From 653d7a9be19c68c0b89af73e9263139b7948edb7 Mon Sep 17 00:00:00 2001
From: Celia Amador <camadorg@redhat.com>
Date: Fri, 7 Nov 2025 09:59:15 +0100
Subject: [PATCH 1/5] Add support for static k8s provider

---
 .../src/app/components/Login/LoginPage.tsx    | 175 +++++++++++++
 .../standalone/src/app/context/AuthContext.ts |   6 +
 apps/standalone/src/app/routes.tsx            |   5 +
 apps/standalone/src/app/utils/apiCalls.ts     |   4 +-
 libs/types/index.ts                           |  20 +-
 libs/types/models/AapProviderSpec.ts          |  34 +++
 libs/types/models/AuthConfig.ts               |  22 +-
 .../AuthDynamicOrganizationAssignment.ts      |  26 ++
 .../types/models/AuthDynamicRoleAssignment.ts |  18 ++
 .../models/AuthOrganizationAssignment.ts      |  12 +
 libs/types/models/AuthOrganizationsConfig.ts  |  14 -
 .../AuthPerUserOrganizationAssignment.ts      |  22 ++
 libs/types/models/AuthProvider.ts             |  22 ++
 libs/types/models/AuthProviderList.ts         |  25 ++
 libs/types/models/AuthProviderSpec.ts         |  10 +
 libs/types/models/AuthRoleAssignment.ts       |  11 +
 .../AuthStaticOrganizationAssignment.ts       |  18 ++
 libs/types/models/AuthStaticRoleAssignment.ts |  18 ++
 libs/types/models/DeviceStatus.ts             |   7 +-
 libs/types/models/K8sProviderSpec.ts          |  38 +++
 libs/types/models/OAuth2ProviderSpec.ts       |  58 +++++
 libs/types/models/OIDCProviderSpec.ts         |  46 ++++
 libs/types/models/ResourceKind.ts             |   1 +
 libs/types/models/SystemdActiveStateType.ts   |  17 ++
 libs/types/models/SystemdEnableStateType.ts   |  22 ++
 libs/types/models/SystemdLoadStateType.ts     |  16 ++
 libs/types/models/SystemdUnitStatus.ts        |  25 ++
 proxy/auth/auth.go                            |  28 ++
 proxy/auth/common.go                          |  19 ++
 proxy/auth/k8s.go                             | 239 ++++++++++++++++++
 30 files changed, 951 insertions(+), 27 deletions(-)
 create mode 100644 apps/standalone/src/app/components/Login/LoginPage.tsx
 create mode 100644 libs/types/models/AapProviderSpec.ts
 create mode 100644 libs/types/models/AuthDynamicOrganizationAssignment.ts
 create mode 100644 libs/types/models/AuthDynamicRoleAssignment.ts
 create mode 100644 libs/types/models/AuthOrganizationAssignment.ts
 delete mode 100644 libs/types/models/AuthOrganizationsConfig.ts
 create mode 100644 libs/types/models/AuthPerUserOrganizationAssignment.ts
 create mode 100644 libs/types/models/AuthProvider.ts
 create mode 100644 libs/types/models/AuthProviderList.ts
 create mode 100644 libs/types/models/AuthProviderSpec.ts
 create mode 100644 libs/types/models/AuthRoleAssignment.ts
 create mode 100644 libs/types/models/AuthStaticOrganizationAssignment.ts
 create mode 100644 libs/types/models/AuthStaticRoleAssignment.ts
 create mode 100644 libs/types/models/K8sProviderSpec.ts
 create mode 100644 libs/types/models/OAuth2ProviderSpec.ts
 create mode 100644 libs/types/models/OIDCProviderSpec.ts
 create mode 100644 libs/types/models/SystemdActiveStateType.ts
 create mode 100644 libs/types/models/SystemdEnableStateType.ts
 create mode 100644 libs/types/models/SystemdLoadStateType.ts
 create mode 100644 libs/types/models/SystemdUnitStatus.ts
 create mode 100644 proxy/auth/k8s.go

diff --git a/apps/standalone/src/app/components/Login/LoginPage.tsx b/apps/standalone/src/app/components/Login/LoginPage.tsx
new file mode 100644
index 000000000..dc165e8ed
--- /dev/null
+++ b/apps/standalone/src/app/components/Login/LoginPage.tsx
@@ -0,0 +1,175 @@
+import * as React from 'react';
+import {
+  Alert,
+  Bullseye,
+  Button,
+  Card,
+  CardBody,
+  CardFooter,
+  FormGroup,
+  FormHelperText,
+  FormSection,
+  HelperText,
+  HelperTextItem,
+  Stack,
+  StackItem,
+  Text,
+  TextArea,
+  TextContent,
+  TextVariants,
+  Title,
+} from '@patternfly/react-core';
+import { useTranslation } from 'react-i18next';
+
+import { ORGANIZATION_STORAGE_KEY } from '@flightctl/ui-components/src/utils/organizationStorage';
+import FlightCtlForm from '@flightctl/ui-components/src/components/form/FlightCtlForm';
+import { loginAPI } from '../../utils/apiCalls';
+
+const EXPIRATION = 'expiration';
+
+const nowInSeconds = () => Math.floor(Date.now() / 1000);
+
+// Simple JWT format validation - checks if token has 3 parts separated by dots
+export const isValidJwtTokenFormat = (token: string): boolean => {
+  if (!token) return false;
+  const parts = token.split('.');
+  if (parts.length !== 3) return false;
+  // Check that each part contains only valid base64url characters
+  const base64urlPattern = /^[A-Za-z0-9_-]+$/;
+  return parts.every((part) => part.length > 0 && base64urlPattern.test(part));
+};
+
+export const LoginPage = () => {
+  const { t } = useTranslation();
+  const [token, setToken] = React.useState('');
+  const [validationError, setValidationError] = React.useState<string>('');
+  const [isSubmitting, setIsSubmitting] = React.useState(false);
+  const [submitError, setSubmitError] = React.useState<string>();
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setSubmitError(undefined);
+    setIsSubmitting(true);
+
+    try {
+      localStorage.removeItem(EXPIRATION);
+      localStorage.removeItem(ORGANIZATION_STORAGE_KEY);
+
+      const resp = await fetch(loginAPI, {
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        credentials: 'include',
+        method: 'POST',
+        body: JSON.stringify({
+          token: token.trim(),
+        }),
+      });
+
+      if (!resp.ok) {
+        const errorData = await resp.json().catch(() => ({}));
+        setSubmitError(errorData.error || 'Authentication failed');
+        setIsSubmitting(false);
+        return;
+      }
+
+      const expiration = (await resp.json()) as { expiresIn: number };
+      if (expiration.expiresIn) {
+        const now = nowInSeconds();
+        localStorage.setItem(EXPIRATION, `${now + expiration.expiresIn}`);
+      }
+
+      // Redirect to home page after successful login
+      window.location.href = '/';
+    } catch (err) {
+      setSubmitError(t('Failed to authenticate. Please check your token and try again.'));
+      setIsSubmitting(false);
+    }
+  };
+
+  return (
+    <Bullseye>
+      <Card isLarge>
+        <CardBody>
+          <Stack hasGutter style={{ '--pf-v5-l-stack--m-gutter--Gap': '1.5rem' } as React.CSSProperties}>
+            <StackItem>
+              <Title headingLevel="h2" size="xl">
+                {t('Enter your Kubernetes token')}
+              </Title>
+            </StackItem>
+
+            <StackItem>
+              <TextContent>
+                <Text>{t('Enter your Kubernetes service account token to authenticate with the cluster.')}</Text>
+                <Text component={TextVariants.small}>
+                  {t('You can find this token in your Kubernetes service account credentials.')}
+                </Text>
+              </TextContent>
+            </StackItem>
+            <StackItem>
+              <FlightCtlForm>
+                <FormGroup label={t('Service account token')} isRequired>
+                  <TextArea
+                    id="accessToken"
+                    value={token}
+                    onChange={(_event, value) => {
+                      const tokenVal = value.trim();
+                      if (tokenVal && !isValidJwtTokenFormat(tokenVal)) {
+                        setValidationError(
+                          t('Invalid token format. Expected a JWT token with format: header.payload.signature'),
+                        );
+                      } else {
+                        setValidationError('');
+                      }
+                      if (submitError) {
+                        setSubmitError(undefined);
+                      }
+                      setToken(tokenVal);
+                    }}
+                    placeholder={t('Enter your Kubernetes token...')}
+                    rows={10}
+                    isRequired
+                    isDisabled={isSubmitting}
+                    autoFocus
+                    validated={validationError ? 'error' : 'default'}
+                  />
+                  {validationError && (
+                    <FormHelperText>
+                      <HelperText>
+                        <HelperTextItem variant="error">{validationError}</HelperTextItem>
+                      </HelperText>
+                    </FormHelperText>
+                  )}
+                </FormGroup>
+
+                <Alert variant="warning" title={t('Keep your token secure')} isInline>
+                  {t(
+                    'Never share your service account token. It provides full access to your Kubernetes cluster resources.',
+                  )}
+                </Alert>
+
+                {submitError && (
+                  <FormSection>
+                    <Alert variant="danger" title={t('Authentication failed')} isInline>
+                      {submitError}
+                    </Alert>
+                  </FormSection>
+                )}
+              </FlightCtlForm>
+            </StackItem>
+          </Stack>
+        </CardBody>
+        <CardFooter>
+          <Button
+            variant="primary"
+            isDisabled={!token || !!validationError || isSubmitting}
+            isLoading={isSubmitting}
+            onClick={handleSubmit}
+          >
+            {isSubmitting ? t('Authenticating...') : t('Login')}
+          </Button>
+        </CardFooter>
+      </Card>
+    </Bullseye>
+  );
+};
diff --git a/apps/standalone/src/app/context/AuthContext.ts b/apps/standalone/src/app/context/AuthContext.ts
index 59e45708e..c1c1cfcef 100644
--- a/apps/standalone/src/app/context/AuthContext.ts
+++ b/apps/standalone/src/app/context/AuthContext.ts
@@ -34,6 +34,12 @@ export const useAuthContext = () => {
 
   React.useEffect(() => {
     const getUserInfo = async () => {
+      // Skip auth check if we're on the login page
+      if (window.location.pathname === '/login') {
+        setLoading(false);
+        return;
+      }
+
       let callbackErr: string | null = null;
       if (window.location.pathname === '/callback') {
         localStorage.removeItem(EXPIRATION);
diff --git a/apps/standalone/src/app/routes.tsx b/apps/standalone/src/app/routes.tsx
index a01bb916f..a8f4387ea 100644
--- a/apps/standalone/src/app/routes.tsx
+++ b/apps/standalone/src/app/routes.tsx
@@ -24,6 +24,7 @@ import ErrorBoundary from '@flightctl/ui-components/src/components/common/ErrorB
 import AppLayout from './components/AppLayout/AppLayout';
 import NotFound from './components/AppLayout/NotFound';
 import { AuthContext } from './context/AuthContext';
+import { LoginPage } from './components/Login/LoginPage';
 
 const EnrollmentRequestDetails = React.lazy(
   () =>
@@ -341,6 +342,10 @@ const AppRouter = () => {
   }
 
   const router = createBrowserRouter([
+    {
+      path: '/login',
+      element: <LoginPage />,
+    },
     {
       path: '/',
       element: <AppLayout />,
diff --git a/apps/standalone/src/app/utils/apiCalls.ts b/apps/standalone/src/app/utils/apiCalls.ts
index 3165f288c..32fd61f98 100644
--- a/apps/standalone/src/app/utils/apiCalls.ts
+++ b/apps/standalone/src/app/utils/apiCalls.ts
@@ -58,7 +58,9 @@ export const logout = async () => {
 export const redirectToLogin = async () => {
   const response = await fetch(loginAPI);
   const { url } = (await response.json()) as { url: string };
-  window.location.href = url;
+  // If URL is empty, it means token-based auth (k8s) - redirect to login page
+  // Otherwise, it's OAuth - redirect to external provider
+  window.location.href = url || '/login';
 };
 
 const handleApiJSONResponse = async <R>(response: Response): Promise<R> => {
diff --git a/libs/types/index.ts b/libs/types/index.ts
index 84a3bdf98..7f3af2f18 100644
--- a/libs/types/index.ts
+++ b/libs/types/index.ts
@@ -3,6 +3,7 @@
 /* tslint:disable */
 /* eslint-disable */
 
+export type { AapProviderSpec } from './models/AapProviderSpec';
 export type { AbsolutePath } from './models/AbsolutePath';
 export type { ApplicationContent } from './models/ApplicationContent';
 export type { ApplicationEnvVars } from './models/ApplicationEnvVars';
@@ -13,9 +14,17 @@ export type { ApplicationVolume } from './models/ApplicationVolume';
 export type { ApplicationVolumeProviderSpec } from './models/ApplicationVolumeProviderSpec';
 export type { ApplicationVolumeStatus } from './models/ApplicationVolumeStatus';
 export { AppType } from './models/AppType';
-export type { ArtifactApplicationProviderSpec } from './models/ArtifactApplicationProviderSpec';
 export type { AuthConfig } from './models/AuthConfig';
-export type { AuthOrganizationsConfig } from './models/AuthOrganizationsConfig';
+export type { AuthDynamicOrganizationAssignment } from './models/AuthDynamicOrganizationAssignment';
+export type { AuthDynamicRoleAssignment } from './models/AuthDynamicRoleAssignment';
+export type { AuthOrganizationAssignment } from './models/AuthOrganizationAssignment';
+export type { AuthPerUserOrganizationAssignment } from './models/AuthPerUserOrganizationAssignment';
+export type { AuthProvider } from './models/AuthProvider';
+export type { AuthProviderList } from './models/AuthProviderList';
+export type { AuthProviderSpec } from './models/AuthProviderSpec';
+export type { AuthRoleAssignment } from './models/AuthRoleAssignment';
+export type { AuthStaticOrganizationAssignment } from './models/AuthStaticOrganizationAssignment';
+export type { AuthStaticRoleAssignment } from './models/AuthStaticRoleAssignment';
 export type { Batch } from './models/Batch';
 export type { BatchSequence } from './models/BatchSequence';
 export type { CertificateSigningRequest } from './models/CertificateSigningRequest';
@@ -114,6 +123,7 @@ export type { InlineApplicationProviderSpec } from './models/InlineApplicationPr
 export type { InlineConfigProviderSpec } from './models/InlineConfigProviderSpec';
 export type { InternalTaskFailedDetails } from './models/InternalTaskFailedDetails';
 export type { InternalTaskPermanentlyFailedDetails } from './models/InternalTaskPermanentlyFailedDetails';
+export type { K8sProviderSpec } from './models/K8sProviderSpec';
 export type { KubernetesSecretProviderSpec } from './models/KubernetesSecretProviderSpec';
 export type { LabelList } from './models/LabelList';
 export type { LabelSelector } from './models/LabelSelector';
@@ -121,8 +131,10 @@ export type { ListMeta } from './models/ListMeta';
 export { MatchExpression } from './models/MatchExpression';
 export type { MatchExpressions } from './models/MatchExpressions';
 export type { MemoryResourceMonitorSpec } from './models/MemoryResourceMonitorSpec';
+export type { OAuth2ProviderSpec } from './models/OAuth2ProviderSpec';
 export type { ObjectMeta } from './models/ObjectMeta';
 export type { ObjectReference } from './models/ObjectReference';
+export type { OIDCProviderSpec } from './models/OIDCProviderSpec';
 export type { Organization } from './models/Organization';
 export type { OrganizationList } from './models/OrganizationList';
 export type { OrganizationSpec } from './models/OrganizationSpec';
@@ -152,6 +164,10 @@ export { RolloutStrategy } from './models/RolloutStrategy';
 export type { SshConfig } from './models/SshConfig';
 export type { SshRepoSpec } from './models/SshRepoSpec';
 export type { Status } from './models/Status';
+export { SystemdActiveStateType } from './models/SystemdActiveStateType';
+export { SystemdEnableStateType } from './models/SystemdEnableStateType';
+export { SystemdLoadStateType } from './models/SystemdLoadStateType';
+export type { SystemdUnitStatus } from './models/SystemdUnitStatus';
 export type { TemplateVersion } from './models/TemplateVersion';
 export type { TemplateVersionList } from './models/TemplateVersionList';
 export type { TemplateVersionSpec } from './models/TemplateVersionSpec';
diff --git a/libs/types/models/AapProviderSpec.ts b/libs/types/models/AapProviderSpec.ts
new file mode 100644
index 000000000..823b43902
--- /dev/null
+++ b/libs/types/models/AapProviderSpec.ts
@@ -0,0 +1,34 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { AuthOrganizationAssignment } from './AuthOrganizationAssignment';
+import type { AuthRoleAssignment } from './AuthRoleAssignment';
+/**
+ * AapProviderSpec describes an Ansible Automation Platform (AAP) provider configuration.
+ */
+export type AapProviderSpec = {
+  /**
+   * The type of authentication provider.
+   */
+  providerType: 'aap';
+  /**
+   * Human-readable display name for the provider.
+   */
+  displayName?: string;
+  /**
+   * The internal AAP API URL.
+   */
+  apiUrl: string;
+  /**
+   * The external AAP API URL (for external access).
+   */
+  externalApiUrl?: string;
+  /**
+   * Whether this AAP provider is enabled.
+   */
+  enabled?: boolean;
+  organizationAssignment: AuthOrganizationAssignment;
+  roleAssignment: AuthRoleAssignment;
+};
+
diff --git a/libs/types/models/AuthConfig.ts b/libs/types/models/AuthConfig.ts
index e4a46ef1c..bbfa1aa68 100644
--- a/libs/types/models/AuthConfig.ts
+++ b/libs/types/models/AuthConfig.ts
@@ -2,19 +2,23 @@
 /* istanbul ignore file */
 /* tslint:disable */
 /* eslint-disable */
-import type { AuthOrganizationsConfig } from './AuthOrganizationsConfig';
-/**
- * Auth config.
- */
+import type { AuthProvider } from './AuthProvider';
 export type AuthConfig = {
   /**
-   * Auth type.
+   * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources.
    */
-  authType: string;
+  apiVersion: string;
   /**
-   * Auth URL.
+   * List of all available authentication providers.
    */
-  authURL: string;
-  authOrganizationsConfig: AuthOrganizationsConfig;
+  providers?: Array<AuthProvider>;
+  /**
+   * Name of the default authentication provider.
+   */
+  defaultProvider?: string;
+  /**
+   * Whether organizations are enabled for authentication.
+   */
+  organizationsEnabled?: boolean;
 };
 
diff --git a/libs/types/models/AuthDynamicOrganizationAssignment.ts b/libs/types/models/AuthDynamicOrganizationAssignment.ts
new file mode 100644
index 000000000..8173b6eed
--- /dev/null
+++ b/libs/types/models/AuthDynamicOrganizationAssignment.ts
@@ -0,0 +1,26 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * AuthDynamicOrganizationAssignment assigns users to organizations based on auth provider claims.
+ */
+export type AuthDynamicOrganizationAssignment = {
+  /**
+   * The type of organization assignment.
+   */
+  type: 'dynamic';
+  /**
+   * The JSON path to the claim that contains the organization identifier (e.g., ["groups", "0"] or ["custom", "org"]).
+   */
+  claimPath: Array<string>;
+  /**
+   * The prefix for the organization name (e.g., "org-").
+   */
+  organizationNamePrefix?: string;
+  /**
+   * The suffix for the organization name (e.g., "-org").
+   */
+  organizationNameSuffix?: string;
+};
+
diff --git a/libs/types/models/AuthDynamicRoleAssignment.ts b/libs/types/models/AuthDynamicRoleAssignment.ts
new file mode 100644
index 000000000..16ba118c4
--- /dev/null
+++ b/libs/types/models/AuthDynamicRoleAssignment.ts
@@ -0,0 +1,18 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * AuthDynamicRoleAssignment extracts roles from auth provider claims using a JSON path.
+ */
+export type AuthDynamicRoleAssignment = {
+  /**
+   * The type of role assignment.
+   */
+  type: 'dynamic';
+  /**
+   * The JSON path to the role/group claim (e.g., ["groups"], ["roles"], ["realm_access", "roles"]).
+   */
+  claimPath: Array<string>;
+};
+
diff --git a/libs/types/models/AuthOrganizationAssignment.ts b/libs/types/models/AuthOrganizationAssignment.ts
new file mode 100644
index 000000000..953b4a99b
--- /dev/null
+++ b/libs/types/models/AuthOrganizationAssignment.ts
@@ -0,0 +1,12 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { AuthDynamicOrganizationAssignment } from './AuthDynamicOrganizationAssignment';
+import type { AuthPerUserOrganizationAssignment } from './AuthPerUserOrganizationAssignment';
+import type { AuthStaticOrganizationAssignment } from './AuthStaticOrganizationAssignment';
+/**
+ * AuthOrganizationAssignment defines how users from this auth provider are assigned to organizations.
+ */
+export type AuthOrganizationAssignment = (AuthStaticOrganizationAssignment | AuthDynamicOrganizationAssignment | AuthPerUserOrganizationAssignment);
+
diff --git a/libs/types/models/AuthOrganizationsConfig.ts b/libs/types/models/AuthOrganizationsConfig.ts
deleted file mode 100644
index 84e12643a..000000000
--- a/libs/types/models/AuthOrganizationsConfig.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-/* generated using openapi-typescript-codegen -- do no edit */
-/* istanbul ignore file */
-/* tslint:disable */
-/* eslint-disable */
-/**
- * Auth related organizations configuration.
- */
-export type AuthOrganizationsConfig = {
-  /**
-   * If true, support for IdP provided organizations is enabled.
-   */
-  enabled: boolean;
-};
-
diff --git a/libs/types/models/AuthPerUserOrganizationAssignment.ts b/libs/types/models/AuthPerUserOrganizationAssignment.ts
new file mode 100644
index 000000000..b18dcbbfd
--- /dev/null
+++ b/libs/types/models/AuthPerUserOrganizationAssignment.ts
@@ -0,0 +1,22 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * AuthPerUserOrganizationAssignment creates a separate organization for each user.
+ */
+export type AuthPerUserOrganizationAssignment = {
+  /**
+   * The type of organization assignment.
+   */
+  type: 'perUser';
+  /**
+   * The prefix for the user-specific organization name (e.g., "user-org-").
+   */
+  organizationNamePrefix?: string;
+  /**
+   * The suffix for the user-specific organization name (e.g., "-org").
+   */
+  organizationNameSuffix?: string;
+};
+
diff --git a/libs/types/models/AuthProvider.ts b/libs/types/models/AuthProvider.ts
new file mode 100644
index 000000000..0dd652264
--- /dev/null
+++ b/libs/types/models/AuthProvider.ts
@@ -0,0 +1,22 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { AuthProviderSpec } from './AuthProviderSpec';
+import type { ObjectMeta } from './ObjectMeta';
+/**
+ * AuthProvider represents an authentication provider configuration supporting both OIDC and OAuth2.
+ */
+export type AuthProvider = {
+  /**
+   * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources.
+   */
+  apiVersion: string;
+  /**
+   * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds.
+   */
+  kind: string;
+  metadata: ObjectMeta;
+  spec: AuthProviderSpec;
+};
+
diff --git a/libs/types/models/AuthProviderList.ts b/libs/types/models/AuthProviderList.ts
new file mode 100644
index 000000000..57bfe36f6
--- /dev/null
+++ b/libs/types/models/AuthProviderList.ts
@@ -0,0 +1,25 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { AuthProvider } from './AuthProvider';
+import type { ListMeta } from './ListMeta';
+/**
+ * AuthProviderList is a list of auth providers.
+ */
+export type AuthProviderList = {
+  /**
+   * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources.
+   */
+  apiVersion: string;
+  /**
+   * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds.
+   */
+  kind: string;
+  metadata: ListMeta;
+  /**
+   * List of auth providers.
+   */
+  items: Array<AuthProvider>;
+};
+
diff --git a/libs/types/models/AuthProviderSpec.ts b/libs/types/models/AuthProviderSpec.ts
new file mode 100644
index 000000000..79a85eb37
--- /dev/null
+++ b/libs/types/models/AuthProviderSpec.ts
@@ -0,0 +1,10 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { AapProviderSpec } from './AapProviderSpec';
+import type { K8sProviderSpec } from './K8sProviderSpec';
+import type { OAuth2ProviderSpec } from './OAuth2ProviderSpec';
+import type { OIDCProviderSpec } from './OIDCProviderSpec';
+export type AuthProviderSpec = (OIDCProviderSpec | OAuth2ProviderSpec | AapProviderSpec | K8sProviderSpec);
+
diff --git a/libs/types/models/AuthRoleAssignment.ts b/libs/types/models/AuthRoleAssignment.ts
new file mode 100644
index 000000000..7349541b9
--- /dev/null
+++ b/libs/types/models/AuthRoleAssignment.ts
@@ -0,0 +1,11 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { AuthDynamicRoleAssignment } from './AuthDynamicRoleAssignment';
+import type { AuthStaticRoleAssignment } from './AuthStaticRoleAssignment';
+/**
+ * AuthRoleAssignment defines how roles are assigned to users from this auth provider.
+ */
+export type AuthRoleAssignment = (AuthStaticRoleAssignment | AuthDynamicRoleAssignment);
+
diff --git a/libs/types/models/AuthStaticOrganizationAssignment.ts b/libs/types/models/AuthStaticOrganizationAssignment.ts
new file mode 100644
index 000000000..03fe0b616
--- /dev/null
+++ b/libs/types/models/AuthStaticOrganizationAssignment.ts
@@ -0,0 +1,18 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * AuthStaticOrganizationAssignment assigns all users from this auth provider to a single static organization.
+ */
+export type AuthStaticOrganizationAssignment = {
+  /**
+   * The type of organization assignment.
+   */
+  type: 'static';
+  /**
+   * The name of the organization where all users will be assigned.
+   */
+  organizationName: string;
+};
+
diff --git a/libs/types/models/AuthStaticRoleAssignment.ts b/libs/types/models/AuthStaticRoleAssignment.ts
new file mode 100644
index 000000000..b8c9dcc2e
--- /dev/null
+++ b/libs/types/models/AuthStaticRoleAssignment.ts
@@ -0,0 +1,18 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * AuthStaticRoleAssignment assigns a static set of roles to all users from this auth provider.
+ */
+export type AuthStaticRoleAssignment = {
+  /**
+   * The type of role assignment.
+   */
+  type: 'static';
+  /**
+   * The list of role names to assign to all users.
+   */
+  roles: Array<string>;
+};
+
diff --git a/libs/types/models/DeviceStatus.ts b/libs/types/models/DeviceStatus.ts
index 43cb73fef..f76336968 100644
--- a/libs/types/models/DeviceStatus.ts
+++ b/libs/types/models/DeviceStatus.ts
@@ -13,6 +13,7 @@ import type { DeviceResourceStatus } from './DeviceResourceStatus';
 import type { DeviceSummaryStatus } from './DeviceSummaryStatus';
 import type { DeviceSystemInfo } from './DeviceSystemInfo';
 import type { DeviceUpdatedStatus } from './DeviceUpdatedStatus';
+import type { SystemdUnitStatus } from './SystemdUnitStatus';
 /**
  * DeviceStatus represents information about the status of a device. Status may trail the actual state of a device.
  */
@@ -23,7 +24,11 @@ export type DeviceStatus = {
   conditions: Array<Condition>;
   systemInfo: DeviceSystemInfo;
   /**
-   * List of device application status.
+   * List of systemd unit statuses.
+   */
+  systemd?: Array<SystemdUnitStatus>;
+  /**
+   * List of device application statuses.
    */
   applications: Array<DeviceApplicationStatus>;
   applicationsSummary: DeviceApplicationsSummaryStatus;
diff --git a/libs/types/models/K8sProviderSpec.ts b/libs/types/models/K8sProviderSpec.ts
new file mode 100644
index 000000000..16f8767e0
--- /dev/null
+++ b/libs/types/models/K8sProviderSpec.ts
@@ -0,0 +1,38 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { AuthOrganizationAssignment } from './AuthOrganizationAssignment';
+import type { AuthRoleAssignment } from './AuthRoleAssignment';
+/**
+ * K8sProviderSpec describes a Kubernetes/OpenShift provider configuration.
+ */
+export type K8sProviderSpec = {
+  /**
+   * The type of authentication provider.
+   */
+  providerType: 'k8s';
+  /**
+   * Human-readable display name for the provider.
+   */
+  displayName?: string;
+  /**
+   * The internal Kubernetes API URL.
+   */
+  apiUrl: string;
+  /**
+   * The external OpenShift API URL (for external access).
+   */
+  externalOpenShiftApiUrl?: string;
+  /**
+   * The RBAC namespace for permissions.
+   */
+  rbacNs?: string;
+  /**
+   * Whether this K8s provider is enabled.
+   */
+  enabled?: boolean;
+  organizationAssignment: AuthOrganizationAssignment;
+  roleAssignment: AuthRoleAssignment;
+};
+
diff --git a/libs/types/models/OAuth2ProviderSpec.ts b/libs/types/models/OAuth2ProviderSpec.ts
new file mode 100644
index 000000000..48fbec472
--- /dev/null
+++ b/libs/types/models/OAuth2ProviderSpec.ts
@@ -0,0 +1,58 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { AuthOrganizationAssignment } from './AuthOrganizationAssignment';
+import type { AuthRoleAssignment } from './AuthRoleAssignment';
+/**
+ * OAuth2ProviderSpec describes an OAuth2 provider configuration.
+ */
+export type OAuth2ProviderSpec = {
+  /**
+   * The type of authentication provider.
+   */
+  providerType: 'oauth2';
+  /**
+   * Human-readable display name for the provider.
+   */
+  displayName?: string;
+  /**
+   * The OAuth2 issuer identifier (used for issuer identification in tokens).
+   */
+  issuer?: string;
+  /**
+   * The OAuth2 authorization endpoint URL.
+   */
+  authorizationUrl: string;
+  /**
+   * The OAuth2 token endpoint URL.
+   */
+  tokenUrl: string;
+  /**
+   * The OAuth2 userinfo endpoint URL.
+   */
+  userinfoUrl: string;
+  /**
+   * The OAuth2 client ID.
+   */
+  clientId: string;
+  /**
+   * The OAuth2 client secret.
+   */
+  clientSecret: string;
+  /**
+   * Whether this OAuth2 provider is enabled.
+   */
+  enabled?: boolean;
+  /**
+   * List of OAuth2 scopes to request.
+   */
+  scopes?: Array<string>;
+  organizationAssignment: AuthOrganizationAssignment;
+  /**
+   * JSON path to the username claim in the userinfo response as an array of path segments (e.g., ["preferred_username"], ["email"], ["sub"]).
+   */
+  usernameClaim?: Array<string>;
+  roleAssignment: AuthRoleAssignment;
+};
+
diff --git a/libs/types/models/OIDCProviderSpec.ts b/libs/types/models/OIDCProviderSpec.ts
new file mode 100644
index 000000000..c196a98ae
--- /dev/null
+++ b/libs/types/models/OIDCProviderSpec.ts
@@ -0,0 +1,46 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { AuthOrganizationAssignment } from './AuthOrganizationAssignment';
+import type { AuthRoleAssignment } from './AuthRoleAssignment';
+/**
+ * OIDCProviderSpec describes an OIDC provider configuration.
+ */
+export type OIDCProviderSpec = {
+  /**
+   * The type of authentication provider.
+   */
+  providerType: 'oidc';
+  /**
+   * Human-readable display name for the provider.
+   */
+  displayName?: string;
+  /**
+   * The OIDC issuer URL (e.g., https://accounts.google.com).
+   */
+  issuer: string;
+  /**
+   * The OIDC client ID.
+   */
+  clientId: string;
+  /**
+   * The OIDC client secret.
+   */
+  clientSecret: string;
+  /**
+   * Whether this OIDC provider is enabled.
+   */
+  enabled?: boolean;
+  /**
+   * List of OIDC scopes to request.
+   */
+  scopes?: Array<string>;
+  organizationAssignment: AuthOrganizationAssignment;
+  /**
+   * JSON path to the username claim in the JWT token as an array of path segments (e.g., ["preferred_username"], ["email"], ["sub"]).
+   */
+  usernameClaim?: Array<string>;
+  roleAssignment: AuthRoleAssignment;
+};
+
diff --git a/libs/types/models/ResourceKind.ts b/libs/types/models/ResourceKind.ts
index 39cfae6e3..2896ebc9e 100644
--- a/libs/types/models/ResourceKind.ts
+++ b/libs/types/models/ResourceKind.ts
@@ -13,4 +13,5 @@ export enum ResourceKind {
   REPOSITORY = 'Repository',
   RESOURCE_SYNC = 'ResourceSync',
   TEMPLATE_VERSION = 'TemplateVersion',
+  AUTH_PROVIDER = 'AuthProvider',
 }
diff --git a/libs/types/models/SystemdActiveStateType.ts b/libs/types/models/SystemdActiveStateType.ts
new file mode 100644
index 000000000..93e3d9a31
--- /dev/null
+++ b/libs/types/models/SystemdActiveStateType.ts
@@ -0,0 +1,17 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * The high-level unit activation state.
+ */
+export enum SystemdActiveStateType {
+  SystemdActiveStateActive = 'active',
+  SystemdActiveStateReloading = 'reloading',
+  SystemdActiveStateInactive = 'inactive',
+  SystemdActiveStateFailed = 'failed',
+  SystemdActiveStateActivating = 'activating',
+  SystemdActiveStateDeactivating = 'deactivating',
+  SystemdActiveStateMaintenance = 'maintenance',
+  SystemdActiveStateRefreshing = 'refreshing',
+}
diff --git a/libs/types/models/SystemdEnableStateType.ts b/libs/types/models/SystemdEnableStateType.ts
new file mode 100644
index 000000000..31e6f1d98
--- /dev/null
+++ b/libs/types/models/SystemdEnableStateType.ts
@@ -0,0 +1,22 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * The enable state of the unit file.
+ */
+export enum SystemdEnableStateType {
+  SystemdEnableStateEnabled = 'enabled',
+  SystemdEnableStateEnabledRuntime = 'enabled-runtime',
+  SystemdEnableStateLinked = 'linked',
+  SystemdEnableStateLinkedRuntime = 'linked-runtime',
+  SystemdEnableStateAlias = 'alias',
+  SystemdEnableStateMasked = 'masked',
+  SystemdEnableStateMaskedRuntime = 'masked-runtime',
+  SystemdEnableStateStatic = 'static',
+  SystemdEnableStateDisabled = 'disabled',
+  SystemdEnableStateIndirect = 'indirect',
+  SystemdEnableStateGenerated = 'generated',
+  SystemdEnableStateTransient = 'transient',
+  SystemdEnableStateBad = 'bad',
+}
diff --git a/libs/types/models/SystemdLoadStateType.ts b/libs/types/models/SystemdLoadStateType.ts
new file mode 100644
index 000000000..bbf87dbd6
--- /dev/null
+++ b/libs/types/models/SystemdLoadStateType.ts
@@ -0,0 +1,16 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * The load state of the unit file.
+ */
+export enum SystemdLoadStateType {
+  SystemdLoadStateStub = 'stub',
+  SystemdLoadStateLoaded = 'loaded',
+  SystemdLoadStateNotFound = 'not-found',
+  SystemdLoadStateBadSetting = 'bad-setting',
+  SystemdLoadStateError = 'error',
+  SystemdLoadStateMerged = 'merged',
+  SystemdLoadStateMasked = 'masked',
+}
diff --git a/libs/types/models/SystemdUnitStatus.ts b/libs/types/models/SystemdUnitStatus.ts
new file mode 100644
index 000000000..5cb5800bb
--- /dev/null
+++ b/libs/types/models/SystemdUnitStatus.ts
@@ -0,0 +1,25 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { SystemdActiveStateType } from './SystemdActiveStateType';
+import type { SystemdEnableStateType } from './SystemdEnableStateType';
+import type { SystemdLoadStateType } from './SystemdLoadStateType';
+export type SystemdUnitStatus = {
+  /**
+   * The unit name (e.g., "sshd.service").
+   */
+  unit: string;
+  /**
+   * The human-readable description for the unit.
+   */
+  description: string;
+  enableState: SystemdEnableStateType;
+  loadState: SystemdLoadStateType;
+  activeState: SystemdActiveStateType;
+  /**
+   * The low-level, unit-type-specific state.
+   */
+  subState: string;
+};
+
diff --git a/proxy/auth/auth.go b/proxy/auth/auth.go
index 1e2a37646..722346093 100644
--- a/proxy/auth/auth.go
+++ b/proxy/auth/auth.go
@@ -45,6 +45,8 @@ func NewAuth(apiTlsConfig *tls.Config) (*AuthHandler, error) {
 		auth.provider, err = getAAPAuthHandler(authConfig.AuthURL, internalAuthUrl)
 	case "OIDC":
 		auth.provider, err = getOIDCAuthHandler(authConfig.AuthURL, internalAuthUrl)
+	case "k8s":
+		auth.provider, err = getK8sAuthHandler(authConfig.AuthURL, internalAuthUrl)
 	default:
 		err = fmt.Errorf("unknown auth type: %s", authConfig.AuthType)
 	}
@@ -64,6 +66,32 @@ func (a AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
+		// Check if this is a token-based auth provider (k8s)
+		if tokenProvider, ok := a.provider.(*TokenAuthProvider); ok {
+			var loginParams TokenLoginParameters
+			err = json.Unmarshal(body, &loginParams)
+			if err != nil {
+				log.GetLogger().WithError(err).Warn("Failed to unmarshal request body")
+				w.WriteHeader(http.StatusBadRequest)
+				return
+			}
+
+			if loginParams.Token == "" {
+				w.WriteHeader(http.StatusBadRequest)
+				return
+			}
+
+			tokenData, expires, err := tokenProvider.ValidateToken(loginParams.Token)
+			if err != nil {
+				log.GetLogger().WithError(err).Warn("Token validation failed")
+				w.WriteHeader(http.StatusUnauthorized)
+				return
+			}
+			respondWithToken(w, tokenData, expires)
+			return
+		}
+
+		// OAuth-based providers (OIDC, AAP)
 		loginParams := LoginParameters{}
 		err = json.Unmarshal(body, &loginParams)
 		if err != nil {
diff --git a/proxy/auth/common.go b/proxy/auth/common.go
index fd42d0dbe..169dae10c 100644
--- a/proxy/auth/common.go
+++ b/proxy/auth/common.go
@@ -18,6 +18,7 @@ import (
 type TokenData struct {
 	Token        string `json:"token"`
 	RefreshToken string `json:"refreshToken"`
+	Provider     string `json:"provider,omitempty"`
 }
 
 type LoginParameters struct {
@@ -117,3 +118,21 @@ func getToken(r *http.Request) (string, error) {
 	token = strings.TrimSpace(token)
 	return token, nil
 }
+
+type ErrorResponse struct {
+	Error string `json:"error"`
+}
+
+func respondWithError(w http.ResponseWriter, statusCode int, message string) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(statusCode)
+	errorResp := ErrorResponse{Error: message}
+	response, err := json.Marshal(errorResp)
+	if err != nil {
+		log.GetLogger().WithError(err).Warn("Failed to marshal error response")
+		return
+	}
+	if _, err := w.Write(response); err != nil {
+		log.GetLogger().WithError(err).Warn("Failed to write error response")
+	}
+}
diff --git a/proxy/auth/k8s.go b/proxy/auth/k8s.go
new file mode 100644
index 000000000..a2d67e3e7
--- /dev/null
+++ b/proxy/auth/k8s.go
@@ -0,0 +1,239 @@
+package auth
+
+import (
+	"crypto/tls"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/flightctl/flightctl-ui/bridge"
+	"github.com/flightctl/flightctl-ui/config"
+	"github.com/flightctl/flightctl-ui/log"
+)
+
+type TokenAuthProvider struct {
+	apiTlsConfig *tls.Config
+	authURL      string
+}
+
+type TokenLoginParameters struct {
+	Token string `json:"token"`
+}
+
+func NewTokenAuthProvider(apiTlsConfig *tls.Config, authURL string) *TokenAuthProvider {
+	return &TokenAuthProvider{
+		apiTlsConfig: apiTlsConfig,
+		authURL:      authURL,
+	}
+}
+
+// GetToken does not exist for token auth
+func (t *TokenAuthProvider) GetToken(loginParams LoginParameters) (TokenData, *int64, error) {
+	return TokenData{}, nil, fmt.Errorf("token auth does not use OAuth code flow")
+}
+
+// ValidateToken validates a K8s token by calling the backend API
+func (t *TokenAuthProvider) ValidateToken(token string) (TokenData, *int64, error) {
+	client := &http.Client{Transport: &http.Transport{
+		TLSClientConfig: t.apiTlsConfig,
+	}}
+
+	// Call a basic API endpoint to validate the token
+	validateUrl := config.FctlApiUrl + "/api/v1/fleets?limit=1"
+
+	req, err := http.NewRequest(http.MethodGet, validateUrl, nil)
+	if err != nil {
+		log.GetLogger().WithError(err).Warn("Failed to create token validation request")
+		return TokenData{}, nil, err
+	}
+
+	req.Header.Add("Authorization", "Bearer "+token)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return TokenData{}, nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
+		// Check if the token is expired by examining the exp claim
+		expiresIn := extractTokenExpiration(token)
+		if expiresIn != nil && *expiresIn == 0 {
+			return TokenData{}, nil, fmt.Errorf("Token has expired")
+		}
+		return TokenData{}, nil, fmt.Errorf("Token is invalid or unauthorized")
+	}
+
+	// Accept any successful response (2xx) or even some 4xx errors that aren't auth-related
+	if resp.StatusCode < 200 || resp.StatusCode >= 500 {
+		return TokenData{}, nil, fmt.Errorf("Token validation failed")
+	}
+
+	// Store the validated K8s JWT token
+	tokenData := TokenData{
+		Token:        token,
+		RefreshToken: "",
+	}
+
+	expiresIn := extractTokenExpiration(token)
+	return tokenData, expiresIn, nil
+}
+
+// extractTokenExpiration extracts the expiration time from a JWT token
+// Returns the number of seconds until expiration, or nil if no expiration is set
+func extractTokenExpiration(token string) *int64 {
+	claims, err := extractJwtTokenClaims(token)
+	if err != nil {
+		return nil
+	}
+
+	// Look for the "exp" claim (standard JWT expiration claim)
+	exp, ok := claims["exp"]
+	if !ok {
+		return nil
+	}
+
+	// The exp claim is typically a float64 (Unix timestamp)
+	var expTimestamp int64
+	switch v := exp.(type) {
+	case float64:
+		expTimestamp = int64(v)
+	case int64:
+		expTimestamp = v
+	case int:
+		expTimestamp = int64(v)
+	default:
+		return nil
+	}
+
+	now := time.Now().Unix()
+	expiresIn := expTimestamp - now
+
+	if expiresIn < 0 {
+		expiresIn = 0
+	}
+
+	return &expiresIn
+}
+
+// extractJwtTokenClaims extracts the claims from a JWT token
+func extractJwtTokenClaims(token string) (map[string]interface{}, error) {
+	// K8s tokens have the format: <header>.<payload>.<signature>
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		return nil, fmt.Errorf("invalid token format")
+	}
+
+	// Decode the payload (second part)
+	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode token payload: %w", err)
+	}
+
+	// Parse the JSON payload
+	var claims map[string]interface{}
+	if err := json.Unmarshal(payload, &claims); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal token claims: %w", err)
+	}
+
+	return claims, nil
+}
+
+// extractUsernameFromClaims extracts the username from JWT claims
+func extractUsernameFromClaims(claims map[string]interface{}) (string, bool) {
+	// Prefer the short service account name over the full sub claim
+	if k8sInfo, ok := claims["kubernetes.io"].(map[string]interface{}); ok {
+		if sa, ok := k8sInfo["serviceaccount"].(map[string]interface{}); ok {
+			if saName, ok := sa["name"].(string); ok && saName != "" {
+				return saName, true
+			}
+		}
+	}
+
+	// Try to extract the service account name from the old flat claim structure
+	if saName, ok := claims["kubernetes.io/serviceaccount/service-account.name"].(string); ok && saName != "" {
+		return saName, true
+	}
+
+	// Fallback to sub claim (which contains the full system:serviceaccount:namespace:name format)
+	if username, ok := claims["sub"].(string); ok && username != "" {
+		// Try to extract just the service account name from sub if it's in the right format
+		parts := strings.Split(username, ":")
+		if len(parts) == 4 && parts[0] == "system" && parts[1] == "serviceaccount" {
+			return parts[3], true // Return just the service account name
+		}
+		return username, true
+	}
+
+	return "", false
+}
+
+// ExtractUsernameFromToken extracts the username from a K8s JWT token
+func ExtractUsernameFromToken(token string) (string, error) {
+	claims, err := extractJwtTokenClaims(token)
+	if err != nil {
+		return "", err
+	}
+
+	username, ok := extractUsernameFromClaims(claims)
+	if !ok {
+		return "", fmt.Errorf("could not extract username from token claims")
+	}
+
+	return username, nil
+}
+
+// GetUserInfo retrieves user information from the provided JWT token
+func (t *TokenAuthProvider) GetUserInfo(token string) (string, *http.Response, error) {
+	// For K8s, extract username from the JWT token
+	if token == "" {
+		return "", nil, fmt.Errorf("token is required for K8s userinfo")
+	}
+
+	username, err := ExtractUsernameFromToken(token)
+	if err != nil {
+		log.GetLogger().WithError(err).Warn("Failed to extract username from token")
+		return "", nil, err
+	}
+
+	resp := &http.Response{
+		StatusCode: http.StatusOK,
+	}
+
+	return username, resp, nil
+}
+
+// RefreshToken is not applicable for K8s token auth
+func (t *TokenAuthProvider) RefreshToken(refreshToken string) (TokenData, *int64, error) {
+	return TokenData{}, nil, fmt.Errorf("token refresh not supported for K8s token auth")
+}
+
+// Logout for token auth just clears the session
+func (t *TokenAuthProvider) Logout(token string) (string, error) {
+	// No special logout URL for token auth
+	return "", nil
+}
+
+// GetLoginRedirectURL is not applicable for token auth
+func (t *TokenAuthProvider) GetLoginRedirectURL() string {
+	return ""
+}
+
+// getK8sAuthHandler creates a new K8s token authentication handler
+func getK8sAuthHandler(authURL string, internalAuthURL *string) (*TokenAuthProvider, error) {
+	// Use API TLS config since we're calling the FlightCtl API to validate tokens
+	tlsConfig, err := bridge.GetTlsConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	url := authURL
+	if internalAuthURL != nil {
+		url = *internalAuthURL
+	}
+
+	return NewTokenAuthProvider(tlsConfig, url), nil
+}

From 5de39e85633577a7c9c18c9d30ff05acf9c8ec5a Mon Sep 17 00:00:00 2001
From: Celia Amador <camadorg@redhat.com>
Date: Fri, 7 Nov 2025 10:18:20 +0100
Subject: [PATCH 2/5] Handle k8s token expired

---
 .../src/app/components/Login/LoginPage.tsx      |  9 ++++-----
 apps/standalone/src/app/context/AuthContext.ts  | 10 +++++++++-
 apps/standalone/src/app/utils/apiCalls.ts       |  5 ++++-
 libs/i18n/locales/en/translation.json           | 12 ++++++++++++
 proxy/auth/auth.go                              | 17 ++++++++++++++---
 proxy/auth/common.go                            | 13 +++++++++++++
 proxy/auth/k8s.go                               | 17 +++++++++++++----
 7 files changed, 69 insertions(+), 14 deletions(-)

diff --git a/apps/standalone/src/app/components/Login/LoginPage.tsx b/apps/standalone/src/app/components/Login/LoginPage.tsx
index dc165e8ed..c2bcd1b93 100644
--- a/apps/standalone/src/app/components/Login/LoginPage.tsx
+++ b/apps/standalone/src/app/components/Login/LoginPage.tsx
@@ -19,10 +19,10 @@ import {
   TextVariants,
   Title,
 } from '@patternfly/react-core';
-import { useTranslation } from 'react-i18next';
 
 import { ORGANIZATION_STORAGE_KEY } from '@flightctl/ui-components/src/utils/organizationStorage';
 import FlightCtlForm from '@flightctl/ui-components/src/components/form/FlightCtlForm';
+import { useTranslation } from '@flightctl/ui-components/src/hooks/useTranslation';
 import { loginAPI } from '../../utils/apiCalls';
 
 const EXPIRATION = 'expiration';
@@ -67,8 +67,8 @@ export const LoginPage = () => {
       });
 
       if (!resp.ok) {
-        const errorData = await resp.json().catch(() => ({}));
-        setSubmitError(errorData.error || 'Authentication failed');
+        const errorData = (await resp.json()) as { error?: string };
+        setSubmitError(errorData.error || t('Authentication failed'));
         setIsSubmitting(false);
         return;
       }
@@ -112,8 +112,7 @@ export const LoginPage = () => {
                   <TextArea
                     id="accessToken"
                     value={token}
-                    onChange={(_event, value) => {
-                      const tokenVal = value.trim();
+                    onChange={(_event, tokenVal) => {
                       if (tokenVal && !isValidJwtTokenFormat(tokenVal)) {
                         setValidationError(
                           t('Invalid token format. Expected a JWT token with format: header.payload.signature'),
diff --git a/apps/standalone/src/app/context/AuthContext.ts b/apps/standalone/src/app/context/AuthContext.ts
index c1c1cfcef..68d32224d 100644
--- a/apps/standalone/src/app/context/AuthContext.ts
+++ b/apps/standalone/src/app/context/AuthContext.ts
@@ -80,7 +80,10 @@ export const useAuthContext = () => {
             return;
           }
           if (resp.status === 401) {
-            await redirectToLogin();
+            // Don't redirect if we're already on the login page
+            if (window.location.pathname !== '/login') {
+              await redirectToLogin();
+            }
             return;
           }
           if (resp.status !== 200) {
@@ -103,6 +106,11 @@ export const useAuthContext = () => {
 
   React.useEffect(() => {
     if (!loading) {
+      // Don't schedule refresh if we're on login page
+      if (window.location.pathname === '/login') {
+        return;
+      }
+
       const scheduleRefresh = () => {
         if (!authEnabled) {
           return;
diff --git a/apps/standalone/src/app/utils/apiCalls.ts b/apps/standalone/src/app/utils/apiCalls.ts
index 32fd61f98..4798c7ef5 100644
--- a/apps/standalone/src/app/utils/apiCalls.ts
+++ b/apps/standalone/src/app/utils/apiCalls.ts
@@ -75,7 +75,10 @@ const handleApiJSONResponse = async <R>(response: Response): Promise<R> => {
   }
 
   if (response.status === 401) {
-    await redirectToLogin();
+    // Don't redirect if we're already on the login page
+    if (window.location.pathname !== '/login') {
+      await redirectToLogin();
+    }
   }
 
   throw new Error(await getErrorMsgFromApiResponse(response));
diff --git a/libs/i18n/locales/en/translation.json b/libs/i18n/locales/en/translation.json
index 84fbae4be..661bbfbf2 100644
--- a/libs/i18n/locales/en/translation.json
+++ b/libs/i18n/locales/en/translation.json
@@ -13,6 +13,18 @@
   "404 Page not found": "404 Page not found",
   "We didn't find a page that matches the address you navigated to.": "We didn't find a page that matches the address you navigated to.",
   "Take me home": "Take me home",
+  "Authentication failed": "Authentication failed",
+  "Failed to authenticate. Please check your token and try again.": "Failed to authenticate. Please check your token and try again.",
+  "Enter your Kubernetes token": "Enter your Kubernetes token",
+  "Enter your Kubernetes service account token to authenticate with the cluster.": "Enter your Kubernetes service account token to authenticate with the cluster.",
+  "You can find this token in your Kubernetes service account credentials.": "You can find this token in your Kubernetes service account credentials.",
+  "Service account token": "Service account token",
+  "Invalid token format. Expected a JWT token with format: header.payload.signature": "Invalid token format. Expected a JWT token with format: header.payload.signature",
+  "Enter your Kubernetes token...": "Enter your Kubernetes token...",
+  "Keep your token secure": "Keep your token secure",
+  "Never share your service account token. It provides full access to your Kubernetes cluster resources.": "Never share your service account token. It provides full access to your Kubernetes cluster resources.",
+  "Authenticating...": "Authenticating...",
+  "Login": "Login",
   "404 Page Not Found": "404 Page Not Found",
   "Error page - details should be displayed here": "Error page - details should be displayed here",
   "Overview": "Overview",
diff --git a/proxy/auth/auth.go b/proxy/auth/auth.go
index 722346093..1c9d7959d 100644
--- a/proxy/auth/auth.go
+++ b/proxy/auth/auth.go
@@ -126,13 +126,15 @@ func (a AuthHandler) Refresh(w http.ResponseWriter, r *http.Request) {
 	}
 	tokenData, err := ParseSessionCookie(r)
 	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
+		clearCookie(w)
+		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}
 
 	tokenData, expires, err := a.provider.RefreshToken(tokenData.RefreshToken)
 	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
+		clearCookie(w)
+		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}
 	respondWithToken(w, tokenData, expires)
@@ -162,6 +164,7 @@ func (a AuthHandler) GetUserInfo(w http.ResponseWriter, r *http.Request) {
 
 	token, err := getToken(r)
 	if token == "" || err != nil {
+		clearCookie(w)
 		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}
@@ -169,10 +172,18 @@ func (a AuthHandler) GetUserInfo(w http.ResponseWriter, r *http.Request) {
 	username, resp, err := a.provider.GetUserInfo(token)
 	if err != nil {
 		log.GetLogger().WithError(err).Warn("Failed to get user info")
-		w.WriteHeader(http.StatusInternalServerError)
+		if resp != nil && resp.StatusCode == http.StatusUnauthorized {
+			clearCookie(w)
+			w.WriteHeader(http.StatusUnauthorized)
+		} else {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
 		return
 	}
 	if resp.StatusCode != http.StatusOK {
+		if resp.StatusCode == http.StatusUnauthorized {
+			clearCookie(w)
+		}
 		w.WriteHeader(resp.StatusCode)
 		return
 	}
diff --git a/proxy/auth/common.go b/proxy/auth/common.go
index 169dae10c..7d7924e48 100644
--- a/proxy/auth/common.go
+++ b/proxy/auth/common.go
@@ -50,6 +50,19 @@ func setCookie(w http.ResponseWriter, value TokenData) error {
 	return nil
 }
 
+func clearCookie(w http.ResponseWriter) {
+	cookie := http.Cookie{
+		Name:     common.CookieSessionName,
+		Value:    "",
+		Secure:   config.TlsCertPath != "",
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+		MaxAge:   -1,
+	}
+	http.SetCookie(w, &cookie)
+}
+
 func ParseSessionCookie(r *http.Request) (TokenData, error) {
 	tokenData := TokenData{}
 	cookie, err := r.Cookie(common.CookieSessionName)
diff --git a/proxy/auth/k8s.go b/proxy/auth/k8s.go
index a2d67e3e7..0f5dd87ba 100644
--- a/proxy/auth/k8s.go
+++ b/proxy/auth/k8s.go
@@ -41,8 +41,8 @@ func (t *TokenAuthProvider) ValidateToken(token string) (TokenData, *int64, erro
 		TLSClientConfig: t.apiTlsConfig,
 	}}
 
-	// Call a basic API endpoint to validate the token
-	validateUrl := config.FctlApiUrl + "/api/v1/fleets?limit=1"
+	// Verify that the token is valid for the Flight Control API
+	validateUrl := config.FctlApiUrl + "/api/v1/auth/validate"
 
 	req, err := http.NewRequest(http.MethodGet, validateUrl, nil)
 	if err != nil {
@@ -67,8 +67,8 @@ func (t *TokenAuthProvider) ValidateToken(token string) (TokenData, *int64, erro
 		return TokenData{}, nil, fmt.Errorf("Token is invalid or unauthorized")
 	}
 
-	// Accept any successful response (2xx) or even some 4xx errors that aren't auth-related
-	if resp.StatusCode < 200 || resp.StatusCode >= 500 {
+	// Accept only successful responses
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
 		return TokenData{}, nil, fmt.Errorf("Token validation failed")
 	}
 
@@ -193,6 +193,15 @@ func (t *TokenAuthProvider) GetUserInfo(token string) (string, *http.Response, e
 		return "", nil, fmt.Errorf("token is required for K8s userinfo")
 	}
 
+	// Check if token is expired
+	expiresIn := extractTokenExpiration(token)
+	if expiresIn != nil && *expiresIn == 0 {
+		resp := &http.Response{
+			StatusCode: http.StatusUnauthorized,
+		}
+		return "", resp, fmt.Errorf("token has expired")
+	}
+
 	username, err := ExtractUsernameFromToken(token)
 	if err != nil {
 		log.GetLogger().WithError(err).Warn("Failed to extract username from token")

From ebba7e8901ce3db7984c34866866820efd20649a Mon Sep 17 00:00:00 2001
From: Celia Amador <camadorg@redhat.com>
Date: Wed, 12 Nov 2025 17:40:28 +0100
Subject: [PATCH 3/5] Use lestrrat-go/jwx to obtain the info from token claims

---
 proxy/auth/k8s.go | 72 ++++++++++++++++++-----------------------------
 proxy/go.mod      |  9 ++++++
 proxy/go.sum      | 20 +++++++++++++
 3 files changed, 56 insertions(+), 45 deletions(-)

diff --git a/proxy/auth/k8s.go b/proxy/auth/k8s.go
index 0f5dd87ba..dc7cb8307 100644
--- a/proxy/auth/k8s.go
+++ b/proxy/auth/k8s.go
@@ -2,8 +2,6 @@ package auth
 
 import (
 	"crypto/tls"
-	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"strings"
@@ -12,6 +10,7 @@ import (
 	"github.com/flightctl/flightctl-ui/bridge"
 	"github.com/flightctl/flightctl-ui/config"
 	"github.com/flightctl/flightctl-ui/log"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 )
 
 type TokenAuthProvider struct {
@@ -85,14 +84,13 @@ func (t *TokenAuthProvider) ValidateToken(token string) (TokenData, *int64, erro
 // extractTokenExpiration extracts the expiration time from a JWT token
 // Returns the number of seconds until expiration, or nil if no expiration is set
 func extractTokenExpiration(token string) *int64 {
-	claims, err := extractJwtTokenClaims(token)
+	parsedToken, err := jwt.ParseInsecure([]byte(token))
 	if err != nil {
 		return nil
 	}
 
-	// Look for the "exp" claim (standard JWT expiration claim)
-	exp, ok := claims["exp"]
-	if !ok {
+	exp, exists := parsedToken.Get("exp")
+	if !exists {
 		return nil
 	}
 
@@ -119,53 +117,36 @@ func extractTokenExpiration(token string) *int64 {
 	return &expiresIn
 }
 
-// extractJwtTokenClaims extracts the claims from a JWT token
-func extractJwtTokenClaims(token string) (map[string]interface{}, error) {
-	// K8s tokens have the format: <header>.<payload>.<signature>
-	parts := strings.Split(token, ".")
-	if len(parts) != 3 {
-		return nil, fmt.Errorf("invalid token format")
-	}
-
-	// Decode the payload (second part)
-	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
-	if err != nil {
-		return nil, fmt.Errorf("failed to decode token payload: %w", err)
-	}
-
-	// Parse the JSON payload
-	var claims map[string]interface{}
-	if err := json.Unmarshal(payload, &claims); err != nil {
-		return nil, fmt.Errorf("failed to unmarshal token claims: %w", err)
-	}
-
-	return claims, nil
-}
-
 // extractUsernameFromClaims extracts the username from JWT claims
-func extractUsernameFromClaims(claims map[string]interface{}) (string, bool) {
+func extractUsernameFromClaims(parsedToken jwt.Token) (string, bool) {
 	// Prefer the short service account name over the full sub claim
-	if k8sInfo, ok := claims["kubernetes.io"].(map[string]interface{}); ok {
-		if sa, ok := k8sInfo["serviceaccount"].(map[string]interface{}); ok {
-			if saName, ok := sa["name"].(string); ok && saName != "" {
-				return saName, true
+	if k8sInfo, exists := parsedToken.Get("kubernetes.io"); exists {
+		if k8sInfoMap, ok := k8sInfo.(map[string]interface{}); ok {
+			if sa, ok := k8sInfoMap["serviceaccount"].(map[string]interface{}); ok {
+				if saName, ok := sa["name"].(string); ok && saName != "" {
+					return saName, true
+				}
 			}
 		}
 	}
 
 	// Try to extract the service account name from the old flat claim structure
-	if saName, ok := claims["kubernetes.io/serviceaccount/service-account.name"].(string); ok && saName != "" {
-		return saName, true
+	if saName, exists := parsedToken.Get("kubernetes.io/serviceaccount/service-account.name"); exists {
+		if saNameStr, ok := saName.(string); ok && saNameStr != "" {
+			return saNameStr, true
+		}
 	}
 
 	// Fallback to sub claim (which contains the full system:serviceaccount:namespace:name format)
-	if username, ok := claims["sub"].(string); ok && username != "" {
-		// Try to extract just the service account name from sub if it's in the right format
-		parts := strings.Split(username, ":")
-		if len(parts) == 4 && parts[0] == "system" && parts[1] == "serviceaccount" {
-			return parts[3], true // Return just the service account name
+	if username, exists := parsedToken.Get("sub"); exists {
+		if usernameStr, ok := username.(string); ok && usernameStr != "" {
+			// Try to extract just the service account name from sub if it's in the right format
+			parts := strings.Split(usernameStr, ":")
+			if len(parts) == 4 && parts[0] == "system" && parts[1] == "serviceaccount" {
+				return parts[3], true // Return just the service account name
+			}
+			return usernameStr, true
 		}
-		return username, true
 	}
 
 	return "", false
@@ -173,12 +154,13 @@ func extractUsernameFromClaims(claims map[string]interface{}) (string, bool) {
 
 // ExtractUsernameFromToken extracts the username from a K8s JWT token
 func ExtractUsernameFromToken(token string) (string, error) {
-	claims, err := extractJwtTokenClaims(token)
+	// Parse the token without signature validation (we only need to extract claims)
+	parsedToken, err := jwt.ParseInsecure([]byte(token))
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to parse JWT token: %w", err)
 	}
 
-	username, ok := extractUsernameFromClaims(claims)
+	username, ok := extractUsernameFromClaims(parsedToken)
 	if !ok {
 		return "", fmt.Errorf("could not extract username from token claims")
 	}
diff --git a/proxy/go.mod b/proxy/go.mod
index 04eea7ba3..a8d6f73d7 100644
--- a/proxy/go.mod
+++ b/proxy/go.mod
@@ -9,12 +9,14 @@ require (
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.3
+	github.com/lestrrat-go/jwx/v2 v2.1.4
 	github.com/openshift/osincli v0.0.0-20160924135400-fababb0555f2
 	github.com/sirupsen/logrus v1.9.3
 )
 
 require (
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/getkin/kin-openapi v0.131.0 // indirect
@@ -22,11 +24,17 @@ require (
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc v1.0.6 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -38,6 +46,7 @@ require (
 	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/samber/lo v1.49.1 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/crypto v0.39.0 // indirect
diff --git a/proxy/go.sum b/proxy/go.sum
index b81ed7245..861747d62 100644
--- a/proxy/go.sum
+++ b/proxy/go.sum
@@ -6,6 +6,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/flightctl/flightctl v0.10.0-rc1 h1:S/wrWnjjoa4WAQ7Lukl1FFA6NHTUG90fI9BU7wlMgGc=
@@ -26,6 +28,8 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
 github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -55,6 +59,18 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k=
+github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc v1.0.6 h1:qgmgIRhpvBqexMJjA/PmwSvhNk679oqD1RbovdCGW8k=
+github.com/lestrrat-go/httprc v1.0.6/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
+github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
+github.com/lestrrat-go/jwx/v2 v2.1.4 h1:uBCMmJX8oRZStmKuMMOFb0Yh9xmEMgNJLgjuKKt4/qc=
+github.com/lestrrat-go/jwx/v2 v2.1.4/go.mod h1:nWRbDFR1ALG2Z6GJbBXzfQaYyvn751KuuyySN2yR6is=
+github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
+github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -89,6 +105,8 @@ github.com/samber/lo v1.49.1 h1:4BIFyVfuQSEpluc7Fua+j1NolZHiEHEpaSEKdsH0tew=
 github.com/samber/lo v1.49.1/go.mod h1:dO6KHFzUKXgP8LDhU0oI8d2hekjXnGOu0DB8Jecxd6o=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
@@ -96,7 +114,9 @@ github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=

From f8ee7caac330f4125a07004bce939790b6149698 Mon Sep 17 00:00:00 2001
From: Celia Amador <camadorg@redhat.com>
Date: Thu, 13 Nov 2025 09:44:38 +0100
Subject: [PATCH 4/5] Displaying better error messages

---
 .../src/app/components/Login/LoginPage.tsx    | 20 +++++++++++++++++--
 proxy/auth/auth.go                            |  2 +-
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/apps/standalone/src/app/components/Login/LoginPage.tsx b/apps/standalone/src/app/components/Login/LoginPage.tsx
index c2bcd1b93..9c78ebd78 100644
--- a/apps/standalone/src/app/components/Login/LoginPage.tsx
+++ b/apps/standalone/src/app/components/Login/LoginPage.tsx
@@ -67,8 +67,24 @@ export const LoginPage = () => {
       });
 
       if (!resp.ok) {
-        const errorData = (await resp.json()) as { error?: string };
-        setSubmitError(errorData.error || t('Authentication failed'));
+        let errorMessage = t('Authentication failed');
+        try {
+          const contentType = resp.headers.get('content-type');
+          if (contentType && contentType.includes('application/json')) {
+            const errorData = (await resp.json()) as { error?: string };
+            errorMessage = errorData.error || errorMessage;
+          } else {
+            // Fallback for non-JSON responses
+            const text = await resp.text();
+            if (text) {
+              errorMessage = text;
+            }
+          }
+        } catch (parseErr) {
+          // If parsing fails, use default error message
+          errorMessage = t('Authentication failed');
+        }
+        setSubmitError(errorMessage);
         setIsSubmitting(false);
         return;
       }
diff --git a/proxy/auth/auth.go b/proxy/auth/auth.go
index 1c9d7959d..19ff05967 100644
--- a/proxy/auth/auth.go
+++ b/proxy/auth/auth.go
@@ -84,7 +84,7 @@ func (a AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
 			tokenData, expires, err := tokenProvider.ValidateToken(loginParams.Token)
 			if err != nil {
 				log.GetLogger().WithError(err).Warn("Token validation failed")
-				w.WriteHeader(http.StatusUnauthorized)
+				respondWithError(w, http.StatusUnauthorized, err.Error())
 				return
 			}
 			respondWithToken(w, tokenData, expires)

From 2d3fdb10fea64d34b2bce7a07ab7ab7e62c9eac3 Mon Sep 17 00:00:00 2001
From: Celia Amador <camadorg@redhat.com>
Date: Thu, 13 Nov 2025 12:09:02 +0100
Subject: [PATCH 5/5] Adapt to new AuthConfig response for the default provider

---
 Containerfile                                 |  4 +-
 Containerfile.ocp                             |  4 +-
 README.md                                     |  2 +-
 libs/i18n/locales/en/translation.json         |  1 +
 libs/types/models/ApplicationProviderSpec.ts  |  3 +-
 .../models/ArtifactApplicationProviderSpec.ts | 11 ---
 .../EditDeviceWizard/deviceSpecUtils.ts       | 42 ++++----
 .../OverviewPage/Cards/Alerts/AlertsCard.tsx  |  2 +
 libs/ui-components/src/types/deviceSpec.ts    |  3 -
 libs/ui-components/src/types/extraTypes.ts    |  3 +-
 proxy/auth/auth.go                            | 97 ++++++++++++++++++-
 proxy/go.mod                                  | 17 ++--
 proxy/go.sum                                  | 31 +++---
 13 files changed, 145 insertions(+), 75 deletions(-)
 delete mode 100644 libs/types/models/ArtifactApplicationProviderSpec.ts

diff --git a/Containerfile b/Containerfile
index 433ecfe17..542683d44 100644
--- a/Containerfile
+++ b/Containerfile
@@ -12,13 +12,13 @@ ENV NODE_OPTIONS='--max-old-space-size=8192'
 RUN npm ci
 RUN npm run build
 
-FROM registry.access.redhat.com/ubi9/go-toolset:1.23.9-1751538372 as proxy-build
+FROM registry.access.redhat.com/ubi9/go-toolset:1.24.6-1762373805 as proxy-build
 WORKDIR /app
 COPY proxy /app
 USER 0
 RUN CGO_ENABLED=1 CGO_CFLAGS=-flto GOEXPERIMENT=strictfipsruntime go build
 
-FROM quay.io/flightctl/flightctl-base:9.6-1758714456
+FROM quay.io/flightctl/flightctl-base:9.6-1762316544
 COPY --from=ui-build /app/apps/standalone/dist /app/proxy/dist
 COPY --from=proxy-build /app/flightctl-ui /app/proxy
 WORKDIR /app/proxy
diff --git a/Containerfile.ocp b/Containerfile.ocp
index d62b004a5..6d68bc148 100644
--- a/Containerfile.ocp
+++ b/Containerfile.ocp
@@ -12,13 +12,13 @@ ENV NODE_OPTIONS='--max-old-space-size=8192'
 RUN npm ci
 RUN npm run build:ocp
 
-FROM registry.access.redhat.com/ubi9/go-toolset:1.23.9-1751538372 as proxy-build
+FROM registry.access.redhat.com/ubi9/go-toolset:1.24.6-1762373805 as proxy-build
 WORKDIR /app
 COPY proxy /app
 USER 0
 RUN CGO_ENABLED=1 CGO_CFLAGS=-flto GOEXPERIMENT=strictfipsruntime go build
 
-FROM quay.io/flightctl/flightctl-base:9.6-1758714456
+FROM quay.io/flightctl/flightctl-base:9.6-1762316544
 COPY --from=ui-build /app/apps/ocp-plugin/dist /app/proxy/dist
 COPY --from=proxy-build /app/flightctl-ui /app/proxy
 WORKDIR /app/proxy
diff --git a/README.md b/README.md
index 736e752dd..de16ea5b8 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ Monorepo containing UIs for [Flight Control](https://github.com/flightctl/flight
 
 ## Prerequisites
 
-- `Git`, `Node.js v22.x`, `npm v10.x`, `rsync`, `go` (>= 1.23)
+- `Git`, `Node.js v22.x`, `npm v10.x`, `rsync`, `go` (>= 1.24)
 
 ## Building
 
diff --git a/libs/i18n/locales/en/translation.json b/libs/i18n/locales/en/translation.json
index 661bbfbf2..70f6ff3e1 100644
--- a/libs/i18n/locales/en/translation.json
+++ b/libs/i18n/locales/en/translation.json
@@ -696,6 +696,7 @@
   "Resource was deleted successfully": "Resource was deleted successfully",
   "Enrollment request": "Enrollment request",
   "Template version": "Template version",
+  "Auth provider": "Auth provider",
   "Loading alerts...": "Loading alerts...",
   "Error loading alerts": "Error loading alerts",
   "Alerts": "Alerts",
diff --git a/libs/types/models/ApplicationProviderSpec.ts b/libs/types/models/ApplicationProviderSpec.ts
index fd0c4f83d..d3583be37 100644
--- a/libs/types/models/ApplicationProviderSpec.ts
+++ b/libs/types/models/ApplicationProviderSpec.ts
@@ -4,7 +4,6 @@
 /* eslint-disable */
 import type { ApplicationEnvVars } from './ApplicationEnvVars';
 import type { AppType } from './AppType';
-import type { ArtifactApplicationProviderSpec } from './ArtifactApplicationProviderSpec';
 import type { ImageApplicationProviderSpec } from './ImageApplicationProviderSpec';
 import type { InlineApplicationProviderSpec } from './InlineApplicationProviderSpec';
 export type ApplicationProviderSpec = (ApplicationEnvVars & {
@@ -13,5 +12,5 @@ export type ApplicationProviderSpec = (ApplicationEnvVars & {
    */
   name?: string;
   appType?: AppType;
-} & (ImageApplicationProviderSpec | ArtifactApplicationProviderSpec | InlineApplicationProviderSpec));
+} & (ImageApplicationProviderSpec | InlineApplicationProviderSpec));
 
diff --git a/libs/types/models/ArtifactApplicationProviderSpec.ts b/libs/types/models/ArtifactApplicationProviderSpec.ts
deleted file mode 100644
index 9243ba7ee..000000000
--- a/libs/types/models/ArtifactApplicationProviderSpec.ts
+++ /dev/null
@@ -1,11 +0,0 @@
-/* generated using openapi-typescript-codegen -- do no edit */
-/* istanbul ignore file */
-/* tslint:disable */
-/* eslint-disable */
-export type ArtifactApplicationProviderSpec = {
-  /**
-   * Reference to an OCI artifact for the application package.
-   */
-  artifact: string;
-};
-
diff --git a/libs/ui-components/src/components/Device/EditDeviceWizard/deviceSpecUtils.ts b/libs/ui-components/src/components/Device/EditDeviceWizard/deviceSpecUtils.ts
index 0a79e6b62..eec85c9cd 100644
--- a/libs/ui-components/src/components/Device/EditDeviceWizard/deviceSpecUtils.ts
+++ b/libs/ui-components/src/components/Device/EditDeviceWizard/deviceSpecUtils.ts
@@ -25,7 +25,6 @@ import {
   InlineConfigTemplate,
   KubeSecretTemplate,
   SpecConfigTemplate,
-  isArtifactAppProvider,
   isGitConfigTemplate,
   isGitProviderSpec,
   isHttpConfigTemplate,
@@ -285,7 +284,6 @@ export const getApplicationPatches = (
       value: updatedApps.map(toAPIApplication),
     });
   } else {
-    // TODO EDM-2451: Add support for artifact applications
     const needsPatch = currentApps.some((currentApp, index) => {
       const updatedApp = updatedApps[index];
       const isCurrentImageApp = isImageAppProvider(currentApp);
@@ -309,9 +307,6 @@ export const getApplicationPatches = (
       if (isCurrentImageApp) {
         return (updatedApp as ImageAppForm).image !== currentApp.image;
       }
-      if (isArtifactAppProvider(currentApp)) {
-        return false;
-      }
       return hasInlineApplicationChanged(currentApp, updatedApp as InlineAppForm);
     });
     if (needsPatch) {
@@ -390,31 +385,28 @@ const getAppFormVolumes = (app: ApplicationProviderSpecFixed) =>
 
 export const getApplicationValues = (deviceSpec?: DeviceSpec): AppForm[] => {
   const apps = deviceSpec?.applications || [];
-  return apps
-    .filter((app) => !isArtifactAppProvider(app))
-    .map((app) => {
-      if (isImageAppProvider(app)) {
-        return {
-          specType: AppSpecType.OCI_IMAGE,
-          name: app.name || '',
-          image: app.image,
-          variables: getAppFormVariables(app),
-          volumes: getAppFormVolumes(app),
-        };
-      }
-      // TODO EDM-2451: Add support for artifact applications
+  return apps.map((app) => {
+    if (isImageAppProvider(app)) {
       return {
-        specType: AppSpecType.INLINE,
+        specType: AppSpecType.OCI_IMAGE,
         name: app.name || '',
-        files: (app as InlineApplicationProviderSpec).inline.map((file) => ({
-          path: file.path || '',
-          content: file.content,
-          base64: file.contentEncoding === EncodingType.EncodingBase64,
-        })),
+        image: app.image,
         variables: getAppFormVariables(app),
         volumes: getAppFormVolumes(app),
       };
-    });
+    }
+    return {
+      specType: AppSpecType.INLINE,
+      name: app.name || '',
+      files: (app as InlineApplicationProviderSpec).inline.map((file) => ({
+        path: file.path || '',
+        content: file.content,
+        base64: file.contentEncoding === EncodingType.EncodingBase64,
+      })),
+      variables: getAppFormVariables(app),
+      volumes: getAppFormVolumes(app),
+    };
+  });
 };
 
 export const getConfigTemplatesValues = (deviceSpec?: DeviceSpec, registerMicroShift?: boolean) => {
diff --git a/libs/ui-components/src/components/OverviewPage/Cards/Alerts/AlertsCard.tsx b/libs/ui-components/src/components/OverviewPage/Cards/Alerts/AlertsCard.tsx
index 7d9da0a06..8edf89acc 100644
--- a/libs/ui-components/src/components/OverviewPage/Cards/Alerts/AlertsCard.tsx
+++ b/libs/ui-components/src/components/OverviewPage/Cards/Alerts/AlertsCard.tsx
@@ -114,6 +114,8 @@ const resourceKindLabel = (t: TFunction, resourceKind: ResourceKind | undefined)
       return t('Resource sync');
     case ResourceKind.TEMPLATE_VERSION:
       return t('Template version');
+    case ResourceKind.AUTH_PROVIDER:
+      return t('Auth provider');
   }
 };
 const getAlertTitle = (alert: AlertManagerAlert, defaultTitle: string) => {
diff --git a/libs/ui-components/src/types/deviceSpec.ts b/libs/ui-components/src/types/deviceSpec.ts
index ad5fba64a..47e68ae06 100644
--- a/libs/ui-components/src/types/deviceSpec.ts
+++ b/libs/ui-components/src/types/deviceSpec.ts
@@ -1,5 +1,4 @@
 import {
-  ArtifactApplicationProviderSpec,
   ConfigProviderSpec,
   DisruptionBudget,
   GitConfigProviderSpec,
@@ -88,8 +87,6 @@ export const isInlineAppProvider = (app: ApplicationProviderSpecFixed): app is I
   'inline' in app;
 export const isImageAppProvider = (app: ApplicationProviderSpecFixed): app is ImageApplicationProviderSpec =>
   'image' in app;
-export const isArtifactAppProvider = (app: ApplicationProviderSpecFixed): app is ArtifactApplicationProviderSpec =>
-  'artifact' in app;
 
 export const isImageAppForm = (app: AppBase): app is ImageAppForm => app.specType === AppSpecType.OCI_IMAGE;
 export const isInlineAppForm = (app: AppBase): app is InlineAppForm => app.specType === AppSpecType.INLINE;
diff --git a/libs/ui-components/src/types/extraTypes.ts b/libs/ui-components/src/types/extraTypes.ts
index 674c785eb..22344b714 100644
--- a/libs/ui-components/src/types/extraTypes.ts
+++ b/libs/ui-components/src/types/extraTypes.ts
@@ -2,7 +2,6 @@ import {
   AppType,
   ApplicationEnvVars,
   ApplicationVolumeProviderSpec,
-  ArtifactApplicationProviderSpec,
   ConditionType,
   Device,
   EnrollmentRequest,
@@ -46,7 +45,7 @@ export type ApplicationProviderSpecFixed = ApplicationEnvVars &
   ApplicationVolumeProviderSpec & {
     name?: string;
     appType?: AppType;
-  } & (ImageApplicationProviderSpec | ArtifactApplicationProviderSpec | { inline: InlineApplicationFileFixed[] });
+  } & (ImageApplicationProviderSpec | { inline: InlineApplicationFileFixed[] });
 
 type CliArtifact = {
   os: string;
diff --git a/proxy/auth/auth.go b/proxy/auth/auth.go
index 19ff05967..a2d7836c0 100644
--- a/proxy/auth/auth.go
+++ b/proxy/auth/auth.go
@@ -40,15 +40,20 @@ func NewAuth(apiTlsConfig *tls.Config) (*AuthHandler, error) {
 		return &auth, nil
 	}
 
-	switch authConfig.AuthType {
+	providerType, authURL, err := extractProviderInfo(authConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	switch providerType {
 	case "AAPGateway":
-		auth.provider, err = getAAPAuthHandler(authConfig.AuthURL, internalAuthUrl)
+		auth.provider, err = getAAPAuthHandler(authURL, internalAuthUrl)
 	case "OIDC":
-		auth.provider, err = getOIDCAuthHandler(authConfig.AuthURL, internalAuthUrl)
+		auth.provider, err = getOIDCAuthHandler(authURL, internalAuthUrl)
 	case "k8s":
-		auth.provider, err = getK8sAuthHandler(authConfig.AuthURL, internalAuthUrl)
+		auth.provider, err = getK8sAuthHandler(authURL, internalAuthUrl)
 	default:
-		err = fmt.Errorf("unknown auth type: %s", authConfig.AuthType)
+		err = fmt.Errorf("unknown auth type: %s", providerType)
 	}
 	return &auth, err
 }
@@ -275,3 +280,85 @@ func getAuthInfo(apiTlsConfig *tls.Config) (*v1alpha1.AuthConfig, *string, error
 	}
 	return authConfig, &config.InternalAuthUrl, nil
 }
+
+// extractProviderInfo extracts the provider type and URL from the default provider in AuthConfig.
+// It currently only handles the provider marked as the default one.
+func extractProviderInfo(authConfig *v1alpha1.AuthConfig) (string, string, error) {
+	if authConfig.DefaultProvider == nil || *authConfig.DefaultProvider == "" {
+		return "", "", fmt.Errorf("no default provider specified")
+	}
+
+	if authConfig.Providers == nil || len(*authConfig.Providers) == 0 {
+		return "", "", fmt.Errorf("no auth providers configured")
+	}
+
+	// Find the default provider by name
+	var defaultProvider *v1alpha1.AuthProvider
+	for i := range *authConfig.Providers {
+		provider := &(*authConfig.Providers)[i]
+		if provider.Metadata.Name != nil && *provider.Metadata.Name == *authConfig.DefaultProvider {
+			defaultProvider = provider
+			break
+		}
+	}
+
+	if defaultProvider == nil {
+		return "", "", fmt.Errorf("default provider '%s' not found in providers list", *authConfig.DefaultProvider)
+	}
+
+	// Extract provider type and URL based on the provider spec
+	// We only need the discriminator and URL fields, so we parse the union JSON directly
+	discriminator, err := defaultProvider.Spec.Discriminator()
+	if err != nil {
+		return "", "", fmt.Errorf("failed to determine provider type: %w", err)
+	}
+
+	var providerType string
+	var authURL string
+
+	// Parse only the fields we need from the spec union
+	// Marshal the spec to get the raw JSON, then unmarshal into a map
+	specJSON, err := json.Marshal(defaultProvider.Spec)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to marshal provider spec: %w", err)
+	}
+	var specMap map[string]interface{}
+	if err := json.Unmarshal(specJSON, &specMap); err != nil {
+		return "", "", fmt.Errorf("failed to parse provider spec: %w", err)
+	}
+
+	switch discriminator {
+	case "oidc":
+		providerType = "OIDC"
+		if issuer, ok := specMap["issuer"].(string); ok {
+			authURL = issuer
+		} else {
+			return "", "", fmt.Errorf("issuer not found in OIDC provider spec")
+		}
+	case "aap":
+		providerType = "AAPGateway"
+		// Prefer external URL if available, otherwise use internal API URL
+		if extURL, ok := specMap["externalApiUrl"].(string); ok && extURL != "" {
+			authURL = extURL
+		} else if apiURL, ok := specMap["apiUrl"].(string); ok {
+			authURL = apiURL
+		} else {
+			return "", "", fmt.Errorf("apiUrl not found in AAP provider spec")
+		}
+	case "k8s":
+		providerType = "k8s"
+		if apiURL, ok := specMap["apiUrl"].(string); ok {
+			authURL = apiURL
+		} else {
+			return "", "", fmt.Errorf("apiUrl not found in K8s provider spec")
+		}
+	default:
+		return "", "", fmt.Errorf("unsupported provider type: %s", discriminator)
+	}
+
+	if authURL == "" {
+		return "", "", fmt.Errorf("auth URL not found for provider type: %s", discriminator)
+	}
+
+	return providerType, authURL, nil
+}
diff --git a/proxy/go.mod b/proxy/go.mod
index a8d6f73d7..b9837c97c 100644
--- a/proxy/go.mod
+++ b/proxy/go.mod
@@ -1,11 +1,11 @@
 module github.com/flightctl/flightctl-ui
 
-go 1.23.0
+go 1.24.0
 
-toolchain go1.23.9
+toolchain go1.24.6
 
 require (
-	github.com/flightctl/flightctl v0.10.0-rc1
+	github.com/flightctl/flightctl v1.0.0-main.0.20251113083308-3f1bc5ade635
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.3
@@ -16,10 +16,11 @@ require (
 
 require (
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/getkin/kin-openapi v0.131.0 // indirect
+	github.com/getkin/kin-openapi v0.132.0 // indirect
 	github.com/go-chi/chi/v5 v5.2.2 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -49,11 +50,11 @@ require (
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/crypto v0.43.0 // indirect
 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/text v0.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apimachinery v0.32.3 // indirect
diff --git a/proxy/go.sum b/proxy/go.sum
index 861747d62..6e8afc186 100644
--- a/proxy/go.sum
+++ b/proxy/go.sum
@@ -2,6 +2,8 @@ github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMz
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -10,12 +12,12 @@ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvw
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/flightctl/flightctl v0.10.0-rc1 h1:S/wrWnjjoa4WAQ7Lukl1FFA6NHTUG90fI9BU7wlMgGc=
-github.com/flightctl/flightctl v0.10.0-rc1/go.mod h1:IV50KCB3/CL8f+STkRxLAqvfpZ4aEcCX8T4cYwTPP8g=
+github.com/flightctl/flightctl v1.0.0-main.0.20251113083308-3f1bc5ade635 h1:v6Qw29IXC/Qmh41R4UK80XO0s212cLyOiguGLzKMA9Y=
+github.com/flightctl/flightctl v1.0.0-main.0.20251113083308-3f1bc5ade635/go.mod h1:+ZOPs3gV3QH9S4K5SGNWs0l3nP/UTPmVTCORNtYA9tA=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/getkin/kin-openapi v0.131.0 h1:NO2UeHnFKRYhZ8wg6Nyh5Cq7dHk4suQQr72a4pMrDxE=
-github.com/getkin/kin-openapi v0.131.0/go.mod h1:3OlG51PCYNsPByuiMB0t4fjnNlIDnaEDsjiKUV8nL58=
+github.com/getkin/kin-openapi v0.132.0 h1:3ISeLMsQzcb5v26yeJrBcdTCEQTag36ZjaGk7MIRUwk=
+github.com/getkin/kin-openapi v0.132.0/go.mod h1:3OlG51PCYNsPByuiMB0t4fjnNlIDnaEDsjiKUV8nL58=
 github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
 github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
@@ -30,6 +32,7 @@ github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
 github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -132,8 +135,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
 golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -142,8 +145,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -151,18 +154,18 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=