
+        Recommended for enhanced security (OAuth 2.1 best practice).
+        <br><span class="text-xs text-gray-400">Note: Public clients always require PKCE regardless of this setting.</span>
+      </p>
+    </div>
+
    <div>
      <%= form.label :redirect_uris, "Redirect URIs", class: "block text-sm font-medium text-gray-700" %>
      <%= form.text_area :redirect_uris, rows: 4, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono", placeholder: "https://example.com/callback\nhttps://app.example.com/auth/callback" %>
      <p class="mt-1 text-sm text-gray-500">One URI per line. These are the allowed callback URLs for your application.</p>
    </div>
+
+    <div>
+      <%= form.label :backchannel_logout_uri, "Backchannel Logout URI (Optional)", class: "block text-sm font-medium text-gray-700" %>
+      <%= form.url_field :backchannel_logout_uri, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono", placeholder: "https://app.example.com/oidc/backchannel-logout" %>
+      <p class="mt-1 text-sm text-gray-500">
+        If the application supports OpenID Connect Backchannel Logout, enter the logout endpoint URL.
+        When users log out, Clinch will send logout notifications to this endpoint for immediate session termination.
+        Leave blank if the application doesn't support backchannel logout.
+      </p>
+    </div>
+
+    <div class="border-t border-gray-200 pt-4 mt-4">
+      <h4 class="text-sm font-semibold text-gray-900 mb-3">Token Expiration Settings</h4>
+      <p class="text-sm text-gray-500 mb-4">Configure how long tokens remain valid. Shorter times are more secure but require more frequent refreshes.</p>
+
+      <div class="grid grid-cols-1 md:grid-cols-3 gap-4">
+        <div>
+          <%= form.label :access_token_ttl, "Access Token TTL (seconds)", class: "block text-sm font-medium text-gray-700" %>
+          <%= form.number_field :access_token_ttl, value: application.access_token_ttl || 3600, min: 300, max: 86400, step: 60, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
+          <p class="mt-1 text-xs text-gray-500">
+            Range: 5 min - 24 hours
+            <br>Default: 1 hour (3600s)
+            <br>Current: <span class="font-medium"><%= application.access_token_ttl_human || "1 hour" %></span>
+          </p>
+        </div>
+
+        <div>
+          <%= form.label :refresh_token_ttl, "Refresh Token TTL (seconds)", class: "block text-sm font-medium text-gray-700" %>
+          <%= form.number_field :refresh_token_ttl, value: application.refresh_token_ttl || 2592000, min: 86400, max: 7776000, step: 86400, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
+          <p class="mt-1 text-xs text-gray-500">
+            Range: 1 day - 90 days
+            <br>Default: 30 days (2592000s)
+            <br>Current: <span class="font-medium"><%= application.refresh_token_ttl_human || "30 days" %></span>
+          </p>
+        </div>
+
+        <div>
+          <%= form.label :id_token_ttl, "ID Token TTL (seconds)", class: "block text-sm font-medium text-gray-700" %>
+          <%= form.number_field :id_token_ttl, value: application.id_token_ttl || 3600, min: 300, max: 86400, step: 60, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
+          <p class="mt-1 text-xs text-gray-500">
+            Range: 5 min - 24 hours
+            <br>Default: 1 hour (3600s)
+            <br>Current: <span class="font-medium"><%= application.id_token_ttl_human || "1 hour" %></span>
+          </p>
+        </div>
+      </div>
+
+      <details class="mt-3">
+        <summary class="cursor-pointer text-sm text-blue-600 hover:text-blue-800">Understanding Token Types</summary>
+        <div class="mt-2 ml-4 space-y-2 text-sm text-gray-600">
+          <p><strong>Access Token:</strong> Used to access protected resources (APIs). Shorter lifetime = more secure. Users won't notice automatic refreshes.</p>
+          <p><strong>Refresh Token:</strong> Used to get new access tokens without re-authentication. Longer lifetime = better UX (less re-logins).</p>
+          <p><strong>ID Token:</strong> Contains user identity information (JWT). Should match access token lifetime in most cases.</p>
+          <p class="text-xs italic mt-2">💡 Tip: Banking apps use 5-15 min access tokens. Internal tools use 1-4 hours.</p>
+        </div>
+      </details>
+    </div>
+  </div>
+
+  <!-- Forward Auth-specific fields -->
+  <div id="forward-auth-fields" class="space-y-6 border-t border-gray-200 pt-6 <%= 'hidden' unless application.forward_auth? %>" data-application-form-target="forwardAuthFields">
+    <h3 class="text-base font-semibold text-gray-900">Forward Auth Configuration</h3>
+
+    <div>
+      <%= form.label :domain_pattern, "Domain Pattern", class: "block text-sm font-medium text-gray-700" %>
+      <%= form.text_field :domain_pattern, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono", placeholder: "*.example.com or app.example.com" %>
+      <p class="mt-1 text-sm text-gray-500">Domain pattern to match. Use * for wildcard subdomains (e.g., *.example.com matches app.example.com, api.example.com, etc.)</p>
+    </div>
+
+    <div data-controller="json-validator" data-json-validator-valid-class="border-green-500 focus:border-green-500 focus:ring-green-500" data-json-validator-invalid-class="border-red-500 focus:border-red-500 focus:ring-red-500" data-json-validator-valid-status-class="text-green-600" data-json-validator-invalid-status-class="text-red-600">
+      <%= form.label :headers_config, "Custom Headers Configuration (JSON)", class: "block text-sm font-medium text-gray-700" %>
+      <%= form.text_area :headers_config, value: (application.headers_config.present? && application.headers_config.any? ? JSON.pretty_generate(application.headers_config) : ""), rows: 10,
+          class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono",
+          placeholder: '{"user": "Remote-User", "groups": "Remote-Groups"}',
+          data: {
+            action: "input->json-validator#validate blur->json-validator#format",
+            json_validator_target: "textarea"
+          } %>
+      <div class="mt-2 text-sm text-gray-600 space-y-1">
+        <div class="flex items-center justify-between">
+          <p class="font-medium">Optional: Customize header names sent to your application.</p>
+          <div class="flex items-center gap-2">
+            <button type="button" data-action="json-validator#format" class="text-xs bg-gray-100 hover:bg-gray-200 px-2 py-1 rounded">Format JSON</button>
+            <button type="button" data-action="json-validator#insertSample" data-json-sample='{"user": "Remote-User", "groups": "Remote-Groups", "email": "Remote-Email", "name": "Remote-Name", "admin": "Remote-Admin"}' class="text-xs bg-blue-100 hover:bg-blue-200 text-blue-700 px-2 py-1 rounded">Insert Example</button>
+          </div>
+        </div>
+        <p><strong>Default headers:</strong> X-Remote-User, X-Remote-Email, X-Remote-Name, X-Remote-Groups, X-Remote-Admin</p>
+        <div data-json-validator-target="status" class="text-xs font-medium"></div>
+        <details class="mt-2">
+          <summary class="cursor-pointer text-blue-600 hover:text-blue-800">Show available header keys and what data they send</summary>
+          <div class="mt-2 ml-4 space-y-1 text-xs">
+            <p><code class="bg-gray-100 px-1 rounded">user</code> - User's email address</p>
+            <p><code class="bg-gray-100 px-1 rounded">email</code> - User's email address</p>
+            <p><code class="bg-gray-100 px-1 rounded">name</code> - User's display name (falls back to email if not set)</p>
+            <p><code class="bg-gray-100 px-1 rounded">groups</code> - Comma-separated list of group names (e.g., "admin,developers")</p>
+            <p><code class="bg-gray-100 px-1 rounded">admin</code> - "true" or "false" indicating admin status</p>
+            <p class="mt-2 italic">Example: <code class="bg-gray-100 px-1 rounded">{"user": "Remote-User", "groups": "Remote-Groups"}</code></p>
+            <p class="italic">Need custom user fields? Add them to user's custom_claims for OIDC tokens</p>
+          </div>
+        </details>
+      </div>
+    </div>
  </div>

  <div>
@@ -82,18 +303,3 @@
  </div>
 <% end %>

-<script>
-  // Show/hide OIDC fields based on app type selection
-  const appTypeSelect = document.querySelector('#application_app_type');
-  const oidcFields = document.querySelector('#oidc-fields');
-
-  if (appTypeSelect && oidcFields) {
-    appTypeSelect.addEventListener('change', function() {
-      if (this.value === 'oidc') {
-        oidcFields.style.display = 'block';
-      } else {
-        oidcFields.style.display = 'none';
-      }
-    });
-  }
-</script>
--- a/app/views/admin/applications/index.html.erb
+++ b/app/views/admin/applications/index.html.erb
@@ -1,7 +1,7 @@
 <div class="sm:flex sm:items-center">
  <div class="sm:flex-auto">
    <h1 class="text-2xl font-semibold text-gray-900">Applications</h1>
-    <p class="mt-2 text-sm text-gray-700">Manage OIDC applications.</p>
+    <p class="mt-2 text-sm text-gray-700">Manage OIDC Clients.</p>
  </div>
  <div class="mt-4 sm:mt-0 sm:ml-16 sm:flex-none">
    <%= link_to "New Application", new_admin_application_path, class: "block rounded-md bg-blue-600 px-3 py-2 text-center text-sm font-semibold text-white shadow-sm hover:bg-blue-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-600" %>
@@ -14,7 +14,7 @@
      <table class="min-w-full divide-y divide-gray-300">
        <thead>
          <tr>
-            <th scope="col" class="py-3.5 pl-4 pr-3 text-left text-sm font-semibold text-gray-900 sm:pl-0">Name</th>
+            <th scope="col" class="py-3.5 pl-4 pr-3 text-left text-sm font-semibold text-gray-900 sm:pl-0">Application</th>
            <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Slug</th>
            <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Type</th>
            <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Status</th>
@@ -28,7 +28,18 @@
          <% @applications.each do |application| %>
            <tr>
              <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm font-medium text-gray-900 sm:pl-0">
-                <%= link_to application.name, admin_application_path(application), class: "text-blue-600 hover:text-blue-900" %>
+                <div class="flex items-center gap-3">
+                  <% if application.icon.attached? %>
+                    <%= image_tag application.icon, class: "h-10 w-10 rounded-lg object-cover border border-gray-200 flex-shrink-0", alt: "#{application.name} icon" %>
+                  <% else %>
+                    <div class="h-10 w-10 rounded-lg bg-gray-100 border border-gray-200 flex items-center justify-center flex-shrink-0">
+                      <svg class="h-6 w-6 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
+                      </svg>
+                    </div>
+                  <% end %>
+                  <%= link_to application.name, admin_application_path(application), class: "text-blue-600 hover:text-blue-900" %>
+                </div>
              </td>
              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
                <code class="text-xs bg-gray-100 px-2 py-1 rounded"><%= application.slug %></code>
@@ -37,6 +48,8 @@
                <% case application.app_type %>
                <% when "oidc" %>
                  <span class="inline-flex items-center rounded-full bg-purple-100 px-2 py-1 text-xs font-medium text-purple-700">OIDC</span>
+                <% when "forward_auth" %>
+                  <span class="inline-flex items-center rounded-full bg-blue-100 px-2 py-1 text-xs font-medium text-blue-700">Forward Auth</span>
                <% when "saml" %>
                  <span class="inline-flex items-center rounded-full bg-orange-100 px-2 py-1 text-xs font-medium text-orange-700">SAML</span>
                <% end %>
@@ -56,9 +69,11 @@
                <% end %>
              </td>
              <td class="relative whitespace-nowrap py-4 pl-3 pr-4 text-right text-sm font-medium sm:pr-0">
-                <%= link_to "View", admin_application_path(application), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                <%= link_to "Edit", edit_admin_application_path(application), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                <%= button_to "Delete", admin_application_path(application), method: :delete, data: { turbo_confirm: "Are you sure you want to delete this application?" }, class: "text-red-600 hover:text-red-900" %>
+                <div class="flex justify-end space-x-3">
+                  <%= link_to "View", admin_application_path(application), class: "text-blue-600 hover:text-blue-900 whitespace-nowrap" %>
+                  <%= link_to "Edit", edit_admin_application_path(application), class: "text-blue-600 hover:text-blue-900 whitespace-nowrap" %>
+                  <%= button_to "Delete", admin_application_path(application), method: :delete, data: { turbo_confirm: "Are you sure you want to delete this application?" }, class: "text-red-600 hover:text-red-900 whitespace-nowrap" %>
+                </div>
              </td>
            </tr>
          <% end %>
--- a/app/views/admin/applications/show.html.erb
+++ b/app/views/admin/applications/show.html.erb
@@ -1,8 +1,49 @@
 <div class="mb-6">
-  <div class="sm:flex sm:items-center sm:justify-between">
-    <div>
-      <h1 class="text-2xl font-semibold text-gray-900"><%= @application.name %></h1>
-      <p class="mt-1 text-sm text-gray-500"><%= @application.description %></p>
+  <% if flash[:client_id] %>
+    <div class="bg-yellow-50 border border-yellow-200 rounded-md p-4 mb-6">
+      <h4 class="text-sm font-medium text-yellow-800 mb-2">🔐 OIDC Client Credentials</h4>
+      <% if flash[:public_client] %>
+        <p class="text-xs text-yellow-700 mb-3">This is a public client. Copy the client ID below.</p>
+      <% else %>
+        <p class="text-xs text-yellow-700 mb-3">Copy these credentials now. The client secret will not be shown again.</p>
+      <% end %>
+      <div class="space-y-2">
+        <div>
+          <span class="text-xs font-medium text-yellow-700">Client ID:</span>
+        </div>
+        <code class="block bg-yellow-100 px-3 py-2 rounded font-mono text-xs break-all"><%= flash[:client_id] %></code>
+        <% if flash[:client_secret] %>
+          <div class="mt-3">
+            <span class="text-xs font-medium text-yellow-700">Client Secret:</span>
+          </div>
+          <code class="block bg-yellow-100 px-3 py-2 rounded font-mono text-xs break-all"><%= flash[:client_secret] %></code>
+        <% elsif flash[:public_client] %>
+          <div class="mt-3">
+            <span class="text-xs font-medium text-yellow-700">Client Secret:</span>
+          </div>
+          <div class="bg-yellow-100 px-3 py-2 rounded text-xs text-yellow-600">
+            Public clients do not have a client secret. PKCE is required.
+          </div>
+        <% end %>
+      </div>
+    </div>
+  <% end %>
+
+  <div class="sm:flex sm:items-start sm:justify-between">
+    <div class="flex items-start gap-4">
+      <% if @application.icon.attached? %>
+        <%= image_tag @application.icon, class: "h-16 w-16 rounded-lg object-cover border border-gray-200 shrink-0", alt: "#{@application.name} icon" %>
+      <% else %>
+        <div class="h-16 w-16 rounded-lg bg-gray-100 border border-gray-200 flex items-center justify-center shrink-0">
+          <svg class="h-8 w-8 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
+          </svg>
+        </div>
+      <% end %>
+      <div>
+        <h1 class="text-2xl font-semibold text-gray-900"><%= @application.name %></h1>
+        <p class="mt-1 text-sm text-gray-500"><%= @application.description %></p>
+      </div>
    </div>
    <div class="mt-4 sm:mt-0 flex gap-3">
      <%= link_to "Edit", edit_admin_application_path(@application), class: "rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
@@ -27,8 +68,8 @@
            <% case @application.app_type %>
            <% when "oidc" %>
              <span class="inline-flex items-center rounded-full bg-purple-100 px-2 py-1 text-xs font-medium text-purple-700">OIDC</span>
-            <% when "saml" %>
-              <span class="inline-flex items-center rounded-full bg-orange-100 px-2 py-1 text-xs font-medium text-orange-700">SAML</span>
+            <% when "forward_auth" %>
+              <span class="inline-flex items-center rounded-full bg-blue-100 px-2 py-1 text-xs font-medium text-blue-700">Forward Auth</span>
            <% end %>
          </dd>
        </div>
@@ -42,6 +83,16 @@
            <% end %>
          </dd>
        </div>
+        <div class="sm:col-span-2">
+          <dt class="text-sm font-medium text-gray-500">Landing URL</dt>
+          <dd class="mt-1 text-sm text-gray-900">
+            <% if @application.landing_url.present? %>
+              <%= link_to @application.landing_url, @application.landing_url, target: "_blank", rel: "noopener noreferrer", class: "text-blue-600 hover:text-blue-800 underline" %>
+            <% else %>
+              <span class="text-gray-400 italic">Not configured</span>
+            <% end %>
+          </dd>
+        </div>
      </dl>
    </div>
  </div>
@@ -51,22 +102,62 @@
    <div class="bg-white shadow sm:rounded-lg">
      <div class="px-4 py-5 sm:p-6">
        <div class="flex items-center justify-between mb-4">
-          <h3 class="text-base font-semibold leading-6 text-gray-900">OIDC Credentials</h3>
+          <h3 class="text-base font-semibold leading-6 text-gray-900">OIDC Configuration</h3>
          <%= button_to "Regenerate Credentials", regenerate_credentials_admin_application_path(@application), method: :post, data: { turbo_confirm: "This will invalidate the current credentials. Continue?" }, class: "text-sm text-red-600 hover:text-red-900" %>
        </div>
        <dl class="space-y-4">
-          <div>
-            <dt class="text-sm font-medium text-gray-500">Client ID</dt>
-            <dd class="mt-1 text-sm text-gray-900">
-              <code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs break-all"><%= @application.client_id %></code>
-            </dd>
-          </div>
-          <div>
-            <dt class="text-sm font-medium text-gray-500">Client Secret</dt>
-            <dd class="mt-1 text-sm text-gray-900">
-              <code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs break-all"><%= @application.client_secret %></code>
-            </dd>
+          <div class="grid grid-cols-2 gap-4">
+            <div>
+              <dt class="text-sm font-medium text-gray-500">Client Type</dt>
+              <dd class="mt-1 text-sm text-gray-900">
+                <% if @application.public_client? %>
+                  <span class="inline-flex items-center rounded-full bg-blue-100 px-2 py-1 text-xs font-medium text-blue-700">Public</span>
+                <% else %>
+                  <span class="inline-flex items-center rounded-full bg-gray-100 px-2 py-1 text-xs font-medium text-gray-700">Confidential</span>
+                <% end %>
+              </dd>
+            </div>
+            <div>
+              <dt class="text-sm font-medium text-gray-500">PKCE</dt>
+              <dd class="mt-1 text-sm text-gray-900">
+                <% if @application.requires_pkce? %>
+                  <span class="inline-flex items-center rounded-full bg-green-100 px-2 py-1 text-xs font-medium text-green-700">Required</span>
+                <% else %>
+                  <span class="inline-flex items-center rounded-full bg-gray-100 px-2 py-1 text-xs font-medium text-gray-700">Optional</span>
+                <% end %>
+              </dd>
+            </div>
          </div>
+          <% unless flash[:client_id] %>
+            <div>
+              <dt class="text-sm font-medium text-gray-500">Client ID</dt>
+              <dd class="mt-1 text-sm text-gray-900">
+                <code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs break-all"><%= @application.client_id %></code>
+              </dd>
+            </div>
+            <% if @application.confidential_client? %>
+              <div>
+                <dt class="text-sm font-medium text-gray-500">Client Secret</dt>
+                <dd class="mt-1 text-sm text-gray-900">
+                  <div class="bg-gray-100 px-3 py-2 rounded text-xs text-gray-500 italic">
+                    🔒 Client secret is stored securely and cannot be displayed
+                  </div>
+                  <p class="mt-2 text-xs text-gray-500">
+                    To get a new client secret, use the "Regenerate Credentials" button above.
+                  </p>
+                </dd>
+              </div>
+            <% else %>
+              <div>
+                <dt class="text-sm font-medium text-gray-500">Client Secret</dt>
+                <dd class="mt-1 text-sm text-gray-900">
+                  <div class="bg-blue-50 px-3 py-2 rounded text-xs text-blue-600">
+                    Public clients do not use a client secret. PKCE is required for authorization.
+                  </div>
+                </dd>
+              </div>
+            <% end %>
+          <% end %>
          <div>
            <dt class="text-sm font-medium text-gray-500">Redirect URIs</dt>
            <dd class="mt-1 text-sm text-gray-900">
@@ -79,6 +170,56 @@
              <% end %>
            </dd>
          </div>
+          <div>
+            <dt class="text-sm font-medium text-gray-500">
+              Backchannel Logout URI
+              <% if @application.supports_backchannel_logout? %>
+                <span class="ml-2 inline-flex items-center rounded-full bg-green-100 px-2 py-0.5 text-xs font-medium text-green-700">Enabled</span>
+              <% end %>
+            </dt>
+            <dd class="mt-1 text-sm text-gray-900">
+              <% if @application.backchannel_logout_uri.present? %>
+                <code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs break-all"><%= @application.backchannel_logout_uri %></code>
+                <p class="mt-2 text-xs text-gray-500">
+                  When users log out, Clinch will send logout notifications to this endpoint for immediate session termination.
+                </p>
+              <% else %>
+                <span class="text-gray-400 italic">Not configured</span>
+                <p class="mt-1 text-xs text-gray-500">
+                  Backchannel logout is optional. Configure it if the application supports OpenID Connect Backchannel Logout.
+                </p>
+              <% end %>
+            </dd>
+          </div>
+        </dl>
+      </div>
+    </div>
+  <% end %>
+
+  <!-- Forward Auth Configuration (only for Forward Auth apps) -->
+  <% if @application.forward_auth? %>
+    <div class="bg-white shadow sm:rounded-lg">
+      <div class="px-4 py-5 sm:p-6">
+        <h3 class="text-base font-semibold leading-6 text-gray-900 mb-4">Forward Auth Configuration</h3>
+        <dl class="space-y-4">
+          <div>
+            <dt class="text-sm font-medium text-gray-500">Domain Pattern</dt>
+            <dd class="mt-1 text-sm text-gray-900">
+              <code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs"><%= @application.domain_pattern %></code>
+            </dd>
+          </div>
+          <div>
+            <dt class="text-sm font-medium text-gray-500">Headers Configuration</dt>
+            <dd class="mt-1 text-sm text-gray-900">
+              <% if @application.headers_config.present? && @application.headers_config.any? %>
+                <code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs whitespace-pre-wrap"><%= JSON.pretty_generate(@application.headers_config) %></code>
+              <% else %>
+                <div class="bg-gray-100 px-3 py-2 rounded text-xs text-gray-500">
+                  Using default headers: X-Remote-User, X-Remote-Email, X-Remote-Name, X-Remote-Groups, X-Remote-Admin
+                </div>
+              <% end %>
+            </dd>
+          </div>
        </dl>
      </div>
    </div>
--- a/app/views/admin/forward_auth_rules/edit.html.erb
+++ b/app/views/admin/forward_auth_rules/edit.html.erb
@@ -1,57 +0,0 @@
-<% content_for :title, "Edit Forward Auth Rule" %>
-
-<div class="md:flex md:items-center md:justify-between">
-  <div class="min-w-0 flex-1">
-    <h2 class="text-2xl font-bold leading-7 text-gray-900 sm:truncate sm:text-3xl sm:tracking-tight">
-      Edit Forward Auth Rule
-    </h2>
-  </div>
-</div>
-
-<div class="mt-8">
-  <%= form_with(model: [:admin, @forward_auth_rule], local: true, class: "space-y-6") do |form| %>
-    <%= render "shared/form_errors", form: form %>
-
-    <div class="bg-white shadow-sm ring-1 ring-gray-900/5 sm:rounded-xl md:col-span-2">
-      <div class="px-4 py-6 sm:p-8">
-        <div class="grid max-w-2xl grid-cols-1 gap-x-6 gap-y-8 sm:grid-cols-6">
-          <div class="sm:col-span-4">
-            <%= form.label :domain_pattern, class: "block text-sm font-medium leading-6 text-gray-900" %>
-            <div class="mt-2">
-              <%= form.text_field :domain_pattern, class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6", placeholder: "*.example.com" %>
-            </div>
-            <p class="mt-3 text-sm leading-6 text-gray-600">
-              Use patterns like "*.example.com" or "api.example.com". Wildcards (*) are supported.
-            </p>
-          </div>
-
-          <div class="sm:col-span-4">
-            <%= form.label :active, class: "block text-sm font-medium leading-6 text-gray-900" %>
-            <div class="mt-2">
-              <%= form.select :active, options_for_select([["Active", true], ["Inactive", false]], @forward_auth_rule.active), { prompt: "Select status" }, { class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:max-w-xs sm:text-sm sm:leading-6" } %>
-            </div>
-          </div>
-
-          <div class="col-span-full">
-            <div class="block text-sm font-medium leading-6 text-gray-900 mb-4">
-              Groups
-            </div>
-            <div class="mt-2 space-y-2">
-              <%= form.collection_select :group_ids, @available_groups, :id, :name,
-                  { selected: @forward_auth_rule.allowed_groups.map(&:id), prompt: "Select groups (leave empty for bypass)" },
-                  { multiple: true, class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6" } %>
-            </div>
-            <p class="mt-3 text-sm leading-6 text-gray-600">
-              Select groups that are allowed to access this domain. If no groups are selected, all authenticated users will be allowed access (bypass).
-            </p>
-          </div>
-        </div>
-      </div>
-    </div>
-
-    <div class="mt-6 flex items-center justify-end gap-x-6">
-      <%= link_to "Cancel", admin_forward_auth_rule_path(@forward_auth_rule), class: "text-sm font-semibold leading-6 text-gray-900 hover:text-gray-700" %>
-      <%= form.submit "Update Rule", class: "rounded-md bg-blue-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-blue-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-600" %>
-    </div>
-  <% end %>
-</div>
--- a/app/views/admin/forward_auth_rules/index.html.erb
+++ b/app/views/admin/forward_auth_rules/index.html.erb
@@ -1,89 +0,0 @@
-<% content_for :title, "Forward Auth Rules" %>
-
-<div class="sm:flex sm:items-center">
-  <div class="sm:flex-auto">
-    <h1 class="text-base font-semibold leading-6 text-gray-900">Forward Auth Rules</h1>
-    <p class="mt-2 text-sm text-gray-700">A list of all forward authentication rules for domain-based access control.</p>
-  </div>
-  <div class="mt-4 sm:ml-16 sm:mt-0 sm:flex-none">
-    <%= link_to "Add rule", new_admin_forward_auth_rule_path, class: "block rounded-md bg-blue-600 px-3 py-2 text-center text-sm font-semibold text-white shadow-sm hover:bg-blue-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-600" %>
-  </div>
-</div>
-
-<div class="mt-8 flow-root">
-  <div class="-mx-4 -my-2 overflow-x-auto sm:-mx-6 lg:-mx-8">
-    <div class="inline-block min-w-full py-2 align-middle sm:px-6 lg:px-8">
-      <% if @forward_auth_rules.any? %>
-        <div class="overflow-hidden shadow ring-1 ring-black ring-opacity-5 md:rounded-lg">
-          <table class="min-w-full divide-y divide-gray-300">
-            <thead class="bg-gray-50">
-              <tr>
-                <th scope="col" class="py-3.5 pl-4 pr-3 text-left text-sm font-semibold text-gray-900 sm:pl-6">Domain Pattern</th>
-                <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Groups</th>
-                <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Status</th>
-                <th scope="col" class="relative py-3.5 pl-3 pr-4 sm:pr-6">
-                  <span class="sr-only">Actions</span>
-                </th>
-              </tr>
-            </thead>
-            <tbody class="divide-y divide-gray-200 bg-white">
-              <% @forward_auth_rules.each do |rule| %>
-                <tr>
-                  <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm font-medium text-gray-900 sm:pl-6">
-                    <%= rule.domain_pattern %>
-                  </td>
-                  <td class="px-3 py-4 text-sm text-gray-500">
-                    <% if rule.allowed_groups.any? %>
-                      <div class="flex flex-wrap gap-1">
-                        <% rule.allowed_groups.each do |group| %>
-                          <span class="inline-flex items-center rounded-md bg-blue-50 px-2 py-1 text-xs font-medium text-blue-700">
-                            <%= group.name %>
-                          </span>
-                        <% end %>
-                      </div>
-                    <% else %>
-                      <span class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700">
-                        Bypass (All Users)
-                      </span>
-                    <% end %>
-                  </td>
-                  <td class="px-3 py-4 text-sm text-gray-500">
-                    <% if rule.active? %>
-                      <span class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700">
-                        Active
-                      </span>
-                    <% else %>
-                      <span class="inline-flex items-center rounded-md bg-red-50 px-2 py-1 text-xs font-medium text-red-700">
-                        Inactive
-                      </span>
-                    <% end %>
-                  </td>
-                  <td class="relative whitespace-nowrap py-4 pl-3 pr-4 text-right text-sm font-medium sm:pr-6">
-                    <%= link_to "Edit", edit_admin_forward_auth_rule_path(rule), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                    <%= link_to "Delete", admin_forward_auth_rule_path(rule),
-                        data: {
-                          turbo_method: :delete,
-                          turbo_confirm: "Are you sure you want to delete this forward auth rule?"
-                        },
-                        class: "text-red-600 hover:text-red-900" %>
-                  </td>
-                </tr>
-              <% end %>
-            </tbody>
-          </table>
-        </div>
-      <% else %>
-        <div class="text-center py-12">
-          <svg class="mx-auto h-12 w-12 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
-            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z" />
-          </svg>
-          <h3 class="mt-2 text-sm font-semibold text-gray-900">No forward auth rules</h3>
-          <p class="mt-1 text-sm text-gray-500">Get started by creating a new forward authentication rule.</p>
-          <div class="mt-6">
-            <%= link_to "Add rule", new_admin_forward_auth_rule_path, class: "inline-flex items-center rounded-md bg-blue-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-blue-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-600" %>
-          </div>
-        </div>
-      <% end %>
-    </div>
-  </div>
-</div>
--- a/app/views/admin/forward_auth_rules/new.html.erb
+++ b/app/views/admin/forward_auth_rules/new.html.erb
@@ -1,57 +0,0 @@
-<% content_for :title, "New Forward Auth Rule" %>
-
-<div class="md:flex md:items-center md:justify-between">
-  <div class="min-w-0 flex-1">
-    <h2 class="text-2xl font-bold leading-7 text-gray-900 sm:truncate sm:text-3xl sm:tracking-tight">
-      New Forward Auth Rule
-    </h2>
-  </div>
-</div>
-
-<div class="mt-8">
-  <%= form_with(model: [:admin, @forward_auth_rule], local: true, class: "space-y-6") do |form| %>
-    <%= render "shared/form_errors", form: form %>
-
-    <div class="bg-white shadow-sm ring-1 ring-gray-900/5 sm:rounded-xl md:col-span-2">
-      <div class="px-4 py-6 sm:p-8">
-        <div class="grid max-w-2xl grid-cols-1 gap-x-6 gap-y-8 sm:grid-cols-6">
-          <div class="sm:col-span-4">
-            <%= form.label :domain_pattern, class: "block text-sm font-medium leading-6 text-gray-900" %>
-            <div class="mt-2">
-              <%= form.text_field :domain_pattern, class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6", placeholder: "*.example.com" %>
-            </div>
-            <p class="mt-3 text-sm leading-6 text-gray-600">
-              Use patterns like "*.example.com" or "api.example.com". Wildcards (*) are supported.
-            </p>
-          </div>
-
-          <div class="sm:col-span-4">
-            <%= form.label :active, class: "block text-sm font-medium leading-6 text-gray-900" %>
-            <div class="mt-2">
-              <%= form.select :active, options_for_select([["Active", true], ["Inactive", false]], @forward_auth_rule.active), { prompt: "Select status" }, { class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:max-w-xs sm:text-sm sm:leading-6" } %>
-            </div>
-          </div>
-
-          <div class="col-span-full">
-            <div class="block text-sm font-medium leading-6 text-gray-900 mb-4">
-              Groups
-            </div>
-            <div class="mt-2 space-y-2">
-              <%= form.collection_select :group_ids, @available_groups, :id, :name,
-                  { prompt: "Select groups (leave empty for bypass)" },
-                  { multiple: true, class: "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 focus:ring-2 focus:ring-inset focus:ring-blue-600 sm:text-sm sm:leading-6" } %>
-            </div>
-            <p class="mt-3 text-sm leading-6 text-gray-600">
-              Select groups that are allowed to access this domain. If no groups are selected, all authenticated users will be allowed access (bypass).
-            </p>
-          </div>
-        </div>
-      </div>
-    </div>
-
-    <div class="mt-6 flex items-center justify-end gap-x-6">
-      <%= link_to "Cancel", admin_forward_auth_rules_path, class: "text-sm font-semibold leading-6 text-gray-900 hover:text-gray-700" %>
-      <%= form.submit "Create Rule", class: "rounded-md bg-blue-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-blue-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-600" %>
-    </div>
-  <% end %>
-</div>
--- a/app/views/admin/forward_auth_rules/show.html.erb
+++ b/app/views/admin/forward_auth_rules/show.html.erb
@@ -1,111 +0,0 @@
-<% content_for :title, "Forward Auth Rule: #{@forward_auth_rule.domain_pattern}" %>
-
-<div class="md:flex md:items-center md:justify-between">
-  <div class="min-w-0 flex-1">
-    <h2 class="text-2xl font-bold leading-7 text-gray-900 sm:truncate sm:text-3xl sm:tracking-tight">
-      <%= @forward_auth_rule.domain_pattern %>
-    </h2>
-  </div>
-  <div class="mt-4 flex md:ml-4 md:mt-0">
-    <%= link_to "Edit", edit_admin_forward_auth_rule_path(@forward_auth_rule), class: "inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
-    <%= link_to "Delete", admin_forward_auth_rule_path(@forward_auth_rule),
-        data: {
-          turbo_method: :delete,
-          turbo_confirm: "Are you sure you want to delete this forward auth rule?"
-        },
-        class: "ml-3 inline-flex items-center rounded-md bg-red-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-red-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-red-600" %>
-  </div>
-</div>
-
-<div class="mt-8">
-  <div class="bg-white shadow overflow-hidden sm:rounded-lg">
-    <div class="px-4 py-5 sm:px-6">
-      <h3 class="text-lg leading-6 font-medium text-gray-900">Rule Details</h3>
-      <p class="mt-1 max-w-2xl text-sm text-gray-500">Forward authentication rule configuration.</p>
-    </div>
-    <div class="border-t border-gray-200">
-      <dl>
-        <div class="bg-gray-50 px-4 py-5 sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
-          <dt class="text-sm font-medium text-gray-500">Domain Pattern</dt>
-          <dd class="mt-1 text-sm text-gray-900 sm:col-span-2 sm:mt-0">
-            <code class="bg-gray-100 px-2 py-1 rounded text-sm"><%= @forward_auth_rule.domain_pattern %></code>
-          </dd>
-        </div>
-        <div class="bg-white px-4 py-5 sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
-          <dt class="text-sm font-medium text-gray-500">Status</dt>
-          <dd class="mt-1 text-sm text-gray-900 sm:col-span-2 sm:mt-0">
-            <% if @forward_auth_rule.active? %>
-              <span class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700">
-                Active
-              </span>
-            <% else %>
-              <span class="inline-flex items-center rounded-md bg-red-50 px-2 py-1 text-xs font-medium text-red-700">
-                Inactive
-              </span>
-            <% end %>
-          </dd>
-        </div>
-        <div class="bg-gray-50 px-4 py-5 sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
-          <dt class="text-sm font-medium text-gray-500">Access Policy</dt>
-          <dd class="mt-1 text-sm text-gray-900 sm:col-span-2 sm:mt-0">
-            <% if @allowed_groups.any? %>
-              <div class="space-y-2">
-                <p class="text-sm">Only users in these groups are allowed access:</p>
-                <div class="flex flex-wrap gap-2">
-                  <% @allowed_groups.each do |group| %>
-                    <span class="inline-flex items-center rounded-md bg-blue-50 px-2 py-1 text-xs font-medium text-blue-700">
-                      <%= group.name %>
-                    </span>
-                  <% end %>
-                </div>
-              </div>
-            <% else %>
-              <span class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700">
-                Bypass - All authenticated users allowed
-              </span>
-            <% end %>
-          </dd>
-        </div>
-        <div class="bg-white px-4 py-5 sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
-          <dt class="text-sm font-medium text-gray-500">Created</dt>
-          <dd class="mt-1 text-sm text-gray-900 sm:col-span-2 sm:mt-0">
-            <%= @forward_auth_rule.created_at.strftime("%B %d, %Y at %I:%M %p") %>
-          </dd>
-        </div>
-        <div class="bg-gray-50 px-4 py-5 sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
-          <dt class="text-sm font-medium text-gray-500">Last Updated</dt>
-          <dd class="mt-1 text-sm text-gray-900 sm:col-span-2 sm:mt-0">
-            <%= @forward_auth_rule.updated_at.strftime("%B %d, %Y at %I:%M %p") %>
-          </dd>
-        </div>
-      </dl>
-    </div>
-  </div>
-</div>
-
-<div class="mt-8">
-  <div class="bg-blue-50 border-l-4 border-blue-400 p-4">
-    <div class="flex">
-      <div class="flex-shrink-0">
-        <svg class="h-5 w-5 text-blue-400" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
-          <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd" />
-        </svg>
-      </div>
-      <div class="ml-3">
-        <h3 class="text-sm font-medium text-blue-800">How this rule works</h3>
-        <div class="mt-2 text-sm text-blue-700">
-          <ul class="list-disc list-inside space-y-1">
-            <li>This rule matches domains that fit the pattern: <code class="bg-blue-100 px-1 rounded"><%= @forward_auth_rule.domain_pattern %></code></li>
-            <% if @allowed_groups.any? %>
-              <li>Only users belonging to the specified groups will be granted access</li>
-              <li>Users will be required to authenticate with password (and 2FA if enabled)</li>
-            <% else %>
-              <li>All authenticated users will be granted access (bypass mode)</li>
-            <% end %>
-            <li>Inactive rules are ignored during authentication</li>
-          </ul>
-        </div>
-      </div>
-    </div>
-  </div>
-</div>
--- a/app/views/admin/groups/_form.html.erb
+++ b/app/views/admin/groups/_form.html.erb
@@ -1,22 +1,5 @@
-<%= form_with(model: [:admin, group], class: "space-y-6") do |form| %>
-  <% if group.errors.any? %>
-    <div class="rounded-md bg-red-50 p-4">
-      <div class="flex">
-        <div class="ml-3">
-          <h3 class="text-sm font-medium text-red-800">
-            <%= pluralize(group.errors.count, "error") %> prohibited this group from being saved:
-          </h3>
-          <div class="mt-2 text-sm text-red-700">
-            <ul class="list-disc pl-5 space-y-1">
-              <% group.errors.full_messages.each do |message| %>
-                <li><%= message %></li>
-              <% end %>
-            </ul>
-          </div>
-        </div>
-      </div>
-    </div>
-  <% end %>
+<%= form_with(model: [:admin, group], class: "space-y-6", data: { controller: "form-errors" }) do |form| %>
+  <%= render "shared/form_errors", form: form %>

  <div>
    <%= form.label :name, class: "block text-sm font-medium text-gray-700" %>
@@ -49,6 +32,27 @@
    <p class="mt-1 text-sm text-gray-500">Select which users should be members of this group.</p>
  </div>

+  <div data-controller="json-validator" data-json-validator-valid-class="border-green-500 focus:border-green-500 focus:ring-green-500" data-json-validator-invalid-class="border-red-500 focus:border-red-500 focus:ring-red-500" data-json-validator-valid-status-class="text-green-600" data-json-validator-invalid-status-class="text-red-600">
+    <%= form.label :custom_claims, "Custom Claims (JSON)", class: "block text-sm font-medium text-gray-700" %>
+    <%= form.text_area :custom_claims, value: (group.custom_claims.present? ? JSON.pretty_generate(group.custom_claims) : ""), rows: 8,
+        class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono",
+        placeholder: '{"roles": ["admin", "editor"]}',
+        data: {
+          action: "input->json-validator#validate blur->json-validator#format",
+          json_validator_target: "textarea"
+        } %>
+    <div class="mt-2 text-sm text-gray-600 space-y-1">
+      <div class="flex items-center justify-between">
+        <p>Optional: Custom claims to add to OIDC tokens for all members. These will be merged with user-level claims.</p>
+        <div class="flex items-center gap-2">
+          <button type="button" data-action="json-validator#format" class="text-xs bg-gray-100 hover:bg-gray-200 px-2 py-1 rounded">Format JSON</button>
+          <button type="button" data-action="json-validator#insertSample" data-json-sample='{"roles": ["admin", "editor"], "permissions": ["read", "write"], "team": "backend"}' class="text-xs bg-blue-100 hover:bg-blue-200 text-blue-700 px-2 py-1 rounded">Insert Example</button>
+        </div>
+      </div>
+      <div data-json-validator-target="status" class="text-xs font-medium"></div>
+    </div>
+  </div>
+
  <div class="flex gap-3">
    <%= form.submit group.persisted? ? "Update Group" : "Create Group", class: "rounded-md bg-blue-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-blue-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-600" %>
    <%= link_to "Cancel", admin_groups_path, class: "rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
--- a/app/views/admin/groups/index.html.erb
+++ b/app/views/admin/groups/index.html.erb
@@ -39,9 +39,11 @@
                <%= pluralize(group.applications.count, "app") %>
              </td>
              <td class="relative whitespace-nowrap py-4 pl-3 pr-4 text-right text-sm font-medium sm:pr-0">
-                <%= link_to "View", admin_group_path(group), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                <%= link_to "Edit", edit_admin_group_path(group), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                <%= button_to "Delete", admin_group_path(group), method: :delete, data: { turbo_confirm: "Are you sure you want to delete this group?" }, class: "text-red-600 hover:text-red-900" %>
+                <div class="flex justify-end space-x-3">
+                  <%= link_to "View", admin_group_path(group), class: "text-blue-600 hover:text-blue-900 whitespace-nowrap" %>
+                  <%= link_to "Edit", edit_admin_group_path(group), class: "text-blue-600 hover:text-blue-900 whitespace-nowrap" %>
+                  <%= button_to "Delete", admin_group_path(group), method: :delete, data: { turbo_confirm: "Are you sure you want to delete this group?" }, class: "text-red-600 hover:text-red-900 whitespace-nowrap" %>
+                </div>
              </td>
            </tr>
          <% end %>
--- a/app/views/admin/users/_application_claims.html.erb
+++ b/app/views/admin/users/_application_claims.html.erb
@@ -0,0 +1,185 @@
+<% oidc_apps = applications.select(&:oidc?) %>
+<% forward_auth_apps = applications.select(&:forward_auth?) %>
+
+<!-- OIDC Apps: Custom Claims -->
+<% if oidc_apps.any? %>
+  <div class="mt-12 border-t pt-8">
+    <h2 class="text-xl font-semibold text-gray-900 mb-4">OIDC App-Specific Claims</h2>
+    <p class="text-sm text-gray-600 mb-6">
+      Configure custom claims that apply only to specific OIDC applications. These override both group and user global claims and are included in ID tokens.
+    </p>
+
+    <div class="space-y-6">
+      <% oidc_apps.each do |app| %>
+        <% app_claim = user.application_user_claims.find_by(application: app) %>
+        <details class="border rounded-lg" <%= "open" if app_claim&.custom_claims&.any? %>>
+          <summary class="cursor-pointer bg-gray-50 px-4 py-3 hover:bg-gray-100 rounded-t-lg flex items-center justify-between">
+            <div class="flex items-center gap-3">
+              <span class="font-medium text-gray-900"><%= app.name %></span>
+              <span class="text-xs px-2 py-1 rounded-full bg-blue-100 text-blue-700">
+                OIDC
+              </span>
+              <% if app_claim&.custom_claims&.any? %>
+                <span class="text-xs px-2 py-1 rounded-full bg-amber-100 text-amber-700">
+                  <%= app_claim.custom_claims.keys.count %> claim(s)
+                </span>
+              <% end %>
+            </div>
+            <svg class="h-5 w-5 text-gray-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 9l-7 7-7-7" />
+            </svg>
+          </summary>
+
+          <div class="p-4 space-y-4">
+            <%= form_with url: update_application_claims_admin_user_path(user), method: :post, class: "space-y-4", data: { controller: "json-validator" } do |form| %>
+              <%= hidden_field_tag :application_id, app.id %>
+
+              <div>
+                <label class="block text-sm font-medium text-gray-700 mb-2">Custom Claims (JSON)</label>
+                <%= text_area_tag :custom_claims,
+                    (app_claim&.custom_claims.present? ? JSON.pretty_generate(app_claim.custom_claims) : ""),
+                    rows: 8,
+                    class: "w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono",
+                    placeholder: '{"kavita_groups": ["admin"], "library_access": "all"}',
+                    data: {
+                      action: "input->json-validator#validate blur->json-validator#format",
+                      json_validator_target: "textarea"
+                    } %>
+                <div class="mt-2 space-y-1">
+                  <p class="text-xs text-gray-600">
+                    Example for <%= app.name %>: Add claims that this app specifically needs to read.
+                  </p>
+                  <p class="text-xs text-amber-600">
+                    <strong>Note:</strong> Do not use reserved claim names (<code class="bg-amber-50 px-1 rounded">groups</code>, <code class="bg-amber-50 px-1 rounded">email</code>, <code class="bg-amber-50 px-1 rounded">name</code>, etc.). Use app-specific names like <code class="bg-amber-50 px-1 rounded">kavita_groups</code> instead.
+                  </p>
+                  <div data-json-validator-target="status" class="text-xs font-medium"></div>
+                </div>
+              </div>
+
+              <div class="flex gap-3">
+                <%= button_tag type: :submit, class: "rounded-md bg-blue-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-blue-500" do %>
+                  <%= app_claim ? "Update" : "Add" %> Claims
+                <% end %>
+
+                <% if app_claim %>
+                  <%= button_to "Remove Override",
+                      delete_application_claims_admin_user_path(user, application_id: app.id),
+                      method: :delete,
+                      data: { turbo_confirm: "Remove app-specific claims for #{app.name}?" },
+                      class: "rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
+                <% end %>
+              </div>
+            <% end %>
+
+            <!-- Preview merged claims -->
+            <div class="mt-4 border-t pt-4">
+              <h4 class="text-sm font-medium text-gray-700 mb-2">Preview: Final ID Token Claims for <%= app.name %></h4>
+              <div class="bg-gray-50 rounded-lg p-3">
+                <pre class="text-xs font-mono text-gray-800 overflow-x-auto"><%= JSON.pretty_generate(preview_user_claims(user, app)) %></pre>
+              </div>
+
+              <details class="mt-2">
+                <summary class="cursor-pointer text-xs text-gray-600 hover:text-gray-900">Show claim sources</summary>
+                <div class="mt-2 space-y-1">
+                  <% claim_sources(user, app).each do |source| %>
+                    <div class="flex gap-2 items-start text-xs">
+                      <span class="px-2 py-1 rounded <%= source[:type] == :group ? 'bg-blue-100 text-blue-700' : (source[:type] == :user ? 'bg-green-100 text-green-700' : 'bg-amber-100 text-amber-700') %>">
+                        <%= source[:name] %>
+                      </span>
+                      <code class="text-gray-700"><%= source[:claims].to_json %></code>
+                    </div>
+                  <% end %>
+                </div>
+              </details>
+            </div>
+          </div>
+        </details>
+      <% end %>
+    </div>
+  </div>
+<% end %>
+
+<!-- ForwardAuth Apps: Headers Preview -->
+<% if forward_auth_apps.any? %>
+  <div class="mt-12 border-t pt-8">
+    <h2 class="text-xl font-semibold text-gray-900 mb-4">ForwardAuth Headers Preview</h2>
+    <p class="text-sm text-gray-600 mb-6">
+      ForwardAuth applications receive HTTP headers (not OIDC tokens). Headers are based on user's email, name, groups, and admin status.
+    </p>
+
+    <div class="space-y-6">
+      <% forward_auth_apps.each do |app| %>
+        <details class="border rounded-lg">
+          <summary class="cursor-pointer bg-gray-50 px-4 py-3 hover:bg-gray-100 rounded-t-lg flex items-center justify-between">
+            <div class="flex items-center gap-3">
+              <span class="font-medium text-gray-900"><%= app.name %></span>
+              <span class="text-xs px-2 py-1 rounded-full bg-green-100 text-green-700">
+                FORWARD AUTH
+              </span>
+              <span class="text-xs text-gray-500">
+                <%= app.domain_pattern %>
+              </span>
+            </div>
+            <svg class="h-5 w-5 text-gray-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 9l-7 7-7-7" />
+            </svg>
+          </summary>
+
+          <div class="p-4 space-y-4">
+            <div class="bg-blue-50 border border-blue-200 rounded-lg p-3">
+              <div class="flex items-start">
+                <svg class="h-5 w-5 text-blue-400 mr-2 flex-shrink-0 mt-0.5" fill="currentColor" viewBox="0 0 20 20">
+                  <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd" />
+                </svg>
+              </div>
+            </div>
+
+            <div>
+              <h4 class="text-sm font-medium text-gray-700 mb-2">Headers Sent to <%= app.name %></h4>
+              <div class="bg-gray-50 rounded-lg p-3 border">
+                <% headers = app.headers_for_user(user) %>
+                <% if headers.any? %>
+                  <dl class="space-y-2 text-xs font-mono">
+                    <% headers.each do |header_name, value| %>
+                      <div class="flex">
+                        <dt class="text-blue-600 font-semibold w-48"><%= header_name %>:</dt>
+                        <dd class="text-gray-800 flex-1"><%= value %></dd>
+                      </div>
+                    <% end %>
+                  </dl>
+                <% else %>
+                  <p class="text-xs text-gray-500 italic">All headers disabled for this application.</p>
+                <% end %>
+              </div>
+              <p class="mt-2 text-xs text-gray-500">
+                These headers are configured in the application settings and sent by your reverse proxy (Caddy/Traefik) to the upstream application.
+              </p>
+            </div>
+
+            <% if user.groups.any? %>
+              <div>
+                <h4 class="text-sm font-medium text-gray-700 mb-2">User's Groups</h4>
+                <div class="flex flex-wrap gap-2">
+                  <% user.groups.each do |group| %>
+                    <span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-blue-100 text-blue-800">
+                      <%= group.name %>
+                    </span>
+                  <% end %>
+                </div>
+              </div>
+            <% end %>
+          </div>
+        </details>
+      <% end %>
+    </div>
+  </div>
+<% end %>
+
+<% if oidc_apps.empty? && forward_auth_apps.empty? %>
+  <div class="mt-12 border-t pt-8">
+    <div class="text-center py-12 bg-gray-50 rounded-lg">
+      <p class="text-gray-500">No active applications found.</p>
+      <p class="text-sm text-gray-400 mt-1">Create applications in the Admin panel first.</p>
+    </div>
+  </div>
+<% end %>
--- a/app/views/admin/users/_form.html.erb
+++ b/app/views/admin/users/_form.html.erb
@@ -1,28 +1,23 @@
-<%= form_with(model: [:admin, user], class: "space-y-6") do |form| %>
-  <% if user.errors.any? %>
-    <div class="rounded-md bg-red-50 p-4">
-      <div class="flex">
-        <div class="ml-3">
-          <h3 class="text-sm font-medium text-red-800">
-            <%= pluralize(user.errors.count, "error") %> prohibited this user from being saved:
-          </h3>
-          <div class="mt-2 text-sm text-red-700">
-            <ul class="list-disc pl-5 space-y-1">
-              <% user.errors.full_messages.each do |message| %>
-                <li><%= message %></li>
-              <% end %>
-            </ul>
-          </div>
-        </div>
-      </div>
-    </div>
-  <% end %>
+<%= form_with(model: [:admin, user], class: "space-y-6", data: { controller: "form-errors" }) do |form| %>
+  <%= render "shared/form_errors", form: form %>

  <div>
    <%= form.label :email_address, class: "block text-sm font-medium text-gray-700" %>
    <%= form.email_field :email_address, required: true, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "user@example.com" %>
  </div>

+  <div>
+    <%= form.label :username, "Username (Optional)", class: "block text-sm font-medium text-gray-700" %>
+    <%= form.text_field :username, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "jsmith" %>
+    <p class="mt-1 text-sm text-gray-500">Optional: Short username/handle for login. Can only contain letters, numbers, underscores, and hyphens.</p>
+  </div>
+
+  <div>
+    <%= form.label :name, "Display Name (Optional)", class: "block text-sm font-medium text-gray-700" %>
+    <%= form.text_field :name, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "John Smith" %>
+    <p class="mt-1 text-sm text-gray-500">Optional: Full name shown in applications. Defaults to email address if not set.</p>
+  </div>
+
  <div>
    <%= form.label :password, class: "block text-sm font-medium text-gray-700" %>
    <%= form.password_field :password, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: user.persisted? ? "Leave blank to keep current password" : "Enter password" %>
@@ -46,6 +41,46 @@
    <% end %>
  </div>

+  <div>
+    <div class="flex items-center">
+      <%= form.check_box :totp_required, class: "h-4 w-4 rounded border-gray-300 text-blue-600 focus:ring-blue-500" %>
+      <%= form.label :totp_required, "Require Two-Factor Authentication", class: "ml-2 block text-sm text-gray-900" %>
+      <% if user.totp_required? && !user.totp_enabled? %>
+        <span class="ml-2 text-xs text-amber-600">(User has not set up 2FA yet)</span>
+      <% end %>
+    </div>
+    <% if user.totp_required? && !user.totp_enabled? %>
+      <p class="mt-1 text-sm text-amber-600">
+        <svg class="inline h-4 w-4" fill="currentColor" viewBox="0 0 20 20">
+          <path fill-rule="evenodd" d="M8.485 2.495c.673-1.167 2.357-1.167 3.03 0l6.28 10.875c.673 1.167-.17 2.625-1.516 2.625H3.72c-1.347 0-2.189-1.458-1.515-2.625L8.485 2.495zM10 5a.75.75 0 01.75.75v3.5a.75.75 0 01-1.5 0v-3.5A.75.75 0 0110 5zm0 9a1 1 0 100-2 1 1 0 000 2z" clip-rule="evenodd" />
+        </svg>
+        Warning: This user will be prompted to set up 2FA on their next login.
+      </p>
+    <% end %>
+    <p class="mt-1 text-sm text-gray-500">When enabled, this user must use two-factor authentication to sign in.</p>
+  </div>
+
+  <div data-controller="json-validator" data-json-validator-valid-class="border-green-500 focus:border-green-500 focus:ring-green-500" data-json-validator-invalid-class="border-red-500 focus:border-red-500 focus:ring-red-500" data-json-validator-valid-status-class="text-green-600" data-json-validator-invalid-status-class="text-red-600">
+    <%= form.label :custom_claims, "Custom Claims (JSON)", class: "block text-sm font-medium text-gray-700" %>
+    <%= form.text_area :custom_claims, value: (user.custom_claims.present? ? JSON.pretty_generate(user.custom_claims) : ""), rows: 8,
+        class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono",
+        placeholder: '{"department": "engineering", "level": "senior"}',
+        data: {
+          action: "input->json-validator#validate blur->json-validator#format",
+          json_validator_target: "textarea"
+        } %>
+    <div class="mt-2 text-sm text-gray-600 space-y-1">
+      <div class="flex items-center justify-between">
+        <p>Optional: User-specific custom claims to add to OIDC tokens. These override group-level claims.</p>
+        <div class="flex items-center gap-2">
+          <button type="button" data-action="json-validator#format" class="text-xs bg-gray-100 hover:bg-gray-200 px-2 py-1 rounded">Format JSON</button>
+          <button type="button" data-action="json-validator#insertSample" data-json-sample='{"department": "engineering", "level": "senior", "location": "remote"}' class="text-xs bg-blue-100 hover:bg-blue-200 text-blue-700 px-2 py-1 rounded">Insert Example</button>
+        </div>
+      </div>
+      <div data-json-validator-target="status" class="text-xs font-medium"></div>
+    </div>
+  </div>
+
  <div class="flex gap-3">
    <%= form.submit user.persisted? ? "Update User" : "Create User", class: "rounded-md bg-blue-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-blue-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-blue-600" %>
    <%= link_to "Cancel", admin_users_path, class: "rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
--- a/app/views/admin/users/edit.html.erb
+++ b/app/views/admin/users/edit.html.erb
@@ -1,5 +1,12 @@
-<div class="max-w-2xl">
+<div class="max-w-4xl">
  <h1 class="text-2xl font-semibold text-gray-900 mb-6">Edit User</h1>
  <p class="text-sm text-gray-600 mb-6">Editing: <%= @user.email_address %></p>
-  <%= render "form", user: @user %>
+
+  <div class="max-w-2xl">
+    <%= render "form", user: @user %>
+  </div>
+
+  <% if @user.persisted? %>
+    <%= render "application_claims", user: @user, applications: @applications %>
+  <% end %>
 </div>
--- a/app/views/admin/users/index.html.erb
+++ b/app/views/admin/users/index.html.erb
@@ -8,6 +8,39 @@
  </div>
 </div>

+<% unless smtp_configured? %>
+  <div class="mt-6 rounded-md bg-yellow-50 p-4">
+    <div class="flex">
+      <div class="flex-shrink-0">
+        <svg class="h-5 w-5 text-yellow-400" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
+          <path fill-rule="evenodd" d="M8.485 2.495c.673-1.167 2.357-1.167 3.03 0l6.28 10.875c.673 1.167-.17 2.625-1.516 2.625H3.72c-1.347 0-2.189-1.458-1.515-2.625L8.485 2.495zM10 5a.75.75 0 01.75.75v3.5a.75.75 0 01-1.5 0v-3.5A.75.75 0 0110 5zm0 9a1 1 0 100-2 1 1 0 000 2z" clip-rule="evenodd" />
+        </svg>
+      </div>
+      <div class="ml-3">
+        <h3 class="text-sm font-medium text-yellow-800">
+          Email delivery not configured
+        </h3>
+        <div class="mt-2 text-sm text-yellow-700">
+          <p>
+            <% if Rails.env.development? %>
+              Emails are being delivered using <span class="font-mono"><%= email_delivery_method %></span> and will open in your browser.
+            <% else %>
+              SMTP settings are not configured. Invitation emails and other notifications will not be sent.
+            <% end %>
+          </p>
+          <p class="mt-1">
+            <% if Rails.env.development? %>
+              To configure SMTP for production, set environment variables like <span class="font-mono">SMTP_ADDRESS</span>, <span class="font-mono">SMTP_PORT</span>, <span class="font-mono">SMTP_USERNAME</span>, etc.
+            <% else %>
+              Configure SMTP settings by setting environment variables: <span class="font-mono">SMTP_ADDRESS</span>, <span class="font-mono">SMTP_PORT</span>, <span class="font-mono">SMTP_USERNAME</span>, <span class="font-mono">SMTP_PASSWORD</span>, etc.
+            <% end %>
+          </p>
+        </div>
+      </div>
+    </div>
+  </div>
+<% end %>
+
 <div class="mt-8 flow-root">
  <div class="-mx-4 -my-2 overflow-x-auto sm:-mx-6 lg:-mx-8">
    <div class="inline-block min-w-full py-2 align-middle sm:px-6 lg:px-8">
@@ -52,22 +85,36 @@
                <% end %>
              </td>
              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
-                <% if user.totp_enabled? %>
-                  <svg class="h-5 w-5 text-green-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
-                  </svg>
-                <% else %>
-                  <svg class="h-5 w-5 text-gray-300" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
-                  </svg>
-                <% end %>
+                <div class="flex items-center gap-2">
+                  <% if user.totp_enabled? %>
+                    <svg class="h-5 w-5 text-green-500" fill="none" stroke="currentColor" viewBox="0 0 24 24" title="2FA Enabled">
+                      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
+                    </svg>
+                  <% else %>
+                    <svg class="h-5 w-5 text-gray-300" fill="none" stroke="currentColor" viewBox="0 0 24 24" title="2FA Not Enabled">
+                      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
+                    </svg>
+                  <% end %>
+                  <% if user.totp_required? %>
+                    <span class="inline-flex items-center rounded-full bg-blue-100 px-2 py-1 text-xs font-medium text-blue-700" title="2FA Required by Admin">Required</span>
+                  <% end %>
+                </div>
              </td>
              <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
                <%= user.groups.count %>
              </td>
              <td class="relative whitespace-nowrap py-4 pl-3 pr-4 text-right text-sm font-medium sm:pr-0">
-                <%= link_to "Edit", edit_admin_user_path(user), class: "text-blue-600 hover:text-blue-900 mr-4" %>
-                <%= button_to "Delete", admin_user_path(user), method: :delete, data: { turbo_confirm: "Are you sure you want to delete this user?" }, class: "text-red-600 hover:text-red-900" %>
+                <div class="flex justify-end space-x-3">
+                  <% if user.pending_invitation? %>
+                    <%= link_to "Resend", resend_invitation_admin_user_path(user),
+                        data: { turbo_method: :post },
+                        class: "text-yellow-600 hover:text-yellow-900" %>
+                  <% end %>
+                  <%= link_to "Edit", edit_admin_user_path(user), class: "text-blue-600 hover:text-blue-900" %>
+                  <%= link_to "Delete", admin_user_path(user),
+                      data: { turbo_method: :delete, turbo_confirm: "Are you sure you want to delete this user?" },
+                      class: "text-red-600 hover:text-red-900" %>
+                </div>
              </td>
            </tr>
          <% end %>
--- a/app/views/dashboard/index.html.erb
+++ b/app/views/dashboard/index.html.erb
@@ -93,6 +93,82 @@
  <% end %>
 </div>

+<!-- Your Applications Section -->
+<div class="mt-8">
+  <h2 class="text-xl font-semibold text-gray-900 mb-4">Your Applications</h2>
+
+  <% if @applications.any? %>
+    <div class="grid grid-cols-1 gap-4 sm:grid-cols-2 lg:grid-cols-3">
+      <% @applications.each do |app| %>
+        <div class="bg-white rounded-lg border border-gray-200 shadow-sm hover:shadow-md transition">
+          <div class="p-6">
+            <div class="flex items-start gap-3 mb-4">
+              <% if app.icon.attached? %>
+                <%= image_tag app.icon, class: "h-12 w-12 rounded-lg object-cover border border-gray-200 shrink-0", alt: "#{app.name} icon" %>
+              <% else %>
+                <div class="h-12 w-12 rounded-lg bg-gray-100 border border-gray-200 flex items-center justify-center shrink-0">
+                  <svg class="h-6 w-6 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
+                  </svg>
+                </div>
+              <% end %>
+              <div class="flex-1 min-w-0">
+                <div class="flex items-start justify-between">
+                  <h3 class="text-lg font-semibold text-gray-900 truncate">
+                    <%= app.name %>
+                  </h3>
+                  <span class="ml-2 inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium shrink-0
+                    <% if app.oidc? %>
+                      bg-blue-100 text-blue-800
+                    <% else %>
+                      bg-green-100 text-green-800
+                    <% end %>">
+                    <%= app.app_type.humanize %>
+                  </span>
+                </div>
+                <% if app.description.present? %>
+                  <p class="text-sm text-gray-600 mt-1 line-clamp-2">
+                    <%= app.description %>
+                  </p>
+                <% end %>
+              </div>
+            </div>
+
+            <div class="space-y-2">
+              <% if app.landing_url.present? %>
+                <%= link_to "Open Application", app.landing_url,
+                    target: "_blank",
+                    rel: "noopener noreferrer",
+                    class: "w-full flex justify-center items-center px-4 py-2 border border-transparent text-sm font-medium rounded-md text-white bg-blue-600 hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500 transition" %>
+              <% else %>
+                <div class="text-sm text-gray-500 italic">
+                  No landing URL configured
+                </div>
+              <% end %>
+
+              <% if app.user_has_active_session?(@user) %>
+                <%= button_to "Logout", logout_from_app_active_sessions_path(application_id: app.id), method: :delete,
+                    class: "w-full flex justify-center items-center px-4 py-2 border border-orange-300 text-sm font-medium rounded-md text-orange-700 bg-white hover:bg-orange-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-orange-500 transition",
+                    form: { data: { turbo_confirm: "This will log you out of #{app.name}. You can sign back in without re-authorizing. Continue?" } } %>
+              <% end %>
+            </div>
+          </div>
+        </div>
+      <% end %>
+    </div>
+  <% else %>
+    <div class="bg-gray-50 rounded-lg border border-gray-200 p-8 text-center">
+      <svg class="mx-auto h-12 w-12 text-gray-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 11H5m14 0a2 2 0 012 2v6a2 2 0 01-2 2H5a2 2 0 01-2-2v-6a2 2 0 012-2m14 0V9a2 2 0 00-2-2M5 11V9a2 2 0 012-2m0 0V5a2 2 0 012-2h6a2 2 0 012 2v2M7 7h10"></path>
+      </svg>
+      <h3 class="mt-4 text-lg font-medium text-gray-900">No applications available</h3>
+      <p class="mt-2 text-sm text-gray-500">
+        You don't have access to any applications yet. Contact your administrator if you think this is an error.
+      </p>
+    </div>
+  <% end %>
+</div>
+
 <% if @user.admin? %>
  <div class="mt-8">
    <h2 class="text-xl font-semibold text-gray-900 mb-4">Admin Quick Actions</h2>
--- a/app/views/invitations/show.html.erb
+++ b/app/views/invitations/show.html.erb
@@ -0,0 +1,22 @@
+<div class="mx-auto md:w-2/3 w-full">
+  <% if alert = flash[:alert] %>
+    <p class="py-2 px-3 bg-red-50 mb-5 text-red-500 font-medium rounded-lg inline-block" id="alert"><%= alert %></p>
+  <% end %>
+
+  <h1 class="font-bold text-4xl">Welcome to Clinch!</h1>
+  <p class="mt-2 text-gray-600">You've been invited to join Clinch. Please create your password to complete your account setup.</p>
+
+  <%= form_with url: invitation_path(params[:token]), method: :put, class: "contents" do |form| %>
+    <div class="my-5">
+      <%= form.password_field :password, required: true, autocomplete: "new-password", placeholder: "Enter your password", maxlength: 72, class: "block shadow-sm rounded-md border border-gray-400 focus:outline-solid focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
+    </div>
+
+    <div class="my-5">
+      <%= form.password_field :password_confirmation, required: true, autocomplete: "new-password", placeholder: "Confirm your password", maxlength: 72, class: "block shadow-sm rounded-md border border-gray-400 focus:outline-solid focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
+    </div>
+
+    <div class="inline">
+      <%= form.submit "Create Account", class: "w-full sm:w-auto text-center rounded-md px-3.5 py-2.5 bg-blue-600 hover:bg-blue-500 text-white inline-block font-medium cursor-pointer" %>
+    </div>
+  <% end %>
+</div>
--- a/app/views/invitations_mailer/invite_user.html.erb
+++ b/app/views/invitations_mailer/invite_user.html.erb
@@ -0,0 +1,12 @@
+<p>
+  You've been invited to join Clinch! To set up your account and create your password, please visit
+  <%= link_to "this invitation page", invitation_url(@user.generate_token_for(:invitation_login)) %>.
+</p>
+
+<p>
+  This invitation link will expire in 24 hours.
+</p>
+
+<p>
+  If you didn't expect this invitation, you can safely ignore this email.
+</p>
--- a/app/views/invitations_mailer/invite_user.text.erb
+++ b/app/views/invitations_mailer/invite_user.text.erb
@@ -0,0 +1,8 @@
+You've been invited to join Clinch!
+
+To set up your account and create your password, please visit:
+#{invite_url(@user.invitation_login_token)}
+
+This invitation link will expire in #{distance_of_time_in_words(0, @user.invitation_login_token_expires_in)}.
+
+If you didn't expect this invitation, you can safely ignore this email.
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -25,50 +25,37 @@

  <body>
    <% if authenticated? %>
-      <%= render "shared/sidebar" %>
-      <div class="lg:pl-64">
-        <!-- Mobile menu button -->
-        <div class="sticky top-0 z-40 flex h-16 shrink-0 items-center gap-x-4 border-b border-gray-200 bg-white px-4 shadow-sm sm:gap-x-6 sm:px-6 lg:hidden">
-          <button type="button" class="-m-2.5 p-2.5 text-gray-700" id="mobile-menu-button">
-            <span class="sr-only">Open sidebar</span>
-            <svg class="h-6 w-6" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
-              <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6.75h16.5M3.75 12h16.5m-16.5 5.25h16.5" />
-            </svg>
-          </button>
-        </div>
-
-        <main class="py-10">
-          <div class="px-4 sm:px-6 lg:px-8">
-            <%= render "shared/flash" %>
-            <%= yield %>
+      <div data-controller="mobile-sidebar">
+        <%= render "shared/sidebar" %>
+        <div class="lg:pl-64">
+          <!-- Mobile menu button -->
+          <div class="sticky top-0 z-40 flex h-16 shrink-0 items-center gap-x-4 border-b border-gray-200 bg-white px-4 shadow-sm sm:gap-x-6 sm:px-6 lg:hidden">
+            <button type="button"
+                    class="-m-2.5 p-2.5 text-gray-700"
+                    id="mobile-menu-button"
+                    data-action="click->mobile-sidebar#openSidebar">
+              <span class="sr-only">Open sidebar</span>
+              <svg class="h-6 w-6" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+                <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6.75h16.5M3.75 12h16.5m-16.5 5.25h16.5" />
+              </svg>
+            </button>
          </div>
-        </main>
+
+          <main class="py-10">
+            <div class="px-4 sm:px-6 lg:px-8">
+              <%= render "shared/flash" %>
+              <%= yield %>
+            </div>
+          </main>
+        </div>
      </div>
    <% else %>
      <!-- Public layout (signup/signin) -->
-      <main class="container mx-auto mt-28 px-5 flex">
+      <main class="container mx-auto mt-28 px-5">
        <%= render "shared/flash" %>
        <%= yield %>
      </main>
    <% end %>

-    <script>
-      // Mobile sidebar toggle
-      const mobileMenuButton = document.getElementById('mobile-menu-button');
-      const mobileMenuClose = document.getElementById('mobile-menu-close');
-      const mobileSidebarOverlay = document.getElementById('mobile-sidebar-overlay');
-
-      if (mobileMenuButton) {
-        mobileMenuButton.addEventListener('click', () => {
-          mobileSidebarOverlay?.classList.remove('hidden');
-        });
-      }
-
-      if (mobileMenuClose) {
-        mobileMenuClose.addEventListener('click', () => {
-          mobileSidebarOverlay?.classList.add('hidden');
-        });
-      }
-    </script>
  </body>
 </html>
--- a/app/views/oidc/consent.html.erb
+++ b/app/views/oidc/consent.html.erb
@@ -1,6 +1,15 @@
 <div class="mx-auto max-w-md">
  <div class="bg-white py-8 px-6 shadow rounded-lg sm:px-10">
-    <div class="mb-8">
+    <div class="mb-8 text-center">
+      <% if @application.icon.attached? %>
+        <%= image_tag @application.icon, class: "mx-auto h-20 w-20 rounded-xl object-cover border-2 border-gray-200 shadow-sm mb-4", alt: "#{@application.name} icon" %>
+      <% else %>
+        <div class="mx-auto h-20 w-20 rounded-xl bg-gray-100 border-2 border-gray-200 flex items-center justify-center mb-4">
+          <svg class="h-10 w-10 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
+          </svg>
+        </div>
+      <% end %>
      <h2 class="text-2xl font-bold text-gray-900">Authorize Application</h2>
      <p class="mt-2 text-sm text-gray-600">
        <strong><%= @application.name %></strong> is requesting access to your account.
@@ -57,7 +66,7 @@
      </div>
    </div>

-    <%= form_with url: oauth_consent_path, method: :post, class: "space-y-3" do |form| %>
+    <%= form_with url: "/oauth/authorize/consent", method: :post, class: "space-y-3", data: { turbo: false }, local: true do |form| %>
      <%= form.submit "Authorize",
          class: "w-full flex justify-center py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-blue-600 hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500" %>

--- a/app/views/passwords/new.html.erb
+++ b/app/views/passwords/new.html.erb
@@ -5,7 +5,7 @@

  <h1 class="font-bold text-4xl">Forgot your password?</h1>

-  <%= form_with url: passwords_path, class: "contents" do |form| %>
+  <%= form_with url: passwords_path, class: "contents", data: { controller: "form-errors" } do |form| %>
    <div class="my-5">
      <%= form.email_field :email_address, required: true, autofocus: true, autocomplete: "username", placeholder: "Enter your email address", value: params[:email_address], class: "block shadow-sm rounded-md border border-gray-400 focus:outline-solid focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
    </div>
--- a/app/views/profiles/show.html.erb
+++ b/app/views/profiles/show.html.erb
@@ -1,7 +1,7 @@
-<div class="space-y-8">
+<div class="space-y-8" data-controller="modal">
  <div>
-    <h1 class="text-3xl font-bold text-gray-900">Profile & Settings</h1>
-    <p class="mt-2 text-sm text-gray-600">Manage your account settings and security preferences.</p>
+    <h1 class="text-3xl font-bold text-gray-900">Account Security</h1>
+    <p class="mt-2 text-sm text-gray-600">Manage your account settings, active sessions, and connected applications.</p>
  </div>

  <!-- Account Information -->
@@ -31,6 +31,15 @@
                class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
          </div>

+          <div>
+            <%= form.label :current_password, "Current Password", class: "block text-sm font-medium text-gray-700" %>
+            <%= form.password_field :current_password,
+                autocomplete: "current-password",
+                placeholder: "Required to change email",
+                class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
+            <p class="mt-1 text-sm text-gray-500">Enter your current password to confirm this change</p>
+          </div>
+
          <div>
            <%= form.submit "Update Email", class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
          </div>
@@ -98,17 +107,52 @@
                <p class="text-sm font-medium text-green-800">
                  Two-factor authentication is enabled
                </p>
+                <% if @user.totp_required? %>
+                  <p class="mt-1 text-sm text-green-700">
+                    <svg class="inline h-4 w-4" fill="currentColor" viewBox="0 0 20 20">
+                      <path fill-rule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clip-rule="evenodd" />
+                    </svg>
+                    Required by administrator
+                  </p>
+                <% end %>
              </div>
            </div>
          </div>
-          <div class="mt-4 flex gap-3">
-            <button type="button" onclick="showDisable2FAModal()" class="inline-flex items-center rounded-md border border-red-300 bg-white px-4 py-2 text-sm font-medium text-red-700 shadow-sm hover:bg-red-50 focus:outline-none focus:ring-2 focus:ring-red-500 focus:ring-offset-2">
-              Disable 2FA
-            </button>
-            <button type="button" onclick="showViewBackupCodesModal()" class="inline-flex items-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
-              View Backup Codes
-            </button>
-          </div>
+          <% if @user.totp_required? %>
+            <div class="mt-4 rounded-md bg-blue-50 p-4">
+              <div class="flex">
+                <svg class="h-5 w-5 text-blue-400 mr-2 flex-shrink-0" viewBox="0 0 20 20" fill="currentColor">
+                  <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd" />
+                </svg>
+                <p class="text-sm text-blue-800">
+                  Your administrator requires two-factor authentication. You cannot disable it.
+                </p>
+              </div>
+            </div>
+            <div class="mt-4 flex gap-3">
+              <button type="button"
+                      data-action="click->modal#show"
+                      data-modal-id="view-backup-codes-modal"
+                      class="inline-flex items-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
+                View Backup Codes
+              </button>
+            </div>
+          <% else %>
+            <div class="mt-4 flex gap-3">
+              <button type="button"
+                      data-action="click->modal#show"
+                      data-modal-id="disable-2fa-modal"
+                      class="inline-flex items-center rounded-md border border-red-300 bg-white px-4 py-2 text-sm font-medium text-red-700 shadow-sm hover:bg-red-50 focus:outline-none focus:ring-2 focus:ring-red-500 focus:ring-offset-2">
+                Disable 2FA
+              </button>
+              <button type="button"
+                      data-action="click->modal#show"
+                      data-modal-id="view-backup-codes-modal"
+                      class="inline-flex items-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
+                View Backup Codes
+              </button>
+            </div>
+          <% end %>
        <% else %>
          <%= link_to new_totp_path, class: "inline-flex items-center rounded-md border border-transparent bg-blue-600 px-4 py-2 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" do %>
            Enable 2FA
@@ -119,7 +163,9 @@
  </div>

  <!-- Disable 2FA Modal -->
-  <div id="disable-2fa-modal" class="hidden fixed inset-0 bg-gray-500 bg-opacity-75 flex items-center justify-center z-50">
+  <div id="disable-2fa-modal"
+       data-action="click->modal#closeOnBackdrop keyup@window->modal#closeOnEscape"
+       class="hidden fixed inset-0 bg-gray-500 bg-opacity-75 flex items-center justify-center z-50">
    <div class="bg-white rounded-lg px-4 pt-5 pb-4 shadow-xl max-w-md w-full">
      <div class="sm:flex sm:items-start">
        <div class="mx-auto flex h-12 w-12 flex-shrink-0 items-center justify-center rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
@@ -143,7 +189,9 @@
            <div class="mt-4 flex gap-3">
              <%= form.submit "Disable 2FA",
                  class: "inline-flex justify-center rounded-md border border-transparent bg-red-600 px-4 py-2 text-sm font-medium text-white shadow-sm hover:bg-red-700 focus:outline-none focus:ring-2 focus:ring-red-500 focus:ring-offset-2" %>
-              <button type="button" onclick="hideDisable2FAModal()" class="inline-flex justify-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
+              <button type="button"
+                      data-action="click->modal#hide"
+                      class="inline-flex justify-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
                Cancel
              </button>
            </div>
@@ -153,15 +201,27 @@
    </div>
  </div>

-  <!-- View Backup Codes Modal -->
-  <div id="view-backup-codes-modal" class="hidden fixed inset-0 bg-gray-500 bg-opacity-75 flex items-center justify-center z-50">
+  <!-- Regenerate Backup Codes Modal -->
+  <div id="view-backup-codes-modal"
+       data-action="click->modal#closeOnBackdrop keyup@window->modal#closeOnEscape"
+       class="hidden fixed inset-0 bg-gray-500 bg-opacity-75 flex items-center justify-center z-50">
    <div class="bg-white rounded-lg px-4 pt-5 pb-4 shadow-xl max-w-md w-full">
      <div>
-        <h3 class="text-lg font-medium leading-6 text-gray-900">View Backup Codes</h3>
+        <h3 class="text-lg font-medium leading-6 text-gray-900">Generate New Backup Codes</h3>
        <div class="mt-2">
-          <p class="text-sm text-gray-500">Enter your password to view your backup codes.</p>
+          <p class="text-sm text-gray-500">Due to security improvements, you need to generate new backup codes. Your old codes have been invalidated.</p>
        </div>
-        <%= form_with url: verify_password_totp_path, method: :post, class: "mt-4" do |form| %>
+        <div class="mt-3 p-3 bg-yellow-50 rounded-md">
+          <div class="flex">
+            <svg class="h-5 w-5 text-yellow-400 mr-2 flex-shrink-0" viewBox="0 0 20 20" fill="currentColor">
+              <path fill-rule="evenodd" d="M8.485 2.495c.673-1.167 2.357-1.167 3.03 0l6.28 10.875c.673 1.167-.17 2.625-1.516 2.625H3.72c-1.347 0-2.189-1.458-1.515-2.625L8.485 2.495zM10 5a.75.75 0 01.75.75v3.5a.75.75 0 01-1.5 0v-3.5A.75.75 0 0110 5zm0 9a1 1 0 100-2 1 1 0 000 2z" clip-rule="evenodd" />
+            </svg>
+            <p class="text-sm text-yellow-800">
+              <strong>Important:</strong> Save the new codes immediately after generation. You won't be able to see them again without regenerating.
+            </p>
+          </div>
+        </div>
+        <%= form_with url: create_new_backup_codes_totp_path, method: :post, class: "mt-4" do |form| %>
          <div>
            <%= password_field_tag :password, nil,
                placeholder: "Enter your password",
@@ -170,9 +230,11 @@
                class: "block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm" %>
          </div>
          <div class="mt-4 flex gap-3">
-            <%= form.submit "View Codes",
+            <%= form.submit "Generate New Codes",
                class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 px-4 py-2 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
-            <button type="button" onclick="hideViewBackupCodesModal()" class="inline-flex justify-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
+            <button type="button"
+                    data-action="click->modal#hide"
+                    class="inline-flex justify-center rounded-md border border-gray-300 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
              Cancel
            </button>
          </div>
@@ -181,64 +243,123 @@
    </div>
  </div>

-  <script>
-    function showDisable2FAModal() {
-      document.getElementById('disable-2fa-modal').classList.remove('hidden');
-    }
-
-    function hideDisable2FAModal() {
-      document.getElementById('disable-2fa-modal').classList.add('hidden');
-    }
-
-    function showViewBackupCodesModal() {
-      document.getElementById('view-backup-codes-modal').classList.remove('hidden');
-    }
-
-    function hideViewBackupCodesModal() {
-      document.getElementById('view-backup-codes-modal').classList.add('hidden');
-    }
-  </script>
-
-  <!-- Active Sessions -->
+  <!-- Passkeys (WebAuthn) -->
  <div class="bg-white shadow sm:rounded-lg">
-    <div class="px-4 py-5 sm:p-6">
-      <h3 class="text-lg font-medium leading-6 text-gray-900">Active Sessions</h3>
+    <div class="px-4 py-5 sm:p-6" data-controller="webauthn" data-webauthn-challenge-url-value="/webauthn/challenge" data-webauthn-create-url-value="/webauthn/create">
+      <h3 class="text-lg font-medium leading-6 text-gray-900">Passkeys</h3>
      <div class="mt-2 max-w-xl text-sm text-gray-500">
-        <p>These devices are currently signed in to your account. Revoke any sessions that you don't recognize.</p>
+        <p>Use your fingerprint, face recognition, or security key to sign in without passwords.</p>
      </div>
+
+      <!-- Add Passkey Form -->
      <div class="mt-5">
-        <% if @active_sessions.any? %>
-          <ul role="list" class="divide-y divide-gray-200">
-            <% @active_sessions.each do |session| %>
-              <li class="py-4">
-                <div class="flex items-center justify-between">
-                  <div class="flex flex-col">
-                    <p class="text-sm font-medium text-gray-900">
-                      <%= session.device_name || "Unknown Device" %>
-                      <% if session.id == Current.session.id %>
-                        <span class="ml-2 inline-flex items-center rounded-full bg-green-100 px-2.5 py-0.5 text-xs font-medium text-green-800">
-                          This device
-                        </span>
-                      <% end %>
-                    </p>
-                    <p class="mt-1 text-sm text-gray-500">
-                      <%= session.ip_address %>
-                    </p>
-                    <p class="mt-1 text-xs text-gray-400">
-                      Last active <%= time_ago_in_words(session.last_activity_at || session.updated_at) %> ago
-                    </p>
+        <div id="add-passkey-form" class="space-y-4">
+          <div>
+            <label for="passkey-nickname" class="block text-sm font-medium text-gray-700">Passkey Name</label>
+            <input type="text"
+                   id="passkey-nickname"
+                   data-webauthn-target="nickname"
+                   placeholder="e.g., MacBook Touch ID, iPhone Face ID"
+                   class="mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm">
+            <p class="mt-1 text-sm text-gray-500">Give this passkey a memorable name so you can identify it later.</p>
+          </div>
+
+          <div>
+            <button type="button"
+                    data-action="click->webauthn#register"
+                    data-webauthn-target="submitButton"
+                    class="inline-flex items-center rounded-md border border-transparent bg-green-600 px-4 py-2 text-sm font-medium text-white shadow-sm hover:bg-green-700 focus:outline-none focus:ring-2 focus:ring-green-500 focus:ring-offset-2">
+              <svg class="w-4 h-4 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 4v16m8-8H4"></path>
+              </svg>
+              Add New Passkey
+            </button>
+          </div>
+
+          <!-- Status Messages -->
+          <div data-webauthn-target="status" class="hidden mt-2 p-3 rounded-md text-sm"></div>
+          <div data-webauthn-target="error" class="hidden mt-2 p-3 rounded-md text-sm"></div>
+        </div>
+      </div>
+
+      <!-- Existing Passkeys List -->
+      <div class="mt-8">
+        <h4 class="text-md font-medium text-gray-900 mb-4">Your Passkeys</h4>
+        <% if @user.webauthn_credentials.exists? %>
+          <div class="space-y-3">
+            <% @user.webauthn_credentials.order(created_at: :desc).each do |credential| %>
+              <div class="flex items-center justify-between p-4 bg-gray-50 rounded-lg">
+                <div class="flex items-center space-x-3">
+                  <div class="flex-shrink-0">
+                    <% if credential.platform_authenticator? %>
+                      <!-- Platform authenticator icon -->
+                      <svg class="w-6 h-6 text-blue-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z"></path>
+                      </svg>
+                    <% else %>
+                      <!-- Roaming authenticator icon -->
+                      <svg class="w-6 h-6 text-green-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 7a2 2 0 012 2m4 0a6 6 0 01-7.743 5.743L11 17H9v2H7v2H4a1 1 0 01-1-1v-2.586a1 1 0 01.293-.707l5.964-5.964A6 6 0 1121 9z"></path>
+                      </svg>
+                    <% end %>
                  </div>
-                  <% if session.id != Current.session.id %>
-                    <%= button_to "Revoke", session_path(session), method: :delete,
-                        class: "inline-flex items-center rounded-md border border-gray-300 bg-white px-3 py-2 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2",
-                        form: { data: { turbo_confirm: "Are you sure you want to revoke this session?" } } %>
+                  <div>
+                    <div class="text-sm font-medium text-gray-900">
+                      <%= credential.nickname %>
+                    </div>
+                    <div class="text-sm text-gray-500">
+                      <%= credential.authenticator_type.humanize %> •
+                      Last used <%= credential.last_used_ago %>
+                      <% if credential.backed_up? %>
+                        • <span class="text-green-600">Synced</span>
+                      <% end %>
+                    </div>
+                  </div>
+                </div>
+                <div class="flex items-center space-x-2">
+                  <% if credential.created_recently? %>
+                    <span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-green-100 text-green-800">
+                      New
+                    </span>
+                  <% end %>
+                  <%= link_to webauthn_credential_path(credential),
+                              method: :delete,
+                              data: {
+                                confirm: "Are you sure you want to delete '#{credential.nickname}'? You'll need to set it up again to sign in with this device.",
+                                turbo_method: :delete
+                              },
+                              class: "text-red-600 hover:text-red-800 text-sm font-medium" do %>
+                    <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16"></path>
+                    </svg>
                  <% end %>
                </div>
-              </li>
+              </div>
            <% end %>
-          </ul>
+          </div>
+
+          <div class="mt-4 p-3 bg-blue-50 rounded-lg">
+            <div class="flex">
+              <div class="flex-shrink-0">
+                <svg class="h-5 w-5 text-blue-400" viewBox="0 0 20 20" fill="currentColor">
+                  <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd" />
+                </svg>
+              </div>
+              <div class="ml-3">
+                <p class="text-sm text-blue-800">
+                  <strong>Tip:</strong> Add passkeys on multiple devices for easy access. Platform authenticators (like Touch ID) are synced across your devices if you use iCloud Keychain or Google Password Manager.
+                </p>
+              </div>
+            </div>
+          </div>
        <% else %>
-          <p class="text-sm text-gray-500">No other active sessions.</p>
+          <div class="text-center py-8">
+            <svg class="mx-auto h-12 w-12 text-gray-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 7a2 2 0 012 2m4 0a6 6 0 01-7.743 5.743L11 17H9v2H7v2H4a1 1 0 01-1-1v-2.586a1 1 0 01.293-.707l5.964-5.964A6 6 0 1121 9z"></path>
+            </svg>
+            <h3 class="mt-2 text-sm font-medium text-gray-900">No passkeys</h3>
+            <p class="mt-1 text-sm text-gray-500">Get started by adding your first passkey for passwordless sign-in.</p>
+          </div>
        <% end %>
      </div>
    </div>
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -1,9 +1,9 @@
-<div class="mx-auto md:w-2/3 w-full">
+<div class="mx-auto md:w-2/3 w-full" data-controller="webauthn login-form" data-webauthn-check-url-value="/webauthn/check">
  <div class="mb-8">
    <h1 class="font-bold text-4xl">Sign in to Clinch</h1>
  </div>

-  <%= form_with url: signin_path, class: "contents" do |form| %>
+  <%= form_with url: signin_path, class: "contents", data: { controller: "form-errors" } do |form| %>
    <%= hidden_field_tag :rd, params[:rd] if params[:rd].present? %>
    <div class="my-5">
      <%= form.label :email_address, "Email Address", class: "block font-medium text-sm text-gray-700" %>
@@ -12,27 +12,68 @@
          autofocus: true,
          autocomplete: "username",
          placeholder: "your@email.com",
-          value: params[:email_address],
+          value: @login_hint || params[:email_address],
+          data: { action: "blur->webauthn#checkWebAuthnSupport change->webauthn#checkWebAuthnSupport" },
          class: "block shadow-sm rounded-md border border-gray-400 focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
    </div>

-    <div class="my-5">
-      <%= form.label :password, class: "block font-medium text-sm text-gray-700" %>
-      <%= form.password_field :password,
-          required: true,
-          autocomplete: "current-password",
-          placeholder: "Enter your password",
-          maxlength: 72,
-          class: "block shadow-sm rounded-md border border-gray-400 focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
+    <!-- WebAuthn section - initially hidden -->
+    <div id="webauthn-section" data-login-form-target="webauthnSection" class="my-5 hidden">
+      <div class="bg-green-50 border border-green-200 rounded-lg p-4 mb-4">
+        <div class="flex items-center">
+          <svg class="w-5 h-5 text-green-600 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"></path>
+          </svg>
+          <p class="text-sm text-green-800">
+            <strong>Passkey detected!</strong> You can sign in without a password.
+          </p>
+        </div>
+      </div>
+
+      <button type="button"
+              data-action="click->webauthn#authenticate"
+              class="w-full rounded-md px-3.5 py-2.5 bg-green-600 hover:bg-green-500 text-white font-medium cursor-pointer flex items-center justify-center">
+        <svg class="w-5 h-5 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 7a2 2 0 012 2m4 0a6 6 0 01-7.743 5.743L11 17H9v2H7v2H4a1 1 0 01-1-1v-2.586a1 1 0 01.293-.707l5.964-5.964A6 6 0 1121 9z"></path>
+        </svg>
+        Continue with Passkey
+      </button>
    </div>

-    <div class="my-5">
-      <%= form.submit "Sign in",
-          class: "w-full rounded-md px-3.5 py-2.5 bg-blue-600 hover:bg-blue-500 text-white font-medium cursor-pointer" %>
+    <!-- Password section - shown by default, hidden if WebAuthn is required -->
+    <div id="password-section" data-login-form-target="passwordSection">
+      <div class="my-5">
+        <%= form.label :password, class: "block font-medium text-sm text-gray-700" %>
+        <%= form.password_field :password,
+            required: true,
+            autocomplete: "current-password",
+            placeholder: "Enter your password",
+            maxlength: 72,
+            class: "block shadow-sm rounded-md border border-gray-400 focus:outline-blue-600 px-3 py-2 mt-2 w-full" %>
+      </div>
+
+      <div class="my-5">
+        <%= form.submit "Sign in",
+            class: "w-full rounded-md px-3.5 py-2.5 bg-blue-600 hover:bg-blue-500 text-white font-medium cursor-pointer" %>
+      </div>
    </div>

    <div class="mt-4 text-sm text-gray-600 text-center">
      <%= link_to "Forgot your password?", new_password_path, class: "text-blue-600 hover:text-blue-500 underline" %>
    </div>
  <% end %>
+
+  <!-- Loading overlay -->
+  <div id="loading-overlay" data-login-form-target="loadingOverlay" class="hidden fixed inset-0 bg-gray-600 bg-opacity-50 flex items-center justify-center z-50">
+    <div class="bg-white rounded-lg p-6 flex items-center">
+      <svg class="animate-spin -ml-1 mr-3 h-5 w-5 text-blue-600" fill="none" viewBox="0 0 24 24">
+        <circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4"></circle>
+        <path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
+      </svg>
+      <span>Authenticating...</span>
+    </div>
+  </div>
+
+  <!-- Status messages -->
+  <div id="status-message" data-login-form-target="statusMessage" class="hidden mt-4 p-3 rounded-md"></div>
 </div>
--- a/app/views/sessions/verify_totp.html.erb
+++ b/app/views/sessions/verify_totp.html.erb
@@ -7,7 +7,10 @@
      </p>
    </div>

-    <%= form_with url: totp_verification_path, method: :post, class: "space-y-6" do |form| %>
+    <%= form_with url: totp_verification_path, method: :post, class: "space-y-6", data: {
+      controller: "form-submit-protection",
+      turbo: false
+    } do |form| %>
    <%= hidden_field_tag :rd, params[:rd] if params[:rd].present? %>
      <div>
        <%= label_tag :code, "Verification Code", class: "block text-sm font-medium text-gray-700" %>
@@ -26,6 +29,7 @@

      <div>
        <%= form.submit "Verify",
+            data: { form_submit_protection_target: "submit" },
            class: "w-full flex justify-center py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-blue-600 hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500" %>
      </div>
    <% end %>
--- a/app/views/shared/_flash.html.erb
+++ b/app/views/shared/_flash.html.erb
@@ -1,29 +1,75 @@
-<% if flash[:alert] %>
-  <div class="mb-4 rounded-lg bg-red-50 p-4" role="alert">
-    <div class="flex">
-      <div class="flex-shrink-0">
-        <svg class="h-5 w-5 text-red-400" viewBox="0 0 20 20" fill="currentColor">
-          <path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zM8.707 7.293a1 1 0 00-1.414 1.414L8.586 10l-1.293 1.293a1 1 0 101.414 1.414L10 11.414l1.293 1.293a1 1 0 001.414-1.414L11.414 10l1.293-1.293a1 1 0 00-1.414-1.414L10 8.586 8.707 7.293z" clip-rule="evenodd"/>
-        </svg>
-      </div>
-      <div class="ml-3">
-        <p class="text-sm font-medium text-red-800"><%= flash[:alert] %></p>
-      </div>
-    </div>
-  </div>
-<% end %>
+<%# Enhanced Flash Messages with Support for Multiple Types and Auto-Dismiss %>
+<% flash.each do |type, message| %>
+  <% next if message.blank? %>
+  <%# Skip credential-related flash messages - they're displayed in a special credentials box %>
+  <% next if %w[client_id client_secret public_client].include?(type.to_s) %>

-<% if flash[:notice] %>
-  <div class="mb-4 rounded-lg bg-green-50 p-4" role="alert">
+  <%
+    # Map flash types to styling
+    case type.to_s
+    when 'notice'
+      bg_class = 'bg-green-50'
+      text_class = 'text-green-800'
+      icon_class = 'text-green-400'
+      icon_path = 'M10 18a8 8 0 100-16 8 8 0 000 16zm3.707-9.293a1 1 0 00-1.414-1.414L9 10.586 7.707 9.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z'
+      auto_dismiss = true
+    when 'alert', 'error'
+      bg_class = 'bg-red-50'
+      text_class = 'text-red-800'
+      icon_class = 'text-red-400'
+      icon_path = 'M10 18a8 8 0 100-16 8 8 0 000 16zM8.707 7.293a1 1 0 00-1.414 1.414L8.586 10l-1.293 1.293a1 1 0 101.414 1.414L10 11.414l1.293 1.293a1 1 0 001.414-1.414L11.414 10l1.293-1.293a1 1 0 00-1.414-1.414L10 8.586 8.707 7.293z'
+      auto_dismiss = false
+    when 'warning'
+      bg_class = 'bg-yellow-50'
+      text_class = 'text-yellow-800'
+      icon_class = 'text-yellow-400'
+      icon_path = 'M8.257 3.099c.765-1.36 2.722-1.36 3.486 0l5.58 9.92c.75 1.334-.213 2.98-1.742 2.98H4.42c-1.53 0-2.493-1.646-1.743-2.98l5.58-9.92zM11 13a1 1 0 11-2 0 1 1 0 012 0zm-1-8a1 1 0 00-1 1v3a1 1 0 002 0V6a1 1 0 00-1-1z'
+      auto_dismiss = false
+    when 'info'
+      bg_class = 'bg-blue-50'
+      text_class = 'text-blue-800'
+      icon_class = 'text-blue-400'
+      icon_path = 'M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z'
+      auto_dismiss = true
+    else
+      # Default styling for unknown types
+      bg_class = 'bg-gray-50'
+      text_class = 'text-gray-800'
+      icon_class = 'text-gray-400'
+      icon_path = 'M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z'
+      auto_dismiss = false
+    end
+  %>
+
+  <div class="mb-4 rounded-lg <%= bg_class %> p-4 border border-opacity-20 <%= border_class_for(type) %>"
+       role="alert"
+       data-controller="flash"
+       data-flash-auto-dismiss-value="<%= auto_dismiss ? '5000' : 'false' %>"
+       data-flash-type-value="<%= type %>">
    <div class="flex">
-      <div class="flex-shrink-0">
-        <svg class="h-5 w-5 text-green-400" viewBox="0 0 20 20" fill="currentColor">
-          <path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm3.707-9.293a1 1 0 00-1.414-1.414L9 10.586 7.707 9.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z" clip-rule="evenodd"/>
+      <div class="shrink-0">
+        <svg class="h-5 w-5 <%= icon_class %>" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
+          <path fill-rule="evenodd" d="<%= icon_path %>" clip-rule="evenodd"/>
        </svg>
      </div>
-      <div class="ml-3">
-        <p class="text-sm font-medium text-green-800"><%= flash[:notice] %></p>
+      <div class="ml-3 flex-1">
+        <p class="text-sm font-medium <%= text_class %>"><%= message %></p>
      </div>
+      <% if auto_dismiss || type.to_s != 'alert' %>
+        <div class="ml-auto pl-3">
+          <div class="-mx-1.5 -my-1.5">
+            <button type="button"
+                    data-action="click->flash#dismiss"
+                    class="inline-flex rounded-md <%= bg_class %> p-1.5 <%= icon_class %> hover:bg-opacity-70 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-offset-<%= bg_class.gsub('bg-', '') %>"
+                    aria-label="Dismiss">
+              <span class="sr-only">Dismiss</span>
+              <svg class="h-5 w-5" viewBox="0 0 20 20" fill="currentColor">
+                <path d="M6.28 5.22a.75.75 0 00-1.06 1.06L8.94 10l-3.72 3.72a.75.75 0 101.06 1.06L10 11.06l3.72 3.72a.75.75 0 101.06-1.06L11.06 10l3.72-3.72a.75.75 0 00-1.06-1.06L10 8.94 6.28 5.22z"/>
+              </svg>
+            </button>
+          </div>
+        </div>
+      <% end %>
    </div>
  </div>
 <% end %>
--- a/app/views/shared/_form_errors.html.erb
+++ b/app/views/shared/_form_errors.html.erb
@@ -1,23 +1,36 @@
-<% if form.object.errors.any? %>
-  <div class="rounded-md bg-red-50 p-4">
+<%# Usage: render "shared/form_errors", object: @user %>
+<%# Usage: render "shared/form_errors", form: form %>
+
+<% form_object = form.respond_to?(:object) ? form.object : (object || form) %>
+<% if form_object&.errors&.any? %>
+  <div class="rounded-md bg-red-50 p-4 mb-6 border border-red-200" role="alert" aria-labelledby="form-errors-title" data-form-errors-target="container">
    <div class="flex">
      <div class="flex-shrink-0">
        <svg class="h-5 w-5 text-red-400" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
-          <path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zM8.28 7.22a.75.75 0 00-1.06 1.06L8.94 10l-1.72 1.72a.75.75 0 101.06 1.06L10 11.06l1.72 1.72a.75.75 0 101.06-1.06L11.06 10l1.72-1.72a.75.75 0 00-1.06-1.06L10 8.94 8.28 7.22z" clip-rule="evenodd" />
+          <path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zM8.707 7.293a1 1 0 00-1.414 1.414L8.586 10l-1.293 1.293a1 1 0 101.414 1.414L10 11.414l1.293 1.293a1 1 0 001.414-1.414L11.414 10l1.293-1.293a1 1 0 00-1.414-1.414L10 8.586 8.707 7.293z" clip-rule="evenodd"/>
        </svg>
      </div>
-      <div class="ml-3">
-        <h3 class="text-sm font-medium text-red-800">
-          There were <%= pluralize(form.object.errors.count, "error") %> with your submission:
+      <div class="ml-3 flex-1">
+        <h3 id="form-errors-title" class="text-sm font-medium text-red-800">
+          <%= pluralize(form_object.errors.count, "error") %> prohibited this <%= form_object.class.name.downcase.gsub(/^admin::/, '') %> from being saved:
        </h3>
-        <div class="mt-2 text-sm text-red-700">
-          <ul class="list-disc space-y-1 pl-5">
-            <% form.object.errors.full_messages.each do |message| %>
+        <div class="mt-2">
+          <ul class="list-disc space-y-1 pl-5 text-sm text-red-700">
+            <% form_object.errors.full_messages.each do |message| %>
              <li><%= message %></li>
            <% end %>
          </ul>
        </div>
      </div>
+      <div class="ml-auto pl-3">
+        <div class="-mx-1.5 -my-1.5">
+          <button type="button" data-action="click->form-errors#dismiss" class="inline-flex rounded-md bg-red-50 p-1.5 text-red-500 hover:bg-red-100 focus:outline-none focus:ring-2 focus:ring-red-600 focus:ring-offset-2 focus:ring-offset-red-50" aria-label="Dismiss">
+            <svg class="h-5 w-5" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
+              <path d="M6.28 5.22a.75.75 0 00-1.06 1.06L8.94 10l-3.72 3.72a.75.75 0 101.06 1.06L10 11.06l3.72 3.72a.75.75 0 101.06-1.06L11.06 10l3.72-3.72a.75.75 0 00-1.06-1.06L10 8.94 6.28 5.22z" />
+            </svg>
+          </button>
+        </div>
+      </div>
    </div>
  </div>
 <% end %>
--- a/app/views/shared/_sidebar.html.erb
+++ b/app/views/shared/_sidebar.html.erb
@@ -57,16 +57,6 @@
                  <% end %>
                </li>

-                <!-- Admin: Forward Auth Rules -->
-                <li>
-                  <%= link_to admin_forward_auth_rules_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 #{ current_path.start_with?('/admin/forward_auth_rules') ? 'bg-gray-50 text-blue-600' : 'text-gray-700 hover:text-blue-600 hover:bg-gray-50' }" do %>
-                    <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
-                      <path stroke-linecap="round" stroke-linejoin="round" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z" />
-                    </svg>
-                    Forward Auth Rules
-                  <% end %>
-                </li>
-
                <!-- Admin: Groups -->
                <li>
                  <%= link_to admin_groups_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 #{ current_path.start_with?('/admin/groups') ? 'bg-gray-50 text-blue-600' : 'text-gray-700 hover:text-blue-600 hover:bg-gray-50' }" do %>
@@ -88,9 +78,19 @@
                <% end %>
              </li>

+              <!-- Sessions -->
+              <li>
+                <%= link_to active_sessions_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 #{ current_path == '/active_sessions' ? 'bg-gray-50 text-blue-600' : 'text-gray-700 hover:text-blue-600 hover:bg-gray-50' }" do %>
+                  <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+                    <path stroke-linecap="round" stroke-linejoin="round" d="M12 18v-5.25m0 0a6.01 6.01 0 001.5-.189m-1.5.189a6.01 6.01 0 01-1.5-.189m3.75 7.478a12.06 12.06 0 01-4.5 0m3.75 2.383a14.406 14.406 0 01-3 0M14.25 18v-.192c0-.983.658-1.823 1.508-2.316a7.5 7.5 0 10-7.517 0c.85.493 1.509 1.333 1.509 2.316V18" />
+                  </svg>
+                  Sessions
+                <% end %>
+              </li>
+
              <!-- Sign Out -->
              <li>
-                <%= link_to signout_path, data: { turbo_method: :delete }, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 text-red-600 hover:text-red-700 hover:bg-red-50" do %>
+                <%= link_to signout_path, data: { turbo_method: :delete, action: "click->mobile-sidebar#closeSidebar" }, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 text-red-600 hover:text-red-700 hover:bg-red-50" do %>
                  <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
                    <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 9V5.25A2.25 2.25 0 0013.5 3h-6a2.25 2.25 0 00-2.25 2.25v13.5A2.25 2.25 0 007.5 21h6a2.25 2.25 0 002.25-2.25V15M12 9l-3 3m0 0l3 3m-3-3h12.75" />
                  </svg>
@@ -105,12 +105,18 @@
  </div>

  <!-- Mobile sidebar overlay -->
-  <div class="relative z-50 lg:hidden hidden" id="mobile-sidebar-overlay">
+  <div class="relative z-50 lg:hidden hidden"
+       data-mobile-sidebar-target="sidebarOverlay"
+       id="mobile-sidebar-overlay"
+       data-action="click->mobile-sidebar#closeOnBackgroundClick">
    <div class="fixed inset-0 bg-gray-900/80"></div>
    <div class="fixed inset-0 flex">
      <div class="relative mr-16 flex w-full max-w-xs flex-1">
        <div class="absolute left-full top-0 flex w-16 justify-center pt-5">
-          <button type="button" class="-m-2.5 p-2.5" id="mobile-menu-close">
+          <button type="button"
+                  class="-m-2.5 p-2.5"
+                  id="mobile-menu-close"
+                  data-action="click->mobile-sidebar#closeSidebar">
            <span class="sr-only">Close sidebar</span>
            <svg class="h-6 w-6 text-white" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
              <path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
@@ -138,7 +144,7 @@
            <!-- Same nav items as desktop -->
            <ul role="list" class="-mx-2 space-y-1">
              <li>
-                <%= link_to root_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 text-gray-700 hover:text-blue-600 hover:bg-gray-50" do %>
+                <%= link_to root_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 #{ current_path == '/' ? 'bg-gray-50 text-blue-600' : 'text-gray-700 hover:text-blue-600 hover:bg-gray-50' }", data: { action: "click->mobile-sidebar#closeSidebar" } do %>
                  <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
                    <path stroke-linecap="round" stroke-linejoin="round" d="M2.25 12l8.954-8.955c.44-.439 1.152-.439 1.591 0L21.75 12M4.5 9.75v10.125c0 .621.504 1.125 1.125 1.125H9.75v-4.875c0-.621.504-1.125 1.125-1.125h2.25c.621 0 1.125.504 1.125 1.125V21h4.125c.621 0 1.125-.504 1.125-1.125V9.75M8.25 21h8.25" />
                  </svg>
@@ -147,7 +153,7 @@
              </li>
              <% if user.admin? %>
                <li>
-                  <%= link_to admin_users_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 text-gray-700 hover:text-blue-600 hover:bg-gray-50" do %>
+                  <%= link_to admin_users_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 #{ current_path.start_with?('/admin/users') ? 'bg-gray-50 text-blue-600' : 'text-gray-700 hover:text-blue-600 hover:bg-gray-50' }", data: { action: "click->mobile-sidebar#closeSidebar" } do %>
                    <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
                      <path stroke-linecap="round" stroke-linejoin="round" d="M15 19.128a9.38 9.38 0 002.625.372 9.337 9.337 0 004.121-.952 4.125 4.125 0 00-7.533-2.493M15 19.128v-.003c0-1.113-.285-2.16-.786-3.07M15 19.128v.106A12.318 12.318 0 018.624 21c-2.331 0-4.512-.645-6.374-1.766l-.001-.109a6.375 6.375 0 0111.964-3.07M12 6.375a3.375 3.375 0 11-6.75 0 3.375 3.375 0 016.75 0zm8.25 2.25a2.625 2.625 0 11-5.25 0 2.625 2.625 0 015.25 0z" />
                    </svg>
@@ -155,7 +161,7 @@
                  <% end %>
                </li>
                <li>
-                  <%= link_to admin_applications_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 text-gray-700 hover:text-blue-600 hover:bg-gray-50" do %>
+                  <%= link_to admin_applications_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 #{ current_path.start_with?('/admin/applications') ? 'bg-gray-50 text-blue-600' : 'text-gray-700 hover:text-blue-600 hover:bg-gray-50' }", data: { action: "click->mobile-sidebar#closeSidebar" } do %>
                    <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
                      <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6A2.25 2.25 0 016 3.75h2.25A2.25 2.25 0 0110.5 6v2.25a2.25 2.25 0 01-2.25 2.25H6a2.25 2.25 0 01-2.25-2.25V6zM3.75 15.75A2.25 2.25 0 016 13.5h2.25a2.25 2.25 0 012.25 2.25V18a2.25 2.25 0 01-2.25 2.25H6A2.25 2.25 0 013.75 18v-2.25zM13.5 6a2.25 2.25 0 012.25-2.25H18A2.25 2.25 0 0120.25 6v2.25A2.25 2.25 0 0118 10.5h-2.25a2.25 2.25 0 01-2.25-2.25V6zM13.5 15.75a2.25 2.25 0 012.25-2.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-2.25A2.25 2.25 0 0113.5 18v-2.25z" />
                    </svg>
@@ -163,24 +169,16 @@
                  <% end %>
                </li>
                <li>
-                  <%= link_to admin_groups_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 text-gray-700 hover:text-blue-600 hover:bg-gray-50" do %>
+                  <%= link_to admin_groups_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 #{ current_path.start_with?('/admin/groups') ? 'bg-gray-50 text-blue-600' : 'text-gray-700 hover:text-blue-600 hover:bg-gray-50' }", data: { action: "click->mobile-sidebar#closeSidebar" } do %>
                    <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
                      <path stroke-linecap="round" stroke-linejoin="round" d="M18 18.72a9.094 9.094 0 003.741-.479 3 3 0 00-4.682-2.72m.94 3.198l.001.031c0 .225-.012.447-.037.666A11.944 11.944 0 0112 21c-2.17 0-4.207-.576-5.963-1.584A6.062 6.062 0 016 18.719m12 0a5.971 5.971 0 00-.941-3.197m0 0A5.995 5.995 0 0012 12.75a5.995 5.995 0 00-5.058 2.772m0 0a3 3 0 00-4.681 2.72 8.986 8.986 0 003.74.477m.94-3.197a5.971 5.971 0 00-.94 3.197M15 6.75a3 3 0 11-6 0 3 3 0 016 0zm6 3a2.25 2.25 0 11-4.5 0 2.25 2.25 0 014.5 0zm-13.5 0a2.25 2.25 0 11-4.5 0 2.25 2.25 0 014.5 0z" />
                    </svg>
                    Groups
                  <% end %>
                </li>
-                <li>
-                  <%= link_to admin_forward_auth_rules_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 text-gray-700 hover:text-blue-600 hover:bg-gray-50" do %>
-                    <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
-                      <path stroke-linecap="round" stroke-linejoin="round" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z" />
-                    </svg>
-                    Forward Auth Rules
-                  <% end %>
-                </li>
              <% end %>
              <li>
-                <%= link_to profile_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 text-gray-700 hover:text-blue-600 hover:bg-gray-50" do %>
+                <%= link_to profile_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 #{ current_path == '/profile' ? 'bg-gray-50 text-blue-600' : 'text-gray-700 hover:text-blue-600 hover:bg-gray-50' }", data: { action: "click->mobile-sidebar#closeSidebar" } do %>
                  <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
                    <path stroke-linecap="round" stroke-linejoin="round" d="M17.982 18.725A7.488 7.488 0 0012 15.75a7.488 7.488 0 00-5.982 2.975m11.963 0a9 9 0 10-11.963 0m11.963 0A8.966 8.966 0 0112 21a8.966 8.966 0 01-5.982-2.275M15 9.75a3 3 0 11-6 0 3 3 0 016 0z" />
                  </svg>
@@ -188,7 +186,15 @@
                <% end %>
              </li>
              <li>
-                <%= link_to signout_path, data: { turbo_method: :delete }, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 text-red-600 hover:text-red-700 hover:bg-red-50" do %>
+                <%= link_to active_sessions_path, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 #{ current_path == '/active_sessions' ? 'bg-gray-50 text-blue-600' : 'text-gray-700 hover:text-blue-600 hover:bg-gray-50' }", data: { action: "click->mobile-sidebar#closeSidebar" } do %>
+                  <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+                    <path stroke-linecap="round" stroke-linejoin="round" d="M12 18v-5.25m0 0a6.01 6.01 0 001.5-.189m-1.5.189a6.01 6.01 0 01-1.5-.189m3.75 7.478a12.06 12.06 0 01-4.5 0m3.75 2.383a14.406 14.406 0 01-3 0M14.25 18v-.192c0-.983.658-1.823 1.508-2.316a7.5 7.5 0 10-7.517 0c.85.493 1.509 1.333 1.509 2.316V18" />
+                  </svg>
+                  Sessions
+                <% end %>
+              </li>
+              <li>
+                <%= link_to signout_path, data: { turbo_method: :delete, action: "click->mobile-sidebar#closeSidebar" }, class: "group flex gap-x-3 rounded-md p-2 text-sm font-semibold leading-6 text-red-600 hover:text-red-700 hover:bg-red-50" do %>
                  <svg class="h-6 w-6 shrink-0" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
                    <path stroke-linecap="round" stroke-linejoin="round" d="M15.75 9V5.25A2.25 2.25 0 0013.5 3h-6a2.25 2.25 0 00-2.25 2.25v13.5A2.25 2.25 0 007.5 21h6a2.25 2.25 0 002.25-2.25V15M12 9l-3 3m0 0l3 3m-3-3h12.75" />
                  </svg>
--- a/app/views/totp/backup_codes.html.erb
+++ b/app/views/totp/backup_codes.html.erb
@@ -1,4 +1,4 @@
-<div class="max-w-2xl mx-auto">
+<div class="max-w-2xl mx-auto" data-controller="backup-codes" data-backup-codes-codes-value="<%= @backup_codes.to_json %>">
  <div class="mb-8">
    <h1 class="text-3xl font-bold text-gray-900">Backup Codes</h1>
    <p class="mt-2 text-sm text-gray-600">
@@ -29,14 +29,14 @@
      </div>

      <div class="mt-6 flex gap-3">
-        <button onclick="downloadBackupCodes()" class="inline-flex items-center rounded-md border border-gray-300 bg-white py-2 px-4 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
+        <button data-action="click->backup-codes#download" class="inline-flex items-center rounded-md border border-gray-300 bg-white py-2 px-4 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
          <svg class="h-4 w-4 mr-2" fill="none" viewBox="0 0 24 24" stroke="currentColor">
            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16v1a3 3 0 003 3h10a3 3 0 003-3v-1m-4-4l-4 4m0 0l-4-4m4 4V4" />
          </svg>
          Download Codes
        </button>

-        <button onclick="printBackupCodes()" class="inline-flex items-center rounded-md border border-gray-300 bg-white py-2 px-4 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
+        <button data-action="click->backup-codes#print" class="inline-flex items-center rounded-md border border-gray-300 bg-white py-2 px-4 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2">
          <svg class="h-4 w-4 mr-2" fill="none" viewBox="0 0 24 24" stroke="currentColor">
            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M17 17h2a2 2 0 002-2v-4a2 2 0 00-2-2H5a2 2 0 00-2 2v4a2 2 0 002 2h2m2 4h6a2 2 0 002-2v-4a2 2 0 00-2-2H9a2 2 0 00-2 2v4a2 2 0 002 2zm8-12V5a2 2 0 00-2-2H9a2 2 0 00-2 2v4h10z" />
          </svg>
@@ -45,34 +45,15 @@
      </div>

      <div class="mt-8">
-        <%= link_to "Done", profile_path,
-            class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
+        <% if @auto_signin_pending %>
+          <%= button_to "Continue to Sign In", complete_totp_setup_path, method: :post,
+              class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
+        <% else %>
+          <%= link_to "Done", profile_path,
+              class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
+        <% end %>
      </div>
    </div>
  </div>
 </div>

-<script>
-  const backupCodes = <%= raw @backup_codes.to_json %>;
-
-  function downloadBackupCodes() {
-    const content = "Clinch Backup Codes\n" +
-                    "===================\n\n" +
-                    backupCodes.join("\n") +
-                    "\n\nSave these codes in a secure location.";
-
-    const blob = new Blob([content], { type: 'text/plain' });
-    const url = window.URL.createObjectURL(blob);
-    const a = document.createElement('a');
-    a.href = url;
-    a.download = 'clinch-backup-codes.txt';
-    document.body.appendChild(a);
-    a.click();
-    document.body.removeChild(a);
-    window.URL.revokeObjectURL(url);
-  }
-
-  function printBackupCodes() {
-    window.print();
-  }
-</script>
--- a/app/views/totp/regenerate_backup_codes.html.erb
+++ b/app/views/totp/regenerate_backup_codes.html.erb
@@ -0,0 +1,45 @@
+<div class="max-w-2xl mx-auto">
+  <div class="mb-8">
+    <h1 class="text-3xl font-bold text-gray-900">Regenerate Backup Codes</h1>
+    <p class="mt-2 text-sm text-gray-600">
+      This will invalidate all existing backup codes and generate new ones.
+    </p>
+  </div>
+
+  <div class="bg-white shadow sm:rounded-lg">
+    <div class="px-4 py-5 sm:p-6">
+      <div class="rounded-md bg-yellow-50 p-4 mb-6">
+        <div class="flex">
+          <svg class="h-5 w-5 text-yellow-400 mr-3 flex-shrink-0" viewBox="0 0 20 20" fill="currentColor">
+            <path fill-rule="evenodd" d="M8.485 2.495c.673-1.167 2.357-1.167 3.03 0l6.28 10.875c.673 1.167-.17 2.625-1.516 2.625H3.72c-1.347 0-2.189-1.458-1.515-2.625L8.485 2.495zM10 5a.75.75 0 01.75.75v3.5a.75.75 0 01-1.5 0v-3.5A.75.75 0 0110 5zm0 9a1 1 0 100-2 1 1 0 000 2z" clip-rule="evenodd" />
+          </svg>
+          <div class="text-sm text-yellow-800">
+            <p class="font-medium">Important Security Notice</p>
+            <p class="mt-1">All your current backup codes will become invalid after this action. Make sure you're ready to save the new codes.</p>
+          </div>
+        </div>
+      </div>
+
+      <%= form_with(url: create_new_backup_codes_totp_path, method: :post, class: "space-y-6") do |form| %>
+        <div>
+          <%= form.label :password, "Enter your password to confirm", class: "block text-sm font-medium text-gray-700" %>
+          <div class="mt-1">
+            <%= form.password_field :password, required: true,
+                class: "block w-full appearance-none rounded-md border border-gray-300 px-3 py-2 placeholder-gray-400 shadow-sm focus:border-blue-500 focus:outline-none focus:ring-blue-500 sm:text-sm" %>
+          </div>
+          <p class="mt-2 text-sm text-gray-500">
+            This is required to verify your identity before regenerating backup codes.
+          </p>
+        </div>
+
+        <div class="flex gap-3">
+          <%= form.submit "Generate New Backup Codes",
+              class: "inline-flex justify-center rounded-md border border-transparent bg-blue-600 py-2 px-4 text-sm font-medium text-white shadow-sm hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
+
+          <%= link_to "Cancel", profile_path,
+              class: "inline-flex justify-center rounded-md border border-gray-300 bg-white py-2 px-4 text-sm font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2" %>
+        </div>
+      <% end %>
+    </div>
+  </div>
+</div>
--- a/app/views/users/new.html.erb
+++ b/app/views/users/new.html.erb
@@ -4,17 +4,8 @@
    <p class="mt-2 text-gray-600">Create your admin account to get started</p>
  </div>

-  <%= form_with model: @user, url: signup_path, class: "contents" do |form| %>
-    <% if @user.errors.any? %>
-      <div class="bg-red-50 text-red-500 px-3 py-2 font-medium rounded-lg mt-3">
-        <h2><%= pluralize(@user.errors.count, "error") %> prohibited this account from being saved:</h2>
-        <ul class="list-disc list-inside">
-          <% @user.errors.each do |error| %>
-            <li><%= error.full_message %></li>
-          <% end %>
-        </ul>
-      </div>
-    <% end %>
+  <%= form_with model: @user, url: signup_path, class: "contents", data: { controller: "form-errors" } do |form| %>
+    <%= render "shared/form_errors", form: form %>

    <div class="my-5">
      <%= form.label :email_address, class: "block font-medium text-sm text-gray-700" %>
--- a/bin/brakeman
+++ b/bin/brakeman
@@ -2,6 +2,4 @@
 require "rubygems"
 require "bundler/setup"

-ARGV.unshift("--ensure-latest")
-
 load Gem.bin_path("brakeman", "brakeman")
--- a/bin/standardrb
+++ b/bin/standardrb
@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("standard", "standardrb")
--- a/config/application.rb
+++ b/config/application.rb
@@ -23,5 +23,18 @@ module Clinch
    #
    # config.time_zone = "Central Time (US & Canada)"
    # config.eager_load_paths << Rails.root.join("extras")
+
+    # Configure SMTP settings using environment variables
+    config.action_mailer.delivery_method = :smtp
+    config.action_mailer.smtp_settings = {
+      address: ENV.fetch("SMTP_ADDRESS", "localhost"),
+      port: ENV.fetch("SMTP_PORT", 587),
+      domain: ENV.fetch("SMTP_DOMAIN", "localhost"),
+      user_name: ENV.fetch("SMTP_USERNAME", nil),
+      password: ENV.fetch("SMTP_PASSWORD", nil),
+      authentication: ENV.fetch("SMTP_AUTHENTICATION", "plain").to_sym,
+      enable_starttls_auto: ENV.fetch("SMTP_STARTTLS_AUTO", "true") == "true",
+      openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER
+    }
  end
 end
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -20,7 +20,7 @@ Rails.application.configure do
  if Rails.root.join("tmp/caching-dev.txt").exist?
    config.action_controller.perform_caching = true
    config.action_controller.enable_fragment_cache_logging = true
-    config.public_file_server.headers = { "cache-control" => "public, max-age=#{2.days.to_i}" }
+    config.public_file_server.headers = {"cache-control" => "public, max-age=#{2.days.to_i}"}
  else
    config.action_controller.perform_caching = false
  end
@@ -31,17 +31,18 @@ Rails.application.configure do
  # Store uploaded files on the local file system (see config/storage.yml for options).
  config.active_storage.service = :local

-  # Don't care if the mailer can't send.
-  config.action_mailer.raise_delivery_errors = false
+  # Preview emails in browser using letter_opener
+  config.action_mailer.delivery_method = :letter_opener
+  config.action_mailer.perform_deliveries = true

  # Make template changes take effect immediately.
  config.action_mailer.perform_caching = false

  # Set localhost to be used by links generated in mailer templates.
-  config.action_mailer.default_url_options = { host: "localhost", port: 3000 }
+  config.action_mailer.default_url_options = {host: "localhost", port: 3000}

  # Log with request_id as a tag (same as production).
-  config.log_tags = [ :request_id ]
+  config.log_tags = [:request_id]

  # Print deprecation notices to the Rails logger.
  config.active_support.deprecation = :log
@@ -58,10 +59,8 @@ Rails.application.configure do
  # Highlight code that enqueued background job in logs.
  config.active_job.verbose_enqueue_logs = true

-  # Use Solid Queue for background jobs (same as production).
-  config.active_job.queue_adapter = :solid_queue
-  config.solid_queue.connects_to = { database: { writing: :queue } }
-  
+  # Use async processor for background jobs in development
+  config.active_job.queue_adapter = :async

  # Highlight code that triggered redirect in logs.
  config.action_dispatch.verbose_redirect_logs = true
@@ -83,4 +82,14 @@ Rails.application.configure do

  # Apply autocorrection by RuboCop to files generated by `bin/rails generate`.
  # config.generators.apply_rubocop_autocorrect_after_generate!
+
+  # Sentry configuration for development
+  # Only enabled if SENTRY_DSN environment variable is set and explicitly enabled
+  if ENV["SENTRY_DSN"].present? && ENV["SENTRY_ENABLED_IN_DEVELOPMENT"] == "true"
+    config.sentry.enabled = true
+
+    # High sample rates for development debugging
+    config.sentry.traces_sample_rate = ENV.fetch("SENTRY_TRACES_SAMPLE_RATE", 0.5).to_f
+    config.sentry.profiles_sample_rate = ENV.fetch("SENTRY_PROFILES_SAMPLE_RATE", 0.2).to_f
+  end
 end
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -16,7 +16,7 @@ Rails.application.configure do
  config.action_controller.perform_caching = true

  # Cache assets for far-future expiry since they are all digest stamped.
-  config.public_file_server.headers = { "cache-control" => "public, max-age=#{1.year.to_i}" }
+  config.public_file_server.headers = {"cache-control" => "public, max-age=#{1.year.to_i}"}

  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
  # config.asset_host = "http://assets.example.com"
@@ -30,12 +30,20 @@ Rails.application.configure do
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  config.force_ssl = true

+  # Additional security headers (beyond Rails defaults)
+  # Note: Rails already sets X-Content-Type-Options: nosniff by default
+  # Note: Permissions-Policy is configured in config/initializers/permissions_policy.rb
+  config.action_dispatch.default_headers.merge!(
+    "X-Frame-Options" => "DENY",  # Override default SAMEORIGIN to prevent clickjacking
+    "Referrer-Policy" => "strict-origin-when-cross-origin"  # Control referrer information
+  )
+
  # Skip http-to-https redirect for the default health check endpoint.
  # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }

  # Log to STDOUT with the current request id as a default log tag.
-  config.log_tags = [ :request_id ]
-  config.logger   = ActiveSupport::TaggedLogging.logger(STDOUT)
+  config.log_tags = [:request_id]
+  config.logger = ActiveSupport::TaggedLogging.logger($stdout)

  # Change to "debug" to log everything (including potentially personally-identifiable information!).
  config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info")
@@ -49,16 +57,17 @@ Rails.application.configure do
  # Replace the default in-process memory cache store with a durable alternative.
  config.cache_store = :solid_cache_store

-  # Replace the default in-process and non-durable queuing backend for Active Job.
+  # Use Solid Queue for background jobs
  config.active_job.queue_adapter = :solid_queue
-  config.solid_queue.connects_to = { database: { writing: :queue } }

  # Ignore bad email addresses and do not raise email delivery errors.
  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
  # config.action_mailer.raise_delivery_errors = false

  # Set host to be used by links generated in mailer templates.
-  config.action_mailer.default_url_options = { host: "example.com" }
+  config.action_mailer.default_url_options = {
+    host: ENV.fetch("CLINCH_HOST", "example.com")
+  }

  # Specify outgoing SMTP server. Remember to add smtp/* credentials via bin/rails credentials:edit.
  # config.action_mailer.smtp_settings = {
@@ -77,14 +86,87 @@ Rails.application.configure do
  config.active_record.dump_schema_after_migration = false

  # Only use :id for inspections in production.
-  config.active_record.attributes_for_inspect = [ :id ]
+  config.active_record.attributes_for_inspect = [:id]
+
+  # Helper method to extract domain from CLINCH_HOST (removes protocol if present)
+  def self.extract_domain(host)
+    return host if host.blank?
+    # Remove protocol (http:// or https://) if present
+    host.gsub(/^https?:\/\//, "")
+  end
+
+  # Helper method to ensure URL has https:// protocol
+  def self.ensure_https(url)
+    return url if url.blank?
+    # Add https:// if no protocol is present
+    url.match?(/^https?:\/\//) ? url : "https://#{url}"
+  end

  # Enable DNS rebinding protection and other `Host` header attacks.
-  # config.hosts = [
-  #   "example.com",     # Allow requests from example.com
-  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
-  # ]
-  #
+  # Configure allowed hosts based on deployment scenario
+  allowed_hosts = [
+    extract_domain(ENV.fetch("CLINCH_HOST", "auth.example.com"))  # External domain (auth service itself)
+  ]
+
+  # Use PublicSuffix to extract registrable domain and allow all subdomains
+  host_domain = extract_domain(ENV.fetch("CLINCH_HOST", "auth.example.com"))
+  if host_domain.present?
+    begin
+      # Use PublicSuffix to properly extract the domain
+      domain = PublicSuffix.parse(host_domain)
+      registrable_domain = domain.domain  # Gets "example.com" from "auth.example.com"
+
+      if registrable_domain.present?
+        # Create regex to allow any subdomain of the registrable domain
+        allowed_hosts << /.*#{Regexp.escape(registrable_domain)}/
+      end
+    rescue PublicSuffix::DomainInvalid
+      # Fallback to simple domain extraction if PublicSuffix fails
+      Rails.logger.warn "Could not parse domain '#{host_domain}' with PublicSuffix, using fallback"
+      base_domain = host_domain.split(".").last(2).join(".")
+      allowed_hosts << /.*#{Regexp.escape(base_domain)}/
+    end
+  end
+
+  # Allow Docker service names if running in same compose
+  if ENV["CLINCH_DOCKER_SERVICE_NAME"]
+    allowed_hosts << ENV["CLINCH_DOCKER_SERVICE_NAME"]
+  end
+
+  # Allow internal IP access for cross-compose or host networking
+  if ENV["CLINCH_ALLOW_INTERNAL_IPS"] == "true"
+    # Specific host IP
+    allowed_hosts << "192.168.2.246"
+
+    # Private IP ranges for internal network access
+    allowed_hosts += [
+      /192\.168\.\d+\.\d+/,    # 192.168.0.0/16 private network
+      /10\.\d+\.\d+\.\d+/,     # 10.0.0.0/8 private network
+      /172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+/  # 172.16.0.0/12 private network
+    ]
+  end
+
+  # Local development fallbacks
+  if ENV["CLINCH_ALLOW_LOCALHOST"] == "true"
+    allowed_hosts += ["localhost", "127.0.0.1", "0.0.0.0"]
+  end
+
+  config.hosts = allowed_hosts
+
  # Skip DNS rebinding protection for the default health check endpoint.
-  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+  config.host_authorization = {exclude: ->(request) { request.path == "/up" }}
+
+  # Sentry configuration for production
+  # Only enabled if SENTRY_DSN environment variable is set
+  if ENV["SENTRY_DSN"].present?
+    config.sentry.enabled = true
+
+    # Performance monitoring: sample 20% of transactions for traces
+    # Adjust based on your traffic volume and Sentry plan limits
+    config.sentry.traces_sample_rate = ENV.fetch("SENTRY_TRACES_SAMPLE_RATE", 0.2).to_f
+
+    # Continuous profiling: disabled by default in production due to cost
+    # Enable temporarily for performance investigations if needed
+    config.sentry.profiles_sample_rate = ENV.fetch("SENTRY_PROFILES_SAMPLE_RATE", 0.0).to_f
+  end
 end
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -16,7 +16,7 @@ Rails.application.configure do
  config.eager_load = ENV["CI"].present?

  # Configure public file server for tests with cache-control for performance.
-  config.public_file_server.headers = { "cache-control" => "public, max-age=3600" }
+  config.public_file_server.headers = {"cache-control" => "public, max-age=3600"}

  # Show full error reports.
  config.consider_all_requests_local = true
@@ -37,7 +37,7 @@ Rails.application.configure do
  config.action_mailer.delivery_method = :test

  # Set host to be used by links generated in mailer templates.
-  config.action_mailer.default_url_options = { host: "example.com" }
+  config.action_mailer.default_url_options = {host: "example.com"}

  # Print deprecation notices to the stderr.
  config.active_support.deprecation = :stderr
@@ -50,4 +50,8 @@ Rails.application.configure do

  # Raise error when a before_action's only/except options reference missing actions.
  config.action_controller.raise_on_missing_callback_actions = true
+
+  # Disable Sentry in test environment to avoid interference with tests
+  # Sentry can be explicitly enabled for integration testing if needed
+  ENV["SENTRY_ENABLED_IN_DEVELOPMENT"] = "false"
 end
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .4.6
 .4.8