diff --git a/CONFIGURATION.md b/CONFIGURATION.md
index 61066dbbd..99d86a17e 100644
--- a/CONFIGURATION.md
+++ b/CONFIGURATION.md
@@ -19,9 +19,7 @@ This document describes all environment variables and configuration options avai
 | `FLIGHTCTL_SERVER_INSECURE_SKIP_VERIFY` | Skip backend server TLS verification | `false`                  | `true`, `false`                        |
 | `FLIGHTCTL_CLI_ARTIFACTS_SERVER`        | CLI artifacts server URL             | `http://localhost:8090`  | `https://cli.flightctl.example.com`    |
 | `FLIGHTCTL_ALERTMANAGER_PROXY`          | AlertManager proxy server URL        | `https://localhost:8443` | `https://alerts.flightctl.example.com` |
-| `INTERNAL_AUTH_URL`                     | Internal authentication URL          | _(empty)_                | `https://auth.internal.example.com`    |
 | `AUTH_INSECURE_SKIP_VERIFY`             | Skip auth server TLS verification    | `false`                  | `true`, `false`                        |
-| `AUTH_CLIENT_ID`                        | OAuth client ID for authentication   | `flightctl`              | Custom client ID                       |
 | `TLS_CERT`                              | Path to TLS certificate              | _(empty)_                | `/path/to/server.crt`                  |
 | `TLS_KEY`                               | Path to TLS private key              | _(empty)_                | `/path/to/server.key`                  |
 | `API_PORT`                              | UI proxy server port                 | `3001`                   | `8080`, `3000`, etc.                   |
diff --git a/apps/ocp-plugin/src/components/AppContext/AppContext.tsx b/apps/ocp-plugin/src/components/AppContext/AppContext.tsx
index 074e095d1..eba8c9e15 100644
--- a/apps/ocp-plugin/src/components/AppContext/AppContext.tsx
+++ b/apps/ocp-plugin/src/components/AppContext/AppContext.tsx
@@ -53,7 +53,12 @@ const appRoutes = {
   [ROUTE.RESOURCE_SYNC_DETAILS]: '/edge/resourcesyncs',
   [ROUTE.ENROLLMENT_REQUESTS]: '/edge/enrollmentrequests',
   [ROUTE.ENROLLMENT_REQUEST_DETAILS]: '/edge/enrollmentrequests',
+  // Unimplemented UI routes for OCP plugin
   [ROUTE.COMMAND_LINE_TOOLS]: '/', // CLI downloads are shown embedded in OCP's CLI downloads page and not as an independent route
+  [ROUTE.AUTH_PROVIDERS]: '/', // Authentication providers must be defined in the OpenShift Console, not through Flight Control
+  [ROUTE.AUTH_PROVIDER_CREATE]: '/',
+  [ROUTE.AUTH_PROVIDER_EDIT]: '/',
+  [ROUTE.AUTH_PROVIDER_DETAILS]: '/',
 };
 
 export const useValuesAppContext = (): AppContextProps => {
diff --git a/apps/ocp-plugin/src/utils/apiCalls.ts b/apps/ocp-plugin/src/utils/apiCalls.ts
index 0e7396341..99fce6370 100644
--- a/apps/ocp-plugin/src/utils/apiCalls.ts
+++ b/apps/ocp-plugin/src/utils/apiCalls.ts
@@ -63,8 +63,10 @@ const handleAlertsJSONResponse = async <R>(response: Response): Promise<R> => {
     throw new Error(`Error ${response.status}: ${response.statusText}`);
   }
 
-  // For 500/501 errors, return the status code for detection
-  if (response.status === 500 || response.status === 501) {
+  // The UI proxy should convert alert errors 401 to 501, but we guard against 401 here as well.
+  const isAlertsDisabled = response.status === 500 || response.status === 501 || response.status === 401;
+  if (isAlertsDisabled) {
+    // Return the status code to correctly detect that alerts are disabled
     throw new Error(`${response.status}`);
   }
 
diff --git a/apps/standalone/src/app/components/Login/LoginPage.tsx b/apps/standalone/src/app/components/Login/LoginPage.tsx
index 9c78ebd78..8e52da6be 100644
--- a/apps/standalone/src/app/components/Login/LoginPage.tsx
+++ b/apps/standalone/src/app/components/Login/LoginPage.tsx
@@ -1,190 +1,166 @@
 import * as React from 'react';
-import {
-  Alert,
-  Bullseye,
-  Button,
-  Card,
-  CardBody,
-  CardFooter,
-  FormGroup,
-  FormHelperText,
-  FormSection,
-  HelperText,
-  HelperTextItem,
-  Stack,
-  StackItem,
-  Text,
-  TextArea,
-  TextContent,
-  TextVariants,
-  Title,
-} from '@patternfly/react-core';
-
-import { ORGANIZATION_STORAGE_KEY } from '@flightctl/ui-components/src/utils/organizationStorage';
-import FlightCtlForm from '@flightctl/ui-components/src/components/form/FlightCtlForm';
+import { Alert, Bullseye, Spinner } from '@patternfly/react-core';
+
+import { AuthConfig, AuthProvider } from '@flightctl/types';
+import { ProviderType } from '@flightctl/ui-components/src/types/extraTypes';
+import ProviderSelector from '@flightctl/ui-components/src/components/Login/ProviderSelector';
+import TokenLoginForm from '@flightctl/ui-components/src/components/Login/TokenLoginForm';
+import { useFetch } from '@flightctl/ui-components/src/hooks/useFetch';
 import { useTranslation } from '@flightctl/ui-components/src/hooks/useTranslation';
+import { getProviderDisplayName } from '@flightctl/ui-components/src/utils/authProvider';
+
+import LoginPageLayout from './LoginPageLayout';
 import { loginAPI } from '../../utils/apiCalls';
 
-const EXPIRATION = 'expiration';
+const redirectToProviderLogin = async (provider: AuthProvider) => {
+  const response = await fetch(`${loginAPI}?provider=${provider.metadata.name}`);
 
-const nowInSeconds = () => Math.floor(Date.now() / 1000);
+  if (!response.ok) {
+    throw new Error(`Login redirect failed with status ${response.status}`);
+  }
 
-// Simple JWT format validation - checks if token has 3 parts separated by dots
-export const isValidJwtTokenFormat = (token: string): boolean => {
-  if (!token) return false;
-  const parts = token.split('.');
-  if (parts.length !== 3) return false;
-  // Check that each part contains only valid base64url characters
-  const base64urlPattern = /^[A-Za-z0-9_-]+$/;
-  return parts.every((part) => part.length > 0 && base64urlPattern.test(part));
+  const { url } = (await response.json()) as { url?: string };
+  if (!url) {
+    throw new Error('Login redirect URL missing in response');
+  }
+  window.location.href = url;
 };
 
-export const LoginPage = () => {
+const LoginPage = () => {
   const { t } = useTranslation();
-  const [token, setToken] = React.useState('');
-  const [validationError, setValidationError] = React.useState<string>('');
-  const [isSubmitting, setIsSubmitting] = React.useState(false);
-  const [submitError, setSubmitError] = React.useState<string>();
-
-  const handleSubmit = async (e: React.FormEvent) => {
-    e.preventDefault();
-    setSubmitError(undefined);
-    setIsSubmitting(true);
-
-    try {
-      localStorage.removeItem(EXPIRATION);
-      localStorage.removeItem(ORGANIZATION_STORAGE_KEY);
-
-      const resp = await fetch(loginAPI, {
-        headers: {
-          'Content-Type': 'application/json',
-        },
-        credentials: 'include',
-        method: 'POST',
-        body: JSON.stringify({
-          token: token.trim(),
-        }),
-      });
-
-      if (!resp.ok) {
-        let errorMessage = t('Authentication failed');
-        try {
-          const contentType = resp.headers.get('content-type');
-          if (contentType && contentType.includes('application/json')) {
-            const errorData = (await resp.json()) as { error?: string };
-            errorMessage = errorData.error || errorMessage;
-          } else {
-            // Fallback for non-JSON responses
-            const text = await resp.text();
-            if (text) {
-              errorMessage = text;
+  const { get } = useFetch();
+  const [loading, setLoading] = React.useState(true);
+  const [error, setError] = React.useState<string>();
+  const [providers, setProviders] = React.useState<AuthProvider[]>([]);
+  const [userSelectedProvider, setUserSelectedProvider] = React.useState<AuthProvider | null>(null);
+  const [defaultProviderName, setDefaultProviderName] = React.useState<string>('');
+  const [isRedirecting, setIsRedirecting] = React.useState(false);
+
+  const handleProviderSelect = async (provider: AuthProvider) => {
+    // Prevent multiple clicks while redirect is in progress
+    if (isRedirecting) {
+      return;
+    }
+
+    setUserSelectedProvider(provider);
+
+    // For k8s token providers, we will show the TokenLoginForm.
+    // For other providers, we will redirect to their OAuth flow.
+    if (provider.spec.providerType !== ProviderType.K8s) {
+      setIsRedirecting(true);
+      try {
+        await redirectToProviderLogin(provider);
+      } catch (err) {
+        setIsRedirecting(false);
+        setUserSelectedProvider(null);
+        setError(
+          t('Failed to initiate login with {{ providerName}} ', {
+            providerName: getProviderDisplayName(provider, t) || (provider.metadata.name as string),
+          }),
+        );
+      }
+    }
+  };
+
+  React.useEffect(() => {
+    const loadAuthConfig = async () => {
+      try {
+        const config = await get<AuthConfig>('auth/config');
+        const providers = (config?.providers || [])
+          .filter((provider) => provider.spec.enabled !== false)
+          .sort((a, b) => {
+            if (a.metadata.name === config.defaultProvider) {
+              return -1;
+            }
+            if (b.metadata.name === config.defaultProvider) {
+              return 1;
+            }
+            return 0;
+          });
+        if (providers.length > 0) {
+          setProviders(providers);
+          setDefaultProviderName(config.defaultProvider || '');
+          if (providers.length === 1 && providers[0].spec.providerType !== ProviderType.K8s) {
+            setIsRedirecting(true);
+            try {
+              await redirectToProviderLogin(providers[0]);
+            } catch (err) {
+              setIsRedirecting(false);
+              setError(t('Failed to initiate login'));
             }
           }
-        } catch (parseErr) {
-          // If parsing fails, use default error message
-          errorMessage = t('Authentication failed');
+        } else {
+          setError(t('No authentication providers found. Please contact your administrator.'));
         }
-        setSubmitError(errorMessage);
-        setIsSubmitting(false);
-        return;
+      } catch (err) {
+        setError(t('Failed to load the authentication providers'));
+      } finally {
+        setLoading(false);
       }
+    };
 
-      const expiration = (await resp.json()) as { expiresIn: number };
-      if (expiration.expiresIn) {
-        const now = nowInSeconds();
-        localStorage.setItem(EXPIRATION, `${now + expiration.expiresIn}`);
-      }
+    void loadAuthConfig();
+    // Prevent the UI going to a loop
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, []);
+
+  if (loading) {
+    return (
+      <Bullseye>
+        <Spinner size="xl" />
+      </Bullseye>
+    );
+  }
+
+  if (error) {
+    return (
+      <Bullseye>
+        <Alert variant="danger" title="Error" isInline>
+          {error}
+        </Alert>
+      </Bullseye>
+    );
+  }
 
-      // Redirect to home page after successful login
-      window.location.href = '/';
-    } catch (err) {
-      setSubmitError(t('Failed to authenticate. Please check your token and try again.'));
-      setIsSubmitting(false);
+  let content: React.ReactNode = null;
+
+  const selectedProvider = userSelectedProvider || (providers.length === 1 ? providers[0] : null);
+  if (selectedProvider) {
+    if (selectedProvider.spec.providerType === ProviderType.K8s) {
+      content = (
+        <TokenLoginForm
+          provider={selectedProvider}
+          onBack={
+            userSelectedProvider
+              ? () => {
+                  setUserSelectedProvider(null);
+                }
+              : undefined
+          }
+        />
+      );
+    } else {
+      content = (
+        <>
+          {t('Redirecting to login for {{ provider }}...', {
+            provider: getProviderDisplayName(selectedProvider, t) || selectedProvider.metadata.name,
+          })}
+          <Spinner size="lg" />
+        </>
+      );
     }
-  };
+  } else {
+    content = (
+      <ProviderSelector
+        providers={providers}
+        defaultProviderName={defaultProviderName}
+        onProviderSelect={handleProviderSelect}
+        disabled={isRedirecting}
+      />
+    );
+  }
 
-  return (
-    <Bullseye>
-      <Card isLarge>
-        <CardBody>
-          <Stack hasGutter style={{ '--pf-v5-l-stack--m-gutter--Gap': '1.5rem' } as React.CSSProperties}>
-            <StackItem>
-              <Title headingLevel="h2" size="xl">
-                {t('Enter your Kubernetes token')}
-              </Title>
-            </StackItem>
-
-            <StackItem>
-              <TextContent>
-                <Text>{t('Enter your Kubernetes service account token to authenticate with the cluster.')}</Text>
-                <Text component={TextVariants.small}>
-                  {t('You can find this token in your Kubernetes service account credentials.')}
-                </Text>
-              </TextContent>
-            </StackItem>
-            <StackItem>
-              <FlightCtlForm>
-                <FormGroup label={t('Service account token')} isRequired>
-                  <TextArea
-                    id="accessToken"
-                    value={token}
-                    onChange={(_event, tokenVal) => {
-                      if (tokenVal && !isValidJwtTokenFormat(tokenVal)) {
-                        setValidationError(
-                          t('Invalid token format. Expected a JWT token with format: header.payload.signature'),
-                        );
-                      } else {
-                        setValidationError('');
-                      }
-                      if (submitError) {
-                        setSubmitError(undefined);
-                      }
-                      setToken(tokenVal);
-                    }}
-                    placeholder={t('Enter your Kubernetes token...')}
-                    rows={10}
-                    isRequired
-                    isDisabled={isSubmitting}
-                    autoFocus
-                    validated={validationError ? 'error' : 'default'}
-                  />
-                  {validationError && (
-                    <FormHelperText>
-                      <HelperText>
-                        <HelperTextItem variant="error">{validationError}</HelperTextItem>
-                      </HelperText>
-                    </FormHelperText>
-                  )}
-                </FormGroup>
-
-                <Alert variant="warning" title={t('Keep your token secure')} isInline>
-                  {t(
-                    'Never share your service account token. It provides full access to your Kubernetes cluster resources.',
-                  )}
-                </Alert>
-
-                {submitError && (
-                  <FormSection>
-                    <Alert variant="danger" title={t('Authentication failed')} isInline>
-                      {submitError}
-                    </Alert>
-                  </FormSection>
-                )}
-              </FlightCtlForm>
-            </StackItem>
-          </Stack>
-        </CardBody>
-        <CardFooter>
-          <Button
-            variant="primary"
-            isDisabled={!token || !!validationError || isSubmitting}
-            isLoading={isSubmitting}
-            onClick={handleSubmit}
-          >
-            {isSubmitting ? t('Authenticating...') : t('Login')}
-          </Button>
-        </CardFooter>
-      </Card>
-    </Bullseye>
-  );
+  return <LoginPageLayout>{content}</LoginPageLayout>;
 };
+
+export default LoginPage;
diff --git a/apps/standalone/src/app/components/Login/LoginPageLayout.tsx b/apps/standalone/src/app/components/Login/LoginPageLayout.tsx
new file mode 100644
index 000000000..d5f073897
--- /dev/null
+++ b/apps/standalone/src/app/components/Login/LoginPageLayout.tsx
@@ -0,0 +1,43 @@
+import * as React from 'react';
+import { Bullseye, Page, PageSection } from '@patternfly/react-core';
+import { updateThemeClass } from '@flightctl/ui-components/src/hooks/useThemePreferences';
+
+// Hook to detect browser's theme preference for login page (before user has preferences)
+const useBrowserTheme = () => {
+  const [isDark, setIsDark] = React.useState(() => {
+    return window.matchMedia('(prefers-color-scheme: dark)').matches;
+  });
+
+  React.useEffect(() => {
+    const darkThemeMq = window.matchMedia('(prefers-color-scheme: dark)');
+    updateThemeClass(document.documentElement, darkThemeMq.matches ? 'dark' : 'light');
+
+    // Listen for changes
+    const listener = (e: MediaQueryListEvent) => {
+      setIsDark(e.matches);
+      updateThemeClass(document.documentElement, e.matches ? 'dark' : 'light');
+    };
+
+    darkThemeMq.addEventListener('change', listener);
+
+    return () => {
+      darkThemeMq.removeEventListener('change', listener);
+    };
+  }, []);
+
+  return isDark ? 'dark' : 'light';
+};
+
+const LoginPageLayout = ({ children }: React.PropsWithChildren) => {
+  const theme = useBrowserTheme();
+
+  return (
+    <Page>
+      <PageSection variant={theme} isFilled>
+        <Bullseye>{children}</Bullseye>
+      </PageSection>
+    </Page>
+  );
+};
+
+export default LoginPageLayout;
diff --git a/apps/standalone/src/app/context/AuthContext.ts b/apps/standalone/src/app/context/AuthContext.ts
index 68d32224d..98895f08b 100644
--- a/apps/standalone/src/app/context/AuthContext.ts
+++ b/apps/standalone/src/app/context/AuthContext.ts
@@ -46,9 +46,17 @@ export const useAuthContext = () => {
         localStorage.removeItem(ORGANIZATION_STORAGE_KEY);
         const searchParams = new URLSearchParams(window.location.search);
         const code = searchParams.get('code');
+        const state = searchParams.get('state');
         callbackErr = searchParams.get('error');
-        if (code) {
-          const resp = await fetch(loginAPI, {
+        if (code && state) {
+          // Extract provider name from the state parameter
+          // The state format is: "provider:<providerName>" or "provider:<providerName>:<encoded_verifier>"
+          const providerName = state.startsWith('provider:') ? state.substring(9).split(':')[0] : state;
+
+          // CELIA-WIP WE SHOULD ONLY USE PROVIDER HERE, THE OTHER SHOULD BE WITH THE PKCE FLOW
+          // Backend retrieves code_verifier from cookie automatically, or from state as fallback
+          // Pass state in query parameter so backend can extract code_verifier if cookie fails
+          const resp = await fetch(`${loginAPI}?provider=${providerName}&state=${encodeURIComponent(state)}`, {
             headers: {
               'Content-Type': 'application/json',
             },
@@ -58,6 +66,29 @@ export const useAuthContext = () => {
               code: code,
             }),
           });
+
+          if (!resp.ok) {
+            let errorMessage = 'Authentication failed';
+            try {
+              const contentType = resp.headers.get('content-type');
+              if (contentType && contentType.includes('application/json')) {
+                const errorData = (await resp.json()) as { error?: string };
+                errorMessage = errorData.error || errorMessage;
+              } else {
+                const text = await resp.text();
+                if (text) {
+                  errorMessage = text;
+                }
+              }
+            } catch (parseErr) {
+              // If parsing fails, use default error message
+              errorMessage = 'Authentication failed';
+            }
+            setError(errorMessage);
+            setLoading(false);
+            return;
+          }
+
           const expiration = (await resp.json()) as { expiresIn: number };
           if (expiration.expiresIn) {
             const now = nowInSeconds();
@@ -67,6 +98,7 @@ export const useAuthContext = () => {
         } else if (callbackErr) {
           setError(callbackErr);
           setLoading(false);
+          return;
         }
       }
       if (!callbackErr) {
@@ -80,14 +112,49 @@ export const useAuthContext = () => {
             return;
           }
           if (resp.status === 401) {
+            // Extract error message from response if available
+            let errorMessage = 'Authentication failed. Please try logging in again.';
+            try {
+              const contentType = resp.headers.get('content-type');
+              if (contentType && contentType.includes('application/json')) {
+                const errorData = (await resp.json()) as { error?: string };
+                errorMessage = errorData.error || errorMessage;
+              } else {
+                const text = await resp.text();
+                if (text) {
+                  errorMessage = text;
+                }
+              }
+            } catch (parseErr) {
+              // If parsing fails, use default error message
+            }
+            setError(errorMessage);
             // Don't redirect if we're already on the login page
             if (window.location.pathname !== '/login') {
-              await redirectToLogin();
+              redirectToLogin();
             }
+            setLoading(false);
             return;
           }
           if (resp.status !== 200) {
-            setError('Failed to get user info');
+            // Extract error message from response if available
+            let errorMessage = 'Failed to get user info';
+            try {
+              const contentType = resp.headers.get('content-type');
+              if (contentType && contentType.includes('application/json')) {
+                const errorData = (await resp.json()) as { error?: string };
+                errorMessage = errorData.error || errorMessage;
+              } else {
+                const text = await resp.text();
+                if (text) {
+                  errorMessage = text;
+                }
+              }
+            } catch (parseErr) {
+              // If parsing fails, use default error message
+            }
+            setError(errorMessage);
+            setLoading(false);
             return;
           }
           const info = (await resp.json()) as { username: string };
@@ -96,7 +163,9 @@ export const useAuthContext = () => {
         } catch (err) {
           // eslint-disable-next-line
           console.log(err);
-          setError('Failed to get user info');
+          const errorMessage = err instanceof Error ? err.message : 'Failed to get user info';
+          setError(errorMessage);
+          setLoading(false);
         }
       }
     };
diff --git a/apps/standalone/src/app/routes.tsx b/apps/standalone/src/app/routes.tsx
index a8f4387ea..fbbb4687a 100644
--- a/apps/standalone/src/app/routes.tsx
+++ b/apps/standalone/src/app/routes.tsx
@@ -23,8 +23,8 @@ import ErrorBoundary from '@flightctl/ui-components/src/components/common/ErrorB
 
 import AppLayout from './components/AppLayout/AppLayout';
 import NotFound from './components/AppLayout/NotFound';
+import LoginPage from './components/Login/LoginPage';
 import { AuthContext } from './context/AuthContext';
-import { LoginPage } from './components/Login/LoginPage';
 
 const EnrollmentRequestDetails = React.lazy(
   () =>
@@ -69,6 +69,15 @@ const PendingEnrollmentRequestsBadge = React.lazy(
 const CommandLineToolsPage = React.lazy(
   () => import('@flightctl/ui-components/src/components/Masthead/CommandLineToolsPage'),
 );
+const AuthProvidersPage = React.lazy(
+  () => import('@flightctl/ui-components/src/components/AuthProvider/AuthProvidersPage'),
+);
+const CreateAuthProvider = React.lazy(
+  () => import('@flightctl/ui-components/src/components/AuthProvider/CreateAuthProvider/CreateAuthProvider'),
+);
+const AuthProviderDetails = React.lazy(
+  () => import('@flightctl/ui-components/src/components/AuthProvider/AuthProviderDetails/AuthProviderDetails'),
+);
 
 export type ExtendedRouteObject = RouteObject & {
   title?: string;
@@ -305,12 +314,49 @@ const getAppRoutes = (t: TFunction): ExtendedRouteObject[] => [
       </TitledRoute>
     ),
   },
+  {
+    path: '/admin/authproviders',
+    title: t('Authentication Providers'),
+    element: (
+      <TitledRoute title={t('Authentication Providers')}>
+        <AuthProvidersPage />
+      </TitledRoute>
+    ),
+  },
+  {
+    path: '/admin/authproviders/create',
+    title: t('Create Authentication Provider'),
+    element: (
+      <TitledRoute title={t('Create Authentication Provider')}>
+        <CreateAuthProvider />
+      </TitledRoute>
+    ),
+  },
+  {
+    path: '/admin/authproviders/edit/:authProviderId',
+    title: t('Edit Authentication Provider'),
+    element: (
+      <TitledRoute title={t('Edit Authentication Provider')}>
+        <CreateAuthProvider />
+      </TitledRoute>
+    ),
+  },
+  {
+    path: '/admin/authproviders/:authProviderId/*',
+    title: t('Authentication Provider Details'),
+    element: (
+      <TitledRoute title={t('Authentication Provider Details')}>
+        <AuthProviderDetails />
+      </TitledRoute>
+    ),
+  },
 ];
 
 const AppRouter = () => {
   const { t } = useTranslation();
 
-  const { loading, error } = React.useContext(AuthContext);
+  const { username, loading, authEnabled, error } = React.useContext(AuthContext);
+
   if (error) {
     return (
       <Bullseye>
@@ -341,11 +387,26 @@ const AppRouter = () => {
     );
   }
 
+  // Check if user needs to authenticate
+  const isAuthenticated = !authEnabled || !!username;
+  const isLoginPage = window.location.pathname === '/login';
+  const isCallbackPage = window.location.pathname === '/callback';
+
+  // Redirect to login if not authenticated and not already on login/callback page
+  if (!isAuthenticated && !isLoginPage && !isCallbackPage) {
+    window.location.href = '/login';
+    return null;
+  }
+
   const router = createBrowserRouter([
     {
       path: '/login',
       element: <LoginPage />,
     },
+    {
+      path: '/callback',
+      element: <Navigate to="/" replace />,
+    },
     {
       path: '/',
       element: <AppLayout />,
diff --git a/apps/standalone/src/app/utils/apiCalls.ts b/apps/standalone/src/app/utils/apiCalls.ts
index 4798c7ef5..7f785bc7c 100644
--- a/apps/standalone/src/app/utils/apiCalls.ts
+++ b/apps/standalone/src/app/utils/apiCalls.ts
@@ -55,12 +55,8 @@ export const logout = async () => {
   url ? (window.location.href = url) : window.location.reload();
 };
 
-export const redirectToLogin = async () => {
-  const response = await fetch(loginAPI);
-  const { url } = (await response.json()) as { url: string };
-  // If URL is empty, it means token-based auth (k8s) - redirect to login page
-  // Otherwise, it's OAuth - redirect to external provider
-  window.location.href = url || '/login';
+export const redirectToLogin = () => {
+  window.location.href = '/login';
 };
 
 const handleApiJSONResponse = async <R>(response: Response): Promise<R> => {
@@ -75,10 +71,7 @@ const handleApiJSONResponse = async <R>(response: Response): Promise<R> => {
   }
 
   if (response.status === 401) {
-    // Don't redirect if we're already on the login page
-    if (window.location.pathname !== '/login') {
-      await redirectToLogin();
-    }
+    redirectToLogin();
   }
 
   throw new Error(await getErrorMsgFromApiResponse(response));
@@ -94,12 +87,10 @@ const handleAlertsJSONResponse = async <R>(response: Response): Promise<R> => {
     throw new Error(`Error ${response.status}: ${response.statusText}`);
   }
 
-  if (response.status === 401) {
-    await redirectToLogin();
-  }
-
-  // For 500/501 errors, return the status code for detection
-  if (response.status === 500 || response.status === 501) {
+  // The UI proxy should convert alert errors 401 to 501, but we guard against 401 here as well.
+  const isAlertsDisabled = response.status === 500 || response.status === 501 || response.status === 401;
+  if (isAlertsDisabled) {
+    // Return the status code to correctly detect that alerts are disabled
     throw new Error(`${response.status}`);
   }
 
diff --git a/libs/ansible/src/const.ts b/libs/ansible/src/const.ts
index 0f7a4c6b7..5782fab1d 100644
--- a/libs/ansible/src/const.ts
+++ b/libs/ansible/src/const.ts
@@ -17,5 +17,10 @@ export const appRoutes = {
   [ROUTE.RESOURCE_SYNC_DETAILS]: '/edge/resourcesyncs',
   [ROUTE.ENROLLMENT_REQUESTS]: '/edge/enrollmentrequests',
   [ROUTE.ENROLLMENT_REQUEST_DETAILS]: '/edge/enrollmentrequests',
-  [ROUTE.COMMAND_LINE_TOOLS]: '/', // TODO - TBD where to show the CLI downloads?
+  // Unimplemented UI routes
+  [ROUTE.COMMAND_LINE_TOOLS]: '/',
+  [ROUTE.AUTH_PROVIDERS]: '/',
+  [ROUTE.AUTH_PROVIDER_CREATE]: '/',
+  [ROUTE.AUTH_PROVIDER_EDIT]: '/',
+  [ROUTE.AUTH_PROVIDER_DETAILS]: '/',
 };
diff --git a/libs/i18n/locales/en/translation.json b/libs/i18n/locales/en/translation.json
index cdb7f36ad..dfa622f65 100644
--- a/libs/i18n/locales/en/translation.json
+++ b/libs/i18n/locales/en/translation.json
@@ -13,18 +13,11 @@
   "404 Page not found": "404 Page not found",
   "We didn't find a page that matches the address you navigated to.": "We didn't find a page that matches the address you navigated to.",
   "Take me home": "Take me home",
-  "Authentication failed": "Authentication failed",
-  "Failed to authenticate. Please check your token and try again.": "Failed to authenticate. Please check your token and try again.",
-  "Enter your Kubernetes token": "Enter your Kubernetes token",
-  "Enter your Kubernetes service account token to authenticate with the cluster.": "Enter your Kubernetes service account token to authenticate with the cluster.",
-  "You can find this token in your Kubernetes service account credentials.": "You can find this token in your Kubernetes service account credentials.",
-  "Service account token": "Service account token",
-  "Invalid token format. Expected a JWT token with format: header.payload.signature": "Invalid token format. Expected a JWT token with format: header.payload.signature",
-  "Enter your Kubernetes token...": "Enter your Kubernetes token...",
-  "Keep your token secure": "Keep your token secure",
-  "Never share your service account token. It provides full access to your Kubernetes cluster resources.": "Never share your service account token. It provides full access to your Kubernetes cluster resources.",
-  "Authenticating...": "Authenticating...",
-  "Login": "Login",
+  "Failed to initiate login with {{ providerName}} ": "Failed to initiate login with {{ providerName}} ",
+  "Failed to initiate login": "Failed to initiate login",
+  "No authentication providers found. Please contact your administrator.": "No authentication providers found. Please contact your administrator.",
+  "Failed to load the authentication providers": "Failed to load the authentication providers",
+  "Redirecting to login for {{ provider }}...": "Redirecting to login for {{ provider }}...",
   "404 Page Not Found": "404 Page Not Found",
   "Error page - details should be displayed here": "Error page - details should be displayed here",
   "Overview": "Overview",
@@ -44,8 +37,147 @@
   "Edit repository": "Edit repository",
   "Repository Details": "Repository Details",
   "Resource sync": "Resource sync",
+  "Authentication Providers": "Authentication Providers",
+  "Create Authentication Provider": "Create Authentication Provider",
+  "Edit Authentication Provider": "Edit Authentication Provider",
+  "Authentication Provider Details": "Authentication Provider Details",
   "Failed to login": "Failed to login",
   "Try again": "Try again",
+  "Authentication providers": "Authentication providers",
+  "Edit authentication provider": "Edit authentication provider",
+  "Delete authentication provider": "Delete authentication provider",
+  "Details": "Details",
+  "YAML": "YAML",
+  "Provider overview": "Provider overview",
+  "Name": "Name",
+  "Display name": "Display name",
+  "Type": "Type",
+  "Status": "Status",
+  "Enabled": "Enabled",
+  "Disabled": "Disabled",
+  "{{ providerType }} configuration": "{{ providerType }} configuration",
+  "Authorization URL": "Authorization URL",
+  "Token URL": "Token URL",
+  "Userinfo URL": "Userinfo URL",
+  "Issuer URL": "Issuer URL",
+  "Client & claims configuration": "Client & claims configuration",
+  "Client ID": "Client ID",
+  "Scopes": "Scopes",
+  "Username claim path": "Username claim path",
+  "Resulting username claim": "Resulting username claim",
+  "Default": "Default",
+  "Role assignment": "Role assignment",
+  "Organization assignment": "Organization assignment",
+  "Assignment type": "Assignment type",
+  "Organization": "Organization",
+  "Claim path": "Claim path",
+  "Prefix": "Prefix",
+  "Suffix": "Suffix",
+  "Delete authentication provider?": "Delete authentication provider?",
+  "This will permanently delete the authentication provider <1>{authProviderId}</1> and remove all associated configurations.": "This will permanently delete the authentication provider <1>{authProviderId}</1> and remove all associated configurations.",
+  "Users who currently authenticate through this provider will lose access until alternative authentication is configured.": "Users who currently authenticate through this provider will lose access until alternative authentication is configured.",
+  "Authentication provider deletion failed": "Authentication provider deletion failed",
+  "Type <1>{authProviderId}</1> to confirm deletion:": "Type <1>{authProviderId}</1> to confirm deletion:",
+  "Confirmation text": "Confirmation text",
+  "Cancel": "Cancel",
+  "Separator": "Separator",
+  "View details": "View details",
+  "Edit": "Edit",
+  "Delete": "Delete",
+  "Issuer/Authorization URL": "Issuer/Authorization URL",
+  "Add authentication provider": "Add authentication provider",
+  "Add your first authentication providers": "Add your first authentication providers",
+  "Connect OIDC and Oauth2 providers to enable additional secure authentication options for your users.": "Connect OIDC and Oauth2 providers to enable additional secure authentication options for your users.",
+  "Authentication providers list": "Authentication providers list",
+  "Authentication": "Authentication",
+  "Manage authentication providers": "Manage authentication providers",
+  "Static": "Static",
+  "Dynamic": "Dynamic",
+  "Per user": "Per user",
+  "External organization name": "External organization name",
+  "Users from this provider will be assigned to this organization": "Users from this provider will be assigned to this organization",
+  "Enter the path segments to the claim (e.g., [\"groups\"], [\"custom_claims\", \"org_id\"])": "Enter the path segments to the claim (e.g., [\"groups\"], [\"custom_claims\", \"org_id\"])",
+  "Add path segment": "Add path segment",
+  "Organization name prefix": "Organization name prefix",
+  "Optional prefix for the organization name": "Optional prefix for the organization name",
+  "Organization name suffix": "Organization name suffix",
+  "Optional suffix for the organization name": "Optional suffix for the organization name",
+  "Optional prefix for the user-specific organization name": "Optional prefix for the user-specific organization name",
+  "Optional suffix for the user-specific organization name": "Optional suffix for the user-specific organization name",
+  "Purpose": "Purpose",
+  "Scopes define the permissions your application requests from the provider.": "Scopes define the permissions your application requests from the provider.",
+  "Configuration": "Configuration",
+  "Check your provider's documentation for required scopes.": "Check your provider's documentation for required scopes.",
+  "Common examples": "Common examples",
+  "openid, profile, email, groups.": "openid, profile, email, groups.",
+  "The claim field that contains the username.": "The claim field that contains the username.",
+  "Format": "Format",
+  "Enter each segment of the claim path as a separate item. Simple claims like \"email\" require only one segment. For nested claims like \"user.name\", add multiple segments in order: first \"user\", then \"name\".": "Enter each segment of the claim path as a separate item. Simple claims like \"email\" require only one segment. For nested claims like \"user.name\", add multiple segments in order: first \"user\", then \"name\".",
+  "Requirements": "Requirements",
+  "Each segment must start with a letter or underscore and contain only letters, numbers, dots or underscores.": "Each segment must start with a letter or underscore and contain only letters, numbers, dots or underscores.",
+  "The claim field that contains user roles or group memberships for authorization.": "The claim field that contains user roles or group memberships for authorization.",
+  "Refer to your provider's documentation for the correct claim path.": "Refer to your provider's documentation for the correct claim path.",
+  "Use an array of path segments (e.g., [\"groups\"], [\"roles\"], [\"realm_access\", \"roles\"]).": "Use an array of path segments (e.g., [\"groups\"], [\"roles\"], [\"realm_access\", \"roles\"]).",
+  "[\"groups\"], [\"roles\"], [\"authorities\"]": "[\"groups\"], [\"roles\"], [\"authorities\"]",
+  "Separator for org:role format (default: \":\"). Roles containing the separator are split into organization-scoped roles. Roles without separator are global and apply to all organizations. Example: \"org1:admin\" becomes org-scoped role \"admin\" for organization \"org1\", while \"admin\" becomes a global role.": "Separator for org:role format (default: \":\"). Roles containing the separator are split into organization-scoped roles. Roles without separator are global and apply to all organizations. Example: \"org1:admin\" becomes org-scoped role \"admin\" for organization \"org1\", while \"admin\" becomes a global role.",
+  "An error occurred": "An error occurred",
+  "Failed to retrieve authentication provider details": "Failed to retrieve authentication provider details",
+  "Set up how users will sign in and which organization they'll be assigned to.": "Set up how users will sign in and which organization they'll be assigned to.",
+  "OIDC": "OIDC",
+  "OAuth2": "OAuth2",
+  "Turn this on to let users sign in with this provider.": "Turn this on to let users sign in with this provider.",
+  "You can turn it off anytime without losing your settings.": "You can turn it off anytime without losing your settings.",
+  "Test provider": "Test provider",
+  "GitHub with secret": "GitHub with secret",
+  "GitHub without secret": "GitHub without secret",
+  "Google": "Google",
+  "Clear": "Clear",
+  "Provider name": "Provider name",
+  "You can't change the provider name after it's created": "You can't change the provider name after it's created",
+  "Display name for this provider": "Display name for this provider",
+  "Client secret": "Client secret",
+  "User identity & authorization": "User identity & authorization",
+  "Add scopes required to access username and role claims from your authentication provider.": "Add scopes required to access username and role claims from your authentication provider.",
+  "Add scope": "Add scope",
+  "Enter the path segments to the username claim": "Enter the path segments to the username claim",
+  "Test connection failed": "Test connection failed",
+  "Save": "Save",
+  "Create authentication provider": "Create authentication provider",
+  "Test connection": "Test connection",
+  "System administrator": "System administrator",
+  "Organization administrator": "Organization administrator",
+  "Operator": "Operator",
+  "Installer": "Installer",
+  "Viewer": "Viewer",
+  "List of roles to assign to all users from this provider": "List of roles to assign to all users from this provider",
+  "Add role": "Add role",
+  "Roles": "Roles",
+  "Role claim path": "Role claim path",
+  "Path segments to the role/group claim (e.g., [\"groups\"], [\"roles\"], [\"realm_access\", \"roles\"])": "Path segments to the role/group claim (e.g., [\"groups\"], [\"roles\"], [\"realm_access\", \"roles\"])",
+  "Provider type is required": "Provider type is required",
+  "Client ID is required": "Client ID is required",
+  "Client secret is required": "Client secret is required",
+  "Please remove duplicate scopes": "Please remove duplicate scopes",
+  "At least one claim path segment is required for dynamic role assignment": "At least one claim path segment is required for dynamic role assignment",
+  "At least one role is required for static role assignment": "At least one role is required for static role assignment",
+  "Organization assignment type is required": "Organization assignment type is required",
+  "Issuer is required": "Issuer is required",
+  "Must be a valid URL": "Must be a valid URL",
+  "Authorization URL is required": "Authorization URL is required",
+  "Token URL is required": "Token URL is required",
+  "Userinfo URL is required": "Userinfo URL is required",
+  "Static organization assignment requires an organization name": "Static organization assignment requires an organization name",
+  "At least one claim path segment is required": "At least one claim path segment is required",
+  "Claim path is required": "Claim path is required",
+  "Test connection results": "Test connection results",
+  "Connection test successful": "Connection test successful",
+  "Great! We successfully connected to your provider. Here's what we found:": "Great! We successfully connected to your provider. Here's what we found:",
+  "Connection partially successful": "Connection partially successful",
+  "Connection test unsuccessful": "Connection test unsuccessful",
+  "We found some issues with your configuration. Here's what needs your attention:": "We found some issues with your configuration. Here's what needs your attention:",
+  "Field": "Field",
+  "Value": "Value",
+  "Close": "Close",
   "No devices": "No devices",
   "Restricted Access": "Restricted Access",
   "You don't have access to this section.": "You don't have access to this section.",
@@ -60,7 +192,6 @@
   "Toggle Tab action between insert Tab character and move focus out of editor": "Toggle Tab action between insert Tab character and move focus out of editor",
   "View document outline": "View document outline",
   "View property descriptions": "View property descriptions",
-  "Save": "Save",
   "{{ resourceName }} has been updated to version {{ version }}": "{{ resourceName }} has been updated to version {{ version }}",
   "Yaml could not be saved": "Yaml could not be saved",
   "A newer version of the resource has been detected.": "A newer version of the resource has been detected.",
@@ -76,7 +207,6 @@
   "Start from scratch": "Start from scratch",
   "Start editing": "Start editing",
   "Reload": "Reload",
-  "Cancel": "Cancel",
   "Download": "Download",
   "Copy text": "Copy text",
   "New label": "New label",
@@ -95,6 +225,7 @@
   "Continue": "Continue",
   "Select Organization": "Select Organization",
   "Change Organization": "Change Organization",
+  "Settings": "Settings",
   "Technology preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during the development process.": "Technology preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during the development process.",
   "Technology preview description": "Technology preview description",
   "Technology preview": "Technology preview",
@@ -116,12 +247,9 @@
   "Actions dropdown": "Actions dropdown",
   "Actions": "Actions",
   "Device applications table": "Device applications table",
-  "Name": "Name",
-  "Status": "Status",
   "Ready": "Ready",
   "Restarts": "Restarts",
   "No applications found": "No applications found",
-  "Type": "Type",
   "Reason": "Reason",
   "Message": "Message",
   "No conditions found": "No conditions found",
@@ -137,7 +265,6 @@
   "Create, sign and publish a bootable OS disk image": "Create, sign and publish a bootable OS disk image",
   "Boot your device into the OS disk image": "Boot your device into the OS disk image",
   "Learn more about adding devices": "Learn more about adding devices",
-  "Close": "Close",
   "Untitled": "Untitled",
   "Alias": "Alias",
   "Edit alias": "Edit alias",
@@ -145,8 +272,6 @@
   "Applications": "Applications",
   "Delete forever": "Delete forever",
   "You are about to resume <1>{deviceNameOrAlias}</1>": "You are about to resume <1>{deviceNameOrAlias}</1>",
-  "Details": "Details",
-  "YAML": "YAML",
   "Terminal": "Terminal",
   "Events": "Events",
   "Edit device configurations": "Edit device configurations",
@@ -203,7 +328,6 @@
   "Filter by labels and fleets": "Filter by labels and fleets",
   "Decommission devices": "Decommission devices",
   "Enrolled devices table": "Enrolled devices table",
-  "An error occurred": "An error occurred",
   "Device is non-editable": "Device is non-editable",
   "General info": "General info",
   "Device template": "Device template",
@@ -230,7 +354,6 @@
   "The unique identifier for this application.": "The unique identifier for this application.",
   "If not specified, the image name will be used. Application name must be unique.": "If not specified, the image name will be used. Application name must be unique.",
   "Variable {{ number }}": "Variable {{ number }}",
-  "Value": "Value",
   "Delete variable": "Delete variable",
   "Add an application variable": "Add an application variable",
   "Application workloads": "Application workloads",
@@ -277,7 +400,6 @@
   "Path in the repository where the configuration files are located.": "Path in the repository where the configuration files are located.",
   "Full HTTP service URL: <1>{fullURL}</1>": "Full HTTP service URL: <1>{fullURL}</1>",
   "Select a repository to generate the full URL": "Select a repository to generate the full URL",
-  "Suffix": "Suffix",
   "Suffix that will be combined with the repository's base URL to invoke the HTTP service. Can include query parameters.": "Suffix that will be combined with the repository's base URL to invoke the HTTP service. Can include query parameters.",
   "File path": "File path",
   "Path of the file where the response will be stored in the device filesystem.": "Path of the file where the response will be stored in the device filesystem.",
@@ -334,7 +456,6 @@
   "No enrollment requests here!": "No enrollment requests here!",
   "Created": "Created",
   "Devices pending approval": "Devices pending approval",
-  "Delete": "Delete",
   "Table for devices pending approval": "Table for devices pending approval",
   "Search by name": "Search by name",
   "{{ count }} devices pending approval_one": "{{ count }} device pending approval",
@@ -517,12 +638,13 @@
   "Target revision": "Target revision",
   "Fleets will appear in the fleets table list and their status will be reflecting the resource sync process status. After a few minutes, they should be synced and enabled.": "Fleets will appear in the fleets table list and their status will be reflecting the resource sync process status. After a few minutes, they should be synced and enabled.",
   "Invalid {{ itemType }}": "Invalid {{ itemType }}",
+  "Add item": "Add item",
+  "Resolved": "Resolved",
   "Name must be unique": "Name must be unique",
   "Max file size {{ maxFileSize }} MB": "Max file size {{ maxFileSize }} MB",
   "Content exceeds max file size of {{ maxFileSize }} MB": "Content exceeds max file size of {{ maxFileSize }} MB",
   "Drag a file or browse to upload": "Drag a file or browse to upload",
   "Browse...": "Browse...",
-  "Clear": "Clear",
   "Content loaded from: {{ filename }}": "Content loaded from: {{ filename }}",
   "Starts and ends with a letter or a number.": "Starts and ends with a letter or a number.",
   "Contains only letters, numbers, dashes (-), dots (.), and underscores (_).": "Contains only letters, numbers, dashes (-), dots (.), and underscores (_).",
@@ -594,6 +716,20 @@
   "pending device": "pending device",
   "resource sync": "resource sync",
   "You are about to resume device <1>{deviceName}</1>": "You are about to resume device <1>{deviceName}</1>",
+  "Choose login method": "Choose login method",
+  "Log in with {{ providerName }}": "Log in with {{ providerName }}",
+  "Authentication failed": "Authentication failed",
+  "Back to login options": "Back to login options",
+  "Enter your Kubernetes token": "Enter your Kubernetes token",
+  "Enter your Kubernetes service account token to authenticate with the cluster.": "Enter your Kubernetes service account token to authenticate with the cluster.",
+  "You can find this token in your Kubernetes service account credentials.": "You can find this token in your Kubernetes service account credentials.",
+  "Service account token": "Service account token",
+  "Invalid token format. Expected a JWT token with format: header.payload.signature": "Invalid token format. Expected a JWT token with format: header.payload.signature",
+  "Enter your Kubernetes token...": "Enter your Kubernetes token...",
+  "Keep your token secure": "Keep your token secure",
+  "Never share your service account token. It provides full access to your Kubernetes cluster resources.": "Never share your service account token. It provides full access to your Kubernetes cluster resources.",
+  "Authenticating...": "Authenticating...",
+  "Login": "Login",
   "No {{ productName }} command line tools were found for this deployment at this time.": "No {{ productName }} command line tools were found for this deployment at this time.",
   "Could not list the {{ productName }} command line tools": "Could not list the {{ productName }} command line tools",
   "Download flightctl CLI for {{ os }} for {{ arch }}": "Download flightctl CLI for {{ os }} for {{ arch }}",
@@ -697,7 +833,7 @@
   "Resource was deleted successfully": "Resource was deleted successfully",
   "Enrollment request": "Enrollment request",
   "Template version": "Template version",
-  "Auth provider": "Auth provider",
+  "Authentication provider": "Authentication provider",
   "Loading alerts...": "Loading alerts...",
   "Error loading alerts": "Error loading alerts",
   "Alerts": "Alerts",
@@ -841,6 +977,9 @@
   "Product UUID": "Product UUID",
   "TPM vendor info": "TPM vendor info",
   "Websocket error occured": "Websocket error occured",
+  "OpenShift": "OpenShift",
+  "Kubernetes": "Kubernetes",
+  "Ansible Automation Platform": "Ansible Automation Platform",
   "{{count}} years ago_one": "{{count}} year ago",
   "{{count}} years ago_other": "{{count}} years ago",
   "{{count}} months ago_one": "{{count}} month ago",
diff --git a/libs/types/index.ts b/libs/types/index.ts
index 2a0da734a..9f6996ed6 100644
--- a/libs/types/index.ts
+++ b/libs/types/index.ts
@@ -7,7 +7,10 @@ export type { AapProviderSpec } from './models/AapProviderSpec';
 export type { AbsolutePath } from './models/AbsolutePath';
 export type { ApplicationContent } from './models/ApplicationContent';
 export type { ApplicationEnvVars } from './models/ApplicationEnvVars';
+export type { ApplicationPort } from './models/ApplicationPort';
 export type { ApplicationProviderSpec } from './models/ApplicationProviderSpec';
+export type { ApplicationResourceLimits } from './models/ApplicationResourceLimits';
+export type { ApplicationResources } from './models/ApplicationResources';
 export { ApplicationsSummaryStatusType } from './models/ApplicationsSummaryStatusType';
 export { ApplicationStatusType } from './models/ApplicationStatusType';
 export type { ApplicationVolume } from './models/ApplicationVolume';
@@ -116,6 +119,7 @@ export type { HttpConfig } from './models/HttpConfig';
 export type { HttpConfigProviderSpec } from './models/HttpConfigProviderSpec';
 export type { HttpRepoSpec } from './models/HttpRepoSpec';
 export type { ImageApplicationProviderSpec } from './models/ImageApplicationProviderSpec';
+export type { ImageMountVolumeProviderSpec } from './models/ImageMountVolumeProviderSpec';
 export { ImagePullPolicy } from './models/ImagePullPolicy';
 export type { ImageVolumeProviderSpec } from './models/ImageVolumeProviderSpec';
 export type { ImageVolumeSource } from './models/ImageVolumeSource';
@@ -131,10 +135,12 @@ export type { ListMeta } from './models/ListMeta';
 export { MatchExpression } from './models/MatchExpression';
 export type { MatchExpressions } from './models/MatchExpressions';
 export type { MemoryResourceMonitorSpec } from './models/MemoryResourceMonitorSpec';
+export type { MountVolumeProviderSpec } from './models/MountVolumeProviderSpec';
 export type { OAuth2ProviderSpec } from './models/OAuth2ProviderSpec';
 export type { ObjectMeta } from './models/ObjectMeta';
 export type { ObjectReference } from './models/ObjectReference';
 export type { OIDCProviderSpec } from './models/OIDCProviderSpec';
+export type { OpenShiftProviderSpec } from './models/OpenShiftProviderSpec';
 export type { Organization } from './models/Organization';
 export type { OrganizationList } from './models/OrganizationList';
 export type { OrganizationSpec } from './models/OrganizationSpec';
@@ -175,5 +181,9 @@ export type { TemplateVersionList } from './models/TemplateVersionList';
 export type { TemplateVersionSpec } from './models/TemplateVersionSpec';
 export type { TemplateVersionStatus } from './models/TemplateVersionStatus';
 export type { TimeZone } from './models/TimeZone';
+export { TokenRequest } from './models/TokenRequest';
+export { TokenResponse } from './models/TokenResponse';
 export type { UpdateSchedule } from './models/UpdateSchedule';
+export type { UserInfoResponse } from './models/UserInfoResponse';
 export type { Version } from './models/Version';
+export type { VolumeMount } from './models/VolumeMount';
diff --git a/libs/types/models/AppType.ts b/libs/types/models/AppType.ts
index 570034184..94a10a258 100644
--- a/libs/types/models/AppType.ts
+++ b/libs/types/models/AppType.ts
@@ -8,4 +8,5 @@
 export enum AppType {
   AppTypeCompose = 'compose',
   AppTypeQuadlet = 'quadlet',
+  AppTypeContainer = 'container',
 }
diff --git a/libs/types/models/ApplicationPort.ts b/libs/types/models/ApplicationPort.ts
new file mode 100644
index 000000000..d34b1342a
--- /dev/null
+++ b/libs/types/models/ApplicationPort.ts
@@ -0,0 +1,8 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * Port mapping in format "hostPort:containerPort" (e.g., "8080:80").
+ */
+export type ApplicationPort = string;
diff --git a/libs/types/models/ApplicationResourceLimits.ts b/libs/types/models/ApplicationResourceLimits.ts
new file mode 100644
index 000000000..adf58f01e
--- /dev/null
+++ b/libs/types/models/ApplicationResourceLimits.ts
@@ -0,0 +1,18 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * Resource limits for the application.
+ */
+export type ApplicationResourceLimits = {
+  /**
+   * CPU limit in cores (e.g., "1", "0.75").
+   */
+  cpu?: string;
+  /**
+   * Memory limit with unit (e.g., "256m", "2g") using Podman format (b=bytes, k=kibibytes, m=mebibytes, g=gibibytes).
+   */
+  memory?: string;
+};
+
diff --git a/libs/types/models/ApplicationResources.ts b/libs/types/models/ApplicationResources.ts
new file mode 100644
index 000000000..bb5cbe5e8
--- /dev/null
+++ b/libs/types/models/ApplicationResources.ts
@@ -0,0 +1,12 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { ApplicationResourceLimits } from './ApplicationResourceLimits';
+/**
+ * Resource constraints for the application.
+ */
+export type ApplicationResources = {
+  limits?: ApplicationResourceLimits;
+};
+
diff --git a/libs/types/models/ApplicationVolume.ts b/libs/types/models/ApplicationVolume.ts
index b219681f3..b6c2635db 100644
--- a/libs/types/models/ApplicationVolume.ts
+++ b/libs/types/models/ApplicationVolume.ts
@@ -3,10 +3,9 @@
 /* tslint:disable */
 /* eslint-disable */
 import type { ImageVolumeProviderSpec } from './ImageVolumeProviderSpec';
-export type ApplicationVolume = ({
+export type ApplicationVolume = {
   /**
    * Unique name of the volume used within the application.
    */
   name: string;
-} & ImageVolumeProviderSpec);
-
+} & ImageVolumeProviderSpec;
diff --git a/libs/types/models/AuthDynamicRoleAssignment.ts b/libs/types/models/AuthDynamicRoleAssignment.ts
index 16ba118c4..39d6e1110 100644
--- a/libs/types/models/AuthDynamicRoleAssignment.ts
+++ b/libs/types/models/AuthDynamicRoleAssignment.ts
@@ -14,5 +14,9 @@ export type AuthDynamicRoleAssignment = {
    * The JSON path to the role/group claim (e.g., ["groups"], ["roles"], ["realm_access", "roles"]).
    */
   claimPath: Array<string>;
+  /**
+   * Separator for org:role format (default ':'). Roles containing the separator are split into organization-scoped roles. Roles without separator are global and apply to all organizations.
+   */
+  separator?: string;
 };
 
diff --git a/libs/types/models/AuthProviderSpec.ts b/libs/types/models/AuthProviderSpec.ts
index 79a85eb37..8c2d8ce57 100644
--- a/libs/types/models/AuthProviderSpec.ts
+++ b/libs/types/models/AuthProviderSpec.ts
@@ -6,5 +6,6 @@ import type { AapProviderSpec } from './AapProviderSpec';
 import type { K8sProviderSpec } from './K8sProviderSpec';
 import type { OAuth2ProviderSpec } from './OAuth2ProviderSpec';
 import type { OIDCProviderSpec } from './OIDCProviderSpec';
-export type AuthProviderSpec = (OIDCProviderSpec | OAuth2ProviderSpec | AapProviderSpec | K8sProviderSpec);
+import type { OpenShiftProviderSpec } from './OpenShiftProviderSpec';
+export type AuthProviderSpec = (OIDCProviderSpec | OAuth2ProviderSpec | OpenShiftProviderSpec | AapProviderSpec | K8sProviderSpec);
 
diff --git a/libs/types/models/ImageApplicationProviderSpec.ts b/libs/types/models/ImageApplicationProviderSpec.ts
index 4b5a9b563..8f814ceff 100644
--- a/libs/types/models/ImageApplicationProviderSpec.ts
+++ b/libs/types/models/ImageApplicationProviderSpec.ts
@@ -2,11 +2,18 @@
 /* istanbul ignore file */
 /* tslint:disable */
 /* eslint-disable */
+import type { ApplicationPort } from './ApplicationPort';
+import type { ApplicationResources } from './ApplicationResources';
 import type { ApplicationVolumeProviderSpec } from './ApplicationVolumeProviderSpec';
 export type ImageApplicationProviderSpec = (ApplicationVolumeProviderSpec & {
   /**
    * Reference to the container image for the application package.
    */
   image: string;
+  /**
+   * Port mappings.
+   */
+  ports?: Array<ApplicationPort>;
+  resources?: ApplicationResources;
 });
 
diff --git a/libs/types/models/ImageMountVolumeProviderSpec.ts b/libs/types/models/ImageMountVolumeProviderSpec.ts
new file mode 100644
index 000000000..e21043fcc
--- /dev/null
+++ b/libs/types/models/ImageMountVolumeProviderSpec.ts
@@ -0,0 +1,14 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { ImageVolumeSource } from './ImageVolumeSource';
+import type { VolumeMount } from './VolumeMount';
+/**
+ * Volume from OCI image mounted at specified path.
+ */
+export type ImageMountVolumeProviderSpec = {
+  image: ImageVolumeSource;
+  mount: VolumeMount;
+};
+
diff --git a/libs/types/models/K8sProviderSpec.ts b/libs/types/models/K8sProviderSpec.ts
index 16f8767e0..20d3aa201 100644
--- a/libs/types/models/K8sProviderSpec.ts
+++ b/libs/types/models/K8sProviderSpec.ts
@@ -20,10 +20,6 @@ export type K8sProviderSpec = {
    * The internal Kubernetes API URL.
    */
   apiUrl: string;
-  /**
-   * The external OpenShift API URL (for external access).
-   */
-  externalOpenShiftApiUrl?: string;
   /**
    * The RBAC namespace for permissions.
    */
diff --git a/libs/types/models/MountVolumeProviderSpec.ts b/libs/types/models/MountVolumeProviderSpec.ts
new file mode 100644
index 000000000..1f25c1cbc
--- /dev/null
+++ b/libs/types/models/MountVolumeProviderSpec.ts
@@ -0,0 +1,12 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { VolumeMount } from './VolumeMount';
+/**
+ * Named volume mount configuration.
+ */
+export type MountVolumeProviderSpec = {
+  mount: VolumeMount;
+};
+
diff --git a/libs/types/models/OpenShiftProviderSpec.ts b/libs/types/models/OpenShiftProviderSpec.ts
new file mode 100644
index 000000000..c901378c2
--- /dev/null
+++ b/libs/types/models/OpenShiftProviderSpec.ts
@@ -0,0 +1,50 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * OpenShiftProviderSpec describes an OpenShift OAuth provider configuration.
+ */
+export type OpenShiftProviderSpec = {
+  /**
+   * The type of authentication provider.
+   */
+  providerType: 'openshift';
+  /**
+   * Human-readable display name for the provider.
+   */
+  displayName?: string;
+  /**
+   * The OAuth2 issuer identifier (used for issuer identification in tokens).
+   */
+  issuer?: string;
+  /**
+   * The OAuth2 authorization endpoint URL.
+   */
+  authorizationUrl?: string;
+  /**
+   * The OAuth2 token endpoint URL.
+   */
+  tokenUrl?: string;
+  /**
+   * The OAuth2 client ID.
+   */
+  clientId?: string;
+  /**
+   * The OAuth2 client secret.
+   */
+  clientSecret?: string;
+  /**
+   * Whether this OpenShift provider is enabled.
+   */
+  enabled?: boolean;
+  /**
+   * List of OAuth2 scopes to request.
+   */
+  scopes?: Array<string>;
+  /**
+   * The OpenShift cluster control plane URL.
+   */
+  clusterControlPlaneUrl?: string;
+};
+
diff --git a/libs/types/models/TokenRequest.ts b/libs/types/models/TokenRequest.ts
new file mode 100644
index 000000000..51f262f77
--- /dev/null
+++ b/libs/types/models/TokenRequest.ts
@@ -0,0 +1,47 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * OAuth2 token request
+ */
+export type TokenRequest = {
+  /**
+   * OAuth2 grant type.
+   */
+  grant_type: TokenRequest.grant_type;
+  /**
+   * OAuth2 client identifier.
+   */
+  client_id: string;
+  /**
+   * Refresh token for refresh_token grant.
+   */
+  refresh_token?: string | null;
+  /**
+   * Authorization code for authorization_code grant.
+   */
+  code?: string | null;
+  /**
+   * OAuth2 scope.
+   */
+  scope?: string | null;
+  /**
+   * PKCE code verifier.
+   */
+  code_verifier?: string | null;
+  /**
+   * OAuth2 redirect URI (required for authorization_code grant if included in authorization request).
+   */
+  redirect_uri?: string | null;
+};
+export namespace TokenRequest {
+  /**
+   * OAuth2 grant type.
+   */
+  export enum grant_type {
+    REFRESH_TOKEN = 'refresh_token',
+    AUTHORIZATION_CODE = 'authorization_code',
+  }
+}
+
diff --git a/libs/types/models/TokenResponse.ts b/libs/types/models/TokenResponse.ts
new file mode 100644
index 000000000..1a2ab3a3a
--- /dev/null
+++ b/libs/types/models/TokenResponse.ts
@@ -0,0 +1,42 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * OAuth2 token response
+ */
+export type TokenResponse = {
+  /**
+   * OAuth2 access token.
+   */
+  access_token?: string;
+  /**
+   * Token type.
+   */
+  token_type?: TokenResponse.token_type;
+  /**
+   * OAuth2 refresh token.
+   */
+  refresh_token?: string;
+  /**
+   * Token expiration time in seconds.
+   */
+  expires_in?: number;
+  /**
+   * OAuth2 error code.
+   */
+  error?: string;
+  /**
+   * OAuth2 error description.
+   */
+  error_description?: string;
+};
+export namespace TokenResponse {
+  /**
+   * Token type.
+   */
+  export enum token_type {
+    BEARER = 'Bearer',
+  }
+}
+
diff --git a/libs/types/models/UserInfoResponse.ts b/libs/types/models/UserInfoResponse.ts
new file mode 100644
index 000000000..7485d26a4
--- /dev/null
+++ b/libs/types/models/UserInfoResponse.ts
@@ -0,0 +1,31 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+import type { Organization } from './Organization';
+/**
+ * OIDC UserInfo response
+ */
+export type UserInfoResponse = {
+  /**
+   * Subject identifier.
+   */
+  sub?: string;
+  /**
+   * Preferred username.
+   */
+  preferred_username?: string;
+  /**
+   * Full name.
+   */
+  name?: string;
+  /**
+   * User organizations.
+   */
+  organizations?: Array<Organization>;
+  /**
+   * Error code.
+   */
+  error?: string;
+};
+
diff --git a/libs/types/models/VolumeMount.ts b/libs/types/models/VolumeMount.ts
new file mode 100644
index 000000000..ebe34a373
--- /dev/null
+++ b/libs/types/models/VolumeMount.ts
@@ -0,0 +1,14 @@
+/* generated using openapi-typescript-codegen -- do no edit */
+/* istanbul ignore file */
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * Mount configuration for a volume.
+ */
+export type VolumeMount = {
+  /**
+   * Mount path in the container with support for options.
+   */
+  path: string;
+};
+
diff --git a/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/AuthProviderDetails.tsx b/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/AuthProviderDetails.tsx
new file mode 100644
index 000000000..081173ca5
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/AuthProviderDetails.tsx
@@ -0,0 +1,111 @@
+import * as React from 'react';
+import { DropdownItem, DropdownList, Nav, NavList } from '@patternfly/react-core';
+
+import { AuthProvider } from '@flightctl/types';
+
+import { useFetchPeriodically } from '../../../hooks/useFetchPeriodically';
+import DetailsPage from '../../DetailsPage/DetailsPage';
+import DetailsPageActions from '../../DetailsPage/DetailsPageActions';
+import AuthProviderDetailsTab from './AuthProviderDetailsTab';
+import DeleteAuthProviderModal from './DeleteAuthProviderModal';
+import { useTranslation } from '../../../hooks/useTranslation';
+import { ROUTE, useNavigate } from '../../../hooks/useNavigate';
+import { useAppContext } from '../../../hooks/useAppContext';
+import { RESOURCE, VERB } from '../../../types/rbac';
+import PageWithPermissions from '../../common/PageWithPermissions';
+import { usePermissionsContext } from '../../common/PermissionsContext';
+import YamlEditor from '../../common/CodeEditor/YamlEditor';
+import NavItem from '../../NavItem/NavItem';
+
+const authProviderDetailsPermissions = [
+  { kind: RESOURCE.AUTH_PROVIDER, verb: VERB.DELETE },
+  { kind: RESOURCE.AUTH_PROVIDER, verb: VERB.PATCH },
+];
+
+const AuthProviderDetails = () => {
+  const { t } = useTranslation();
+  const {
+    router: { useParams, Routes, Route, Navigate },
+  } = useAppContext();
+  const { authProviderId } = useParams() as { authProviderId: string };
+  const [authProviderDetails, isLoading, error, refetch] = useFetchPeriodically<Required<AuthProvider>>({
+    endpoint: `authproviders/${authProviderId}`,
+  });
+  const [isDeleteModalOpen, setIsDeleteModalOpen] = React.useState<boolean>(false);
+
+  const navigate = useNavigate();
+
+  const onDeleteSuccess = () => {
+    navigate(ROUTE.AUTH_PROVIDERS);
+  };
+
+  const { checkPermissions } = usePermissionsContext();
+  const [canDelete, canEdit] = checkPermissions(authProviderDetailsPermissions);
+
+  return (
+    <DetailsPage
+      loading={isLoading}
+      error={error}
+      id={authProviderId}
+      title={authProviderDetails?.metadata.name as string}
+      resourceLink={ROUTE.AUTH_PROVIDERS}
+      resourceType="Authentication providers"
+      resourceTypeLabel={t('Authentication providers')}
+      actions={
+        (canDelete || canEdit) && (
+          <DetailsPageActions>
+            <DropdownList>
+              {canEdit && (
+                <DropdownItem onClick={() => navigate({ route: ROUTE.AUTH_PROVIDER_EDIT, postfix: authProviderId })}>
+                  {t('Edit authentication provider')}
+                </DropdownItem>
+              )}
+              {canDelete && (
+                <DropdownItem onClick={() => setIsDeleteModalOpen(true)}>
+                  {t('Delete authentication provider')}
+                </DropdownItem>
+              )}
+            </DropdownList>
+          </DetailsPageActions>
+        )
+      }
+      nav={
+        <Nav variant="tertiary">
+          <NavList>
+            <NavItem to="details">{t('Details')}</NavItem>
+            <NavItem to="yaml">{t('YAML')}</NavItem>
+          </NavList>
+        </Nav>
+      }
+    >
+      {authProviderDetails && (
+        <>
+          <Routes>
+            <Route index element={<Navigate to="details" replace />} />
+            <Route path="details" element={<AuthProviderDetailsTab authProvider={authProviderDetails} />} />
+            <Route path="yaml" element={<YamlEditor apiObj={authProviderDetails} refetch={refetch} />} />
+          </Routes>
+          {isDeleteModalOpen && (
+            <DeleteAuthProviderModal
+              onClose={() => setIsDeleteModalOpen(false)}
+              onDeleteSuccess={onDeleteSuccess}
+              authProviderId={authProviderId}
+            />
+          )}
+        </>
+      )}
+    </DetailsPage>
+  );
+};
+
+const AuthProviderDetailsWithPermissions = () => {
+  const { checkPermissions, loading } = usePermissionsContext();
+  const [allowed] = checkPermissions([{ kind: RESOURCE.AUTH_PROVIDER, verb: VERB.GET }]);
+  return (
+    <PageWithPermissions allowed={allowed} loading={loading}>
+      <AuthProviderDetails />
+    </PageWithPermissions>
+  );
+};
+
+export default AuthProviderDetailsWithPermissions;
diff --git a/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/AuthProviderDetailsTab.tsx b/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/AuthProviderDetailsTab.tsx
new file mode 100644
index 000000000..0b1061d3d
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/AuthProviderDetailsTab.tsx
@@ -0,0 +1,239 @@
+import * as React from 'react';
+import {
+  Card,
+  CardBody,
+  ClipboardCopy,
+  DescriptionList,
+  DescriptionListDescription,
+  DescriptionListGroup,
+  DescriptionListTerm,
+  Divider,
+  Label,
+  LabelGroup,
+  Stack,
+  StackItem,
+  Text,
+  TextContent,
+  TextVariants,
+  Title,
+} from '@patternfly/react-core';
+import { AuthProvider } from '@flightctl/types';
+
+import { useTranslation } from '../../../hooks/useTranslation';
+import { DEFAULT_USERNAME_CLAIM, OrgAssignmentType, isOAuth2Provider } from '../CreateAuthProvider/types';
+import { getAssignmentTypeLabel, getProviderTypeLabel } from '../CreateAuthProvider/utils';
+import RoleAssigmentDetails from './RoleAssigmentDetails';
+import { DynamicAuthProviderSpec } from '../../../types/extraTypes';
+
+const Scopes = ({ scopes }: { scopes: string[] | undefined }) => {
+  if (!scopes || scopes.length === 0) {
+    return 'N/A';
+  }
+  return (
+    <LabelGroup>
+      {scopes.map((scope, index) => (
+        <Label key={`${scope}-${index}`}>{scope}</Label>
+      ))}
+    </LabelGroup>
+  );
+};
+
+const CopyUrl = ({ url }: { url: string }) => {
+  return (
+    <ClipboardCopy variant="inline-compact" isCode>
+      {url || 'N/A'}
+    </ClipboardCopy>
+  );
+};
+
+const AuthProviderDetailsTab = ({ authProvider }: { authProvider: AuthProvider }) => {
+  const { t } = useTranslation();
+  // Dynamic auth providers can only be OAuth2 or OIDC
+  const spec = authProvider.spec as DynamicAuthProviderSpec;
+  const isOAuth2 = isOAuth2Provider(spec);
+  const orgAssignment = spec.organizationAssignment;
+  const isEnabled = spec.enabled ?? true;
+
+  return (
+    <Stack hasGutter>
+      {/* Provider Overview Card */}
+      <StackItem>
+        <Card>
+          <CardBody>
+            <Title headingLevel="h2" size="lg" className="pf-v5-u-mb-md">
+              {t('Provider overview')}
+            </Title>
+            <DescriptionList columnModifier={{ default: '2Col' }}>
+              <DescriptionListGroup>
+                <DescriptionListTerm>{t('Name')}</DescriptionListTerm>
+                <DescriptionListDescription>
+                  <strong>{authProvider.metadata.name}</strong>
+                </DescriptionListDescription>
+              </DescriptionListGroup>
+
+              <DescriptionListGroup>
+                <DescriptionListTerm>{t('Display name')}</DescriptionListTerm>
+                <DescriptionListDescription>{spec.displayName || 'N/A'}</DescriptionListDescription>
+              </DescriptionListGroup>
+
+              <DescriptionListGroup>
+                <DescriptionListTerm>{t('Type')}</DescriptionListTerm>
+                <DescriptionListDescription>
+                  <Label color="blue">{getProviderTypeLabel(spec.providerType, t)}</Label>
+                </DescriptionListDescription>
+              </DescriptionListGroup>
+
+              <DescriptionListGroup>
+                <DescriptionListTerm>{t('Status')}</DescriptionListTerm>
+                <DescriptionListDescription>
+                  <Label color={isEnabled ? 'green' : 'grey'}>{isEnabled ? t('Enabled') : t('Disabled')}</Label>
+                </DescriptionListDescription>
+              </DescriptionListGroup>
+            </DescriptionList>
+
+            <Divider style={{ margin: '24px 0' }} />
+
+            <DescriptionList>
+              <Title headingLevel="h2" className="pf-v5-u-mb-md">
+                {t('{{ providerType }} configuration', { providerType: spec.providerType })}
+              </Title>
+              {isOAuth2 && (
+                <>
+                  <DescriptionListGroup>
+                    <DescriptionListTerm>{t('Authorization URL')}</DescriptionListTerm>
+                    <DescriptionListDescription>
+                      <CopyUrl url={spec.authorizationUrl} />
+                    </DescriptionListDescription>
+                  </DescriptionListGroup>
+
+                  <DescriptionListGroup>
+                    <DescriptionListTerm>{t('Token URL')}</DescriptionListTerm>
+                    <DescriptionListDescription>
+                      <CopyUrl url={spec.tokenUrl} />
+                    </DescriptionListDescription>
+                  </DescriptionListGroup>
+
+                  <DescriptionListGroup>
+                    <DescriptionListTerm>{t('Userinfo URL')}</DescriptionListTerm>
+                    <DescriptionListDescription>
+                      <CopyUrl url={spec.userinfoUrl} />
+                    </DescriptionListDescription>
+                  </DescriptionListGroup>
+                </>
+              )}
+
+              <DescriptionListGroup>
+                <DescriptionListTerm>{t('Issuer URL')}</DescriptionListTerm>
+                <DescriptionListDescription>
+                  {spec.issuer ? <CopyUrl url={spec.issuer} /> : 'N/A'}
+                </DescriptionListDescription>
+              </DescriptionListGroup>
+            </DescriptionList>
+          </CardBody>
+        </Card>
+      </StackItem>
+
+      <StackItem>
+        <Card>
+          <CardBody>
+            <Title headingLevel="h2" size="lg" className="pf-v5-u-mb-md">
+              {t('Client & claims configuration')}
+            </Title>
+            <DescriptionList columnModifier={{ default: '2Col' }}>
+              <DescriptionListGroup>
+                <DescriptionListTerm>{t('Client ID')}</DescriptionListTerm>
+                <DescriptionListDescription>{spec.clientId}</DescriptionListDescription>
+              </DescriptionListGroup>
+
+              <DescriptionListGroup>
+                <DescriptionListTerm>{t('Scopes')}</DescriptionListTerm>
+                <DescriptionListDescription>
+                  <Scopes scopes={spec.scopes} />
+                </DescriptionListDescription>
+              </DescriptionListGroup>
+              <DescriptionListGroup>
+                <DescriptionListTerm>{t('Username claim path')}</DescriptionListTerm>
+                <DescriptionListDescription>
+                  {spec.usernameClaim?.length ? (
+                    <>
+                      <LabelGroup>{spec.usernameClaim?.map((claim) => <Label key={claim}>{claim}</Label>)}</LabelGroup>
+                      <TextContent>
+                        <Text component={TextVariants.small}>
+                          {t('Resulting username claim')}: <strong>{spec.usernameClaim.join('.')}</strong>
+                        </Text>
+                      </TextContent>
+                    </>
+                  ) : (
+                    <Label color="grey">{`${DEFAULT_USERNAME_CLAIM} - (${t('Default')})`}</Label>
+                  )}
+                </DescriptionListDescription>
+              </DescriptionListGroup>
+
+              <DescriptionListGroup>
+                <DescriptionListTerm>{t('Role assignment')}</DescriptionListTerm>
+                <DescriptionListDescription>
+                  <RoleAssigmentDetails roleAssignment={spec.roleAssignment} />
+                </DescriptionListDescription>
+              </DescriptionListGroup>
+            </DescriptionList>
+          </CardBody>
+        </Card>
+      </StackItem>
+
+      <StackItem>
+        <Card>
+          <CardBody>
+            <Title headingLevel="h2" size="lg" className="pf-v5-u-mb-md">
+              {t('Organization assignment')}
+            </Title>
+            <DescriptionList isHorizontal>
+              <DescriptionListGroup>
+                <DescriptionListTerm>{t('Assignment type')}</DescriptionListTerm>
+                <DescriptionListDescription>
+                  <Label color="purple">{getAssignmentTypeLabel(orgAssignment.type, t)}</Label>
+                </DescriptionListDescription>
+              </DescriptionListGroup>
+              {orgAssignment.type === OrgAssignmentType.Static && (
+                <DescriptionListGroup>
+                  <DescriptionListTerm>{t('Organization')}</DescriptionListTerm>
+                  <DescriptionListDescription>{orgAssignment.organizationName || 'N/A'}</DescriptionListDescription>
+                </DescriptionListGroup>
+              )}
+              {orgAssignment.type === OrgAssignmentType.Dynamic && (
+                <DescriptionListGroup>
+                  <DescriptionListTerm>{t('Claim path')}</DescriptionListTerm>
+                  <DescriptionListDescription>
+                    <LabelGroup>
+                      {orgAssignment.claimPath.map((pathSegment, index) => (
+                        <Label key={`${pathSegment}-${index}`}>{pathSegment}</Label>
+                      ))}
+                    </LabelGroup>
+                  </DescriptionListDescription>
+                </DescriptionListGroup>
+              )}
+              {(orgAssignment.type === OrgAssignmentType.Dynamic ||
+                orgAssignment.type === OrgAssignmentType.PerUser) && (
+                <>
+                  <DescriptionListGroup>
+                    <DescriptionListTerm>{t('Prefix')}</DescriptionListTerm>
+                    <DescriptionListDescription>
+                      {orgAssignment.organizationNamePrefix || 'N/A'}
+                    </DescriptionListDescription>
+                  </DescriptionListGroup>
+                  <DescriptionListGroup>
+                    <DescriptionListTerm>{t('Suffix')}</DescriptionListTerm>
+                    <DescriptionListDescription>
+                      {orgAssignment.organizationNameSuffix || 'N/A'}
+                    </DescriptionListDescription>
+                  </DescriptionListGroup>
+                </>
+              )}
+            </DescriptionList>
+          </CardBody>
+        </Card>
+      </StackItem>
+    </Stack>
+  );
+};
+
+export default AuthProviderDetailsTab;
diff --git a/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/DeleteAuthProviderModal.tsx b/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/DeleteAuthProviderModal.tsx
new file mode 100644
index 000000000..236833bdf
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/DeleteAuthProviderModal.tsx
@@ -0,0 +1,95 @@
+import * as React from 'react';
+import { Alert, Button, Stack, StackItem, TextInput } from '@patternfly/react-core';
+import { Modal, ModalBody, ModalFooter, ModalHeader, ModalVariant } from '@patternfly/react-core/next';
+import { Trans } from 'react-i18next';
+
+import { useFetch } from '../../../hooks/useFetch';
+import { getErrorMessage } from '../../../utils/error';
+import { useTranslation } from '../../../hooks/useTranslation';
+
+type DeleteAuthProviderModalProps = {
+  authProviderId: string;
+  onClose: VoidFunction;
+  onDeleteSuccess: VoidFunction;
+};
+
+const DeleteAuthProviderModal = ({ authProviderId, onClose, onDeleteSuccess }: DeleteAuthProviderModalProps) => {
+  const { t } = useTranslation();
+  const { remove } = useFetch();
+  const [error, setError] = React.useState<string>();
+  const [isLoading, setIsLoading] = React.useState(false);
+  const [confirmationText, setConfirmationText] = React.useState('');
+
+  const handleDelete = async () => {
+    setError(undefined);
+    setIsLoading(true);
+    try {
+      await remove(`authproviders/${authProviderId}`);
+      onDeleteSuccess();
+    } catch (e) {
+      setError(getErrorMessage(e));
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  return (
+    <Modal variant={ModalVariant.medium} isOpen onClose={onClose}>
+      <ModalHeader title={t('Delete authentication provider?')} titleIconVariant="warning" />
+      <ModalBody>
+        <Stack hasGutter>
+          <StackItem>
+            <Trans t={t}>
+              This will permanently delete the authentication provider <strong>{authProviderId}</strong> and remove all
+              associated configurations.
+            </Trans>
+          </StackItem>
+          <StackItem>
+            <Alert
+              variant="warning"
+              isInline
+              title={t(
+                'Users who currently authenticate through this provider will lose access until alternative authentication is configured.',
+              )}
+            />
+          </StackItem>
+
+          {error && (
+            <StackItem>
+              <Alert isInline variant="danger" title={t('Authentication provider deletion failed')}>
+                {error}
+              </Alert>
+            </StackItem>
+          )}
+          <StackItem>
+            <Trans t={t}>
+              Type <strong>{authProviderId}</strong> to confirm deletion:
+            </Trans>
+          </StackItem>
+          <TextInput
+            value={confirmationText}
+            onChange={(_event, value) => setConfirmationText(value)}
+            placeholder={`Type "${authProviderId}" to confirm`}
+            aria-label={t('Confirmation text')}
+          />
+        </Stack>
+      </ModalBody>
+      <ModalFooter>
+        <Button
+          key="delete"
+          variant="danger"
+          onClick={handleDelete}
+          isLoading={isLoading}
+          isDisabled={isLoading || confirmationText !== authProviderId}
+        >
+          {t('Delete authentication provider')}
+        </Button>
+        <Button key="cancel" variant="link" onClick={onClose} isDisabled={isLoading}>
+          {t('Cancel')}
+        </Button>
+      </ModalFooter>
+    </Modal>
+  );
+};
+
+export default DeleteAuthProviderModal;
diff --git a/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/RoleAssigmentDetails.tsx b/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/RoleAssigmentDetails.tsx
new file mode 100644
index 000000000..1d0854c76
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/AuthProviderDetails/RoleAssigmentDetails.tsx
@@ -0,0 +1,53 @@
+import * as React from 'react';
+import { Label, LabelGroup } from '@patternfly/react-core';
+
+import { AuthRoleAssignment } from '@flightctl/types';
+import { getAssignmentTypeLabel } from '../CreateAuthProvider/utils';
+import { useTranslation } from '../../../hooks/useTranslation';
+import {
+  DEFAULT_ROLE_CLAIM,
+  DEFAULT_ROLE_SEPARATOR,
+  isRoleAssignmentDynamic,
+  isRoleAssignmentStatic,
+} from '../CreateAuthProvider/types';
+
+const RoleAssigmentDetails = ({ roleAssignment }: { roleAssignment: AuthRoleAssignment }) => {
+  const { t } = useTranslation();
+
+  let values: string[] = [];
+  let separator: string | undefined;
+  if (isRoleAssignmentStatic(roleAssignment)) {
+    values = roleAssignment.roles;
+  } else if (isRoleAssignmentDynamic(roleAssignment)) {
+    values = [roleAssignment.claimPath.join('.')];
+    separator = roleAssignment.separator;
+  } else {
+    values = [`"${DEFAULT_ROLE_CLAIM}" - (${t('Default')})`];
+  }
+
+  return (
+    <>
+      <Label color="purple">{getAssignmentTypeLabel(roleAssignment.type, t)}</Label>
+      <LabelGroup className="pf-v5-u-mt-sm">
+        {values.map((role, index) => (
+          <Label key={`${role}-${index}`}>{role}</Label>
+        ))}
+      </LabelGroup>
+      {separator && (
+        <>
+          <br />
+          <LabelGroup className="pf-v5-u-mt-sm">
+            <Label color="purple">{t('Separator')}</Label>
+
+            <Label key="separator" color="blue">
+              {separator}
+              {separator === DEFAULT_ROLE_SEPARATOR ? ' (colon) ' : ''}
+            </Label>
+          </LabelGroup>
+        </>
+      )}
+    </>
+  );
+};
+
+export default RoleAssigmentDetails;
diff --git a/libs/ui-components/src/components/AuthProvider/AuthProviderRow.tsx b/libs/ui-components/src/components/AuthProvider/AuthProviderRow.tsx
new file mode 100644
index 000000000..bf9b1e187
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/AuthProviderRow.tsx
@@ -0,0 +1,84 @@
+import * as React from 'react';
+import { ActionsColumn, Td, Tr } from '@patternfly/react-table';
+import { Label } from '@patternfly/react-core';
+
+import { AuthProvider } from '@flightctl/types';
+import { useTranslation } from '../../hooks/useTranslation';
+import { Link, ROUTE, useNavigate } from '../../hooks/useNavigate';
+import { RESOURCE, VERB } from '../../types/rbac';
+import { DynamicAuthProviderSpec } from '../../types/extraTypes';
+import { isOAuth2Provider } from './CreateAuthProvider/types';
+import { getProviderTypeLabel } from './CreateAuthProvider/utils';
+import { usePermissionsContext } from '../common/PermissionsContext';
+
+const authProviderPermissions = [
+  { kind: RESOURCE.AUTH_PROVIDER, verb: VERB.UPDATE },
+  { kind: RESOURCE.AUTH_PROVIDER, verb: VERB.DELETE },
+];
+
+const AuthProviderRow = ({ provider, onDeleteClick }: { provider: AuthProvider; onDeleteClick: VoidFunction }) => {
+  const { t } = useTranslation();
+  const navigate = useNavigate();
+  const providerName = provider.metadata.name || '';
+  const providerSpec = provider.spec as DynamicAuthProviderSpec;
+
+  const { checkPermissions } = usePermissionsContext();
+  const [canEdit, canDelete] = checkPermissions(authProviderPermissions);
+
+  const actions = [
+    {
+      title: t('View details'),
+      onClick: () => navigate({ route: ROUTE.AUTH_PROVIDER_DETAILS, postfix: providerName }),
+    },
+  ];
+
+  if (canEdit) {
+    actions.push({
+      title: t('Edit'),
+      onClick: () => navigate({ route: ROUTE.AUTH_PROVIDER_EDIT, postfix: providerName }),
+    });
+  }
+
+  if (canDelete) {
+    actions.push({
+      title: t('Delete'),
+      onClick: onDeleteClick,
+    });
+  }
+
+  let url: string = 'N/A';
+  let urlTitle: string = '';
+  if (isOAuth2Provider(providerSpec)) {
+    url = providerSpec.authorizationUrl;
+    urlTitle = t('Authorization URL');
+  } else {
+    url = providerSpec.issuer;
+    urlTitle = t('Issuer URL');
+  }
+
+  const isEnabled = providerSpec.enabled ?? true;
+
+  return (
+    <Tr>
+      <Td dataLabel={t('Name')}>
+        <Link to={{ route: ROUTE.AUTH_PROVIDER_DETAILS, postfix: providerName }}>
+          <strong>{providerName}</strong>
+        </Link>
+      </Td>
+      <Td dataLabel={t('Type')}>
+        <Label color="blue">{getProviderTypeLabel(providerSpec.providerType, t)}</Label>
+      </Td>
+      <Td dataLabel={urlTitle}>{url || 'N/A'}</Td>
+      <Td dataLabel={t('Enabled')}>
+        <Label color={isEnabled ? 'green' : 'grey'} isDisabled={!isEnabled}>
+          {isEnabled ? t('Enabled') : t('Disabled')}
+        </Label>
+      </Td>
+      <Td isActionCell>
+        <ActionsColumn items={actions} />
+      </Td>
+    </Tr>
+  );
+};
+
+export default AuthProviderRow;
diff --git a/libs/ui-components/src/components/AuthProvider/AuthProvidersPage.tsx b/libs/ui-components/src/components/AuthProvider/AuthProvidersPage.tsx
new file mode 100644
index 000000000..c9a436ed6
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/AuthProvidersPage.tsx
@@ -0,0 +1,168 @@
+import * as React from 'react';
+import {
+  Button,
+  EmptyStateActions,
+  EmptyStateBody,
+  EmptyStateFooter,
+  PageSection,
+  Stack,
+  StackItem,
+  Text,
+  TextContent,
+  TextVariants,
+  Title,
+  Toolbar,
+  ToolbarContent,
+  ToolbarItem,
+} from '@patternfly/react-core';
+import { Tbody } from '@patternfly/react-table';
+import { TFunction } from 'i18next';
+import { CubesIcon } from '@patternfly/react-icons/dist/js/icons/cubes-icon';
+
+import ListPageBody from '../ListPage/ListPageBody';
+import Table, { ApiSortTableColumn } from '../Table/Table';
+import { useTranslation } from '../../hooks/useTranslation';
+import AuthProviderRow from './AuthProviderRow';
+import { useAuthProviders } from './useAuthProviders';
+import ResourceListEmptyState from '../common/ResourceListEmptyState';
+import PageWithPermissions from '../common/PageWithPermissions';
+import { usePermissionsContext } from '../common/PermissionsContext';
+import { RESOURCE, VERB } from '../../types/rbac';
+import { ROUTE, useNavigate } from '../../hooks/useNavigate';
+import DeleteAuthProviderModal from './AuthProviderDetails/DeleteAuthProviderModal';
+
+const getColumns = (t: TFunction): ApiSortTableColumn[] => [
+  {
+    name: t('Name'),
+  },
+  {
+    name: t('Type'),
+  },
+  {
+    name: t('Issuer/Authorization URL'),
+  },
+  {
+    name: t('Status'),
+  },
+];
+
+const CreateAuthProviderButton = () => {
+  const { t } = useTranslation();
+  const navigate = useNavigate();
+  const { checkPermissions } = usePermissionsContext();
+  const [canCreate] = checkPermissions([{ kind: RESOURCE.AUTH_PROVIDER, verb: VERB.CREATE }]);
+
+  return (
+    canCreate && (
+      <Button variant="primary" onClick={() => navigate(ROUTE.AUTH_PROVIDER_CREATE)}>
+        {t('Add authentication provider')}
+      </Button>
+    )
+  );
+};
+
+const AuthProviderEmptyState = () => {
+  const { t } = useTranslation();
+  return (
+    <ResourceListEmptyState icon={CubesIcon} titleText={t('Add your first authentication providers')}>
+      <EmptyStateBody>
+        {t('Connect OIDC and Oauth2 providers to enable additional secure authentication options for your users.')}
+      </EmptyStateBody>
+      <EmptyStateFooter>
+        <EmptyStateActions>
+          <CreateAuthProviderButton />
+        </EmptyStateActions>
+      </EmptyStateFooter>
+    </ResourceListEmptyState>
+  );
+};
+
+const AuthProvidersTable = () => {
+  const { t } = useTranslation();
+
+  const providerColumns = React.useMemo(() => getColumns(t), [t]);
+  const { providers, isLoading, error, isUpdating, refetch } = useAuthProviders();
+  const [deleteModalProviderId, setDeleteModalProviderId] = React.useState<string>();
+
+  return (
+    <ListPageBody error={error} loading={isLoading}>
+      <Table
+        aria-label={t('Authentication providers list')}
+        loading={isUpdating}
+        columns={providerColumns}
+        emptyData={providers.length === 0}
+      >
+        <Tbody>
+          {providers.map((provider) => {
+            const providerId = provider.metadata.name as string;
+            return (
+              <AuthProviderRow
+                key={providerId}
+                provider={provider}
+                onDeleteClick={() => {
+                  setDeleteModalProviderId(providerId);
+                }}
+              />
+            );
+          })}
+        </Tbody>
+      </Table>
+      {!isUpdating && providers.length === 0 && <AuthProviderEmptyState />}
+      {deleteModalProviderId && (
+        <DeleteAuthProviderModal
+          authProviderId={deleteModalProviderId}
+          onClose={() => setDeleteModalProviderId(undefined)}
+          onDeleteSuccess={() => {
+            setDeleteModalProviderId(undefined);
+            refetch();
+          }}
+        />
+      )}
+    </ListPageBody>
+  );
+};
+
+const AuthProvidersPage = () => {
+  const { t } = useTranslation();
+
+  const { checkPermissions, loading } = usePermissionsContext();
+  const [canList] = checkPermissions([{ kind: RESOURCE.AUTH_PROVIDER, verb: VERB.LIST }]);
+  const navigate = useNavigate();
+
+  return (
+    <PageWithPermissions allowed={canList} loading={loading}>
+      <PageSection variant="light" type="breadcrumb">
+        <Stack hasGutter>
+          <StackItem>
+            <Title headingLevel="h1" size="3xl">
+              {t('Authentication')}
+            </Title>
+            <TextContent>
+              <Text component={TextVariants.small}>{t('Manage authentication providers')}</Text>
+            </TextContent>
+          </StackItem>
+          <StackItem>
+            <Toolbar>
+              <ToolbarContent>
+                <ToolbarItem>
+                  <Title headingLevel="h2" size="lg">
+                    {t('Authentication providers')}
+                  </Title>
+                </ToolbarItem>
+                <ToolbarItem variant="separator" />
+                <ToolbarItem>
+                  <Button variant="primary" onClick={() => navigate(ROUTE.AUTH_PROVIDER_CREATE)}>
+                    {t('Add authentication provider')}
+                  </Button>
+                </ToolbarItem>
+              </ToolbarContent>
+            </Toolbar>
+          </StackItem>
+          <AuthProvidersTable />
+        </Stack>
+      </PageSection>
+    </PageWithPermissions>
+  );
+};
+
+export default AuthProvidersPage;
diff --git a/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/AuthOrganizationAssignment.tsx b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/AuthOrganizationAssignment.tsx
new file mode 100644
index 000000000..a6c2060d8
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/AuthOrganizationAssignment.tsx
@@ -0,0 +1,102 @@
+import * as React from 'react';
+import { FormGroup, FormSection, Split, SplitItem } from '@patternfly/react-core';
+import { useFormikContext } from 'formik';
+
+import { useTranslation } from '../../../hooks/useTranslation';
+import RadioField from '../../form/RadioField';
+import TextField from '../../form/TextField';
+import ListItemField from '../../form/ListItemField';
+import { AuthProviderFormValues, OrgAssignmentType } from './types';
+
+const OrganizationAssignmentSection = () => {
+  const { t } = useTranslation();
+  const { values } = useFormikContext<AuthProviderFormValues>();
+
+  return (
+    <FormSection title={t('Organization assignment')} className="pf-v5-u-mt-md">
+      <Split hasGutter>
+        <SplitItem>
+          <RadioField
+            id="orgAssignmentStatic"
+            name="orgAssignmentType"
+            label={t('Static')}
+            checkedValue={OrgAssignmentType.Static}
+          />
+        </SplitItem>
+        <SplitItem>
+          <RadioField
+            id="orgAssignmentDynamic"
+            name="orgAssignmentType"
+            label={t('Dynamic')}
+            checkedValue={OrgAssignmentType.Dynamic}
+          />
+        </SplitItem>
+        <SplitItem>
+          <RadioField
+            id="orgAssignmentPerUser"
+            name="orgAssignmentType"
+            label={t('Per user')}
+            checkedValue={OrgAssignmentType.PerUser}
+          />
+        </SplitItem>
+      </Split>
+
+      {values.orgAssignmentType === OrgAssignmentType.Static && (
+        <FormGroup label={t('External organization name')} isRequired>
+          <TextField
+            name="orgName"
+            aria-label={t('External organization name')}
+            helperText={t('Users from this provider will be assigned to this organization')}
+          />
+        </FormGroup>
+      )}
+
+      {values.orgAssignmentType === OrgAssignmentType.Dynamic && (
+        <>
+          <FormGroup label={t('Claim path')} isRequired>
+            <ListItemField
+              name="claimPath"
+              helperText={t('Enter the path segments to the claim (e.g., ["groups"], ["custom_claims", "org_id"])')}
+              addButtonText={t('Add path segment')}
+            />
+          </FormGroup>
+          <FormGroup label={t('Organization name prefix')}>
+            <TextField
+              name="orgNamePrefix"
+              aria-label={t('Organization name prefix')}
+              helperText={t('Optional prefix for the organization name')}
+            />
+          </FormGroup>
+          <FormGroup label={t('Organization name suffix')}>
+            <TextField
+              name="orgNameSuffix"
+              aria-label={t('Organization name suffix')}
+              helperText={t('Optional suffix for the organization name')}
+            />
+          </FormGroup>
+        </>
+      )}
+
+      {values.orgAssignmentType === OrgAssignmentType.PerUser && (
+        <>
+          <FormGroup label={t('Organization name prefix')}>
+            <TextField
+              name="orgNamePrefix"
+              aria-label={t('Organization name prefix')}
+              helperText={t('Optional prefix for the user-specific organization name')}
+            />
+          </FormGroup>
+          <FormGroup label={t('Organization name suffix')}>
+            <TextField
+              name="orgNameSuffix"
+              aria-label={t('Organization name suffix')}
+              helperText={t('Optional suffix for the user-specific organization name')}
+            />
+          </FormGroup>
+        </>
+      )}
+    </FormSection>
+  );
+};
+
+export default OrganizationAssignmentSection;
diff --git a/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/AuthProviderHelperText.tsx b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/AuthProviderHelperText.tsx
new file mode 100644
index 000000000..8b11de4e4
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/AuthProviderHelperText.tsx
@@ -0,0 +1,78 @@
+import * as React from 'react';
+import { useTranslation } from '../../../hooks/useTranslation';
+
+export const ScopesHelperText = () => {
+  const { t } = useTranslation();
+  return (
+    <div>
+      <p>
+        <strong>{t('Purpose')}:</strong>
+        {t('Scopes define the permissions your application requests from the provider.')}
+      </p>
+      <p>
+        <strong>{t('Configuration')}:</strong> {t("Check your provider's documentation for required scopes.")}
+      </p>
+      <p>
+        <strong>{t('Common examples')}:</strong> {t('openid, profile, email, groups.')}
+      </p>
+    </div>
+  );
+};
+
+export const UsernameClaimHelperText = () => {
+  const { t } = useTranslation();
+  return (
+    <div>
+      <p>
+        <strong>{t('Purpose')}:</strong> {t('The claim field that contains the username.')}
+      </p>
+      <p>
+        <strong>{t('Format')}:</strong>{' '}
+        {t(
+          'Enter each segment of the claim path as a separate item. Simple claims like "email" require only one segment. For nested claims like "user.name", add multiple segments in order: first "user", then "name".',
+        )}
+      </p>
+      <p>
+        <strong>{t('Requirements')}:</strong>{' '}
+        {t(
+          'Each segment must start with a letter or underscore and contain only letters, numbers, dots or underscores.',
+        )}
+      </p>
+    </div>
+  );
+};
+
+export const RoleClaimHelperText = () => {
+  const { t } = useTranslation();
+  return (
+    <div>
+      <p>
+        <strong>{t('Purpose')}:</strong>{' '}
+        {t('The claim field that contains user roles or group memberships for authorization.')}
+      </p>
+      <p>
+        <strong>{t('Configuration')}:</strong> {t("Refer to your provider's documentation for the correct claim path.")}
+      </p>
+      <p>
+        <strong>{t('Format')}:</strong>{' '}
+        {t('Use an array of path segments (e.g., ["groups"], ["roles"], ["realm_access", "roles"]).')}
+      </p>
+      <p>
+        <strong>{t('Common examples')}:</strong> {t('["groups"], ["roles"], ["authorities"]')}
+      </p>
+    </div>
+  );
+};
+
+export const RoleSeparatorHelperText = () => {
+  const { t } = useTranslation();
+  return (
+    <div>
+      <p>
+        {t(
+          'Separator for org:role format (default: ":"). Roles containing the separator are split into organization-scoped roles. Roles without separator are global and apply to all organizations. Example: "org1:admin" becomes org-scoped role "admin" for organization "org1", while "admin" becomes a global role.',
+        )}
+      </p>
+    </div>
+  );
+};
diff --git a/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/CreateAuthProvider.tsx b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/CreateAuthProvider.tsx
new file mode 100644
index 000000000..99365a1fb
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/CreateAuthProvider.tsx
@@ -0,0 +1,145 @@
+import * as React from 'react';
+import {
+  Alert,
+  Breadcrumb,
+  BreadcrumbItem,
+  Bullseye,
+  PageSection,
+  PageSectionVariants,
+  Spinner,
+  Text,
+  TextContent,
+  TextVariants,
+  Title,
+} from '@patternfly/react-core';
+
+import { AuthProvider } from '@flightctl/types';
+
+import { useTranslation } from '../../../hooks/useTranslation';
+import { useFetch } from '../../../hooks/useFetch';
+import { Link, ROUTE, useNavigate } from '../../../hooks/useNavigate';
+import { useAppContext } from '../../../hooks/useAppContext';
+import { RESOURCE, VERB } from '../../../types/rbac';
+import { isDynamicAuthProvider } from '../../../types/extraTypes';
+import { getErrorMessage } from '../../../utils/error';
+import PageWithPermissions from '../../common/PageWithPermissions';
+import { usePermissionsContext } from '../../common/PermissionsContext';
+
+import CreateAuthProviderForm from './CreateAuthProviderForm';
+
+const CreateAuthProvider = ({ authProviderId }: { authProviderId: string | undefined }) => {
+  const { t } = useTranslation();
+  const { get } = useFetch();
+  const [error, setError] = React.useState<string>();
+  const [isLoading, setIsLoading] = React.useState(!!authProviderId);
+  const [authProviderDetails, setAuthProviderDetails] = React.useState<AuthProvider>();
+  const navigate = useNavigate();
+
+  React.useEffect(() => {
+    const fetchAuthProvider = async () => {
+      setIsLoading(true);
+      try {
+        const provider = await get<AuthProvider>(`authproviders/${authProviderId}`);
+        // API should not return non-dynamic providers, but we add the check for safety
+        if (!isDynamicAuthProvider(provider)) {
+          throw new Error('Authentication providers of type ' + provider.spec.providerType + ' cannot be modified');
+        }
+        setAuthProviderDetails(provider);
+      } catch (e) {
+        setError(getErrorMessage(e));
+      } finally {
+        setIsLoading(false);
+      }
+    };
+
+    if (authProviderId) {
+      void fetchAuthProvider();
+    }
+  }, [get, authProviderId]);
+
+  let content: React.ReactNode;
+  if (error) {
+    content = (
+      <Alert isInline variant="danger" title={t('An error occurred')}>
+        <div>
+          {t('Failed to retrieve authentication provider details')}: {error}
+        </div>
+      </Alert>
+    );
+  } else if (isLoading) {
+    content = (
+      <Bullseye>
+        <Spinner />
+      </Bullseye>
+    );
+  } else {
+    content = (
+      <CreateAuthProviderForm
+        authProvider={authProviderDetails}
+        onClose={() => navigate(ROUTE.AUTH_PROVIDERS)}
+        onSuccess={(authProvider) =>
+          navigate({ route: ROUTE.AUTH_PROVIDER_DETAILS, postfix: authProvider.metadata.name })
+        }
+      />
+    );
+  }
+
+  let title: string;
+  if (!!authProviderDetails) {
+    title = t('Edit authentication provider');
+  } else {
+    title = t('Add authentication provider');
+  }
+
+  return (
+    <>
+      <PageSection variant="light" type="breadcrumb">
+        <Breadcrumb>
+          <BreadcrumbItem>
+            <Link to={ROUTE.AUTH_PROVIDERS}>{t('Authentication providers')}</Link>
+          </BreadcrumbItem>
+          {authProviderId && (
+            <BreadcrumbItem>
+              <Link to={{ route: ROUTE.AUTH_PROVIDER_DETAILS, postfix: authProviderId }}>{authProviderId}</Link>
+            </BreadcrumbItem>
+          )}
+          <BreadcrumbItem isActive>{title}</BreadcrumbItem>
+        </Breadcrumb>
+      </PageSection>
+      <PageSection variant={PageSectionVariants.light}>
+        <Title headingLevel="h1" size="3xl">
+          {title}
+        </Title>
+        <TextContent>
+          <Text component={TextVariants.small}>
+            {t("Set up how users will sign in and which organization they'll be assigned to.")}
+          </Text>
+        </TextContent>
+      </PageSection>
+      <PageSection variant={PageSectionVariants.light} className="pf-v5-u-pt-0">
+        {content}
+      </PageSection>
+    </>
+  );
+};
+
+const createAuthProviderPermissions = [
+  { kind: RESOURCE.AUTH_PROVIDER, verb: VERB.CREATE },
+  { kind: RESOURCE.AUTH_PROVIDER, verb: VERB.PATCH },
+];
+
+const CreateAuthProviderWithPermissions = () => {
+  const {
+    router: { useParams },
+  } = useAppContext();
+  const { authProviderId } = useParams<{ authProviderId: string }>();
+  const { checkPermissions, loading } = usePermissionsContext();
+  const [createAllowed, patchAllowed] = checkPermissions(createAuthProviderPermissions);
+  return (
+    <PageWithPermissions allowed={authProviderId ? patchAllowed : createAllowed} loading={loading}>
+      <CreateAuthProvider authProviderId={authProviderId} />
+    </PageWithPermissions>
+  );
+};
+
+export default CreateAuthProviderWithPermissions;
diff --git a/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/CreateAuthProviderForm.tsx b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/CreateAuthProviderForm.tsx
new file mode 100644
index 000000000..79bea8903
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/CreateAuthProviderForm.tsx
@@ -0,0 +1,394 @@
+import * as React from 'react';
+import { Alert, Button, FormGroup, FormSection, Grid, Popover, Split, SplitItem } from '@patternfly/react-core';
+import { OutlinedQuestionCircleIcon } from '@patternfly/react-icons/dist/js/icons/outlined-question-circle-icon';
+import { Formik, useFormikContext } from 'formik';
+import * as Yup from 'yup';
+
+import { AuthProvider } from '@flightctl/types';
+import { useTranslation } from '../../../hooks/useTranslation';
+import { useFetch } from '../../../hooks/useFetch';
+import NameField from '../../form/NameField';
+import TextField from '../../form/TextField';
+import RadioField from '../../form/RadioField';
+import SwitchField from '../../form/SwitchField';
+import ListItemField from '../../form/ListItemField';
+import FlightCtlForm from '../../form/FlightCtlForm';
+import FlightCtlActionGroup from '../../form/FlightCtlActionGroup';
+import { getDnsSubdomainValidations } from '../../form/validations';
+import { AuthProviderFormValues, FieldValidationResult, OrgAssignmentType, RoleAssignmentType } from './types';
+import { ProviderType } from '../../../types/extraTypes';
+
+import { authProviderSchema, getAuthProvider, getAuthProviderPatches, getInitValues } from './utils';
+import { getErrorMessage } from '../../../utils/error';
+import LeaveFormConfirmation from '../../common/LeaveFormConfirmation';
+import { FormGroupWithHelperText } from '../../common/WithHelperText';
+
+import Oauth2ProviderFields from './Oauth2ProviderFields';
+import OrganizationAssignmentSection from './AuthOrganizationAssignment';
+import RoleAssignmentSection from './RoleAssignmentSection';
+import TestConnectionModal from '../TestConnectionModal/TestConnectionModal';
+import { ScopesHelperText, UsernameClaimHelperText } from './AuthProviderHelperText';
+
+const appWithSecretClientId = 'CLIENT-ID-1';
+const appWithoutSecretClientId = 'CLIENT-ID-2';
+
+const secretAppClientSecret = 'CLIENT-SECRET-1';
+
+const githubValues = {
+  name: 'github-test',
+  providerType: ProviderType.OAuth2,
+  authorizationUrl: 'https://github.com/login/oauth/authorize',
+  tokenUrl: 'https://github.com/login/oauth/access_token',
+  userinfoUrl: 'https://api.github.com/user',
+  issuer: 'https://api.github.com/user',
+  clientId: appWithoutSecretClientId,
+  clientSecret: secretAppClientSecret,
+  scopes: ['read:user', 'user:email'],
+  usernameClaim: ['login'],
+  roleAssignmentType: RoleAssignmentType.Static,
+  roleClaimPath: [],
+  staticRoles: ['admin'],
+  orgAssignmentType: OrgAssignmentType.Static,
+  orgName: 'default',
+  claimPath: [],
+  orgNamePrefix: '',
+  orgNameSuffix: '',
+};
+
+const googleValues = {
+  name: 'google-oidc',
+  providerType: ProviderType.OIDC,
+  authorizationUrl: '',
+  tokenUrl: '',
+  userinfoUrl: '',
+  issuer: 'https://accounts.google.com',
+  clientId: 'YOUR_CLIENT_ID.apps.googleusercontent.com',
+  clientSecret: 'YOUR_CLIENT_SECRET',
+  scopes: ['openid', 'email', 'profile'],
+  usernameClaim: ['email'],
+  roleAssignmentType: RoleAssignmentType.Static,
+  roleClaimPath: [],
+  staticRoles: [],
+  orgAssignmentType: OrgAssignmentType.Static,
+  orgName: 'default',
+  claimPath: [],
+  orgNamePrefix: '',
+  orgNameSuffix: '',
+};
+
+const ProviderTypeSection = () => {
+  const { t } = useTranslation();
+
+  return (
+    <Split hasGutter>
+      <SplitItem>
+        <RadioField id="oidc-provider-radio" name="providerType" label={t('OIDC')} checkedValue={ProviderType.OIDC} />
+      </SplitItem>
+      <SplitItem>
+        <RadioField
+          id="oauth2-provider-radio"
+          name="providerType"
+          label={t('OAuth2')}
+          checkedValue={ProviderType.OAuth2}
+        />
+      </SplitItem>
+    </Split>
+  );
+};
+
+const EnabledHelpText = () => {
+  const { t } = useTranslation();
+  return (
+    <Popover
+      bodyContent={
+        <div>
+          <p>{t('Turn this on to let users sign in with this provider.')}</p>
+          <p>{t('You can turn it off anytime without losing your settings.')}</p>
+        </div>
+      }
+      withFocusTrap
+      triggerAction="click"
+    >
+      <Button
+        component="a"
+        className="fctl-helper-text__icon"
+        isInline
+        variant="plain"
+        onClick={(ev) => {
+          ev.preventDefault();
+          ev.stopPropagation();
+        }}
+        aria-label="Enabled help text"
+      >
+        <OutlinedQuestionCircleIcon />
+      </Button>
+    </Popover>
+  );
+};
+
+export const AuthProviderForm = ({ isEdit }: { isEdit?: boolean }) => {
+  const { t } = useTranslation();
+  const { values, setValues, initialValues } = useFormikContext<AuthProviderFormValues>();
+
+  const isOidcProvider = values.providerType === ProviderType.OIDC;
+
+  const onClearTestProvider = () => {
+    setValues({
+      ...values,
+      ...initialValues,
+    });
+  };
+  return (
+    <>
+      <div style={{ border: '2px solid blue', padding: '2rem' }}>
+        <FormGroup label={t('Test provider')}>
+          <RadioField
+            id="github-test-provider-radio"
+            name="testProvider"
+            label={t('GitHub with secret')}
+            checkedValue="githubWithSecret"
+            onChangeCustom={(value) => {
+              if (value) {
+                setValues({
+                  ...values,
+                  ...githubValues,
+                  ...{
+                    name: 'github-test-with-secret',
+                    displayName: 'GitHub with secret',
+                    clientId: appWithSecretClientId,
+                    clientSecret: secretAppClientSecret,
+                  },
+                });
+              }
+            }}
+          />
+          <RadioField
+            id="github-test-provider-radio"
+            name="testProvider"
+            label={t('GitHub without secret')}
+            checkedValue="githubWithoutSecret"
+            onChangeCustom={(value) => {
+              if (value) {
+                setValues({
+                  ...values,
+                  ...githubValues,
+                  ...{
+                    name: 'github-test-without-secret',
+                    displayName: 'GitHub without secret',
+                    clientId: appWithoutSecretClientId,
+                    clientSecret: 'fake-secret',
+                  },
+                });
+              }
+            }}
+          />
+          <RadioField
+            id="google-test-provider-radio"
+            name="testProvider"
+            label={t('Google')}
+            checkedValue="google"
+            onChangeCustom={(value) => {
+              if (value) {
+                setValues({
+                  ...values,
+                  ...googleValues,
+                });
+              }
+            }}
+          />
+        </FormGroup>
+        <Button variant="secondary" onClick={onClearTestProvider}>
+          {t('Clear')}
+        </Button>
+      </div>
+
+      <SwitchField name="enabled" label={t('Enabled')} labelIcon={<EnabledHelpText />} />
+
+      <NameField
+        name="name"
+        aria-label={t('Provider name')}
+        isRequired
+        isDisabled={isEdit}
+        resourceType="authproviders"
+        validations={getDnsSubdomainValidations(t)}
+        helperText={t("You can't change the provider name after it's created")}
+      />
+
+      <FormGroup label={t('Display name')}>
+        <TextField name="displayName" aria-label={t('Display name')} helperText={t('Display name for this provider')} />
+      </FormGroup>
+
+      <ProviderTypeSection />
+
+      {values.providerType === ProviderType.OAuth2 && <Oauth2ProviderFields />}
+
+      <FormGroup label={t('Issuer URL')} isRequired={isOidcProvider}>
+        <TextField name="issuer" aria-label={t('Issuer URL')} />
+      </FormGroup>
+
+      <FormGroup label={t('Client ID')} isRequired>
+        <TextField name="clientId" aria-label={t('Client ID')} />
+      </FormGroup>
+
+      <FormGroup label={t('Client secret')} isRequired>
+        <TextField name="clientSecret" aria-label={t('Client secret')} type="password" />
+      </FormGroup>
+
+      <FormSection title={t('User identity & authorization')}>
+        <FormGroupWithHelperText label={t('Scopes')} content={<ScopesHelperText />}>
+          <ListItemField
+            name="scopes"
+            helperText={t('Add scopes required to access username and role claims from your authentication provider.')}
+            addButtonText={t('Add scope')}
+          />
+        </FormGroupWithHelperText>
+
+        <FormGroupWithHelperText label={t('Username claim path')} content={<UsernameClaimHelperText />}>
+          <ListItemField
+            name="usernameClaim"
+            helperText={t('Enter the path segments to the username claim')}
+            addButtonText={t('Add path segment')}
+            resolvedValue={(items) => items.join('.')}
+            resolvedLabel={t('Resulting username claim')}
+          />
+        </FormGroupWithHelperText>
+      </FormSection>
+
+      <RoleAssignmentSection />
+
+      <OrganizationAssignmentSection />
+    </>
+  );
+};
+
+const CreateAuthProviderFormContent = ({
+  isEdit,
+  onClose,
+  children,
+}: React.PropsWithChildren<{
+  onClose: VoidFunction;
+  isEdit: boolean;
+}>) => {
+  const { t } = useTranslation();
+  const { isValid, dirty, submitForm, isSubmitting, values } = useFormikContext<AuthProviderFormValues>();
+  const { proxyFetch } = useFetch();
+
+  const [isTesting, setIsTesting] = React.useState(false);
+  const [testResults, setTestResults] = React.useState<FieldValidationResult[] | null>(null);
+  const [testError, setTestError] = React.useState<string>();
+  const isSubmitDisabled = isSubmitting || !isValid || !dirty;
+  const isTestingDisabled = isSubmitting || !isValid || isTesting || (!isEdit && !dirty);
+
+  const handleTestConnection = async () => {
+    setIsTesting(true);
+    setTestError(undefined);
+
+    try {
+      const requestBody = {
+        providerType: values.providerType,
+        issuer: values.issuer,
+        authorizationUrl: values.authorizationUrl,
+        tokenUrl: values.tokenUrl,
+        userinfoUrl: values.userinfoUrl,
+        clientId: values.clientId,
+      };
+
+      const response = await proxyFetch('test-auth-provider-connection', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(requestBody),
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(errorText || `HTTP ${response.status}`);
+      }
+
+      const data = (await response.json()) as { results: FieldValidationResult[] };
+      setTestResults(data.results);
+    } catch (err) {
+      setTestError(getErrorMessage(err));
+    } finally {
+      setIsTesting(false);
+    }
+  };
+
+  return (
+    <FlightCtlForm>
+      <Grid hasGutter span={8}>
+        <AuthProviderForm isEdit={isEdit} />
+      </Grid>
+      {children}
+      {testError && (
+        <Alert isInline variant="danger" title={t('Test connection failed')}>
+          {testError}
+        </Alert>
+      )}
+      <FlightCtlActionGroup>
+        <Button variant="primary" onClick={submitForm} isLoading={isSubmitting} isDisabled={isSubmitDisabled}>
+          {isEdit ? t('Save') : t('Create authentication provider')}
+        </Button>
+        <Button variant="secondary" onClick={handleTestConnection} isLoading={isTesting} isDisabled={isTestingDisabled}>
+          {t('Test connection')}
+        </Button>
+        <Button variant="link" isDisabled={isSubmitting} onClick={onClose}>
+          {t('Cancel')}
+        </Button>
+      </FlightCtlActionGroup>
+      {testResults && <TestConnectionModal onClose={() => setTestResults(null)} results={testResults} />}
+    </FlightCtlForm>
+  );
+};
+
+export type CreateAuthProviderFormProps = {
+  onClose: VoidFunction;
+  onSuccess: (authProvider: AuthProvider) => void;
+  authProvider?: AuthProvider;
+};
+
+const CreateAuthProviderForm = ({ authProvider, onClose, onSuccess }: CreateAuthProviderFormProps) => {
+  const { t } = useTranslation();
+  const { patch, post } = useFetch();
+  const [error, setError] = React.useState<string>();
+
+  return (
+    <Formik<AuthProviderFormValues>
+      initialValues={getInitValues(authProvider)}
+      validationSchema={Yup.lazy(authProviderSchema(t))}
+      onSubmit={async (values) => {
+        setError(undefined);
+        if (authProvider) {
+          const patches = getAuthProviderPatches(values, authProvider);
+          try {
+            if (patches.length) {
+              await patch<AuthProvider>(`authproviders/${authProvider.metadata.name}`, patches);
+              onSuccess(authProvider);
+            }
+          } catch (e) {
+            setError(getErrorMessage(e));
+          }
+        } else {
+          try {
+            const provider = await post<AuthProvider>('authproviders', getAuthProvider(values));
+            onSuccess(provider);
+          } catch (e) {
+            setError(getErrorMessage(e));
+          }
+        }
+      }}
+    >
+      <CreateAuthProviderFormContent isEdit={!!authProvider} onClose={onClose}>
+        {error && (
+          <Alert isInline variant="danger" title={t('An error occurred')}>
+            {error}
+          </Alert>
+        )}
+        <LeaveFormConfirmation />
+      </CreateAuthProviderFormContent>
+    </Formik>
+  );
+};
+
+export default CreateAuthProviderForm;
diff --git a/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/Oauth2ProviderFields.tsx b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/Oauth2ProviderFields.tsx
new file mode 100644
index 000000000..d222e4edf
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/Oauth2ProviderFields.tsx
@@ -0,0 +1,24 @@
+import * as React from 'react';
+import { FormGroup } from '@patternfly/react-core';
+
+import { useTranslation } from '../../../hooks/useTranslation';
+import TextField from '../../form/TextField';
+
+const OAuth2ProviderFields = () => {
+  const { t } = useTranslation();
+  return (
+    <>
+      <FormGroup label={t('Authorization URL')} isRequired>
+        <TextField name="authorizationUrl" aria-label={t('Authorization URL')} />
+      </FormGroup>
+      <FormGroup label={t('Token URL')} isRequired>
+        <TextField name="tokenUrl" aria-label={t('Token URL')} />
+      </FormGroup>
+      <FormGroup label={t('Userinfo URL')} isRequired>
+        <TextField name="userinfoUrl" aria-label={t('Userinfo URL')} />
+      </FormGroup>
+    </>
+  );
+};
+
+export default OAuth2ProviderFields;
diff --git a/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/RoleAssignmentSection.tsx b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/RoleAssignmentSection.tsx
new file mode 100644
index 000000000..cc66def2b
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/RoleAssignmentSection.tsx
@@ -0,0 +1,165 @@
+import * as React from 'react';
+import { TFunction } from 'react-i18next';
+import {
+  FormGroup,
+  FormSection,
+  Label,
+  LabelGroup,
+  MenuToggle,
+  Select,
+  SelectList,
+  SelectOption,
+  Split,
+  SplitItem,
+} from '@patternfly/react-core';
+import { useField, useFormikContext } from 'formik';
+
+import { useTranslation } from '../../../hooks/useTranslation';
+import RadioField from '../../form/RadioField';
+import ListItemField from '../../form/ListItemField';
+import TextField from '../../form/TextField';
+import ErrorHelperText, { DefaultHelperText } from '../../form/FieldHelperText';
+import { AuthProviderFormValues, RoleAssignmentType } from './types';
+import { FormGroupWithHelperText } from '../../common/WithHelperText';
+import { RoleClaimHelperText, RoleSeparatorHelperText } from './AuthProviderHelperText';
+
+const getAvailableRoles = (t: TFunction): Record<string, string> => ({
+  admin: t('System administrator'),
+  'org-admin': t('Organization administrator'),
+  operator: t('Operator'),
+  installer: t('Installer'),
+  viewer: t('Viewer'),
+});
+
+const RoleSelector = () => {
+  const { t } = useTranslation();
+  const [{ value: roles }, meta, { setValue }] = useField<string[]>('staticRoles');
+  const [isOpen, setIsOpen] = React.useState(false);
+
+  const allRoles = React.useMemo(() => {
+    return getAvailableRoles(t);
+  }, [t]);
+
+  const availableRoles = React.useMemo(() => {
+    return Object.entries(allRoles)
+      .filter(([roleCode]) => !roles.includes(roleCode))
+      .map(([roleCode, roleLabel]) => ({
+        value: roleCode,
+        label: roleLabel,
+      }));
+  }, [roles, allRoles]);
+
+  const onAddRole = (role: string) => {
+    if (!roles.includes(role)) {
+      setValue([...roles, role], true);
+    }
+    setIsOpen(false);
+  };
+
+  const onDelete = (role: string) => {
+    setValue(
+      roles.filter((r) => r !== role),
+      true,
+    );
+  };
+
+  const hasAvailableRoles = availableRoles.length > 0;
+
+  return (
+    <>
+      <DefaultHelperText helperText={t('List of roles to assign to all users from this provider')} />
+      <LabelGroup
+        numLabels={5}
+        isEditable
+        addLabelControl={
+          <Select
+            isOpen={isOpen}
+            onOpenChange={setIsOpen}
+            onSelect={(_, value) => onAddRole(value as string)}
+            toggle={(toggleRef) => (
+              <MenuToggle
+                ref={toggleRef}
+                isDisabled={!hasAvailableRoles}
+                onClick={() => setIsOpen(!isOpen)}
+                isExpanded={isOpen}
+                className="pf-v5-u-ml-xs"
+              >
+                {t('Add role')}
+              </MenuToggle>
+            )}
+            shouldFocusToggleOnSelect
+          >
+            <SelectList>
+              {availableRoles.map((role) => (
+                <SelectOption key={role.value} value={role.value}>
+                  {role.label}
+                </SelectOption>
+              ))}
+            </SelectList>
+          </Select>
+        }
+      >
+        {roles.map((roleCode) => (
+          <Label key={roleCode} onClose={() => onDelete(roleCode)} textMaxWidth="18ch" isEditable>
+            {allRoles[roleCode]}
+          </Label>
+        ))}
+      </LabelGroup>
+      <ErrorHelperText meta={meta} touchRequired={false} />
+    </>
+  );
+};
+
+const RoleAssignmentSection = () => {
+  const { t } = useTranslation();
+  const { values } = useFormikContext<AuthProviderFormValues>();
+
+  return (
+    <FormSection title={t('Role assignment')} className="pf-v5-u-mt-md">
+      <Split hasGutter>
+        <SplitItem>
+          <RadioField
+            id="roleAssignmentStatic"
+            name="roleAssignmentType"
+            label={t('Static')}
+            checkedValue={RoleAssignmentType.Static}
+          />
+        </SplitItem>
+        <SplitItem>
+          <RadioField
+            id="roleAssignmentDynamic"
+            name="roleAssignmentType"
+            label={t('Dynamic')}
+            checkedValue={RoleAssignmentType.Dynamic}
+          />
+        </SplitItem>
+      </Split>
+
+      {values.roleAssignmentType === RoleAssignmentType.Static && (
+        <FormGroup label={t('Roles')} isRequired>
+          <RoleSelector />
+        </FormGroup>
+      )}
+
+      {values.roleAssignmentType === RoleAssignmentType.Dynamic && (
+        <>
+          <FormGroupWithHelperText label={t('Role claim path')} content={<RoleClaimHelperText />}>
+            <ListItemField
+              name="roleClaimPath"
+              helperText={t(
+                'Path segments to the role/group claim (e.g., ["groups"], ["roles"], ["realm_access", "roles"])',
+              )}
+              addButtonText={t('Add path segment')}
+            />
+          </FormGroupWithHelperText>
+
+          <FormGroupWithHelperText label={t('Separator')} content={<RoleSeparatorHelperText />}>
+            <TextField name="roleSeparator" id="roleSeparator" aria-label={t('Separator')} placeholder=":" />
+          </FormGroupWithHelperText>
+        </>
+      )}
+    </FormSection>
+  );
+};
+
+export default RoleAssignmentSection;
diff --git a/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/types.ts b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/types.ts
new file mode 100644
index 000000000..fd23b9b8e
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/types.ts
@@ -0,0 +1,96 @@
+import {
+  AuthDynamicOrganizationAssignment,
+  AuthDynamicRoleAssignment,
+  AuthOrganizationAssignment,
+  AuthPerUserOrganizationAssignment,
+  AuthProviderSpec,
+  AuthRoleAssignment,
+  AuthStaticOrganizationAssignment,
+  AuthStaticRoleAssignment,
+  OAuth2ProviderSpec,
+  OIDCProviderSpec,
+} from '@flightctl/types';
+import { ProviderType } from '../../../types/extraTypes';
+
+export enum OrgAssignmentType {
+  Static = 'static',
+  Dynamic = 'dynamic',
+  PerUser = 'perUser',
+}
+
+export const DEFAULT_USERNAME_CLAIM = 'preferred_username';
+export const DEFAULT_ROLE_CLAIM = 'groups';
+export const DEFAULT_ROLE_SEPARATOR = ':';
+
+export const isOidcProvider = (providerSpec: AuthProviderSpec): providerSpec is OIDCProviderSpec =>
+  providerSpec.providerType === ProviderType.OIDC;
+
+export const isOAuth2Provider = (providerSpec: AuthProviderSpec): providerSpec is OAuth2ProviderSpec =>
+  providerSpec.providerType === ProviderType.OAuth2;
+
+export const isOrgAssignmentStatic = (
+  orgAssignment: AuthOrganizationAssignment,
+): orgAssignment is AuthStaticOrganizationAssignment => orgAssignment.type === OrgAssignmentType.Static;
+
+export const isOrgAssignmentDynamic = (
+  orgAssignment: AuthOrganizationAssignment,
+): orgAssignment is AuthDynamicOrganizationAssignment => orgAssignment.type === OrgAssignmentType.Dynamic;
+
+export const isOrgAssignmentPerUser = (
+  orgAssignment: AuthOrganizationAssignment,
+): orgAssignment is AuthPerUserOrganizationAssignment => orgAssignment.type === OrgAssignmentType.PerUser;
+
+export enum RoleAssignmentType {
+  Static = 'static',
+  Dynamic = 'dynamic',
+}
+
+export const isRoleAssignmentStatic = (
+  roleAssignment: AuthRoleAssignment,
+): roleAssignment is AuthStaticRoleAssignment => roleAssignment.type === RoleAssignmentType.Static;
+
+export const isRoleAssignmentDynamic = (
+  roleAssignment: AuthRoleAssignment,
+): roleAssignment is AuthDynamicRoleAssignment => roleAssignment.type === RoleAssignmentType.Dynamic;
+
+export type AuthProviderFormValues = {
+  exists: boolean;
+  name: string;
+  displayName?: string;
+  providerType: ProviderType;
+  issuer: string;
+  clientId: string;
+  clientSecret: string;
+  enabled: boolean;
+  scopes: string[];
+  usernameClaim?: string[]; // Array of path segments (e.g., ["preferred_username"] or ["custom", "user_id"])
+  roleAssignmentType?: RoleAssignmentType;
+  roleClaimPath?: string[]; // For dynamic role assignment
+  roleSeparator?: string; // For dynamic role assignment - separator for org:role format
+  staticRoles?: string[]; // For static role assignment
+
+  // OAuth2 specific fields
+  authorizationUrl?: string;
+  tokenUrl?: string;
+  userinfoUrl?: string;
+
+  orgAssignmentType: OrgAssignmentType;
+  orgName?: string; // OrgAssignment: Static only
+  claimPath?: string[]; // OrgAssignment: Dynamic only - array of path segments
+  orgNamePrefix?: string; // OrgAssignment: Dynamic and perUser
+  orgNameSuffix?: string; // OrgAssignment: Dynamic and perUser
+};
+
+// Test connection types
+export type FieldValidation = {
+  valid: boolean;
+  value?: string;
+  notes?: string[];
+};
+
+export type FieldValidationResult = {
+  field: string;
+  valid: boolean;
+  value?: string;
+  notes?: string[];
+};
diff --git a/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts
new file mode 100644
index 000000000..b79cb9338
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/CreateAuthProvider/utils.ts
@@ -0,0 +1,556 @@
+import * as Yup from 'yup';
+import { TFunction } from 'i18next';
+import {
+  AuthDynamicRoleAssignment,
+  AuthOrganizationAssignment,
+  AuthProvider,
+  AuthProviderSpec,
+  AuthRoleAssignment,
+  AuthStaticRoleAssignment,
+  OAuth2ProviderSpec,
+  PatchRequest,
+} from '@flightctl/types';
+import { appendJSONPatch } from '../../../utils/patch';
+import {
+  AuthProviderFormValues,
+  DEFAULT_ROLE_SEPARATOR,
+  OrgAssignmentType,
+  RoleAssignmentType,
+  isOAuth2Provider,
+  isOrgAssignmentDynamic,
+  isOrgAssignmentPerUser,
+  isOrgAssignmentStatic,
+  isRoleAssignmentDynamic,
+  isRoleAssignmentStatic,
+} from './types';
+import { validKubernetesDnsSubdomain } from '../../form/validations';
+import { DynamicAuthProviderSpec, ProviderType } from '../../../types/extraTypes';
+
+export const getAssignmentTypeLabel = (
+  type: AuthOrganizationAssignment['type'] | AuthRoleAssignment['type'] | undefined,
+  t: TFunction,
+) => {
+  switch (type) {
+    case OrgAssignmentType.Static: {
+      return t('Static');
+    }
+    case OrgAssignmentType.Dynamic: {
+      return t('Dynamic');
+    }
+    case OrgAssignmentType.PerUser: {
+      return t('Per user');
+    }
+    default: {
+      return 'N/A';
+    }
+  }
+};
+
+export const getProviderTypeLabel = (type: AuthProviderSpec['providerType'], t: TFunction) => {
+  switch (type) {
+    case ProviderType.OIDC: {
+      return t('OIDC');
+    }
+    case ProviderType.OAuth2: {
+      return t('OAuth2');
+    }
+    default: {
+      return 'N/A';
+    }
+  }
+};
+
+export const getInitValues = (authProvider?: AuthProvider): AuthProviderFormValues => {
+  if (!authProvider) {
+    return {
+      exists: false,
+      enabled: true,
+      name: '',
+      displayName: '',
+      providerType: ProviderType.OIDC,
+      issuer: '',
+      clientId: '',
+      clientSecret: '',
+      scopes: [],
+      usernameClaim: [],
+      roleAssignmentType: RoleAssignmentType.Static,
+      roleClaimPath: [],
+      roleSeparator: DEFAULT_ROLE_SEPARATOR,
+      staticRoles: [],
+      orgAssignmentType: OrgAssignmentType.Static,
+      orgName: '',
+      claimPath: [],
+      orgNamePrefix: '',
+      orgNameSuffix: '',
+    };
+  }
+
+  let orgAssignmentType: OrgAssignmentType;
+  let orgName = '';
+  let claimPath: string[] = [];
+  let orgNamePrefix = '';
+  let orgNameSuffix = '';
+
+  const spec = authProvider.spec as DynamicAuthProviderSpec;
+
+  const orgAssignment = spec.organizationAssignment;
+  if (isOrgAssignmentDynamic(orgAssignment)) {
+    orgAssignmentType = OrgAssignmentType.Dynamic;
+    claimPath = orgAssignment.claimPath || [];
+    orgNamePrefix = orgAssignment.organizationNamePrefix || '';
+    orgNameSuffix = orgAssignment.organizationNameSuffix || '';
+  } else if (isOrgAssignmentPerUser(orgAssignment)) {
+    orgAssignmentType = OrgAssignmentType.PerUser;
+    orgNamePrefix = orgAssignment.organizationNamePrefix || '';
+    orgNameSuffix = orgAssignment.organizationNameSuffix || '';
+  } else {
+    orgAssignmentType = OrgAssignmentType.Static;
+    orgName = orgAssignment.organizationName;
+  }
+
+  let roleAssignmentType: RoleAssignmentType = RoleAssignmentType.Dynamic;
+  let roleClaimPath: string[] = [];
+  let roleSeparator: string = DEFAULT_ROLE_SEPARATOR;
+  let staticRoles: string[] = [];
+
+  const roleAssignment = spec.roleAssignment;
+  if (isRoleAssignmentStatic(roleAssignment)) {
+    roleAssignmentType = RoleAssignmentType.Static;
+    staticRoles = roleAssignment.roles || [];
+  } else if (isRoleAssignmentDynamic(roleAssignment)) {
+    roleAssignmentType = RoleAssignmentType.Dynamic;
+    roleClaimPath = roleAssignment.claimPath || [];
+    roleSeparator = roleAssignment.separator || DEFAULT_ROLE_SEPARATOR;
+  }
+
+  const isOAuth2 = isOAuth2Provider(spec);
+  return {
+    exists: true,
+    name: authProvider.metadata.name as string,
+    displayName: spec.displayName,
+    providerType: spec.providerType as ProviderType,
+    issuer: spec.issuer || '',
+    clientId: spec.clientId,
+    clientSecret: spec.clientSecret,
+    enabled: spec.enabled ?? true,
+    authorizationUrl: isOAuth2 ? spec.authorizationUrl : undefined,
+    tokenUrl: isOAuth2 ? spec.tokenUrl : undefined,
+    userinfoUrl: isOAuth2 ? spec.userinfoUrl : undefined,
+    scopes: spec.scopes || [],
+    usernameClaim: spec.usernameClaim || [],
+    roleAssignmentType,
+    roleClaimPath,
+    roleSeparator,
+    staticRoles,
+    orgAssignmentType,
+    orgName,
+    claimPath,
+    orgNamePrefix,
+    orgNameSuffix,
+  };
+};
+
+const getOrgAssignment = (values: AuthProviderFormValues): AuthOrganizationAssignment => {
+  if (values.orgAssignmentType === OrgAssignmentType.Static) {
+    return {
+      type: OrgAssignmentType.Static,
+      organizationName: values.orgName || '',
+    };
+  }
+
+  let orgAssignment: AuthOrganizationAssignment;
+  if (values.orgAssignmentType === OrgAssignmentType.PerUser) {
+    orgAssignment = {
+      type: OrgAssignmentType.PerUser,
+      organizationNamePrefix: values.orgNamePrefix,
+      organizationNameSuffix: values.orgNameSuffix,
+    };
+  } else {
+    orgAssignment = {
+      type: OrgAssignmentType.Dynamic,
+      claimPath: values.claimPath || [],
+      organizationNamePrefix: values.orgNamePrefix,
+      organizationNameSuffix: values.orgNameSuffix,
+    };
+  }
+
+  return orgAssignment;
+};
+
+/**
+ * Deep equality check for AuthOrganizationAssignment objects.
+ * Compares objects by their type and relevant fields, handling arrays properly.
+ */
+const isOrgAssignmentEqual = (a: AuthOrganizationAssignment, b: AuthOrganizationAssignment): boolean => {
+  if (a.type !== b.type) {
+    return false;
+  }
+
+  switch (a.type) {
+    case OrgAssignmentType.Static: {
+      if (!isOrgAssignmentStatic(b)) {
+        return false;
+      }
+      return (a.organizationName || '') === (b.organizationName || '');
+    }
+    case OrgAssignmentType.Dynamic: {
+      if (!isOrgAssignmentDynamic(b)) {
+        return false;
+      }
+      const aClaimPath = a.claimPath || [];
+      const bClaimPath = b.claimPath || [];
+      if (aClaimPath.length !== bClaimPath.length) {
+        return false;
+      }
+      if (!aClaimPath.every((val, idx) => val === bClaimPath[idx])) {
+        return false;
+      }
+      return (
+        (a.organizationNamePrefix || '') === (b.organizationNamePrefix || '') &&
+        (a.organizationNameSuffix || '') === (b.organizationNameSuffix || '')
+      );
+    }
+    case OrgAssignmentType.PerUser: {
+      if (!isOrgAssignmentPerUser(b)) {
+        return false;
+      }
+      return (
+        (a.organizationNamePrefix || '') === (b.organizationNamePrefix || '') &&
+        (a.organizationNameSuffix || '') === (b.organizationNameSuffix || '')
+      );
+    }
+    default: {
+      return false;
+    }
+  }
+};
+
+/**
+ * Deep equality check for AuthRoleAssignment objects.
+ * Compares objects by their type and relevant fields, handling arrays properly.
+ */
+const isRoleAssignmentEqual = (a: AuthRoleAssignment, b: AuthRoleAssignment): boolean => {
+  if (a.type !== b.type) {
+    return false;
+  }
+
+  switch (a.type) {
+    case RoleAssignmentType.Static: {
+      if (!isRoleAssignmentStatic(b)) {
+        return false;
+      }
+      const aRoles = a.roles || [];
+      const bRoles = b.roles || [];
+      if (aRoles.length !== bRoles.length) {
+        return false;
+      }
+      // Compare roles arrays (order matters for roles)
+      return aRoles.every((val, idx) => val === bRoles[idx]);
+    }
+    case RoleAssignmentType.Dynamic: {
+      if (!isRoleAssignmentDynamic(b)) {
+        return false;
+      }
+      const aClaimPath = a.claimPath || [];
+      const bClaimPath = b.claimPath || [];
+      if (aClaimPath.length !== bClaimPath.length) {
+        return false;
+      }
+      // Compare claim path arrays (order matters)
+      if (!aClaimPath.every((val, idx) => val === bClaimPath[idx])) {
+        return false;
+      }
+      return (a.separator || DEFAULT_ROLE_SEPARATOR) === (b.separator || DEFAULT_ROLE_SEPARATOR);
+    }
+    default: {
+      return false;
+    }
+  }
+};
+
+const getRoleAssignment = (values: AuthProviderFormValues): AuthRoleAssignment => {
+  if (values.roleAssignmentType === RoleAssignmentType.Static) {
+    const staticAssignment: AuthStaticRoleAssignment = {
+      type: RoleAssignmentType.Static,
+      roles: values.staticRoles || [],
+    };
+    return staticAssignment as AuthRoleAssignment;
+  } else {
+    const dynamicAssignment: AuthDynamicRoleAssignment = {
+      type: RoleAssignmentType.Dynamic,
+      claimPath: values.roleClaimPath || [],
+      separator: values.roleSeparator || DEFAULT_ROLE_SEPARATOR,
+    };
+    return dynamicAssignment as AuthRoleAssignment;
+  }
+};
+
+export const getAuthProvider = (values: AuthProviderFormValues): AuthProvider => {
+  const baseSpec = {
+    providerType: values.providerType,
+    displayName: values.displayName,
+    clientId: values.clientId,
+    clientSecret: values.clientSecret,
+    enabled: values.enabled,
+    issuer: values.issuer,
+    scopes: values.scopes,
+    usernameClaim: values.usernameClaim || [],
+    roleAssignment: getRoleAssignment(values),
+    organizationAssignment: getOrgAssignment(values),
+  };
+
+  let spec: AuthProviderSpec;
+  if (values.providerType === ProviderType.OAuth2) {
+    spec = {
+      ...baseSpec,
+      providerType: ProviderType.OAuth2,
+      authorizationUrl: values.authorizationUrl || '',
+      tokenUrl: values.tokenUrl || '',
+      userinfoUrl: values.userinfoUrl || '',
+    };
+  } else {
+    spec = {
+      ...baseSpec,
+      providerType: ProviderType.OIDC,
+    };
+  }
+
+  return {
+    apiVersion: 'v1alpha1',
+    kind: 'AuthProvider',
+    metadata: {
+      name: values.name,
+    },
+    spec,
+  };
+};
+
+const patchAuthProviderFields = (
+  patches: PatchRequest,
+  spec: DynamicAuthProviderSpec,
+  newSpec: DynamicAuthProviderSpec,
+  options: { skipSecrets?: boolean } = {},
+) => {
+  const { skipSecrets = false } = options;
+
+  appendJSONPatch({
+    patches,
+    originalValue: spec.issuer,
+    newValue: newSpec.issuer,
+    path: '/spec/issuer',
+  });
+
+  appendJSONPatch({
+    patches,
+    originalValue: spec.clientId,
+    newValue: newSpec.clientId,
+    path: '/spec/clientId',
+  });
+
+  if (!skipSecrets) {
+    appendJSONPatch({
+      patches,
+      originalValue: spec.clientSecret,
+      newValue: newSpec.clientSecret,
+      path: '/spec/clientSecret',
+    });
+  }
+
+  appendJSONPatch({
+    patches,
+    originalValue: spec.enabled ?? true,
+    newValue: newSpec.enabled ?? true,
+    path: '/spec/enabled',
+  });
+
+  if (JSON.stringify(spec.scopes) !== JSON.stringify(newSpec.scopes)) {
+    appendJSONPatch({
+      patches,
+      originalValue: spec.scopes,
+      newValue: newSpec.scopes,
+      path: '/spec/scopes',
+    });
+  }
+
+  const orgAssignmentChanged = !isOrgAssignmentEqual(spec.organizationAssignment, newSpec.organizationAssignment);
+  if (orgAssignmentChanged) {
+    appendJSONPatch({
+      patches,
+      originalValue: spec.organizationAssignment,
+      newValue: newSpec.organizationAssignment,
+      path: '/spec/organizationAssignment',
+    });
+  }
+
+  appendJSONPatch({
+    patches,
+    originalValue: spec.displayName,
+    newValue: newSpec.displayName,
+    path: '/spec/displayName',
+  });
+
+  appendJSONPatch({
+    patches,
+    originalValue: spec.usernameClaim,
+    newValue: newSpec.usernameClaim,
+    path: '/spec/usernameClaim',
+  });
+
+  const roleAssignmentChanged = !isRoleAssignmentEqual(spec.roleAssignment, newSpec.roleAssignment);
+  if (roleAssignmentChanged) {
+    appendJSONPatch({
+      patches,
+      originalValue: spec.roleAssignment,
+      newValue: newSpec.roleAssignment,
+      path: '/spec/roleAssignment',
+    });
+  }
+};
+
+const patchProviderTypeSpecificFields = (patches: PatchRequest, spec: AuthProviderSpec, newSpec: AuthProviderSpec) => {
+  const oauth2Fields: Array<keyof OAuth2ProviderSpec> = ['authorizationUrl', 'tokenUrl', 'userinfoUrl'];
+
+  const wasOAuth2Before = isOAuth2Provider(spec);
+  const isNowOAuth2 = isOAuth2Provider(newSpec);
+
+  if (isNowOAuth2) {
+    oauth2Fields.forEach((field) => {
+      appendJSONPatch({
+        patches,
+        originalValue: wasOAuth2Before ? spec[field] : undefined,
+        newValue: newSpec[field],
+        path: `/spec/${field}`,
+      });
+    });
+  } else if (wasOAuth2Before) {
+    // Changing from Oauth2 to OIDC, we need to remove the Oauth2 specific fields
+    oauth2Fields.forEach((field) => {
+      patches.push({ op: 'remove', path: `/spec/${field}` });
+    });
+  }
+};
+
+export const getAuthProviderPatches = (values: AuthProviderFormValues, authProvider: AuthProvider): PatchRequest => {
+  const patches: PatchRequest = [];
+  const prevSpec = authProvider.spec as DynamicAuthProviderSpec;
+
+  const newAuthProvider = getAuthProvider(values);
+  const newSpec = newAuthProvider.spec as DynamicAuthProviderSpec;
+
+  const providerTypeChanged = prevSpec.providerType !== newSpec.providerType;
+  const secretWasChanged = prevSpec.clientSecret !== newSpec.clientSecret;
+
+  // If provider type changed AND user provided a new secret, we can do a full replace
+  if (providerTypeChanged && secretWasChanged) {
+    patches.push({
+      op: 'replace',
+      path: '/spec',
+      value: newSpec,
+    });
+    return patches;
+  }
+
+  // In every other case, we need to patch the fields individually
+  if (providerTypeChanged) {
+    patches.push({
+      op: 'replace',
+      path: '/spec/providerType',
+      value: newSpec.providerType,
+    });
+  }
+
+  // Patch all common fields
+  patchAuthProviderFields(patches, prevSpec, newSpec, { skipSecrets: !secretWasChanged });
+
+  // Handle provider-specific fields (OAuth2 vs OIDC)
+  patchProviderTypeSpecificFields(patches, prevSpec, newSpec);
+
+  return patches;
+};
+
+export const authProviderSchema = (t: TFunction) => (values: AuthProviderFormValues) => {
+  const baseSchema = {
+    name: validKubernetesDnsSubdomain(t, { isRequired: true }),
+    providerType: Yup.string().oneOf(Object.values(ProviderType)).required(t('Provider type is required')),
+    clientId: Yup.string().required(t('Client ID is required')),
+    clientSecret: Yup.string().required(t('Client secret is required')),
+    enabled: Yup.boolean(),
+    scopes: Yup.array()
+      .of(Yup.string())
+      .test('unique-scopes', t('Please remove duplicate scopes'), (scopes) => {
+        const uniqueScopes = new Set(scopes || []);
+        return uniqueScopes.size === scopes?.length;
+      }),
+    usernameClaim: Yup.array().of(Yup.string()),
+    roleAssignmentType: Yup.string().oneOf(Object.values(RoleAssignmentType)),
+    roleClaimPath: Yup.array()
+      .of(Yup.string())
+      .when('roleAssignmentType', (roleAssignmentType, schema) => {
+        const roleType = (
+          Array.isArray(roleAssignmentType) ? roleAssignmentType[0] : roleAssignmentType
+        ) as RoleAssignmentType;
+        return roleType === RoleAssignmentType.Dynamic
+          ? schema.min(1, t('At least one claim path segment is required for dynamic role assignment'))
+          : schema;
+      }),
+    roleSeparator: Yup.string().optional().nullable(),
+    staticRoles: Yup.array()
+      .of(Yup.string())
+      .when('roleAssignmentType', (roleAssignmentType, schema) => {
+        const roleType = (
+          Array.isArray(roleAssignmentType) ? roleAssignmentType[0] : roleAssignmentType
+        ) as RoleAssignmentType;
+        return roleType === RoleAssignmentType.Static
+          ? schema.min(1, t('At least one role is required for static role assignment'))
+          : schema;
+      }),
+    orgAssignmentType: Yup.string()
+      .oneOf(Object.values(OrgAssignmentType))
+      .required(t('Organization assignment type is required')),
+  };
+
+  let schema: Record<string, Yup.Schema> = { ...baseSchema };
+
+  // Issuer validation is provider-type specific
+  if (values.providerType === ProviderType.OIDC) {
+    // OIDC: issuer is required
+    schema = {
+      ...schema,
+      issuer: Yup.string().required(t('Issuer is required')).url(t('Must be a valid URL')),
+    };
+  } else if (values.providerType === ProviderType.OAuth2) {
+    // OAuth2: issuer is optional but must be a valid URL if provided
+    schema = {
+      ...schema,
+      issuer: Yup.string().url(t('Must be a valid URL')),
+      authorizationUrl: Yup.string().required(t('Authorization URL is required')).url(t('Must be a valid URL')),
+      tokenUrl: Yup.string().required(t('Token URL is required')).url(t('Must be a valid URL')),
+      userinfoUrl: Yup.string().required(t('Userinfo URL is required')).url(t('Must be a valid URL')),
+    };
+  }
+
+  if (values.orgAssignmentType === OrgAssignmentType.Static) {
+    schema = {
+      ...schema,
+      orgName: Yup.string().required(t('Static organization assignment requires an organization name')),
+    };
+  } else if (values.orgAssignmentType === OrgAssignmentType.Dynamic) {
+    schema = {
+      ...schema,
+      claimPath: Yup.array()
+        .of(Yup.string())
+        .min(1, t('At least one claim path segment is required'))
+        .required(t('Claim path is required')),
+      orgNamePrefix: Yup.string(),
+      orgNameSuffix: Yup.string(),
+    };
+  } else if (values.orgAssignmentType === OrgAssignmentType.PerUser) {
+    schema = {
+      ...schema,
+      orgNamePrefix: Yup.string(),
+      orgNameSuffix: Yup.string(),
+    };
+  }
+
+  return Yup.object().shape(schema);
+};
diff --git a/libs/ui-components/src/components/AuthProvider/TestConnectionModal/TestConnectionModal.tsx b/libs/ui-components/src/components/AuthProvider/TestConnectionModal/TestConnectionModal.tsx
new file mode 100644
index 000000000..940352e97
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/TestConnectionModal/TestConnectionModal.tsx
@@ -0,0 +1,136 @@
+import * as React from 'react';
+import {
+  Alert,
+  Button,
+  Icon,
+  List,
+  ListItem,
+  Stack,
+  StackItem,
+  Text,
+  TextContent,
+  TextVariants,
+} from '@patternfly/react-core';
+import { Modal, ModalBody, ModalFooter, ModalHeader } from '@patternfly/react-core/next';
+import { Table, Tbody, Td, Th, Thead, Tr } from '@patternfly/react-table';
+import { CheckCircleIcon } from '@patternfly/react-icons/dist/js/icons/check-circle-icon';
+import { ExclamationTriangleIcon } from '@patternfly/react-icons/dist/js/icons/exclamation-triangle-icon';
+
+import { useTranslation } from '../../../hooks/useTranslation';
+import { FieldValidationResult } from '../CreateAuthProvider/types';
+
+type TestConnectionModalProps = {
+  onClose: VoidFunction;
+  results: FieldValidationResult[];
+};
+
+const getStatusIcon = (valid: boolean) => {
+  if (valid) {
+    return (
+      <Icon status="success">
+        <CheckCircleIcon />
+      </Icon>
+    );
+  }
+  return (
+    <Icon status="warning">
+      <ExclamationTriangleIcon />
+    </Icon>
+  );
+};
+
+const getFieldDisplayName = (fieldName: string, t: (key: string) => string): string => {
+  const fieldMap: Record<string, string> = {
+    issuer: t('Issuer URL'),
+    authorizationUrl: t('Authorization URL'),
+    tokenUrl: t('Token URL'),
+    userinfoUrl: t('Userinfo URL'),
+  };
+  return fieldMap[fieldName] || fieldName;
+};
+
+const NotesCell = ({ notes }: { notes?: string[] }) => {
+  if (!notes || notes.length === 0) {
+    return <>-</>;
+  }
+
+  return (
+    <List isPlain>
+      {notes.map((note, idx) => (
+        <ListItem key={idx}>{note}</ListItem>
+      ))}
+    </List>
+  );
+};
+
+const TestConnectionModal = ({ onClose, results }: TestConnectionModalProps) => {
+  const { t } = useTranslation();
+
+  const allValid = results.every((validation) => validation.valid);
+  const hasValid = results.some((validation) => validation.valid);
+
+  return (
+    <Modal isOpen onClose={onClose} variant="medium">
+      <ModalHeader title={t('Test connection results')} />
+      <ModalBody>
+        <Stack hasGutter>
+          {allValid ? (
+            <>
+              <StackItem>
+                <Alert variant="success" title={t('Connection test successful')} />
+              </StackItem>
+              <StackItem>
+                <TextContent>
+                  <Text component={TextVariants.small}>
+                    {t("Great! We successfully connected to your provider. Here's what we found:")}
+                  </Text>
+                </TextContent>
+              </StackItem>
+            </>
+          ) : (
+            <StackItem>
+              <Alert
+                isInline
+                variant={hasValid ? 'warning' : 'danger'}
+                title={hasValid ? t('Connection partially successful') : t('Connection test unsuccessful')}
+              >
+                {t("We found some issues with your configuration. Here's what needs your attention:")}
+              </Alert>
+            </StackItem>
+          )}
+          <StackItem>
+            <Table variant="compact">
+              <Thead>
+                <Tr>
+                  <Th>{t('Field')}</Th>
+                  <Th>{t('Value')}</Th>
+                  <Th>{t('Status')}</Th>
+                  <Th>{t('Details')}</Th>
+                </Tr>
+              </Thead>
+              <Tbody>
+                {results.map((result) => (
+                  <Tr key={result.field}>
+                    <Td>{getFieldDisplayName(result.field, t)}</Td>
+                    <Td style={{ wordBreak: 'break-all' }}>{result.value || '-'}</Td>
+                    <Td>{getStatusIcon(result.valid)}</Td>
+                    <Td>
+                      <NotesCell notes={result.notes} />
+                    </Td>
+                  </Tr>
+                ))}
+              </Tbody>
+            </Table>
+          </StackItem>
+        </Stack>
+      </ModalBody>
+      <ModalFooter>
+        <Button variant="primary" onClick={onClose}>
+          {t('Close')}
+        </Button>
+      </ModalFooter>
+    </Modal>
+  );
+};
+
+export default TestConnectionModal;
diff --git a/libs/ui-components/src/components/AuthProvider/useAuthProviders.ts b/libs/ui-components/src/components/AuthProvider/useAuthProviders.ts
new file mode 100644
index 000000000..4d92a8f43
--- /dev/null
+++ b/libs/ui-components/src/components/AuthProvider/useAuthProviders.ts
@@ -0,0 +1,18 @@
+import { useFetchPeriodically } from '../../hooks/useFetchPeriodically';
+import { AuthProviderList } from '@flightctl/types';
+
+export const useAuthProviders = () => {
+  const [data, isLoading, error, refetch, isUpdating] = useFetchPeriodically<AuthProviderList>({
+    endpoint: 'authproviders',
+  });
+
+  const providers = data?.items || [];
+
+  return {
+    providers,
+    isLoading,
+    error,
+    refetch,
+    isUpdating,
+  };
+};
diff --git a/libs/ui-components/src/components/DetailsPage/DetailsPage.tsx b/libs/ui-components/src/components/DetailsPage/DetailsPage.tsx
index dd03765f0..331f719aa 100644
--- a/libs/ui-components/src/components/DetailsPage/DetailsPage.tsx
+++ b/libs/ui-components/src/components/DetailsPage/DetailsPage.tsx
@@ -26,7 +26,7 @@ export type DetailsPageProps = {
   children: React.ReactNode;
   error: unknown;
   loading: boolean;
-  resourceType: 'Fleets' | 'Devices' | 'Repositories' | 'Enrollment requests';
+  resourceType: 'Fleets' | 'Devices' | 'Repositories' | 'Enrollment requests' | 'Authentication providers';
   resourceTypeLabel: string;
   resourceLink: Route;
   actions?: React.ReactNode;
diff --git a/libs/ui-components/src/components/Login/ProviderSelector.tsx b/libs/ui-components/src/components/Login/ProviderSelector.tsx
new file mode 100644
index 000000000..52c4ab2c4
--- /dev/null
+++ b/libs/ui-components/src/components/Login/ProviderSelector.tsx
@@ -0,0 +1,114 @@
+import * as React from 'react';
+import { Button, Card, CardBody, CardTitle, Stack, StackItem, Title } from '@patternfly/react-core';
+
+import { AuthProvider } from '@flightctl/types';
+import fcLogo from '@fctl-assets/bgimages/flight-control-logo.svg';
+import rhemLogo from '@fctl-assets/bgimages/RHEM-logo.svg';
+
+import { useTranslation } from '../../hooks/useTranslation';
+import { useAppContext } from '../../hooks/useAppContext';
+import { isOAuth2Provider } from '../AuthProvider/CreateAuthProvider/types';
+import { getProviderDisplayName } from '../../utils/authProvider';
+import { DynamicAuthProviderSpec } from '../../types/extraTypes';
+
+type ProviderSelectorProps = {
+  providers: AuthProvider[];
+  defaultProviderName: string;
+  onProviderSelect: (provider: AuthProvider) => void;
+  disabled?: boolean;
+};
+
+// Returns a unique key for a provider.
+// Theoretically there could be multiple providers with the same name across different organizations.
+const getProviderKey = (provider: AuthProvider): string => {
+  const name = provider.metadata.name as string;
+  const issuerUrl = 'issuer' in provider.spec ? provider.spec.issuer : 'issuer';
+  const clientId = 'clientId' in provider.spec ? provider.spec.clientId : 'clientId';
+  return `${name}-${issuerUrl}-${clientId}`;
+};
+
+const ProviderSelector = ({
+  providers,
+  defaultProviderName,
+  onProviderSelect,
+  disabled = false,
+}: ProviderSelectorProps) => {
+  const { t } = useTranslation();
+  const { settings } = useAppContext();
+
+  const duplicateProviderNames = React.useMemo(() => {
+    // Record of provider names and display names that are duplicates
+    const result: Record<string, boolean> = {};
+
+    providers.forEach((provider) => {
+      const displayName = getProviderDisplayName(provider, t) || (provider.metadata.name as string);
+      if (result[displayName] === undefined) {
+        result[displayName] = false;
+      } else {
+        result[displayName] = true;
+      }
+    });
+
+    return result;
+  }, [providers, t]);
+
+  return (
+    <>
+      <Card isLarge>
+        <CardBody>
+          <Stack hasGutter>
+            <StackItem>
+              <img
+                src={settings.isRHEM ? (rhemLogo as string) : (fcLogo as string)}
+                alt={settings.isRHEM ? 'Red Hat Edge Manager' : 'Flight Control'}
+              />
+            </StackItem>
+
+            <StackItem>
+              <CardTitle>
+                <Title headingLevel="h2" size="lg">
+                  {t('Choose login method')}
+                </Title>
+              </CardTitle>
+            </StackItem>
+
+            <StackItem>
+              <Stack hasGutter>
+                {providers.map((provider) => {
+                  const displayName = getProviderDisplayName(provider, t);
+
+                  const isDuplicateName = duplicateProviderNames[displayName];
+                  let details: string | undefined;
+                  if (isDuplicateName) {
+                    const spec = provider.spec as DynamicAuthProviderSpec;
+                    if (isOAuth2Provider(spec)) {
+                      details = spec.authorizationUrl || spec.clientId || '';
+                    } else {
+                      details = spec.issuer || spec.clientId || '';
+                    }
+                  }
+                  return (
+                    <StackItem key={getProviderKey(provider)}>
+                      <Button
+                        variant={defaultProviderName === provider.metadata.name ? 'primary' : 'secondary'}
+                        isBlock
+                        size="lg"
+                        onClick={() => onProviderSelect(provider)}
+                        isDisabled={disabled}
+                      >
+                        {t('Log in with {{ providerName }}', { providerName: getProviderDisplayName(provider, t) })}
+                      </Button>
+                      {isDuplicateName && <small>{details}</small>}
+                    </StackItem>
+                  );
+                })}
+              </Stack>
+            </StackItem>
+          </Stack>
+        </CardBody>
+      </Card>
+    </>
+  );
+};
+
+export default ProviderSelector;
diff --git a/libs/ui-components/src/components/Login/TokenLoginForm.tsx b/libs/ui-components/src/components/Login/TokenLoginForm.tsx
new file mode 100644
index 000000000..109bac8c0
--- /dev/null
+++ b/libs/ui-components/src/components/Login/TokenLoginForm.tsx
@@ -0,0 +1,201 @@
+import * as React from 'react';
+import {
+  Alert,
+  Bullseye,
+  Button,
+  Card,
+  CardBody,
+  CardFooter,
+  CardHeader,
+  FormGroup,
+  FormHelperText,
+  FormSection,
+  HelperText,
+  HelperTextItem,
+  Stack,
+  StackItem,
+  Text,
+  TextArea,
+  TextContent,
+  TextVariants,
+  Title,
+} from '@patternfly/react-core';
+import ArrowLeftIcon from '@patternfly/react-icons/dist/js/icons/arrow-left-icon';
+
+import { AuthProvider } from '@flightctl/types';
+import { ORGANIZATION_STORAGE_KEY } from '../../utils/organizationStorage';
+import { isValidJwtTokenFormat } from '../../utils/k8sProvider';
+import { useTranslation } from '../../hooks/useTranslation';
+import { useFetch } from '../../hooks/useFetch';
+import { getErrorMessage } from '../../utils/error';
+import FlightCtlForm from '../../components/form/FlightCtlForm';
+
+const EXPIRATION = 'expiration';
+
+const nowInSeconds = () => Math.floor(Date.now() / 1000);
+
+type TokenLoginFormProps = {
+  provider: AuthProvider;
+  onBack?: VoidFunction;
+};
+
+const TokenLoginForm = ({ provider, onBack }: TokenLoginFormProps) => {
+  const { t } = useTranslation();
+  const { proxyFetch } = useFetch();
+  const [token, setToken] = React.useState('');
+  const [validationError, setValidationError] = React.useState<string>('');
+  const [isSubmitting, setIsSubmitting] = React.useState(false);
+  const [submitError, setSubmitError] = React.useState<string>();
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setIsSubmitting(true);
+    setSubmitError(undefined);
+
+    try {
+      localStorage.removeItem(EXPIRATION);
+      localStorage.removeItem(ORGANIZATION_STORAGE_KEY);
+
+      const resp = await proxyFetch(`login?provider=${provider.metadata.name}`, {
+        method: 'POST',
+        body: JSON.stringify({ token: token.trim() }),
+      });
+
+      if (!resp.ok) {
+        let errorMessage = t('Authentication failed');
+        try {
+          const contentType = resp.headers.get('content-type');
+          if (contentType && contentType.includes('application/json')) {
+            const errorData = (await resp.json()) as { error?: string };
+            errorMessage = errorData.error || errorMessage;
+          } else {
+            // Fallback for non-JSON responses
+            const text = await resp.text();
+            if (text) {
+              errorMessage = text;
+            }
+          }
+        } catch (parseErr) {
+          // If parsing fails, use default error message
+          errorMessage = t('Authentication failed');
+        }
+        setSubmitError(errorMessage);
+        setIsSubmitting(false);
+        return;
+      }
+
+      const expiration = (await resp.json()) as { expiresIn: number };
+      if (expiration.expiresIn) {
+        const now = nowInSeconds();
+        localStorage.setItem(EXPIRATION, `${now + expiration.expiresIn}`);
+      }
+
+      // Redirect to home page after successful login
+      window.location.href = '/';
+    } catch (err) {
+      setSubmitError(getErrorMessage(err));
+      setIsSubmitting(false);
+    }
+  };
+
+  return (
+    <Bullseye>
+      <Card isLarge>
+        {onBack && (
+          <CardHeader>
+            <Button
+              variant="link"
+              className="pf-v5-u-size-sm"
+              onClick={onBack}
+              isInline
+              isDisabled={isSubmitting}
+              icon={<ArrowLeftIcon />}
+            >
+              {t('Back to login options')}
+            </Button>
+          </CardHeader>
+        )}
+        <CardBody>
+          <Stack hasGutter style={{ '--pf-v5-l-stack--m-gutter--Gap': '1.5rem' } as React.CSSProperties}>
+            <StackItem>
+              <Title headingLevel="h2" size="xl">
+                {t('Enter your Kubernetes token')}
+              </Title>
+            </StackItem>
+
+            <StackItem>
+              <TextContent>
+                <Text>{t('Enter your Kubernetes service account token to authenticate with the cluster.')}</Text>
+                <Text component={TextVariants.small}>
+                  {t('You can find this token in your Kubernetes service account credentials.')}
+                </Text>
+              </TextContent>
+            </StackItem>
+            <StackItem>
+              <FlightCtlForm>
+                <FormGroup label={t('Service account token')} isRequired>
+                  <TextArea
+                    id="accessToken"
+                    value={token}
+                    onChange={(_event, tokenVal) => {
+                      if (tokenVal && !isValidJwtTokenFormat(tokenVal)) {
+                        setValidationError(
+                          t('Invalid token format. Expected a JWT token with format: header.payload.signature'),
+                        );
+                      } else {
+                        setValidationError('');
+                      }
+                      if (submitError) {
+                        setSubmitError(undefined);
+                      }
+                      setToken(tokenVal);
+                    }}
+                    placeholder={t('Enter your Kubernetes token...')}
+                    rows={10}
+                    isRequired
+                    isDisabled={isSubmitting}
+                    autoFocus
+                    validated={validationError ? 'error' : 'default'}
+                  />
+                  {validationError && (
+                    <FormHelperText>
+                      <HelperText>
+                        <HelperTextItem variant="error">{validationError}</HelperTextItem>
+                      </HelperText>
+                    </FormHelperText>
+                  )}
+                </FormGroup>
+
+                <Alert variant="warning" title={t('Keep your token secure')} isInline>
+                  {t(
+                    'Never share your service account token. It provides full access to your Kubernetes cluster resources.',
+                  )}
+                </Alert>
+
+                {submitError && (
+                  <FormSection>
+                    <Alert variant="danger" title={t('Authentication failed')} isInline>
+                      {submitError}
+                    </Alert>
+                  </FormSection>
+                )}
+              </FlightCtlForm>
+            </StackItem>
+          </Stack>
+        </CardBody>
+        <CardFooter>
+          <Button
+            variant="primary"
+            isDisabled={!token || !!validationError || isSubmitting}
+            isLoading={isSubmitting}
+            onClick={handleSubmit}
+          >
+            {isSubmitting ? t('Authenticating...') : t('Login')}
+          </Button>
+        </CardFooter>
+      </Card>
+    </Bullseye>
+  );
+};
+
+export default TokenLoginForm;
diff --git a/libs/ui-components/src/components/OverviewPage/Cards/Alerts/AlertsCard.tsx b/libs/ui-components/src/components/OverviewPage/Cards/Alerts/AlertsCard.tsx
index 8edf89acc..e1bb5ae58 100644
--- a/libs/ui-components/src/components/OverviewPage/Cards/Alerts/AlertsCard.tsx
+++ b/libs/ui-components/src/components/OverviewPage/Cards/Alerts/AlertsCard.tsx
@@ -115,7 +115,7 @@ const resourceKindLabel = (t: TFunction, resourceKind: ResourceKind | undefined)
     case ResourceKind.TEMPLATE_VERSION:
       return t('Template version');
     case ResourceKind.AUTH_PROVIDER:
-      return t('Auth provider');
+      return t('Authentication provider');
   }
 };
 const getAlertTitle = (alert: AlertManagerAlert, defaultTitle: string) => {
diff --git a/libs/ui-components/src/components/common/CodeEditor/YamlEditor.tsx b/libs/ui-components/src/components/common/CodeEditor/YamlEditor.tsx
index 55b5e24ae..359f31cfc 100644
--- a/libs/ui-components/src/components/common/CodeEditor/YamlEditor.tsx
+++ b/libs/ui-components/src/components/common/CodeEditor/YamlEditor.tsx
@@ -5,7 +5,7 @@ import { dump, load } from 'js-yaml';
 import { compare } from 'fast-json-patch';
 import type * as monacoEditor from 'monaco-editor/esm/vs/editor/editor.api';
 
-import { Device, Fleet, PatchRequest, Repository, ResourceKind } from '@flightctl/types';
+import { AuthProvider, Device, Fleet, PatchRequest, Repository, ResourceKind } from '@flightctl/types';
 import { fromAPILabel } from '../../../utils/labels';
 import { getLabelPatches } from '../../../utils/patch';
 import { getErrorMessage, isResourceVersionTestFailure } from '../../../utils/error';
@@ -16,7 +16,7 @@ import YamlEditorBase from './YamlEditorBase';
 
 import './YamlEditor.css';
 
-type FlightCtlYamlResource = Fleet | Device | Repository;
+type FlightCtlYamlResource = Fleet | Device | Repository | AuthProvider;
 
 type YamlEditorProps<R extends FlightCtlYamlResource> = Partial<Omit<PfCodeEditorProps, 'ref' | 'code'>> & {
   /** FlightCtl resource to display in the editor. */
@@ -51,6 +51,8 @@ const getResourceEndpoint = (obj: FlightCtlYamlResource) => {
       return `devices/${resourceName}`;
     case ResourceKind.REPOSITORY:
       return `repositories/${resourceName}`;
+    case ResourceKind.AUTH_PROVIDER:
+      return `authproviders/${resourceName}`;
     default:
       throw new Error(`Unsupported resource kind: ${kind}`);
   }
diff --git a/libs/ui-components/src/components/common/PageNavigation.tsx b/libs/ui-components/src/components/common/PageNavigation.tsx
index 42a985e2a..c8c8a0afb 100644
--- a/libs/ui-components/src/components/common/PageNavigation.tsx
+++ b/libs/ui-components/src/components/common/PageNavigation.tsx
@@ -1,5 +1,6 @@
 import * as React from 'react';
 import {
+  Button,
   Dropdown,
   DropdownItem,
   DropdownList,
@@ -11,10 +12,15 @@ import {
   Toolbar,
   ToolbarContent,
   ToolbarItem,
+  Tooltip,
 } from '@patternfly/react-core';
+import CogIcon from '@patternfly/react-icons/dist/js/icons/cog-icon';
 import { useTranslation } from '../../hooks/useTranslation';
+import { ROUTE, useNavigate } from '../../hooks/useNavigate';
 import { useOrganizationGuardContext } from './OrganizationGuard';
 import OrganizationSelector from './OrganizationSelector';
+import { RESOURCE, VERB } from '../../types/rbac';
+import { usePermissionsContext } from './PermissionsContext';
 
 type OrganizationDropdownProps = {
   organizationName?: string;
@@ -56,16 +62,22 @@ const OrganizationDropdown = ({ organizationName, onSwitchOrganization }: Organi
 };
 
 const PageNavigation = () => {
+  const { t } = useTranslation();
+  const navigate = useNavigate();
   const { currentOrganization, availableOrganizations } = useOrganizationGuardContext();
+  const { checkPermissions } = usePermissionsContext();
+  const [isAdmin] = checkPermissions([{ kind: RESOURCE.AUTH_PROVIDER, verb: VERB.CREATE }]);
   const [showOrganizationModal, setShowOrganizationModal] = React.useState(false);
-
   const showOrganizationSelection = availableOrganizations.length > 1;
-  if (!showOrganizationSelection) {
+  const currentOrgDisplayName = currentOrganization?.spec?.displayName || currentOrganization?.metadata?.name || '';
+
+  // Show navigation bar if there's either org selection OR admin button to show
+  const shouldShowNavigation = showOrganizationSelection || isAdmin;
+
+  if (!shouldShowNavigation) {
     return null;
   }
 
-  const currentOrgDisplayName = currentOrganization?.spec?.displayName || currentOrganization?.metadata?.name || '';
-
   return (
     <>
       <PageSection variant="light" padding={{ default: 'noPadding' }}>
@@ -83,6 +95,20 @@ const PageNavigation = () => {
                     />
                   </ToolbarItem>
                 )}
+                {isAdmin && (
+                  <ToolbarItem>
+                    <Tooltip content={t('Manage authentication providers')}>
+                      <Button
+                        variant="link"
+                        aria-label={t('Settings')}
+                        onClick={() => navigate(ROUTE.AUTH_PROVIDERS)}
+                        icon={<CogIcon />}
+                      >
+                        {t('Settings')}
+                      </Button>
+                    </Tooltip>
+                  </ToolbarItem>
+                )}
               </ToolbarContent>
             </Toolbar>
           </MastheadContent>
diff --git a/libs/ui-components/src/components/form/ListItemField.tsx b/libs/ui-components/src/components/form/ListItemField.tsx
new file mode 100644
index 000000000..e9aed211d
--- /dev/null
+++ b/libs/ui-components/src/components/form/ListItemField.tsx
@@ -0,0 +1,123 @@
+import * as React from 'react';
+import { useField } from 'formik';
+import { Label, LabelGroup, Text, TextVariants } from '@patternfly/react-core';
+
+import EditableLabelControl from '../common/EditableLabelControl';
+import ErrorHelperText, { DefaultHelperText } from './FieldHelperText';
+import { useTranslation } from '../../hooks/useTranslation';
+
+type ListItemFieldProps = {
+  name: string;
+  isLoading?: boolean;
+  helperText?: React.ReactNode;
+  addButtonText?: string;
+  resolvedValue?: string | ((items: string[]) => string);
+  resolvedLabel?: string;
+};
+
+const maxWidthLabel = '18ch';
+
+const ListItemField = ({
+  name,
+  helperText,
+  isLoading,
+  addButtonText,
+  resolvedValue,
+  resolvedLabel,
+}: ListItemFieldProps) => {
+  const { t } = useTranslation();
+  const [{ value: items }, meta, { setValue: setItems }] = useField<string[]>(name);
+
+  const updateItems = async (newItems: string[]) => {
+    await setItems(newItems, true);
+  };
+
+  const onDelete = async (_ev: React.MouseEvent<Element, MouseEvent>, index: number) => {
+    if (isLoading) {
+      return;
+    }
+    const newItems = [...items];
+    newItems.splice(index, 1);
+    await updateItems(newItems);
+  };
+
+  const onAdd = async (text: string) => {
+    if (!text || !text.trim()) {
+      return;
+    }
+    const trimmedText = text.trim();
+    const newItems = [...items, trimmedText];
+    await updateItems(newItems);
+  };
+
+  const onEdit = async (index: number, nextText: string) => {
+    const trimmedText = nextText.trim();
+    if (!trimmedText) {
+      return;
+    }
+
+    const newItems = [...items];
+    newItems.splice(index, 1, trimmedText);
+    await updateItems(newItems);
+  };
+
+  const getResolvedValue = () => {
+    if (!resolvedValue || items.length === 0) {
+      return null;
+    }
+    if (typeof resolvedValue === 'function') {
+      return resolvedValue(items);
+    }
+    return resolvedValue;
+  };
+
+  const displayedResolvedValue = getResolvedValue();
+
+  return (
+    <>
+      <DefaultHelperText helperText={helperText} />
+
+      <LabelGroup
+        numLabels={5}
+        isEditable={!isLoading}
+        addLabelControl={
+          <EditableLabelControl
+            defaultLabel=""
+            addButtonText={addButtonText || t('Add item')}
+            onAddLabel={onAdd}
+            isEditable={!isLoading}
+          />
+        }
+      >
+        {items.map((item, index) => {
+          const elKey = `${item}__${index}`;
+          const closeButtonProps = isLoading ? { isDisabled: true } : undefined;
+          const isItemEditable = !isLoading;
+
+          return (
+            <Label
+              key={elKey}
+              textMaxWidth={maxWidthLabel}
+              closeBtnProps={closeButtonProps}
+              onClose={(e) => onDelete(e, index)}
+              onEditCancel={(_, prevText) => onEdit(index, prevText)}
+              onEditComplete={(_, newText) => onEdit(index, newText)}
+              title={isItemEditable ? item : undefined}
+              isEditable={isItemEditable}
+            >
+              {item}
+            </Label>
+          );
+        })}
+      </LabelGroup>
+      {displayedResolvedValue && (
+        <Text component={TextVariants.small} style={{ marginTop: '0.5rem', color: 'var(--pf-v5-global--Color--200)' }}>
+          {resolvedLabel || t('Resolved')}: <strong>{displayedResolvedValue}</strong>
+        </Text>
+      )}
+      <ErrorHelperText meta={meta} touchRequired={false} />
+    </>
+  );
+};
+
+export default ListItemField;
diff --git a/libs/ui-components/src/components/form/NameField.tsx b/libs/ui-components/src/components/form/NameField.tsx
index 0a9d37138..543abe783 100644
--- a/libs/ui-components/src/components/form/NameField.tsx
+++ b/libs/ui-components/src/components/form/NameField.tsx
@@ -7,6 +7,7 @@ import { useFetch } from '../../hooks/useFetch';
 import { useTranslation } from '../../hooks/useTranslation';
 import RichValidationTextField, { RichValidationTextFieldProps } from './RichValidationTextField';
 import { TextFieldProps } from './TextField';
+import { DefaultHelperText } from './FieldHelperText';
 
 type NameFieldProps = TextFieldProps & {
   resourceType: string;
@@ -71,13 +72,14 @@ const NameField = ({ name, validations, resourceType, ...rest }: NameFieldProps)
   return <RichValidationTextField fieldName={name} validations={allValidations} {...rest} />;
 };
 
-const NameFieldWrapper = ({ name, isDisabled, validations, resourceType, ...rest }: NameFieldProps) => {
+const NameFieldWrapper = ({ name, isDisabled, validations, resourceType, helperText, ...rest }: NameFieldProps) => {
   const [{ value }] = useField<string>(name);
 
   if (isDisabled) {
     return (
       <FormGroup label={rest?.['aria-label']} isRequired={rest.isRequired}>
         <TextInput value={value} {...rest} isDisabled />
+        {helperText && <DefaultHelperText helperText={helperText} />}
       </FormGroup>
     );
   }
diff --git a/libs/ui-components/src/components/form/SwitchField.tsx b/libs/ui-components/src/components/form/SwitchField.tsx
index 0a7cba3fd..17a879ca6 100644
--- a/libs/ui-components/src/components/form/SwitchField.tsx
+++ b/libs/ui-components/src/components/form/SwitchField.tsx
@@ -5,10 +5,11 @@ import ErrorHelperText, { DefaultHelperText } from './FieldHelperText';
 
 export interface SwitchFieldProps extends Omit<SwitchProps, 'onChange' | 'ref' | 'checked' | 'id'> {
   name: string;
+  labelIcon?: React.ReactElement;
   helperText?: React.ReactNode;
 }
 
-const SwitchField = ({ helperText, name, ...props }: SwitchFieldProps) => {
+const SwitchField = ({ label, labelIcon, helperText, name, ...props }: SwitchFieldProps) => {
   const [field, meta, { setValue, setTouched }] = useField({
     name,
   });
@@ -21,7 +22,7 @@ const SwitchField = ({ helperText, name, ...props }: SwitchFieldProps) => {
   const fieldId = `switchfield-${name}`;
 
   return (
-    <FormGroup id={`form-control__${fieldId}`} fieldId={fieldId}>
+    <FormGroup id={`form-control__${fieldId}`} fieldId={fieldId} label={label} labelIcon={labelIcon}>
       <Switch {...field} {...props} id={fieldId} onChange={onChange} isChecked={!!field.value} />
       <DefaultHelperText helperText={helperText} />
       <ErrorHelperText meta={meta} />
diff --git a/libs/ui-components/src/hooks/useAlertsEnabled.ts b/libs/ui-components/src/hooks/useAlertsEnabled.ts
index 1b24ade78..c37955645 100644
--- a/libs/ui-components/src/hooks/useAlertsEnabled.ts
+++ b/libs/ui-components/src/hooks/useAlertsEnabled.ts
@@ -3,9 +3,13 @@ import { RESOURCE, VERB } from '../types/rbac';
 import { usePermissionsContext } from '../components/common/PermissionsContext';
 import { useFetch } from './useFetch';
 
-// Alerts are considered disabled if the service returns either 501 (Not Implemented) or 500
-const isDisabledAlertManagerService = (error: Error): boolean =>
-  Number(error.message) === 501 || Number(error.message) === 500;
+// Alerts are considered disabled if:
+// - Service returns 501 (Not Implemented) or 500 (Internal Server Error)
+// - Service returns 401 (Unauthorized) - authentication issue with alerts service
+const isDisabledAlertManagerService = (error: Error): boolean => {
+  const errorCode = Number(error.message);
+  return errorCode === 501 || errorCode === 500 || errorCode === 401;
+};
 
 export const useAlertsEnabled = (): boolean => {
   const { get } = useFetch();
diff --git a/libs/ui-components/src/hooks/useAppContext.tsx b/libs/ui-components/src/hooks/useAppContext.tsx
index d32ff755b..23bfac9dd 100644
--- a/libs/ui-components/src/hooks/useAppContext.tsx
+++ b/libs/ui-components/src/hooks/useAppContext.tsx
@@ -33,6 +33,10 @@ export const appRoutes = {
   [ROUTE.ENROLLMENT_REQUESTS]: '/devicemanagement/enrollmentrequests',
   [ROUTE.ENROLLMENT_REQUEST_DETAILS]: '/devicemanagement/enrollmentrequests',
   [ROUTE.COMMAND_LINE_TOOLS]: '/command-line-tools',
+  [ROUTE.AUTH_PROVIDERS]: '/admin/authproviders',
+  [ROUTE.AUTH_PROVIDER_CREATE]: '/admin/authproviders/create',
+  [ROUTE.AUTH_PROVIDER_EDIT]: '/admin/authproviders/edit',
+  [ROUTE.AUTH_PROVIDER_DETAILS]: '/admin/authproviders',
 };
 
 export type NavLinkFC = React.FC<{ to: string; children: (props: { isActive: boolean }) => React.ReactNode }>;
diff --git a/libs/ui-components/src/hooks/useNavigate.tsx b/libs/ui-components/src/hooks/useNavigate.tsx
index fccd44586..8ba1523e0 100644
--- a/libs/ui-components/src/hooks/useNavigate.tsx
+++ b/libs/ui-components/src/hooks/useNavigate.tsx
@@ -25,6 +25,10 @@ export enum ROUTE {
   ENROLLMENT_REQUESTS = 'ENROLLMENT_REQUESTS',
   ENROLLMENT_REQUEST_DETAILS = 'ENROLLMENT_REQUEST_DETAILS',
   COMMAND_LINE_TOOLS = 'COMMAND_LINE_TOOLS',
+  AUTH_PROVIDERS = 'AUTH_PROVIDERS',
+  AUTH_PROVIDER_CREATE = 'AUTH_PROVIDER_CREATE',
+  AUTH_PROVIDER_EDIT = 'AUTH_PROVIDER_EDIT',
+  AUTH_PROVIDER_DETAILS = 'AUTH_PROVIDER_DETAILS',
 }
 
 export type RouteWithPostfix =
@@ -35,7 +39,9 @@ export type RouteWithPostfix =
   | ROUTE.REPO_EDIT
   | ROUTE.DEVICE_DETAILS
   | ROUTE.DEVICE_EDIT
-  | ROUTE.ENROLLMENT_REQUEST_DETAILS;
+  | ROUTE.ENROLLMENT_REQUEST_DETAILS
+  | ROUTE.AUTH_PROVIDER_EDIT
+  | ROUTE.AUTH_PROVIDER_DETAILS;
 export type Route = Exclude<ROUTE, RouteWithPostfix>;
 
 type ToObj = { route: RouteWithPostfix; postfix: string | undefined };
diff --git a/libs/ui-components/src/types/extraTypes.ts b/libs/ui-components/src/types/extraTypes.ts
index 22344b714..3806ee2a8 100644
--- a/libs/ui-components/src/types/extraTypes.ts
+++ b/libs/ui-components/src/types/extraTypes.ts
@@ -2,12 +2,15 @@ import {
   AppType,
   ApplicationEnvVars,
   ApplicationVolumeProviderSpec,
+  AuthProvider,
   ConditionType,
   Device,
   EnrollmentRequest,
   FileContent,
   Fleet,
   ImageApplicationProviderSpec,
+  OAuth2ProviderSpec,
+  OIDCProviderSpec,
   RelativePath,
   ResourceSync,
 } from '@flightctl/types';
@@ -75,3 +78,18 @@ export type AlertManagerAlert = {
   };
   receivers: Array<{ name: string }>;
 };
+
+// AuthProviders that can be added dynamically to the system can only be OAuth2 or OIDC.
+export type DynamicAuthProviderSpec = OIDCProviderSpec | OAuth2ProviderSpec;
+export type DynamicAuthProvider = AuthProvider & { spec: DynamicAuthProviderSpec };
+
+export const isDynamicAuthProvider = (provider: AuthProvider): provider is DynamicAuthProvider =>
+  provider.spec.providerType === ProviderType.OIDC || provider.spec.providerType === ProviderType.OAuth2;
+
+export enum ProviderType {
+  OIDC = 'oidc',
+  OAuth2 = 'oauth2',
+  K8s = 'k8s',
+  AAP = 'aap',
+  OpenShift = 'openshift',
+}
diff --git a/libs/ui-components/src/types/rbac.ts b/libs/ui-components/src/types/rbac.ts
index 7e9352e82..3c069d04a 100644
--- a/libs/ui-components/src/types/rbac.ts
+++ b/libs/ui-components/src/types/rbac.ts
@@ -19,4 +19,5 @@ export enum RESOURCE {
   ENROLLMENT_REQUEST = 'enrollmentrequests',
   ENROLLMENT_REQUEST_APPROVAL = 'enrollmentrequests/approval',
   ALERTS = 'alerts',
+  AUTH_PROVIDER = 'authproviders',
 }
diff --git a/libs/ui-components/src/utils/authProvider.ts b/libs/ui-components/src/utils/authProvider.ts
new file mode 100644
index 000000000..219178b83
--- /dev/null
+++ b/libs/ui-components/src/utils/authProvider.ts
@@ -0,0 +1,20 @@
+import { TFunction } from 'react-i18next';
+import { AuthProvider } from '@flightctl/types';
+import { ProviderType } from '../types/extraTypes';
+
+export const getProviderDisplayName = (provider: AuthProvider, t: TFunction): string => {
+  const spec = provider.spec;
+  if ('displayName' in spec && spec.displayName) {
+    return spec.displayName;
+  }
+  if (provider.spec.providerType === ProviderType.OpenShift) {
+    return t('OpenShift');
+  }
+  if (provider.spec.providerType === ProviderType.K8s) {
+    return t('Kubernetes');
+  }
+  if (provider.spec.providerType === ProviderType.AAP) {
+    return t('Ansible Automation Platform');
+  }
+  return provider.metadata.name as string;
+};
diff --git a/libs/ui-components/src/utils/k8sProvider.ts b/libs/ui-components/src/utils/k8sProvider.ts
new file mode 100644
index 000000000..945a0ebac
--- /dev/null
+++ b/libs/ui-components/src/utils/k8sProvider.ts
@@ -0,0 +1,11 @@
+// Simple JWT format validation - checks if token has 3 parts separated by dots
+export const isValidJwtTokenFormat = (token: string): boolean => {
+  if (!token) return false;
+  const parts = token.split('.');
+  if (parts.length !== 3) return false;
+  // Check that each part contains only valid base64url characters
+  const base64urlPattern = /^[A-Za-z0-9_-]+$/;
+  return parts.every((part) => part.length > 0 && base64urlPattern.test(part));
+};
+
+export const nowInSeconds = () => Math.round(Date.now() / 1000);
diff --git a/libs/ui-components/src/utils/patch.ts b/libs/ui-components/src/utils/patch.ts
index ea2f332d6..ead955aae 100644
--- a/libs/ui-components/src/utils/patch.ts
+++ b/libs/ui-components/src/utils/patch.ts
@@ -36,7 +36,9 @@ export const appendJSONPatch = <V = unknown>({
   if (newValue === originalValue) {
     return;
   }
-  if (!newValue && originalValue) {
+  // For boolean values, we should never remove them, only set them to true or false
+  // For other values, if newValue is falsy and originalValue exists, remove the field
+  if (!newValue && originalValue && typeof newValue !== 'boolean') {
     patches.push({
       op: 'remove',
       path,
diff --git a/proxy/app.go b/proxy/app.go
index 0ebe70c30..98bfe66e0 100644
--- a/proxy/app.go
+++ b/proxy/app.go
@@ -61,6 +61,9 @@ func main() {
 	terminalBridge := bridge.TerminalBridge{TlsConfig: tlsConfig}
 	apiRouter.HandleFunc("/terminal/{forward:.*}", terminalBridge.HandleTerminal)
 
+	testAuthHandler := bridge.NewTestAuthHandler(tlsConfig)
+	apiRouter.HandleFunc("/test-auth-provider-connection", testAuthHandler.TestConnection)
+
 	// Simple endpoint to check if organizations are enabled
 	if config.IsOrganizationsEnabled() {
 		apiRouter.HandleFunc("/organizations-enabled", func(w http.ResponseWriter, r *http.Request) {
diff --git a/proxy/auth/aap.go b/proxy/auth/aap.go
index cac7b709f..c87817eac 100644
--- a/proxy/auth/aap.go
+++ b/proxy/auth/aap.go
@@ -3,7 +3,6 @@ package auth
 import (
 	"bytes"
 	"crypto/tls"
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -11,6 +10,7 @@ import (
 	"github.com/flightctl/flightctl-ui/bridge"
 	"github.com/flightctl/flightctl-ui/config"
 	"github.com/flightctl/flightctl-ui/log"
+	"github.com/flightctl/flightctl/api/v1alpha1"
 	"github.com/openshift/osincli"
 )
 
@@ -19,7 +19,10 @@ type AAPAuthHandler struct {
 	internalClient  *osincli.Client
 	tlsConfig       *tls.Config
 	authURL         string
+	tokenURL        string
 	internalAuthURL string
+	clientId        string
+	providerName    string
 }
 
 type AAPUser struct {
@@ -47,13 +50,32 @@ func (c *AAPRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	return resp, nil
 }
 
-func getAAPAuthHandler(authURL string, internalAuthURL *string) (*AAPAuthHandler, error) {
+func getAAPAuthHandler(provider *v1alpha1.AuthProvider, aapSpec *v1alpha1.AapProviderSpec) (*AAPAuthHandler, error) {
+	providerName := extractProviderName(provider)
+
+	// Validate required fields
+	if aapSpec.ApiUrl == "" {
+		return nil, fmt.Errorf("AAP provider %s missing ApiUrl", providerName)
+	}
+
+	// Use externalApiUrl if available, otherwise use apiUrl
+	authURL := aapSpec.ApiUrl
+	if aapSpec.ExternalApiUrl != nil && *aapSpec.ExternalApiUrl != "" {
+		authURL = *aapSpec.ExternalApiUrl
+	}
+
+	// AAP OAuth typically uses a default client ID or requires it to be configured
+	// Since the new spec doesn't include ClientId, we'll use a default or make it configurable
+	// For now, using a default client ID that AAP typically uses
+	clientId := "flightctl-ui"        // Default client ID for AAP
+	internalAuthURL := aapSpec.ApiUrl // Use internal URL for token exchange
+
 	tlsConfig, err := bridge.GetAuthTlsConfig()
 	if err != nil {
 		return nil, err
 	}
 
-	client, err := getClient(authURL, tlsConfig)
+	client, err := getClient(authURL, tlsConfig, clientId)
 	if err != nil {
 		return nil, err
 	}
@@ -63,24 +85,33 @@ func getAAPAuthHandler(authURL string, internalAuthURL *string) (*AAPAuthHandler
 		internalClient:  client,
 		tlsConfig:       tlsConfig,
 		authURL:         authURL,
-		internalAuthURL: authURL,
+		tokenURL:        fmt.Sprintf("%s/o/token/", internalAuthURL),
+		internalAuthURL: internalAuthURL,
+		clientId:        clientId,
+		providerName:    providerName,
 	}
 
-	if internalAuthURL != nil {
-		internalClient, err := getClient(*internalAuthURL, tlsConfig)
+	// If we have both external and internal URLs, create separate clients
+	if aapSpec.ExternalApiUrl != nil && *aapSpec.ExternalApiUrl != "" && *aapSpec.ExternalApiUrl != aapSpec.ApiUrl {
+		internalClient, err := getClient(internalAuthURL, tlsConfig, clientId)
 		if err != nil {
 			return nil, err
 		}
 		handler.internalClient = internalClient
-		handler.internalAuthURL = *internalAuthURL
+		handler.tokenURL = fmt.Sprintf("%s/o/token/", internalAuthURL)
 	}
 
 	return handler, nil
 }
 
-func getClient(url string, tlsConfig *tls.Config) (*osincli.Client, error) {
+func getClient(url string, tlsConfig *tls.Config, clientId string) (*osincli.Client, error) {
+	// Use provided clientId, require it to be non-empty
+	if clientId == "" {
+		return nil, fmt.Errorf("clientId is required for AAP provider")
+	}
+
 	oidcClientConfig := &osincli.ClientConfig{
-		ClientId:                 config.AuthClientId,
+		ClientId:                 clientId,
 		AuthorizeUrl:             fmt.Sprintf("%s/o/authorize/", url),
 		TokenUrl:                 fmt.Sprintf("%s/o/token/", url),
 		RedirectUrl:              config.BaseUiUrl + "/callback",
@@ -104,37 +135,20 @@ func getClient(url string, tlsConfig *tls.Config) (*osincli.Client, error) {
 }
 
 func (a *AAPAuthHandler) GetToken(loginParams LoginParameters) (TokenData, *int64, error) {
-	return exchangeToken(loginParams, a.internalClient)
+	// UI proxy uses PKCE only - client_secret is not used
+	return exchangeToken(loginParams, a.internalClient, a.tokenURL, a.clientId, config.BaseUiUrl+"/callback")
 }
 
-func (a *AAPAuthHandler) GetUserInfo(token string) (string, *http.Response, error) {
-	userInfoEndpoint := fmt.Sprintf("%s/api/gateway/v1/me/", a.internalAuthURL)
-	body, resp, err := getUserInfo(token, a.tlsConfig, a.authURL, userInfoEndpoint)
-
-	if err != nil {
-		log.GetLogger().WithError(err).Warn("Failed to get user info")
-		return "", resp, err
-	}
-
-	if body != nil {
-		userInfo := AAPUserInfo{}
-		if err := json.Unmarshal(*body, &userInfo); err != nil {
-			log.GetLogger().WithError(err).Warn("Failed to unmarshal user info")
-			return "", resp, err
-		}
-
-		if len(userInfo.Results) == 0 {
-			log.GetLogger().Warn("No user results available")
-			return "", resp, fmt.Errorf("no user available")
-		}
-		return userInfo.Results[0].Username, resp, nil
+func (a *AAPAuthHandler) GetUserInfo(tokenData TokenData) (string, *http.Response, error) {
+	resp := &http.Response{
+		StatusCode: http.StatusInternalServerError,
 	}
-	return "", resp, nil
+	return "", resp, fmt.Errorf("User information should be retrieved through the flightctl API")
 }
 
 func (a *AAPAuthHandler) Logout(token string) (string, error) {
 	data := url.Values{}
-	data.Set("client_id", config.AuthClientId)
+	data.Set("client_id", a.clientId)
 	data.Set("token", token)
 
 	httpClient := http.Client{
@@ -162,6 +176,6 @@ func (a *AAPAuthHandler) RefreshToken(refreshToken string) (TokenData, *int64, e
 	return refreshOAuthToken(refreshToken, a.internalClient)
 }
 
-func (a *AAPAuthHandler) GetLoginRedirectURL() string {
-	return loginRedirect(a.client)
+func (a *AAPAuthHandler) GetLoginRedirectURL(codeChallenge string, codeVerifier string) string {
+	return loginRedirect(a.client, a.providerName, codeChallenge, codeVerifier)
 }
diff --git a/proxy/auth/api_client.go b/proxy/auth/api_client.go
new file mode 100644
index 000000000..5ebb1e11c
--- /dev/null
+++ b/proxy/auth/api_client.go
@@ -0,0 +1,219 @@
+package auth
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/flightctl/flightctl-ui/config"
+	"github.com/flightctl/flightctl-ui/log"
+	"github.com/flightctl/flightctl/api/v1alpha1"
+)
+
+// k8s service account prefix
+const k8sServiceAccountPrefix = "system:serviceaccount:"
+
+// exchangeTokenWithApiServer allows us to perform the token exchange through the Flight Control API
+func exchangeTokenWithApiServer(apiTlsConfig *tls.Config, providerName string, tokenReq *v1alpha1.TokenRequest) (*v1alpha1.TokenResponse, error) {
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: apiTlsConfig,
+		},
+		Timeout: 30 * time.Second,
+	}
+
+	tokenURL := config.FctlApiUrl + "/api/v1/auth/" + providerName + "/token"
+
+	// Marshal request body
+	reqBody, err := json.Marshal(tokenReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal token request: %w", err)
+	}
+
+	req, err := http.NewRequest(http.MethodPost, tokenURL, bytes.NewReader(reqBody))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create token request: %w", err)
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "application/json")
+
+	// Log request details
+	log.GetLogger().Infof("API server token request: method=%s, url=%s, grant_type=%s, provider_name=%s, client_id=%s, body=%s", req.Method, req.URL.String(), tokenReq.GrantType, providerName, tokenReq.ClientId, string(reqBody))
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to call API server token endpoint: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read token response: %w", err)
+	}
+
+	// Log API server response for debugging
+	log.GetLogger().Infof("API server token response: status=%d, content-type=%s, body=%s", resp.StatusCode, resp.Header.Get("Content-Type"), string(body))
+
+	// Check HTTP status code first before trying to parse JSON
+	if resp.StatusCode == http.StatusTeapot {
+		// 418 indicates auth not configured
+		return nil, fmt.Errorf("auth not configured")
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		// Try to parse as JSON first (OAuth2 errors are usually JSON)
+		var tokenResp v1alpha1.TokenResponse
+		if err := json.Unmarshal(body, &tokenResp); err == nil {
+			// Successfully parsed as JSON, check for OAuth2 error fields
+			if tokenResp.Error != nil {
+				errorDesc := ""
+				if tokenResp.ErrorDescription != nil {
+					errorDesc = *tokenResp.ErrorDescription
+				}
+				return &tokenResp, fmt.Errorf("oauth2 error: %s - %s", *tokenResp.Error, errorDesc)
+			}
+			return &tokenResp, fmt.Errorf("API server returned status %d", resp.StatusCode)
+		}
+		// Not JSON, return the plain text error
+		return nil, fmt.Errorf("API server returned status %d: %s", resp.StatusCode, string(body))
+	}
+
+	// Status is OK, parse as JSON
+	var tokenResp v1alpha1.TokenResponse
+	if err := json.Unmarshal(body, &tokenResp); err != nil {
+		return nil, fmt.Errorf("failed to parse API server token response: %w (body: %s)", err, string(body))
+	}
+
+	// Check for errors in response (even with 200 status)
+	if tokenResp.Error != nil {
+		errorDesc := ""
+		if tokenResp.ErrorDescription != nil {
+			errorDesc = *tokenResp.ErrorDescription
+		}
+		return &tokenResp, fmt.Errorf("oauth2 error: %s - %s", *tokenResp.Error, errorDesc)
+	}
+
+	return &tokenResp, nil
+}
+
+// getUserInfoFromApiServer allows us to get the user info from the Flight Control API
+func getUserInfoFromApiServer(apiTlsConfig *tls.Config, token string) (string, error) {
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: apiTlsConfig,
+		},
+		Timeout: 30 * time.Second,
+	}
+
+	userInfoURL := config.FctlApiUrl + "/api/v1/auth/userinfo"
+
+	req, err := http.NewRequest(http.MethodGet, userInfoURL, nil)
+	if err != nil {
+		return "", fmt.Errorf("failed to create userinfo request: %w", err)
+	}
+
+	req.Header.Set("Authorization", "Bearer "+token)
+	req.Header.Set("Accept", "application/json")
+
+	// Log request details including Authorization header preview
+	authHeader := req.Header.Get("Authorization")
+	authHeaderPreview := ""
+	if len(authHeader) > 60 {
+		authHeaderPreview = authHeader[:60] + "..."
+	} else {
+		authHeaderPreview = authHeader
+	}
+	log.GetLogger().Infof("Backend userinfo request: method=%s, url=%s, token_length=%d, auth_header_preview=%s",
+		req.Method, req.URL.String(), len(token), authHeaderPreview)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("failed to call backend userinfo endpoint: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", fmt.Errorf("failed to read userinfo response: %w", err)
+	}
+
+	// Log backend response for debugging
+	log.GetLogger().Infof("Backend userinfo response: status=%d, content-type=%s, body=%s", resp.StatusCode, resp.Header.Get("Content-Type"), string(body))
+
+	// Check HTTP status code first before trying to parse JSON
+	if resp.StatusCode == http.StatusTeapot {
+		// 418 indicates auth not configured
+		return "", fmt.Errorf("auth not configured")
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		// Try to parse as JSON first
+		var userInfoResp v1alpha1.UserInfoResponse
+		if err := json.Unmarshal(body, &userInfoResp); err == nil {
+			// Successfully parsed as JSON, check for error field
+			if userInfoResp.Error != nil {
+				return "", fmt.Errorf("userinfo error: %s", *userInfoResp.Error)
+			}
+			return "", fmt.Errorf("backend returned status %d", resp.StatusCode)
+		}
+		// Not JSON, return the plain text error
+		return "", fmt.Errorf("backend returned status %d: %s", resp.StatusCode, string(body))
+	}
+
+	// Status is OK, parse as JSON
+	var userInfoResp v1alpha1.UserInfoResponse
+	if err := json.Unmarshal(body, &userInfoResp); err != nil {
+		return "", fmt.Errorf("failed to parse userinfo response: %w (body: %s)", err, string(body))
+	}
+
+	// Check for errors in response (even with 200 status)
+	if userInfoResp.Error != nil {
+		return "", fmt.Errorf("userinfo error: %s", *userInfoResp.Error)
+	}
+
+	// Extract and strip the k8s service account prefix from preferred_username if present
+	if userInfoResp.PreferredUsername == nil {
+		return "", fmt.Errorf("userinfo response missing preferred_username")
+	}
+
+	username := *userInfoResp.PreferredUsername
+	if strings.HasPrefix(username, k8sServiceAccountPrefix) {
+		username = strings.TrimPrefix(username, k8sServiceAccountPrefix)
+	}
+
+	return username, nil
+}
+
+// convertTokenResponseToTokenData converts TokenResponse to proxy TokenData
+func convertTokenResponseToTokenData(tokenResp *v1alpha1.TokenResponse, providerName string) (TokenData, *int64) {
+	tokenData := TokenData{
+		Provider: providerName,
+	}
+
+	if tokenResp.AccessToken != nil {
+		tokenData.AccessToken = *tokenResp.AccessToken
+		// For OIDC, if we don't have a separate id_token, use access_token as IDToken
+		// The API server will return id_token in access_token field for OIDC if needed
+		// For now, we'll set both - GetAuthToken() will prefer IDToken if present
+		tokenData.IDToken = *tokenResp.AccessToken
+	}
+
+	if tokenResp.RefreshToken != nil {
+		tokenData.RefreshToken = *tokenResp.RefreshToken
+	}
+
+	var expiresIn *int64
+	if tokenResp.ExpiresIn != nil {
+		// Convert from *int to *int64
+		expiresInVal := int64(*tokenResp.ExpiresIn)
+		expiresIn = &expiresInVal
+	}
+
+	return tokenData, expiresIn
+}
diff --git a/proxy/auth/auth.go b/proxy/auth/auth.go
index a2d7836c0..7fec11a25 100644
--- a/proxy/auth/auth.go
+++ b/proxy/auth/auth.go
@@ -25,12 +25,16 @@ type RedirectResponse struct {
 }
 
 type AuthHandler struct {
-	provider AuthProvider
+	provider       AuthProvider
+	apiTlsConfig   *tls.Config
+	authConfigData *v1alpha1.AuthConfig
 }
 
 func NewAuth(apiTlsConfig *tls.Config) (*AuthHandler, error) {
-	auth := AuthHandler{}
-	authConfig, internalAuthUrl, err := getAuthInfo(apiTlsConfig)
+	auth := AuthHandler{
+		apiTlsConfig: apiTlsConfig,
+	}
+	authConfig, err := getAuthInfo(apiTlsConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -40,40 +44,245 @@ func NewAuth(apiTlsConfig *tls.Config) (*AuthHandler, error) {
 		return &auth, nil
 	}
 
-	providerType, authURL, err := extractProviderInfo(authConfig)
+	// Store the full auth config for later use
+	auth.authConfigData = authConfig
+
+	return &auth, nil
+}
+
+// findProviderConfig finds a provider config by name from the auth config
+func findProviderConfig(authConfig *v1alpha1.AuthConfig, providerName string) (*v1alpha1.AuthProvider, error) {
+	if authConfig == nil || authConfig.Providers == nil {
+		return nil, fmt.Errorf("no providers configured")
+	}
+
+	for i, pc := range *authConfig.Providers {
+		if pc.Metadata.Name != nil && *pc.Metadata.Name == providerName {
+			return &(*authConfig.Providers)[i], nil
+		}
+	}
+
+	return nil, fmt.Errorf("provider not found: %s", providerName)
+}
+
+// getProviderInstance creates a provider instance by fetching the latest auth config
+// Returns both the provider instance and the provider config to avoid duplicate API calls
+func (a *AuthHandler) getProviderInstance(providerName string) (AuthProvider, *v1alpha1.AuthProvider, error) {
+	authConfig, err := getAuthInfo(a.apiTlsConfig)
 	if err != nil {
-		return nil, err
+		return nil, nil, fmt.Errorf("failed to get auth config: %w", err)
 	}
 
-	switch providerType {
-	case "AAPGateway":
-		auth.provider, err = getAAPAuthHandler(authURL, internalAuthUrl)
-	case "OIDC":
-		auth.provider, err = getOIDCAuthHandler(authURL, internalAuthUrl)
-	case "k8s":
-		auth.provider, err = getK8sAuthHandler(authURL, internalAuthUrl)
+	providerConfig, err := findProviderConfig(authConfig, providerName)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Get the provider type from the spec discriminator
+	providerTypeStr, err := providerConfig.Spec.Discriminator()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to determine provider type for %s: %w", providerName, err)
+	}
+
+	// Create provider based on type
+	var provider AuthProvider
+
+	switch providerTypeStr {
+	case ProviderTypeOpenShift:
+		openshiftSpec, err := providerConfig.Spec.AsOpenShiftProviderSpec()
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to parse OpenShift provider spec for %s: %w", providerName, err)
+		}
+		openshiftHandler, err := getOpenShiftAuthHandlerFromSpec(providerConfig, &openshiftSpec)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to create OpenShift provider %s: %w", providerName, err)
+		}
+		provider = openshiftHandler
+	case ProviderTypeK8s:
+		k8sSpec, err := providerConfig.Spec.AsK8sProviderSpec()
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to parse K8s provider spec for %s: %w", providerName, err)
+		}
+		// This is regular k8s token auth
+		provider, err = getK8sAuthHandler(providerConfig, &k8sSpec)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to create K8s provider %s: %w", providerName, err)
+		}
+	case ProviderTypeOIDC:
+		oidcSpec, err := providerConfig.Spec.AsOIDCProviderSpec()
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to parse OIDC provider spec for %s: %w", providerName, err)
+		}
+		oidcHandler, err := getOIDCAuthHandler(providerConfig, &oidcSpec)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to create OIDC provider %s: %w", providerName, err)
+		}
+		provider = oidcHandler
+	case ProviderTypeAAP:
+		aapSpec, err := providerConfig.Spec.AsAapProviderSpec()
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to parse AAP provider spec for %s: %w", providerName, err)
+		}
+		aapHandler, err := getAAPAuthHandler(providerConfig, &aapSpec)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to create AAP provider %s: %w", providerName, err)
+		}
+		provider = aapHandler
+	case ProviderTypeOAuth2:
+		oauth2Spec, err := providerConfig.Spec.AsOAuth2ProviderSpec()
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to parse OAuth2 provider spec for %s: %w", providerName, err)
+		}
+		oauth2Handler, err := getOAuth2AuthHandler(providerConfig, &oauth2Spec)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to create OAuth2 provider %s: %w", providerName, err)
+		}
+		provider = oauth2Handler
 	default:
-		err = fmt.Errorf("unknown auth type: %s", providerType)
+		return nil, nil, fmt.Errorf("unknown provider type: %s for provider: %s", providerTypeStr, providerName)
 	}
-	return &auth, err
+
+	return provider, providerConfig, nil
+}
+
+// getClientIdFromProviderConfig extracts the client_id from a provider config
+func getClientIdFromProviderConfig(providerConfig *v1alpha1.AuthProvider) (string, error) {
+	providerTypeStr, err := providerConfig.Spec.Discriminator()
+	if err != nil {
+		return "", fmt.Errorf("failed to determine provider type: %w", err)
+	}
+
+	switch providerTypeStr {
+	case ProviderTypeOIDC:
+		oidcSpec, err := providerConfig.Spec.AsOIDCProviderSpec()
+		if err != nil {
+			return "", fmt.Errorf("failed to parse OIDC provider spec: %w", err)
+		}
+		return oidcSpec.ClientId, nil
+	case ProviderTypeOAuth2:
+		oauth2Spec, err := providerConfig.Spec.AsOAuth2ProviderSpec()
+		if err != nil {
+			return "", fmt.Errorf("failed to parse OAuth2 provider spec: %w", err)
+		}
+		return oauth2Spec.ClientId, nil
+	case ProviderTypeAAP:
+		return "", fmt.Errorf("AAP providers client_id needs to be retrieved")
+	case ProviderTypeOpenShift:
+		openshiftSpec, err := providerConfig.Spec.AsOpenShiftProviderSpec()
+		if err != nil {
+			return "", fmt.Errorf("failed to parse OpenShift provider spec: %w", err)
+		}
+		if openshiftSpec.ClientId == nil || *openshiftSpec.ClientId == "" {
+			return "", fmt.Errorf("OpenShift provider missing required ClientId")
+		}
+		return *openshiftSpec.ClientId, nil
+	case ProviderTypeK8s:
+		// Regular K8s token providers don't use this endpoint
+		return "", fmt.Errorf("K8s token providers don't use token exchange endpoint")
+	default:
+		return "", fmt.Errorf("unknown provider type: %s", providerTypeStr)
+	}
+}
+
+// isProviderWithCustomerToken determines if a provider uses customer-provided tokens (K8s)
+// Returns true for K8s token providers (they use direct validation)
+// Returns false for OIDC, OAuth2, AAP, and OpenShift providers (they use backend BFF)
+func isProviderWithCustomerToken(provider AuthProvider) bool {
+	// K8s token providers use direct validation, not OAuth2 flow
+	if _, ok := provider.(*TokenAuthProvider); ok {
+		return true
+	}
+	// All other providers (OIDC, OAuth2, AAP, OpenShift) use backend BFF
+	return false
 }
 
 func (a AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
-	if a.provider == nil {
+	// Check if auth is completely disabled (no config at all)
+	if a.authConfigData == nil {
 		w.WriteHeader(http.StatusTeapot)
 		return
 	}
-	if r.Method == http.MethodPost {
-		body, err := io.ReadAll(r.Body)
+
+	// For GET requests, extract provider from query parameter
+	var provider AuthProvider
+	var err error
+	if r.Method == http.MethodGet {
+		providerName := r.URL.Query().Get("provider")
+		if providerName == "" {
+			respondWithError(w, http.StatusBadRequest, "provider query parameter is required")
+			return
+		}
+
+		provider, _, err = a.getProviderInstance(providerName)
 		if err != nil {
-			log.GetLogger().WithError(err).Warn("Failed to read request body")
-			w.WriteHeader(http.StatusBadRequest)
+			log.GetLogger().WithError(err).Warnf("Could not find provider: %s", providerName)
+			respondWithError(w, http.StatusBadRequest, fmt.Sprintf("Invalid authentication provider: %s", providerName))
+			return
+		}
+
+		// Check if this is a token-based auth provider (k8s) - token providers don't use PKCE flow
+		if _, ok := provider.(*TokenAuthProvider); ok {
+			// Token providers don't need a redirect URL - they handle login via POST with token
+			loginUrl := provider.GetLoginRedirectURL("", "")
+			response, err := json.Marshal(RedirectResponse{Url: loginUrl})
+			if err != nil {
+				log.GetLogger().WithError(err).Warn("Failed to marshal response")
+				w.WriteHeader(http.StatusInternalServerError)
+				return
+			}
+			if _, err := w.Write(response); err != nil {
+				log.GetLogger().WithError(err).Warn("Failed to write response")
+			}
+			return
+		}
+
+		// Generate PKCE parameters (code verifier and challenge)
+		// PKCE is required - fail if generation fails
+		codeVerifier, err := generateCodeVerifier()
+		if err != nil {
+			log.GetLogger().WithError(err).Error("Failed to generate PKCE code verifier - PKCE is required")
+			respondWithError(w, http.StatusInternalServerError, "Failed to initialize PKCE authentication flow")
+			return
+		}
+
+		codeChallenge := generateCodeChallenge(codeVerifier)
+
+		// Store code verifier in cookie for later use during token exchange
+		setPKCEVerifierCookie(w, providerName, codeVerifier)
+
+		// Also encode code_verifier in state parameter as fallback if cookie fails
+		loginUrl := provider.GetLoginRedirectURL(codeChallenge, codeVerifier)
+		response, err := json.Marshal(RedirectResponse{Url: loginUrl})
+		if err != nil {
+			log.GetLogger().WithError(err).Warn("Failed to marshal response")
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		if _, err := w.Write(response); err != nil {
+			log.GetLogger().WithError(err).Warn("Failed to write response")
+		}
+	} else if r.Method == http.MethodPost {
+		// For POST requests (OAuth callback), extract provider from query parameter
+		providerName := r.URL.Query().Get("provider")
+		log.GetLogger().Infof("Provider name: %s", providerName)
+		if providerName == "" {
+			respondWithError(w, http.StatusBadRequest, "provider query parameter is required")
+			return
+		}
+
+		var providerConfig *v1alpha1.AuthProvider
+		provider, providerConfig, err = a.getProviderInstance(providerName)
+		if err != nil {
+			log.GetLogger().WithError(err).Warnf("Could not find provider: %s", providerName)
+			respondWithError(w, http.StatusBadRequest, fmt.Sprintf("Invalid authentication provider: %s", providerName))
 			return
 		}
 
-		// Check if this is a token-based auth provider (k8s)
-		if tokenProvider, ok := a.provider.(*TokenAuthProvider); ok {
+		// Check if this is a token-based auth provider (K8s)
+		if isProviderWithCustomerToken(provider) {
+			tokenProvider := provider.(*TokenAuthProvider)
 			var loginParams TokenLoginParameters
+			body, err := io.ReadAll(r.Body)
 			err = json.Unmarshal(body, &loginParams)
 			if err != nil {
 				log.GetLogger().WithError(err).Warn("Failed to unmarshal request body")
@@ -92,11 +301,20 @@ func (a AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
 				respondWithError(w, http.StatusUnauthorized, err.Error())
 				return
 			}
+			// Store the provider name in the token data so we can route to it later
+			tokenData.Provider = providerName
 			respondWithToken(w, tokenData, expires)
 			return
 		}
 
-		// OAuth-based providers (OIDC, AAP)
+		// Flow for all providers except K8s token providers
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			log.GetLogger().WithError(err).Warn("Failed to read request body")
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+
 		loginParams := LoginParameters{}
 		err = json.Unmarshal(body, &loginParams)
 		if err != nil {
@@ -104,45 +322,143 @@ func (a AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusBadRequest)
 			return
 		}
-		tokenData, expires, err := a.provider.GetToken(loginParams)
-		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
+
+		// PKCE is required - retrieve code_verifier from cookie or state
+		if loginParams.CodeVerifier == "" {
+			// First try cookie
+			codeVerifier, err := getPKCEVerifierCookie(r, providerName)
+			if err != nil {
+				log.GetLogger().WithError(err).Warnf("Failed to get PKCE verifier from cookie for provider %s", providerName)
+			} else if codeVerifier != "" {
+				loginParams.CodeVerifier = codeVerifier
+				log.GetLogger().Infof("Retrieved PKCE verifier from cookie for provider %s", providerName)
+			} else {
+				// Fallback: try to extract from state parameter
+				state := r.URL.Query().Get("state")
+				if state != "" {
+					codeVerifier = extractCodeVerifierFromState(state, providerName)
+					if codeVerifier != "" {
+						loginParams.CodeVerifier = codeVerifier
+						log.GetLogger().Infof("Retrieved PKCE verifier from state parameter for provider %s", providerName)
+					}
+				}
+			}
+		}
+
+		// PKCE is required - fail if code_verifier is missing
+		if loginParams.CodeVerifier == "" {
+			log.GetLogger().Errorf("PKCE code_verifier is required but not available for provider %s", providerName)
+			respondWithError(w, http.StatusBadRequest, "PKCE code verifier is required but not found. Please restart the login flow.")
 			return
 		}
-		respondWithToken(w, tokenData, expires)
-	} else {
-		loginUrl := a.provider.GetLoginRedirectURL()
-		response, err := json.Marshal(RedirectResponse{Url: loginUrl})
+
+		// Clear PKCE verifier cookie after use (success or failure)
+		clearPKCEVerifierCookie(w, providerName)
+
+		clientId, err := getClientIdFromProviderConfig(providerConfig)
 		if err != nil {
-			log.GetLogger().WithError(err).Warn("Failed to marshal response")
-			w.WriteHeader(http.StatusInternalServerError)
+			log.GetLogger().WithError(err).Warnf("Failed to get client_id for provider %s", providerName)
+			respondWithError(w, http.StatusInternalServerError, "Failed to get client_id from provider configuration")
 			return
 		}
-		if _, err := w.Write(response); err != nil {
-			log.GetLogger().WithError(err).Warn("Failed to write response")
+
+		redirectURI := config.BaseUiUrl + "/callback"
+		tokenReq := &v1alpha1.TokenRequest{
+			GrantType:    v1alpha1.AuthorizationCode,
+			ClientId:     clientId,
+			Code:         &loginParams.Code,
+			CodeVerifier: &loginParams.CodeVerifier,
+			RedirectUri:  &redirectURI,
+		}
+
+		tokenResp, err := exchangeTokenWithApiServer(a.apiTlsConfig, providerName, tokenReq)
+		if err != nil {
+			log.GetLogger().WithError(err).Warn("Failed to exchange token with backend")
+			handleOAuthErrorResponse(w, tokenResp, "Failed to exchange authorization code for token")
+			return
 		}
+
+		tokenData, expiresIn := convertTokenResponseToTokenData(tokenResp, providerName)
+		respondWithToken(w, tokenData, expiresIn)
+	} else {
+		respondWithError(w, http.StatusMethodNotAllowed, "Method not allowed")
 	}
 }
 
 func (a AuthHandler) Refresh(w http.ResponseWriter, r *http.Request) {
-	if a.provider == nil {
+	if a.authConfigData == nil {
 		w.WriteHeader(http.StatusTeapot)
 		return
 	}
 	tokenData, err := ParseSessionCookie(r)
 	if err != nil {
-		clearCookie(w)
-		w.WriteHeader(http.StatusUnauthorized)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	// Check if provider is specified
+	if tokenData.Provider == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	// Get provider to determine routing
+	var providerConfig *v1alpha1.AuthProvider
+	provider, providerConfig, err := a.getProviderInstance(tokenData.Provider)
+	if err != nil {
+		log.GetLogger().WithError(err).Warnf("Failed to get provider: %s", tokenData.Provider)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	if isProviderWithCustomerToken(provider) {
+		// K8s token providers don't support refresh
+		w.WriteHeader(http.StatusBadRequest)
+		respondWithError(w, http.StatusBadRequest, "Token refresh not supported for K8s token providers")
+		return
+	}
+
+	if tokenData.RefreshToken == "" {
+		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
 
-	tokenData, expires, err := a.provider.RefreshToken(tokenData.RefreshToken)
+	clientId, err := getClientIdFromProviderConfig(providerConfig)
+	if err != nil {
+		log.GetLogger().WithError(err).Warnf("Failed to get client_id for provider %s", tokenData.Provider)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	tokenReq := &v1alpha1.TokenRequest{
+		GrantType:    v1alpha1.RefreshToken,
+		ClientId:     clientId,
+		RefreshToken: &tokenData.RefreshToken,
+	}
+
+	tokenResp, err := exchangeTokenWithApiServer(a.apiTlsConfig, tokenData.Provider, tokenReq)
 	if err != nil {
-		clearCookie(w)
-		w.WriteHeader(http.StatusUnauthorized)
+		log.GetLogger().WithError(err).Warn("Failed to refresh token with backend")
+		handleOAuthErrorResponse(w, tokenResp, "Failed to refresh token")
 		return
 	}
-	respondWithToken(w, tokenData, expires)
+
+	// Convert backend response to TokenData
+	newTokenData, expiresIn := convertTokenResponseToTokenData(tokenResp, tokenData.Provider)
+	respondWithToken(w, newTokenData, expiresIn)
+}
+
+// handleOAuthErrorResponse handles OAuth2 error responses from token exchange/refresh
+func handleOAuthErrorResponse(w http.ResponseWriter, tokenResp *v1alpha1.TokenResponse, defaultMessage string) {
+	if tokenResp != nil && tokenResp.Error != nil {
+		errorDesc := ""
+		if tokenResp.ErrorDescription != nil {
+			errorDesc = *tokenResp.ErrorDescription
+		}
+		respondWithError(w, http.StatusBadRequest, fmt.Sprintf("OAuth2 error: %s - %s", *tokenResp.Error, errorDesc))
+	} else {
+		respondWithError(w, http.StatusInternalServerError, defaultMessage)
+	}
 }
 
 func respondWithToken(w http.ResponseWriter, tokenData TokenData, expires *int64) {
@@ -162,36 +478,57 @@ func respondWithToken(w http.ResponseWriter, tokenData TokenData, expires *int64
 }
 
 func (a AuthHandler) GetUserInfo(w http.ResponseWriter, r *http.Request) {
-	if a.provider == nil {
+	// Check if auth is completely disabled (no config at all)
+	if a.authConfigData == nil {
 		w.WriteHeader(http.StatusTeapot)
 		return
 	}
 
-	token, err := getToken(r)
-	if token == "" || err != nil {
-		clearCookie(w)
-		w.WriteHeader(http.StatusUnauthorized)
+	// Get token and provider from session cookie
+	tokenData, err := ParseSessionCookie(r)
+	if err != nil {
+		clearSessionCookie(w, r)
+		respondWithError(w, http.StatusUnauthorized, "Invalid or missing session cookie")
+		return
+	}
+
+	// If no provider specified, clear the cookie and force a new login
+	if tokenData.Provider == "" {
+		clearSessionCookie(w, r)
+		respondWithError(w, http.StatusUnauthorized, "No authentication provider specified in session")
+		return
+	}
+
+	token := tokenData.GetAuthToken()
+	if token == "" {
+		log.GetLogger().Warn("No token found in session cookie")
+		clearSessionCookie(w, r)
+		respondWithError(w, http.StatusUnauthorized, "No authentication token found in session")
 		return
 	}
 
-	username, resp, err := a.provider.GetUserInfo(token)
+	// Route ALL providers to API server userinfo endpoint
+	username, err := getUserInfoFromApiServer(a.apiTlsConfig, token)
 	if err != nil {
-		log.GetLogger().WithError(err).Warn("Failed to get user info")
-		if resp != nil && resp.StatusCode == http.StatusUnauthorized {
-			clearCookie(w)
-			w.WriteHeader(http.StatusUnauthorized)
-		} else {
-			w.WriteHeader(http.StatusInternalServerError)
-		}
+		log.GetLogger().WithError(err).Warnf("Failed to get user info from API server for provider %s", tokenData.Provider)
+		// If user info retrieval fails (including timeouts), treat as authentication failure
+		clearSessionCookie(w, r)
+		respondWithError(w, http.StatusUnauthorized, fmt.Sprintf("Failed to get user info: %v", err))
 		return
 	}
-	if resp.StatusCode != http.StatusOK {
-		if resp.StatusCode == http.StatusUnauthorized {
-			clearCookie(w)
-		}
-		w.WriteHeader(resp.StatusCode)
+
+	if username == "" {
+		log.GetLogger().Warnf("API server userinfo returned empty username for provider %s", tokenData.Provider)
+		respondWithError(w, http.StatusInternalServerError, "User info response missing username")
 		return
 	}
+
+	log.GetLogger().Debugf("Successfully retrieved username '%s' from backend for provider %s", username, tokenData.Provider)
+	a.respondWithUserInfo(w, username)
+}
+
+// respondWithUserInfo is a helper to send the UserInfoResponse
+func (a AuthHandler) respondWithUserInfo(w http.ResponseWriter, username string) {
 	userInfo := UserInfoResponse{Username: username}
 	res, err := json.Marshal(userInfo)
 	if err != nil {
@@ -205,24 +542,45 @@ func (a AuthHandler) GetUserInfo(w http.ResponseWriter, r *http.Request) {
 }
 
 func (a AuthHandler) Logout(w http.ResponseWriter, r *http.Request) {
-	if a.provider == nil {
+	// Check if auth is completely disabled (no config at all)
+	if a.authConfigData == nil {
 		w.WriteHeader(http.StatusTeapot)
 		return
 	}
 
-	token, err := getToken(r)
-	if token == "" || err != nil {
-		w.WriteHeader(http.StatusUnauthorized)
+	// Get token and provider from session cookie
+	tokenData, err := ParseSessionCookie(r)
+	if err != nil {
+		// No valid session, but still clear cookies and return success
+		w.Header().Set("Clear-Site-Data", `"cookies"`)
+		response, _ := json.Marshal(RedirectResponse{})
+		w.Write(response)
 		return
 	}
 
-	redirectUrl, err := a.provider.Logout(token)
-	if err != nil {
-		log.GetLogger().WithError(err).Warn("Failed to logout")
-		w.WriteHeader(http.StatusInternalServerError)
-		return
+	var redirectUrl string
+
+	// If we have a provider, call its Logout method
+	if tokenData.Provider != "" {
+		authToken := tokenData.GetAuthToken()
+		if authToken == "" {
+			// No valid session, but still clear cookies and return success
+			w.Header().Set("Clear-Site-Data", `"cookies"`)
+			response, _ := json.Marshal(RedirectResponse{})
+			w.Write(response)
+			return
+		}
+
+		provider, _, err := a.getProviderInstance(tokenData.Provider)
+		if err == nil {
+			redirectUrl, err = provider.Logout(authToken)
+			if err != nil {
+				log.GetLogger().WithError(err).Warn("Failed to logout from provider")
+			}
+		}
 	}
 
+	// In any case, we proceed to clear the cookies
 	w.Header().Set("Clear-Site-Data", `"cookies"`)
 	redirectResp := RedirectResponse{}
 	if redirectUrl != "" {
@@ -239,7 +597,7 @@ func (a AuthHandler) Logout(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func getAuthInfo(apiTlsConfig *tls.Config) (*v1alpha1.AuthConfig, *string, error) {
+func getAuthInfo(apiTlsConfig *tls.Config) (*v1alpha1.AuthConfig, error) {
 	client := &http.Client{Transport: &http.Transport{
 		TLSClientConfig: apiTlsConfig,
 	}}
@@ -248,117 +606,32 @@ func getAuthInfo(apiTlsConfig *tls.Config) (*v1alpha1.AuthConfig, *string, error
 	req, err := http.NewRequest(http.MethodGet, authConfigUrl, nil)
 	if err != nil {
 		log.GetLogger().WithError(err).Warn("Could not create request")
-		return nil, nil, err
+		return nil, err
 	}
 
 	resp, err := client.Do(req)
 	if err != nil {
 		log.GetLogger().WithError(err).Warn("Failed to get auth config")
-		return nil, nil, err
+		return nil, err
 	}
 
 	if resp.StatusCode == http.StatusTeapot {
-		return nil, nil, nil
+		return nil, nil
 	}
 
 	defer resp.Body.Close()
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		log.GetLogger().WithError(err).Warn("Failed to read terminal session response")
-		return nil, nil, err
+		return nil, err
 	}
 
 	authConfig := &v1alpha1.AuthConfig{}
 	err = json.Unmarshal(body, authConfig)
 	if err != nil {
 		log.GetLogger().WithError(err).Warn("Failed to unmarshal auth config")
-		return nil, nil, err
-	}
-
-	if config.InternalAuthUrl == "" {
-		return authConfig, nil, nil
-	}
-	return authConfig, &config.InternalAuthUrl, nil
-}
-
-// extractProviderInfo extracts the provider type and URL from the default provider in AuthConfig.
-// It currently only handles the provider marked as the default one.
-func extractProviderInfo(authConfig *v1alpha1.AuthConfig) (string, string, error) {
-	if authConfig.DefaultProvider == nil || *authConfig.DefaultProvider == "" {
-		return "", "", fmt.Errorf("no default provider specified")
-	}
-
-	if authConfig.Providers == nil || len(*authConfig.Providers) == 0 {
-		return "", "", fmt.Errorf("no auth providers configured")
-	}
-
-	// Find the default provider by name
-	var defaultProvider *v1alpha1.AuthProvider
-	for i := range *authConfig.Providers {
-		provider := &(*authConfig.Providers)[i]
-		if provider.Metadata.Name != nil && *provider.Metadata.Name == *authConfig.DefaultProvider {
-			defaultProvider = provider
-			break
-		}
-	}
-
-	if defaultProvider == nil {
-		return "", "", fmt.Errorf("default provider '%s' not found in providers list", *authConfig.DefaultProvider)
-	}
-
-	// Extract provider type and URL based on the provider spec
-	// We only need the discriminator and URL fields, so we parse the union JSON directly
-	discriminator, err := defaultProvider.Spec.Discriminator()
-	if err != nil {
-		return "", "", fmt.Errorf("failed to determine provider type: %w", err)
-	}
-
-	var providerType string
-	var authURL string
-
-	// Parse only the fields we need from the spec union
-	// Marshal the spec to get the raw JSON, then unmarshal into a map
-	specJSON, err := json.Marshal(defaultProvider.Spec)
-	if err != nil {
-		return "", "", fmt.Errorf("failed to marshal provider spec: %w", err)
-	}
-	var specMap map[string]interface{}
-	if err := json.Unmarshal(specJSON, &specMap); err != nil {
-		return "", "", fmt.Errorf("failed to parse provider spec: %w", err)
-	}
-
-	switch discriminator {
-	case "oidc":
-		providerType = "OIDC"
-		if issuer, ok := specMap["issuer"].(string); ok {
-			authURL = issuer
-		} else {
-			return "", "", fmt.Errorf("issuer not found in OIDC provider spec")
-		}
-	case "aap":
-		providerType = "AAPGateway"
-		// Prefer external URL if available, otherwise use internal API URL
-		if extURL, ok := specMap["externalApiUrl"].(string); ok && extURL != "" {
-			authURL = extURL
-		} else if apiURL, ok := specMap["apiUrl"].(string); ok {
-			authURL = apiURL
-		} else {
-			return "", "", fmt.Errorf("apiUrl not found in AAP provider spec")
-		}
-	case "k8s":
-		providerType = "k8s"
-		if apiURL, ok := specMap["apiUrl"].(string); ok {
-			authURL = apiURL
-		} else {
-			return "", "", fmt.Errorf("apiUrl not found in K8s provider spec")
-		}
-	default:
-		return "", "", fmt.Errorf("unsupported provider type: %s", discriminator)
-	}
-
-	if authURL == "" {
-		return "", "", fmt.Errorf("auth URL not found for provider type: %s", discriminator)
+		return nil, err
 	}
 
-	return providerType, authURL, nil
+	return authConfig, nil
 }
diff --git a/proxy/auth/common.go b/proxy/auth/common.go
index 7d7924e48..637ebfdeb 100644
--- a/proxy/auth/common.go
+++ b/proxy/auth/common.go
@@ -1,36 +1,78 @@
 package auth
 
 import (
+	"crypto/rand"
+	"crypto/sha256"
 	"crypto/tls"
 	b64 "encoding/base64"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
+	"reflect"
+	"strconv"
 	"strings"
 
 	"github.com/flightctl/flightctl-ui/common"
 	"github.com/flightctl/flightctl-ui/config"
 	"github.com/flightctl/flightctl-ui/log"
+	"github.com/flightctl/flightctl/api/v1alpha1"
+	"github.com/openshift/osincli"
+)
+
+// Provider type constants - use backend constants instead of hardcoding
+var (
+	ProviderTypeK8s       = string(v1alpha1.K8s)
+	ProviderTypeOIDC      = string(v1alpha1.Oidc)
+	ProviderTypeAAP       = string(v1alpha1.Aap)
+	ProviderTypeOAuth2    = string(v1alpha1.Oauth2)
+	ProviderTypeOpenShift = string(v1alpha1.Openshift)
+)
+
+// Default claim constants
+const (
+	DefaultUsernameClaim = "preferred_username"
+	DefaultRoleClaim     = "roles"
 )
 
 type TokenData struct {
-	Token        string `json:"token"`
+	// IDToken (JWT token)
+	//   - OIDC: Used for API authentication
+	//   - K8s: Used for API authentication and GetUserInfo
+	//   - OAuth2/AAP: Not used
+	IDToken string `json:"idToken"`
+
+	// AccessToken (opaque token)
+	//   - OIDC: Used for GetUserInfo endpoint
+	//   - OAuth2/AAP: Used for API authentication and GetUserInfo
+	//   - K8s: Not used
+	AccessToken string `json:"accessToken"`
+
 	RefreshToken string `json:"refreshToken"`
 	Provider     string `json:"provider,omitempty"`
 }
 
+// GetAuthToken returns the token to use for API authentication.
+func (t TokenData) GetAuthToken() string {
+	if t.IDToken != "" {
+		return t.IDToken
+	}
+	return t.AccessToken
+}
+
 type LoginParameters struct {
-	Code string `json:"code"`
+	Code         string `json:"code"`
+	CodeVerifier string `json:"codeVerifier,omitempty"` // Optional, will be retrieved from cookie if not provided
 }
 
 type AuthProvider interface {
 	GetToken(loginParams LoginParameters) (TokenData, *int64, error)
-	GetUserInfo(token string) (string, *http.Response, error)
+	GetUserInfo(tokenData TokenData) (string, *http.Response, error)
 	RefreshToken(refreshToken string) (TokenData, *int64, error)
 	Logout(token string) (string, error)
-	GetLoginRedirectURL() string
+	GetLoginRedirectURL(codeChallenge string, codeVerifier string) string
 }
 
 func setCookie(w http.ResponseWriter, value TokenData) error {
@@ -50,35 +92,30 @@ func setCookie(w http.ResponseWriter, value TokenData) error {
 	return nil
 }
 
-func clearCookie(w http.ResponseWriter) {
-	cookie := http.Cookie{
-		Name:     common.CookieSessionName,
-		Value:    "",
-		Secure:   config.TlsCertPath != "",
-		HttpOnly: true,
-		SameSite: http.SameSiteStrictMode,
-		Path:     "/",
-		MaxAge:   -1,
-	}
-	http.SetCookie(w, &cookie)
-}
-
 func ParseSessionCookie(r *http.Request) (TokenData, error) {
 	tokenData := TokenData{}
 	cookie, err := r.Cookie(common.CookieSessionName)
 	if err != nil && !errors.Is(err, http.ErrNoCookie) {
+		log.GetLogger().Debugf("Error getting session cookie: %v", err)
 		return tokenData, err
 	}
 
 	if cookie != nil {
 		val, err := b64.StdEncoding.DecodeString(cookie.Value)
 		if err != nil {
+			log.GetLogger().Debugf("Error decoding session cookie: %v", err)
 			return tokenData, err
 		}
 
 		err = json.Unmarshal(val, &tokenData)
+		if err != nil {
+			log.GetLogger().Debugf("Error unmarshaling session cookie: %v", err)
+			return tokenData, err
+		}
+		log.GetLogger().Debugf("Parsed session cookie (provider: %s, id token length: %d, access token length: %d)", tokenData.Provider, len(tokenData.IDToken), len(tokenData.AccessToken))
 		return tokenData, err
 	}
+	log.GetLogger().Debug("No session cookie found in request")
 	return tokenData, nil
 }
 
@@ -149,3 +186,602 @@ func respondWithError(w http.ResponseWriter, statusCode int, message string) {
 		log.GetLogger().WithError(err).Warn("Failed to write error response")
 	}
 }
+
+// exchangeToken exchanges an authorization code for an access token
+// PKCE is required - code_verifier must be present. The function extracts the token URL
+// and TLS config from the osincli client and manually constructs the token exchange request
+// with PKCE parameters.
+// If tokenURL, clientID, and redirectURI are provided, they will be used instead of reflection.
+func exchangeToken(loginParams LoginParameters, client *osincli.Client, tokenURL string, clientID string, redirectURI string) (TokenData, *int64, error) {
+	// PKCE is required - fail if code_verifier is missing
+	if loginParams.CodeVerifier == "" {
+		return TokenData{}, nil, fmt.Errorf("PKCE code_verifier is required but not provided")
+	}
+
+	// Manually construct the token request with PKCE parameters
+	// Use provided config values if available, otherwise extract from client using reflection
+	var configValue reflect.Value
+	if tokenURL == "" || clientID == "" || redirectURI == "" {
+		// Extract token URL from client config using reflection
+		// osincli.Client.Config is not exported, so we use reflection to access it
+		clientValue := reflect.ValueOf(client)
+		if clientValue.Kind() == reflect.Ptr {
+			if clientValue.IsNil() {
+				return TokenData{}, nil, fmt.Errorf("client is nil")
+			}
+			clientValue = clientValue.Elem()
+		}
+
+		configField := clientValue.FieldByName("Config")
+		if !configField.IsValid() {
+			// Try alternative field names (in case the structure changed)
+			configField = clientValue.FieldByName("config")
+			if !configField.IsValid() {
+				// Log available fields for debugging
+				fieldNames := make([]string, 0, clientValue.NumField())
+				for i := 0; i < clientValue.NumField(); i++ {
+					fieldNames = append(fieldNames, clientValue.Type().Field(i).Name)
+				}
+				log.GetLogger().Warnf("Failed to find Config field in osincli.Client. Available fields: %v", fieldNames)
+				return TokenData{}, nil, fmt.Errorf("failed to access client config for PKCE flow: Config field not found")
+			}
+		}
+
+		// Handle both pointer and non-pointer Config field
+		configValue = configField
+		if configField.Kind() == reflect.Ptr {
+			if configField.IsNil() {
+				return TokenData{}, nil, fmt.Errorf("client config is nil")
+			}
+			configValue = configField.Elem()
+		}
+
+		if tokenURL == "" {
+			tokenURLField := configValue.FieldByName("TokenUrl")
+			if !tokenURLField.IsValid() {
+				// Try alternative field name
+				tokenURLField = configValue.FieldByName("tokenUrl")
+				if !tokenURLField.IsValid() {
+					return TokenData{}, nil, fmt.Errorf("failed to access token URL from client config for PKCE flow")
+				}
+			}
+			tokenURL = tokenURLField.String()
+		}
+
+		if clientID == "" {
+			// Extract client ID from config
+			clientIDField := configValue.FieldByName("ClientId")
+			if !clientIDField.IsValid() {
+				// Try alternative field name
+				clientIDField = configValue.FieldByName("clientId")
+				if !clientIDField.IsValid() {
+					return TokenData{}, nil, fmt.Errorf("failed to access client ID from client config for PKCE flow")
+				}
+			}
+			clientID = clientIDField.String()
+		}
+
+		if redirectURI == "" {
+			// Extract redirect URI from config
+			redirectURIField := configValue.FieldByName("RedirectUrl")
+			if !redirectURIField.IsValid() {
+				// Try alternative field name
+				redirectURIField = configValue.FieldByName("redirectUrl")
+				if !redirectURIField.IsValid() {
+					return TokenData{}, nil, fmt.Errorf("failed to access redirect URI from client config for PKCE flow")
+				}
+			}
+			redirectURI = redirectURIField.String()
+		}
+	}
+
+	// Extract TLS config from client's Transport
+	var tlsConfig *tls.Config
+	if client.Transport != nil {
+		transportValue := reflect.ValueOf(client.Transport)
+		// Handle both *http.Transport and wrapped transports (like AAPRoundTripper)
+		if transportValue.Kind() == reflect.Ptr {
+			transportValue = transportValue.Elem()
+		}
+		// Check if it's an http.Transport or has a Transport field (for wrapped transports)
+		tlsConfigField := transportValue.FieldByName("TLSClientConfig")
+		if tlsConfigField.IsValid() && tlsConfigField.Kind() == reflect.Ptr {
+			if !tlsConfigField.IsNil() {
+				tlsConfig = tlsConfigField.Interface().(*tls.Config)
+			}
+		} else {
+			// Try to get Transport field for wrapped transports
+			transportField := transportValue.FieldByName("Transport")
+			if transportField.IsValid() {
+				nestedTransport := transportField.Interface()
+				nestedValue := reflect.ValueOf(nestedTransport)
+				if nestedValue.Kind() == reflect.Ptr {
+					nestedValue = nestedValue.Elem()
+				}
+				tlsConfigField = nestedValue.FieldByName("TLSClientConfig")
+				if tlsConfigField.IsValid() && tlsConfigField.Kind() == reflect.Ptr {
+					if !tlsConfigField.IsNil() {
+						tlsConfig = tlsConfigField.Interface().(*tls.Config)
+					}
+				}
+			}
+		}
+	}
+
+	// Manually construct the token exchange request with PKCE parameters
+	ret := TokenData{}
+
+	// Prepare form data for token request
+	data := url.Values{}
+	data.Set("grant_type", "authorization_code")
+	data.Set("code", loginParams.Code)
+	data.Set("code_verifier", loginParams.CodeVerifier)
+	data.Set("client_id", clientID)
+	data.Set("redirect_uri", redirectURI)
+
+	// Log the exact request being sent (without sensitive code/verifier values)
+	log.GetLogger().Infof("Token exchange request (PKCE): grant_type=authorization_code, client_id=%s, redirect_uri=%s, code_verifier length=%d, code length=%d, token_url=%s", clientID, redirectURI, len(loginParams.CodeVerifier), len(loginParams.Code), tokenURL)
+	log.GetLogger().Debugf("Token exchange form data (sanitized): grant_type=%s, client_id=%s, redirect_uri=%s, code_verifier=[REDACTED], code=[REDACTED]", data.Get("grant_type"), data.Get("client_id"), data.Get("redirect_uri"))
+
+	// Create HTTP request
+	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return ret, nil, fmt.Errorf("failed to create token request: %w", err)
+	}
+
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json") // Request JSON response
+
+	// Create HTTP client with TLS config
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: tlsConfig,
+		},
+	}
+
+	// Execute request
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return ret, nil, fmt.Errorf("failed to exchange token: %w", err)
+	}
+	defer resp.Body.Close()
+
+	// Read response body
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return ret, nil, fmt.Errorf("failed to read token response: %w", err)
+	}
+
+	// Check for HTTP error status
+	if resp.StatusCode != http.StatusOK {
+		// Log the full response for debugging
+		log.GetLogger().Warnf("Token exchange failed with status %d. Response body: %s", resp.StatusCode, string(body))
+		return ret, nil, fmt.Errorf("token exchange failed with status %d: %s", resp.StatusCode, string(body))
+	}
+
+	// Check content type to determine response format
+	contentType := resp.Header.Get("Content-Type")
+	bodyPreview := string(body)
+	if len(bodyPreview) > 200 {
+		bodyPreview = bodyPreview[:200] + "..."
+	}
+	log.GetLogger().Infof("Token response Content-Type: %s, Body length: %d, Body preview: %s", contentType, len(body), bodyPreview)
+
+	// Parse response based on content type
+	var tokenResponse map[string]interface{}
+
+	// GitHub and some OAuth providers return form-encoded responses
+	if strings.Contains(contentType, "application/x-www-form-urlencoded") {
+		// Parse as form-encoded
+		values, err := url.ParseQuery(string(body))
+		if err != nil {
+			log.GetLogger().Warnf("Failed to parse form-encoded token response. Status: %d, Content-Type: %s, Body: %s", resp.StatusCode, contentType, string(body))
+			return ret, nil, fmt.Errorf("failed to parse form-encoded token response: %w (response body: %s)", err, string(body))
+		}
+
+		// Log all parsed values for debugging
+		log.GetLogger().Debugf("Parsed form-encoded response values: %v", values)
+
+		// Check for errors in form-encoded response
+		errorParam := values.Get("error")
+		if errorParam != "" {
+			errorDesc := values.Get("error_description")
+			errorURI := values.Get("error_uri")
+			log.GetLogger().Warnf("OAuth provider returned error in form-encoded response: error=%s, error_description=%s, error_uri=%s", errorParam, errorDesc, errorURI)
+			return ret, nil, fmt.Errorf("oauth error: %s - %s", errorParam, errorDesc)
+		}
+
+		// Convert form values to map
+		tokenResponse = make(map[string]interface{})
+		for k, v := range values {
+			if len(v) > 0 {
+				tokenResponse[k] = v[0]
+			}
+		}
+		log.GetLogger().Debugf("Parsed form-encoded token response. Keys: %v", getMapKeys(tokenResponse))
+	} else {
+		// Try to parse as JSON
+		if err := json.Unmarshal(body, &tokenResponse); err != nil {
+			log.GetLogger().Warnf("Failed to parse token response as JSON. Status: %d, Content-Type: %s, Body: %s", resp.StatusCode, contentType, string(body))
+			return ret, nil, fmt.Errorf("failed to parse token response: %w (response body: %s)", err, string(body))
+		}
+		log.GetLogger().Debugf("Parsed JSON token response. Keys: %v", getMapKeys(tokenResponse))
+
+		// Check for errors in JSON response (some providers return JSON error responses)
+		if errorParam, ok := tokenResponse["error"].(string); ok && errorParam != "" {
+			errorDesc := ""
+			if desc, ok := tokenResponse["error_description"].(string); ok {
+				errorDesc = desc
+			}
+			errorURI := ""
+			if uri, ok := tokenResponse["error_uri"].(string); ok {
+				errorURI = uri
+			}
+			log.GetLogger().Warnf("OAuth provider returned error in JSON response: error=%s, error_description=%s, error_uri=%s", errorParam, errorDesc, errorURI)
+			return ret, nil, fmt.Errorf("oauth error: %s - %s", errorParam, errorDesc)
+		}
+	}
+
+	// Extract tokens
+	if accessToken, ok := tokenResponse["access_token"].(string); ok {
+		ret.AccessToken = accessToken
+		log.GetLogger().Debugf("Extracted access_token (length: %d)", len(accessToken))
+	} else {
+		log.GetLogger().Warnf("access_token not found in token response. Available keys: %v", getMapKeys(tokenResponse))
+	}
+
+	if idToken, ok := tokenResponse["id_token"].(string); ok {
+		ret.IDToken = idToken
+		log.GetLogger().Debugf("Extracted id_token (length: %d)", len(idToken))
+	}
+
+	if refreshToken, ok := tokenResponse["refresh_token"].(string); ok {
+		ret.RefreshToken = refreshToken
+		log.GetLogger().Debugf("Extracted refresh_token (length: %d)", len(refreshToken))
+	}
+
+	// Extract expires_in
+	expiresIn, err := getExpiresIn(osincli.ResponseData(tokenResponse))
+	if err != nil {
+		return ret, nil, fmt.Errorf("failed to parse expires_in: %w", err)
+	}
+
+	return ret, expiresIn, nil
+}
+
+// refreshOAuthToken refreshes an access token using a refresh token
+func refreshOAuthToken(refreshToken string, client *osincli.Client) (TokenData, *int64, error) {
+	req := client.NewAccessRequest(osincli.REFRESH_TOKEN, &osincli.AuthorizeData{Code: refreshToken})
+	return executeOAuthFlow(req)
+}
+
+// loginRedirect generates the OAuth login redirect URL with provider state and PKCE parameters
+// If codeChallenge is empty, it will be generated automatically
+// codeVerifier can be optionally passed to encode it in the state parameter as a fallback
+func loginRedirect(client *osincli.Client, providerName string, codeChallenge string, codeVerifier string) string {
+	authorizeRequest := client.NewAuthorizeRequest(osincli.CODE)
+	authURL := authorizeRequest.GetAuthorizeUrl()
+
+	// Log the redirect_uri used in authorization request for debugging
+	// The redirect_uri is included in the authorization URL query parameters
+	parsedAuthURL, _ := url.Parse(authURL.String())
+	redirectURI := parsedAuthURL.Query().Get("redirect_uri")
+	if redirectURI == "" {
+		// Fallback: use the configured redirect URI from config
+		redirectURI = config.BaseUiUrl + "/callback"
+	}
+	log.GetLogger().Infof("Authorization request for provider %s: redirect_uri=%s", providerName, redirectURI)
+
+	// Include provider name in state parameter so callback can identify which provider to use
+	// Format: "provider:<providerName>" to match frontend expectations
+	// If codeVerifier is provided, encode it in state as a fallback if cookie fails
+	state := fmt.Sprintf("provider:%s", providerName)
+	if codeVerifier != "" {
+		// Encode code_verifier in state as base64url for fallback retrieval
+		// Format: "provider:<providerName>:<base64url_encoded_verifier>"
+		encodedVerifier := b64.URLEncoding.WithPadding(b64.NoPadding).EncodeToString([]byte(codeVerifier))
+		state = fmt.Sprintf("provider:%s:%s", providerName, encodedVerifier)
+	}
+
+	// Parse the URL and add state parameter
+	parsedURL, err := url.Parse(authURL.String())
+	if err != nil {
+		// If parsing fails, return original URL
+		return authURL.String()
+	}
+
+	// Add state to query parameters
+	query := parsedURL.Query()
+	query.Set("state", state)
+
+	// PKCE is required - codeChallenge must be provided
+	// Note: codeChallenge should be generated by the caller (auth.go) before calling this function
+	if codeChallenge == "" {
+		log.GetLogger().Error("PKCE code_challenge is required but not provided - this should not happen")
+		// This is a programming error - codeChallenge should always be provided by auth.go
+		// The flow will fail when the provider requires PKCE or when token exchange happens
+	}
+
+	// Add PKCE parameters (required)
+	query.Set("code_challenge", codeChallenge)
+	query.Set("code_challenge_method", "S256")
+
+	parsedURL.RawQuery = query.Encode()
+
+	return parsedURL.String()
+}
+
+// executeOAuthFlow executes the OAuth token exchange flow
+func executeOAuthFlow(req *osincli.AccessRequest) (TokenData, *int64, error) {
+	ret := TokenData{}
+	// Exchange refresh token for a new access token
+	accessData, err := req.GetToken()
+	if err != nil {
+		return ret, nil, fmt.Errorf("failed to refresh token: %w", err)
+	}
+
+	expiresIn, err := getExpiresIn(accessData.ResponseData)
+	if err != nil {
+		return ret, nil, fmt.Errorf("failed to refresh token: %w", err)
+	}
+
+	// Always store the access_token
+	ret.AccessToken = accessData.AccessToken
+
+	// For OIDC flows, check if id_token is present in the response
+	// OIDC providers return both access_token and id_token:
+	// - id_token (JWT) is used for API authentication
+	// - access_token (opaque) is used for userinfo endpoint
+	if idTokenRaw, exists := accessData.ResponseData["id_token"]; exists {
+		if idToken, ok := idTokenRaw.(string); ok && idToken != "" {
+			ret.IDToken = idToken
+		}
+	}
+
+	ret.RefreshToken = accessData.RefreshToken
+
+	return ret, expiresIn, nil
+}
+
+// getExpiresIn extracts the expires_in value from OAuth response data
+// Based on GetToken() from osincli which parses the expires_in to int32 that may overflow
+func getExpiresIn(ret osincli.ResponseData) (*int64, error) {
+	expires_in_raw, ok := ret["expires_in"]
+	if ok {
+		rv := reflect.ValueOf(expires_in_raw)
+		switch rv.Kind() {
+		case reflect.Float64:
+			expiration := int64(rv.Float())
+			return &expiration, nil
+		case reflect.String:
+			// if string convert to integer
+			ei, err := strconv.ParseInt(rv.String(), 10, 64)
+			if err != nil {
+				return nil, err
+			}
+			return &ei, nil
+		default:
+			return nil, errors.New("invalid parameter value")
+		}
+	}
+	return nil, nil
+}
+
+// buildScopeParam builds a space-separated scope string from provider scopes or default scopes
+// If providerScopes is provided and non-empty, it uses those scopes.
+// Otherwise, if defaultScopes is provided (as a space-separated string), it uses defaultScopes.
+// Returns the space-separated scope string.
+func buildScopeParam(providerScopes *[]string, defaultScopes string) string {
+	// Use provider scopes if available and non-empty
+	if providerScopes != nil && len(*providerScopes) > 0 {
+		return strings.Join(*providerScopes, " ")
+	}
+	return defaultScopes
+}
+
+// getValueByPath extracts a value from a map using an array path (e.g., ["user", "name"])
+// Path segments are used directly as map keys, so dots and other special characters
+// are treated as literal characters (e.g., ["kubernetes.io", "some-field"] works correctly)
+// Returns the value and whether it was found
+func getValueByPath(data map[string]interface{}, path []string) (interface{}, bool) {
+	if len(path) == 0 {
+		return nil, false
+	}
+
+	current := data
+
+	for i, part := range path {
+		if i == len(path)-1 {
+			// Last part - extract the value
+			if value, exists := current[part]; exists {
+				return value, true
+			}
+			return nil, false
+		}
+
+		// Navigate deeper into the object
+		if next, exists := current[part]; exists {
+			if nextMap, ok := next.(map[string]interface{}); ok {
+				current = nextMap
+			} else {
+				return nil, false
+			}
+		} else {
+			return nil, false
+		}
+	}
+
+	return nil, false
+}
+
+// extractUsernameFromUserInfo extracts username from userinfo map using the specified claim path
+// Supports both simple field names (e.g., ["preferred_username"]) and nested paths (e.g., ["user", "name"])
+func extractUsernameFromUserInfo(userInfo map[string]interface{}, usernameClaimPath []string) string {
+	// Try the specified claim path first
+	if len(usernameClaimPath) > 0 {
+		if val, exists := getValueByPath(userInfo, usernameClaimPath); exists {
+			if str, ok := val.(string); ok && str != "" {
+				return str
+			}
+		}
+	}
+
+	// Fallback to common OAuth2/OIDC username fields
+	commonClaims := [][]string{
+		{DefaultUsernameClaim},
+		{"email"},
+		{"sub"},
+		{"name"},
+		{"username"},
+	}
+	for _, claimPath := range commonClaims {
+		if val, exists := getValueByPath(userInfo, claimPath); exists {
+			if str, ok := val.(string); ok && str != "" {
+				return str
+			}
+		}
+	}
+
+	return ""
+}
+
+// getMapKeys returns the keys of a map as a slice of strings
+func getMapKeys(m map[string]interface{}) []string {
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	return keys
+}
+
+// extractProviderName extracts the provider name from AuthProvider metadata
+func extractProviderName(provider *v1alpha1.AuthProvider) string {
+	if provider != nil && provider.Metadata.Name != nil {
+		return *provider.Metadata.Name
+	}
+	return ""
+}
+
+// PKCE cookie name prefix
+const pkceCookiePrefix = "pkce_verifier_"
+
+// generateCodeVerifier generates a cryptographically random code verifier
+// Returns a base64url-encoded string of 32 random bytes (43-128 characters per RFC 7636)
+func generateCodeVerifier() (string, error) {
+	// Generate 32 random bytes
+	randomBytes := make([]byte, 32)
+	if _, err := rand.Read(randomBytes); err != nil {
+		return "", fmt.Errorf("failed to generate random bytes: %w", err)
+	}
+
+	// Base64URL encode (RFC 4648 Section 5)
+	// Replace '+' with '-', '/' with '_', and remove padding '='
+	encoded := b64.URLEncoding.WithPadding(b64.NoPadding).EncodeToString(randomBytes)
+	return encoded, nil
+}
+
+// generateCodeChallenge generates a code challenge from a code verifier using SHA-256
+// Returns a base64url-encoded SHA-256 hash of the verifier
+func generateCodeChallenge(codeVerifier string) string {
+	// SHA-256 hash of the code verifier
+	hash := sha256.Sum256([]byte(codeVerifier))
+	// Base64URL encode without padding
+	return b64.URLEncoding.WithPadding(b64.NoPadding).EncodeToString(hash[:])
+}
+
+// setPKCEVerifierCookie stores the code verifier in a cookie
+func setPKCEVerifierCookie(w http.ResponseWriter, providerName string, codeVerifier string) {
+	cookieName := pkceCookiePrefix + providerName
+	cookie := http.Cookie{
+		Name:     cookieName,
+		Value:    codeVerifier,
+		Secure:   config.TlsCertPath != "",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode, // Use Lax instead of Strict to allow cookie on redirect from OAuth provider
+		Path:     "/",
+		MaxAge:   600, // 10 minutes (same as authorization code expiration)
+		// Don't set Domain - let browser use default (current domain)
+	}
+	http.SetCookie(w, &cookie)
+	log.GetLogger().Infof("Set PKCE verifier cookie for provider %s (cookie: %s, value length: %d, secure: %v, path: %s, sameSite: %v)",
+		providerName, cookieName, len(codeVerifier), cookie.Secure, cookie.Path, cookie.SameSite)
+}
+
+// getPKCEVerifierCookie retrieves the code verifier from a cookie
+func getPKCEVerifierCookie(r *http.Request, providerName string) (string, error) {
+	cookieName := pkceCookiePrefix + providerName
+
+	// Log all cookies for debugging
+	allCookies := r.Cookies()
+	cookieNames := make([]string, len(allCookies))
+	for i, c := range allCookies {
+		cookieNames[i] = c.Name
+	}
+	log.GetLogger().Infof("Looking for PKCE cookie %s. Available cookies: %v (total: %d). Request host: %s, request path: %s, request method: %s",
+		cookieName, cookieNames, len(allCookies), r.Host, r.URL.Path, r.Method)
+
+	cookie, err := r.Cookie(cookieName)
+	if err != nil {
+		if errors.Is(err, http.ErrNoCookie) {
+			log.GetLogger().Warnf("PKCE verifier cookie not found: %s (this will cause token exchange to fail)", cookieName)
+			return "", nil
+		}
+		return "", err
+	}
+	if cookie.Value == "" {
+		log.GetLogger().Warnf("PKCE verifier cookie is empty: %s", cookieName)
+		return "", nil
+	}
+	log.GetLogger().Debugf("Found PKCE verifier cookie for provider %s (length: %d)", providerName, len(cookie.Value))
+	return cookie.Value, nil
+}
+
+// clearPKCEVerifierCookie removes the PKCE verifier cookie
+func clearPKCEVerifierCookie(w http.ResponseWriter, providerName string) {
+	cookieName := pkceCookiePrefix + providerName
+	cookie := http.Cookie{
+		Name:     cookieName,
+		Value:    "",
+		MaxAge:   -1,
+		Path:     "/",
+		Secure:   config.TlsCertPath != "",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode, // Use Lax to match the set cookie
+	}
+	http.SetCookie(w, &cookie)
+}
+
+// clearSessionCookie removes the session cookie
+func clearSessionCookie(w http.ResponseWriter, r *http.Request) {
+	// TODO EDM-2612 Setting cookie here was not working, removed the code - needs to be investigated.
+	// Set Clear-Site-Data header to instruct browser to clear cookies
+	w.Header().Set("Clear-Site-Data", `"cookies"`)
+}
+
+// extractCodeVerifierFromState extracts code_verifier from state parameter if it was encoded there
+// State format: "provider:<providerName>:<base64url_encoded_verifier>"
+// Also handles legacy format: "provider:<providerName>" (no verifier)
+func extractCodeVerifierFromState(state string, providerName string) string {
+	prefix := fmt.Sprintf("provider:%s", providerName)
+	if !strings.HasPrefix(state, prefix) {
+		return ""
+	}
+
+	// Check if state has the encoded verifier (format: "provider:<name>:<encoded>")
+	if strings.HasPrefix(state, prefix+":") {
+		encodedVerifier := strings.TrimPrefix(state, prefix+":")
+		if encodedVerifier == "" {
+			return ""
+		}
+		// Decode base64url encoded verifier
+		decoded, err := b64.URLEncoding.WithPadding(b64.NoPadding).DecodeString(encodedVerifier)
+		if err != nil {
+			log.GetLogger().Debugf("Failed to decode code_verifier from state: %v", err)
+			return ""
+		}
+		return string(decoded)
+	}
+
+	// Legacy format without verifier
+	return ""
+}
diff --git a/proxy/auth/k8s.go b/proxy/auth/k8s.go
index dc7cb8307..870085712 100644
--- a/proxy/auth/k8s.go
+++ b/proxy/auth/k8s.go
@@ -10,22 +10,25 @@ import (
 	"github.com/flightctl/flightctl-ui/bridge"
 	"github.com/flightctl/flightctl-ui/config"
 	"github.com/flightctl/flightctl-ui/log"
+	"github.com/flightctl/flightctl/api/v1alpha1"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 )
 
 type TokenAuthProvider struct {
 	apiTlsConfig *tls.Config
 	authURL      string
+	providerName string
 }
 
 type TokenLoginParameters struct {
 	Token string `json:"token"`
 }
 
-func NewTokenAuthProvider(apiTlsConfig *tls.Config, authURL string) *TokenAuthProvider {
+func NewTokenAuthProvider(apiTlsConfig *tls.Config, authURL string, providerName string) *TokenAuthProvider {
 	return &TokenAuthProvider{
 		apiTlsConfig: apiTlsConfig,
 		authURL:      authURL,
+		providerName: providerName,
 	}
 }
 
@@ -73,7 +76,7 @@ func (t *TokenAuthProvider) ValidateToken(token string) (TokenData, *int64, erro
 
 	// Store the validated K8s JWT token
 	tokenData := TokenData{
-		Token:        token,
+		IDToken:      token,
 		RefreshToken: "",
 	}
 
@@ -169,32 +172,11 @@ func ExtractUsernameFromToken(token string) (string, error) {
 }
 
 // GetUserInfo retrieves user information from the provided JWT token
-func (t *TokenAuthProvider) GetUserInfo(token string) (string, *http.Response, error) {
-	// For K8s, extract username from the JWT token
-	if token == "" {
-		return "", nil, fmt.Errorf("token is required for K8s userinfo")
-	}
-
-	// Check if token is expired
-	expiresIn := extractTokenExpiration(token)
-	if expiresIn != nil && *expiresIn == 0 {
-		resp := &http.Response{
-			StatusCode: http.StatusUnauthorized,
-		}
-		return "", resp, fmt.Errorf("token has expired")
-	}
-
-	username, err := ExtractUsernameFromToken(token)
-	if err != nil {
-		log.GetLogger().WithError(err).Warn("Failed to extract username from token")
-		return "", nil, err
-	}
-
+func (t *TokenAuthProvider) GetUserInfo(tokenData TokenData) (string, *http.Response, error) {
 	resp := &http.Response{
-		StatusCode: http.StatusOK,
+		StatusCode: http.StatusInternalServerError,
 	}
-
-	return username, resp, nil
+	return "", resp, fmt.Errorf("User information should be retrieved through the flightctl API")
 }
 
 // RefreshToken is not applicable for K8s token auth
@@ -209,22 +191,23 @@ func (t *TokenAuthProvider) Logout(token string) (string, error) {
 }
 
 // GetLoginRedirectURL is not applicable for token auth
-func (t *TokenAuthProvider) GetLoginRedirectURL() string {
+func (t *TokenAuthProvider) GetLoginRedirectURL(codeChallenge string, codeVerifier string) string {
 	return ""
 }
 
 // getK8sAuthHandler creates a new K8s token authentication handler
-func getK8sAuthHandler(authURL string, internalAuthURL *string) (*TokenAuthProvider, error) {
+func getK8sAuthHandler(provider *v1alpha1.AuthProvider, k8sSpec *v1alpha1.K8sProviderSpec) (*TokenAuthProvider, error) {
+	providerName := extractProviderName(provider)
+
 	// Use API TLS config since we're calling the FlightCtl API to validate tokens
 	tlsConfig, err := bridge.GetTlsConfig()
 	if err != nil {
 		return nil, err
 	}
 
-	url := authURL
-	if internalAuthURL != nil {
-		url = *internalAuthURL
-	}
+	// For K8s token auth, we don't need authURL for the provider itself
+	// The token validation happens against the FlightCtl API
+	authURL := ""
 
-	return NewTokenAuthProvider(tlsConfig, url), nil
+	return NewTokenAuthProvider(tlsConfig, authURL, providerName), nil
 }
diff --git a/proxy/auth/oauth.go b/proxy/auth/oauth.go
deleted file mode 100644
index 99ae15373..000000000
--- a/proxy/auth/oauth.go
+++ /dev/null
@@ -1,70 +0,0 @@
-package auth
-
-import (
-	"errors"
-	"fmt"
-	"reflect"
-	"strconv"
-
-	"github.com/openshift/osincli"
-)
-
-func exchangeToken(loginParams LoginParameters, client *osincli.Client) (TokenData, *int64, error) {
-	req := client.NewAccessRequest(osincli.AUTHORIZATION_CODE, &osincli.AuthorizeData{
-		Code: loginParams.Code,
-	})
-
-	return executeOAuthFlow(req)
-}
-
-func refreshOAuthToken(refreshToken string, client *osincli.Client) (TokenData, *int64, error) {
-	req := client.NewAccessRequest(osincli.REFRESH_TOKEN, &osincli.AuthorizeData{Code: refreshToken})
-	return executeOAuthFlow(req)
-}
-
-func loginRedirect(client *osincli.Client) string {
-	authorizeRequest := client.NewAuthorizeRequest(osincli.CODE)
-	return authorizeRequest.GetAuthorizeUrl().String()
-}
-
-func executeOAuthFlow(req *osincli.AccessRequest) (TokenData, *int64, error) {
-	ret := TokenData{}
-	// Exchange refresh token for a new access token
-	accessData, err := req.GetToken()
-	if err != nil {
-		return ret, nil, fmt.Errorf("failed to refresh token: %w", err)
-	}
-
-	expiresIn, err := getExpiresIn(accessData.ResponseData)
-	if err != nil {
-		return ret, nil, fmt.Errorf("failed to refresh token: %w", err)
-	}
-
-	ret.Token = accessData.AccessToken
-	ret.RefreshToken = accessData.RefreshToken // May be empty if not returned
-
-	return ret, expiresIn, nil
-}
-
-// based on GetToken() from osincli which parses the expires_in to int32 that may overflow
-func getExpiresIn(ret osincli.ResponseData) (*int64, error) {
-	expires_in_raw, ok := ret["expires_in"]
-	if ok {
-		rv := reflect.ValueOf(expires_in_raw)
-		switch rv.Kind() {
-		case reflect.Float64:
-			expiration := int64(rv.Float())
-			return &expiration, nil
-		case reflect.String:
-			// if string convert to integer
-			ei, err := strconv.ParseInt(rv.String(), 10, 64)
-			if err != nil {
-				return nil, err
-			}
-			return &ei, nil
-		default:
-			return nil, errors.New("invalid parameter value")
-		}
-	}
-	return nil, nil
-}
diff --git a/proxy/auth/oauth2.go b/proxy/auth/oauth2.go
new file mode 100644
index 000000000..3e3831591
--- /dev/null
+++ b/proxy/auth/oauth2.go
@@ -0,0 +1,104 @@
+package auth
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+
+	"github.com/flightctl/flightctl-ui/bridge"
+	"github.com/flightctl/flightctl-ui/config"
+	"github.com/flightctl/flightctl/api/v1alpha1"
+	"github.com/openshift/osincli"
+)
+
+type OAuth2AuthHandler struct {
+	tlsConfig        *tls.Config
+	client           *osincli.Client
+	internalClient   *osincli.Client
+	userInfoEndpoint string
+	authURL          string
+	tokenURL         string
+	clientId         string
+	providerName     string
+}
+
+// getOAuth2AuthHandler creates an OAuth2 handler using explicit endpoints
+func getOAuth2AuthHandler(provider *v1alpha1.AuthProvider, oauth2Spec *v1alpha1.OAuth2ProviderSpec) (*OAuth2AuthHandler, error) {
+	providerName := extractProviderName(provider)
+
+	if oauth2Spec.AuthorizationUrl == "" || oauth2Spec.TokenUrl == "" || oauth2Spec.UserinfoUrl == "" || oauth2Spec.ClientId == "" || oauth2Spec.Scopes == nil || len(*oauth2Spec.Scopes) == 0 {
+		return nil, fmt.Errorf("OAuth2 provider %s missing required fields", providerName)
+	}
+
+	authURL := oauth2Spec.AuthorizationUrl
+	tokenURL := oauth2Spec.TokenUrl
+	userinfoURL := oauth2Spec.UserinfoUrl
+	clientId := oauth2Spec.ClientId
+
+	tlsConfig, err := bridge.GetAuthTlsConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	// Build scope string (no default scopes for OAuth2 - scopes are mandatory)
+	scope := buildScopeParam(oauth2Spec.Scopes, "")
+
+	// Create OAuth2 client config
+	oauth2ClientConfig := &osincli.ClientConfig{
+		ClientId:                 clientId,
+		ClientSecret:             "", // Not needed with PKCE for public clients
+		AuthorizeUrl:             authURL,
+		TokenUrl:                 tokenURL,
+		RedirectUrl:              config.BaseUiUrl + "/callback",
+		ErrorsInStatusCode:       true,
+		SendClientSecretInParams: false, // PKCE is used instead of client secret
+		Scope:                    scope,
+	}
+
+	client, err := osincli.NewClient(oauth2ClientConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create OAuth2 client: %w", err)
+	}
+
+	client.Transport = &http.Transport{
+		TLSClientConfig: tlsConfig,
+	}
+
+	handler := &OAuth2AuthHandler{
+		tlsConfig:        tlsConfig,
+		internalClient:   client,
+		client:           client,
+		userInfoEndpoint: userinfoURL,
+		authURL:          authURL,
+		tokenURL:         tokenURL,
+		clientId:         clientId,
+		providerName:     providerName,
+	}
+
+	return handler, nil
+}
+
+func (o *OAuth2AuthHandler) GetToken(loginParams LoginParameters) (TokenData, *int64, error) {
+	return exchangeToken(loginParams, o.internalClient, o.tokenURL, o.clientId, config.BaseUiUrl+"/callback")
+}
+
+func (o *OAuth2AuthHandler) GetUserInfo(tokenData TokenData) (string, *http.Response, error) {
+	resp := &http.Response{
+		StatusCode: http.StatusInternalServerError,
+	}
+	return "", resp, fmt.Errorf("User information should be retrieved through the flightctl API")
+}
+
+func (o *OAuth2AuthHandler) Logout(token string) (string, error) {
+	// OAuth2 providers typically don't have a standardized logout endpoint
+	// Return empty string to indicate no logout URL
+	return "", nil
+}
+
+func (o *OAuth2AuthHandler) RefreshToken(refreshToken string) (TokenData, *int64, error) {
+	return refreshOAuthToken(refreshToken, o.internalClient)
+}
+
+func (o *OAuth2AuthHandler) GetLoginRedirectURL(codeChallenge string, codeVerifier string) string {
+	return loginRedirect(o.client, o.providerName, codeChallenge, codeVerifier)
+}
diff --git a/proxy/auth/oidc.go b/proxy/auth/oidc.go
index 547d6213f..fffd86b0c 100644
--- a/proxy/auth/oidc.go
+++ b/proxy/auth/oidc.go
@@ -11,13 +11,10 @@ import (
 	"github.com/flightctl/flightctl-ui/bridge"
 	"github.com/flightctl/flightctl-ui/config"
 	"github.com/flightctl/flightctl-ui/log"
+	"github.com/flightctl/flightctl/api/v1alpha1"
 	"github.com/openshift/osincli"
 )
 
-type OIDCUserInfo struct {
-	Username string `json:"preferred_username,omitempty"`
-}
-
 type OIDCAuthHandler struct {
 	tlsConfig          *tls.Config
 	client             *osincli.Client
@@ -25,6 +22,9 @@ type OIDCAuthHandler struct {
 	endSessionEndpoint string
 	userInfoEndpoint   string
 	authURL            string
+	tokenEndpoint      string
+	clientId           string
+	providerName       string
 }
 
 type oidcServerResponse struct {
@@ -34,7 +34,21 @@ type oidcServerResponse struct {
 	EndSessionEndpoint string `json:"end_session_endpoint"`
 }
 
-func getOIDCAuthHandler(authURL string, internalAuthURL *string) (*OIDCAuthHandler, error) {
+func getOIDCAuthHandler(provider *v1alpha1.AuthProvider, oidcSpec *v1alpha1.OIDCProviderSpec) (*OIDCAuthHandler, error) {
+	providerName := extractProviderName(provider)
+
+	if oidcSpec.Issuer == "" {
+		return nil, fmt.Errorf("OIDC provider %s missing Issuer", providerName)
+	}
+
+	if oidcSpec.ClientId == "" {
+		return nil, fmt.Errorf("OIDC provider %s missing ClientId", providerName)
+	}
+
+	authURL := oidcSpec.Issuer
+	clientId := oidcSpec.ClientId
+	internalAuthURL := (*string)(nil) // OIDC doesn't use internalAuthURL for now
+
 	tlsConfig, err := bridge.GetAuthTlsConfig()
 	if err != nil {
 		return nil, err
@@ -73,7 +87,7 @@ func getOIDCAuthHandler(authURL string, internalAuthURL *string) (*OIDCAuthHandl
 		return nil, fmt.Errorf("failed to parse oidc config: %w", err)
 	}
 
-	internalClient, err := getOIDCClient(oidcResponse, tlsConfig)
+	internalClient, err := getOIDCClient(oidcResponse, tlsConfig, clientId, oidcSpec.Scopes)
 	if err != nil {
 		return nil, err
 	}
@@ -85,6 +99,9 @@ func getOIDCAuthHandler(authURL string, internalAuthURL *string) (*OIDCAuthHandl
 		endSessionEndpoint: oidcResponse.EndSessionEndpoint,
 		userInfoEndpoint:   oidcResponse.UserInfoEndpoint,
 		authURL:            authURL,
+		tokenEndpoint:      oidcResponse.TokenEndpoint,
+		clientId:           clientId,
+		providerName:       providerName,
 	}
 
 	if internalAuthURL != nil {
@@ -94,12 +111,13 @@ func getOIDCAuthHandler(authURL string, internalAuthURL *string) (*OIDCAuthHandl
 			UserInfoEndpoint:   replaceBaseURL(oidcResponse.UserInfoEndpoint, *internalAuthURL, authURL),
 			EndSessionEndpoint: replaceBaseURL(oidcResponse.EndSessionEndpoint, *internalAuthURL, authURL),
 		}
-		client, err := getOIDCClient(extConfig, tlsConfig)
+		client, err := getOIDCClient(extConfig, tlsConfig, clientId, oidcSpec.Scopes)
 		if err != nil {
 			return nil, err
 		}
 		handler.client = client
 		handler.endSessionEndpoint = extConfig.EndSessionEndpoint
+		handler.tokenEndpoint = extConfig.TokenEndpoint
 	}
 
 	return handler, nil
@@ -125,14 +143,15 @@ func replaceBaseURL(endpoint, oldBase, newBase string) string {
 	return endpointURL.String()
 }
 
-func getOIDCClient(oidcConfig oidcServerResponse, tlsConfig *tls.Config) (*osincli.Client, error) {
-	scope := "openid"
+func getOIDCClient(oidcConfig oidcServerResponse, tlsConfig *tls.Config, clientId string, providerScopes *[]string) (*osincli.Client, error) {
+	defaultScopes := "openid profile email"
 	if config.IsOrganizationsEnabled() {
-		scope = "openid organization:*"
+		defaultScopes += " organization:*"
 	}
+	scope := buildScopeParam(providerScopes, defaultScopes)
 
 	oidcClientConfig := &osincli.ClientConfig{
-		ClientId:                 config.AuthClientId,
+		ClientId:                 clientId,
 		AuthorizeUrl:             oidcConfig.AuthEndpoint,
 		TokenUrl:                 oidcConfig.TokenEndpoint,
 		RedirectUrl:              config.BaseUiUrl + "/callback",
@@ -154,26 +173,14 @@ func getOIDCClient(oidcConfig oidcServerResponse, tlsConfig *tls.Config) (*osinc
 }
 
 func (a *OIDCAuthHandler) GetToken(loginParams LoginParameters) (TokenData, *int64, error) {
-	return exchangeToken(loginParams, a.internalClient)
+	return exchangeToken(loginParams, a.internalClient, a.tokenEndpoint, a.clientId, config.BaseUiUrl+"/callback")
 }
 
-func (o *OIDCAuthHandler) GetUserInfo(token string) (string, *http.Response, error) {
-	body, resp, err := getUserInfo(token, o.tlsConfig, o.authURL, o.userInfoEndpoint)
-
-	if err != nil {
-		log.GetLogger().WithError(err).Warn("Failed to get user info")
-		return "", resp, err
+func (o *OIDCAuthHandler) GetUserInfo(tokenData TokenData) (string, *http.Response, error) {
+	resp := &http.Response{
+		StatusCode: http.StatusInternalServerError,
 	}
-
-	if body != nil {
-		userInfo := OIDCUserInfo{}
-		if err := json.Unmarshal(*body, &userInfo); err != nil {
-			return "", resp, fmt.Errorf("failed to unmarshal OIDC user response: %w", err)
-		}
-		return userInfo.Username, resp, nil
-	}
-
-	return "", resp, nil
+	return "", resp, fmt.Errorf("User information should be retrieved through the flightctl API")
 }
 
 func (o *OIDCAuthHandler) Logout(token string) (string, error) {
@@ -185,7 +192,7 @@ func (o *OIDCAuthHandler) Logout(token string) (string, error) {
 
 	uq := u.Query()
 	uq.Add("post_logout_redirect_uri", config.BaseUiUrl)
-	uq.Add("client_id", config.AuthClientId)
+	uq.Add("client_id", o.clientId)
 	u.RawQuery = uq.Encode()
 	return u.String(), nil
 }
@@ -194,6 +201,6 @@ func (o *OIDCAuthHandler) RefreshToken(refreshToken string) (TokenData, *int64,
 	return refreshOAuthToken(refreshToken, o.internalClient)
 }
 
-func (a *OIDCAuthHandler) GetLoginRedirectURL() string {
-	return loginRedirect(a.client)
+func (a *OIDCAuthHandler) GetLoginRedirectURL(codeChallenge string, codeVerifier string) string {
+	return loginRedirect(a.client, a.providerName, codeChallenge, codeVerifier)
 }
diff --git a/proxy/auth/openshift.go b/proxy/auth/openshift.go
new file mode 100644
index 000000000..69d54b430
--- /dev/null
+++ b/proxy/auth/openshift.go
@@ -0,0 +1,199 @@
+package auth
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/flightctl/flightctl-ui/bridge"
+	"github.com/flightctl/flightctl-ui/config"
+	"github.com/flightctl/flightctl-ui/log"
+	"github.com/flightctl/flightctl/api/v1alpha1"
+	"github.com/openshift/osincli"
+)
+
+type OpenShiftAuthHandler struct {
+	tlsConfig      *tls.Config
+	client         *osincli.Client
+	internalClient *osincli.Client
+	authURL        string
+	tokenURL       string
+	apiServerURL   string
+	clientId       string
+	providerName   string
+}
+
+type openshiftOAuthDiscovery struct {
+	Issuer                string `json:"issuer"`
+	AuthorizationEndpoint string `json:"authorization_endpoint"`
+	TokenEndpoint         string `json:"token_endpoint"`
+}
+
+// getOpenShiftAuthHandlerFromSpec creates an OpenShift auth handler from OpenShiftProviderSpec
+func getOpenShiftAuthHandlerFromSpec(provider *v1alpha1.AuthProvider, openshiftSpec *v1alpha1.OpenShiftProviderSpec) (*OpenShiftAuthHandler, error) {
+	providerName := extractProviderName(provider)
+
+	// Determine the API server URL - prefer ClusterControlPlaneUrl, fallback to authorization URL base
+	apiServerURL := ""
+	if openshiftSpec.ClusterControlPlaneUrl != nil && *openshiftSpec.ClusterControlPlaneUrl != "" {
+		apiServerURL = *openshiftSpec.ClusterControlPlaneUrl
+	} else if openshiftSpec.AuthorizationUrl != nil && *openshiftSpec.AuthorizationUrl != "" {
+		// Extract base URL from authorization URL (remove /oauth/authorize if present)
+		authURL := *openshiftSpec.AuthorizationUrl
+		parsedURL, err := url.Parse(authURL)
+		if err == nil {
+			// Remove /oauth/authorize path if present
+			if parsedURL.Path == "/oauth/authorize" || strings.HasSuffix(parsedURL.Path, "/oauth/authorize") {
+				parsedURL.Path = strings.TrimSuffix(parsedURL.Path, "/oauth/authorize")
+			}
+			apiServerURL = parsedURL.String()
+		} else {
+			apiServerURL = authURL
+		}
+	} else {
+		return nil, fmt.Errorf("OpenShift provider %s missing ClusterControlPlaneUrl or AuthorizationUrl", providerName)
+	}
+
+	// Determine authorization URL
+	authURL := ""
+	if openshiftSpec.AuthorizationUrl != nil && *openshiftSpec.AuthorizationUrl != "" {
+		authURL = *openshiftSpec.AuthorizationUrl
+	} else {
+		// Default to {apiServerURL}/oauth/authorize
+		authURL = fmt.Sprintf("%s/oauth/authorize", apiServerURL)
+	}
+
+	// Determine token URL
+	tokenURL := ""
+	if openshiftSpec.TokenUrl != nil && *openshiftSpec.TokenUrl != "" {
+		tokenURL = *openshiftSpec.TokenUrl
+	} else {
+		// Default to {apiServerURL}/oauth/token
+		tokenURL = fmt.Sprintf("%s/oauth/token", apiServerURL)
+	}
+
+	// Determine client ID - required, no default
+	if openshiftSpec.ClientId == nil || *openshiftSpec.ClientId == "" {
+		return nil, fmt.Errorf("OpenShift provider %s missing required ClientId", providerName)
+	}
+	clientId := *openshiftSpec.ClientId
+
+	tlsConfig, err := bridge.GetAuthTlsConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	// Determine scopes
+	scope := "user:full" // Default scope
+	if openshiftSpec.Scopes != nil && len(*openshiftSpec.Scopes) > 0 {
+		scope = buildScopeParam(openshiftSpec.Scopes, scope)
+	}
+
+	// Create OAuth2 client config for OpenShift
+	oauthClientConfig := &osincli.ClientConfig{
+		ClientId:                 clientId,
+		AuthorizeUrl:             authURL,
+		TokenUrl:                 tokenURL,
+		RedirectUrl:              config.BaseUiUrl + "/callback",
+		ErrorsInStatusCode:       true,
+		SendClientSecretInParams: false,
+		Scope:                    scope,
+	}
+
+	client, err := osincli.NewClient(oauthClientConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create OpenShift OAuth client: %w", err)
+	}
+
+	client.Transport = &http.Transport{
+		TLSClientConfig: tlsConfig,
+	}
+
+	handler := &OpenShiftAuthHandler{
+		tlsConfig:      tlsConfig,
+		internalClient: client,
+		client:         client,
+		authURL:        authURL,
+		tokenURL:       tokenURL,
+		apiServerURL:   apiServerURL,
+		clientId:       clientId,
+		providerName:   providerName,
+	}
+
+	return handler, nil
+}
+
+func (o *OpenShiftAuthHandler) GetToken(loginParams LoginParameters) (TokenData, *int64, error) {
+	// OpenShift typically doesn't require client_secret with PKCE
+	return exchangeToken(loginParams, o.internalClient, o.tokenURL, o.clientId, config.BaseUiUrl+"/callback")
+}
+
+func (o *OpenShiftAuthHandler) GetUserInfo(tokenData TokenData) (string, *http.Response, error) {
+	resp := &http.Response{
+		StatusCode: http.StatusInternalServerError,
+	}
+	return "", resp, fmt.Errorf("User information should be retrieved through the flightctl API")
+}
+
+func (o *OpenShiftAuthHandler) RefreshToken(refreshToken string) (TokenData, *int64, error) {
+	return refreshOAuthToken(refreshToken, o.internalClient)
+}
+
+func (o *OpenShiftAuthHandler) Logout(token string) (string, error) {
+	// OpenShift OAuth logout endpoint is typically at {issuer}/logout
+	// Try to discover it from the OAuth discovery endpoint
+	discoveryURL := fmt.Sprintf("%s/.well-known/oauth-authorization-server", o.apiServerURL)
+	req, err := http.NewRequest(http.MethodGet, discoveryURL, nil)
+	if err != nil {
+		log.GetLogger().WithError(err).Debug("Failed to create discovery request for logout URL")
+		return "", nil
+	}
+
+	httpClient := http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: o.tlsConfig,
+		},
+	}
+
+	res, err := httpClient.Do(req)
+	if err != nil {
+		log.GetLogger().WithError(err).Debug("Failed to fetch OAuth discovery for logout URL")
+		return "", nil
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		log.GetLogger().Debugf("OAuth discovery returned status %d", res.StatusCode)
+		return "", nil
+	}
+
+	bodyBytes, err := io.ReadAll(res.Body)
+	if err != nil {
+		log.GetLogger().WithError(err).Debug("Failed to read OAuth discovery response")
+		return "", nil
+	}
+
+	var discovery openshiftOAuthDiscovery
+	if err := json.Unmarshal(bodyBytes, &discovery); err != nil {
+		log.GetLogger().WithError(err).Debug("Failed to parse OAuth discovery response")
+		return "", nil
+	}
+
+	if discovery.Issuer != "" {
+		logoutURL, err := url.Parse(discovery.Issuer)
+		if err == nil {
+			logoutURL.Path = "/logout"
+			return logoutURL.String(), nil
+		}
+	}
+
+	return "", nil
+}
+
+func (o *OpenShiftAuthHandler) GetLoginRedirectURL(codeChallenge string, codeVerifier string) string {
+	return loginRedirect(o.client, o.providerName, codeChallenge, codeVerifier)
+}
diff --git a/proxy/bridge/handler.go b/proxy/bridge/handler.go
index 39222d092..eb4a8deae 100644
--- a/proxy/bridge/handler.go
+++ b/proxy/bridge/handler.go
@@ -44,6 +44,45 @@ func createReverseProxy(apiURL string) (*url.URL, *httputil.ReverseProxy) {
 		for _, h := range filterHeaders {
 			r.Header.Del(h)
 		}
+
+		// If the backend returns 401 Unauthorized, clear the session cookie
+		// This handles the case where the token in the cookie has expired
+		if r.StatusCode == http.StatusUnauthorized {
+			r.Header.Set("Clear-Site-Data", `"cookies"`)
+			log.GetLogger().Debug("Backend returned 401, clearing session cookies")
+		}
+
+		return nil
+	}
+	return target, proxy
+}
+
+func createAlertsReverseProxy(apiURL string) (*url.URL, *httputil.ReverseProxy) {
+	target, err := url.Parse(apiURL)
+	if err != nil {
+		log.GetLogger().WithError(err).Errorf("Failed to parse URL '%s'", apiURL)
+		os.Exit(1)
+	}
+	proxy := httputil.NewSingleHostReverseProxy(target)
+	proxy.ModifyResponse = func(r *http.Response) error {
+		filterHeaders := []string{
+			"Access-Control-Allow-Headers",
+			"Access-Control-Allow-Methods",
+			"Access-Control-Allow-Origin",
+			"Access-Control-Expose-Headers",
+		}
+		for _, h := range filterHeaders {
+			r.Header.Del(h)
+		}
+
+		// For alerts API, we may sometimes receive 401 instead of 403.
+		// To prevent login out the user, we convert 401 to 501.
+		if r.StatusCode == http.StatusUnauthorized {
+			r.StatusCode = http.StatusNotImplemented
+			r.Status = "501 Not Implemented"
+			log.GetLogger().Debug("Alerts API returned 401, converting to 501 (disabled)")
+		}
+
 		return nil
 	}
 	return target, proxy
@@ -70,7 +109,7 @@ func NewFlightCtlCliArtifactsHandler(tlsConfig *tls.Config) handler {
 }
 
 func NewAlertManagerHandler(tlsConfig *tls.Config) handler {
-	target, proxy := createReverseProxy(config.AlertManagerApiUrl)
+	target, proxy := createAlertsReverseProxy(config.AlertManagerApiUrl)
 
 	proxy.Transport = &http.Transport{
 		TLSClientConfig: tlsConfig,
diff --git a/proxy/bridge/testauth.go b/proxy/bridge/testauth.go
new file mode 100644
index 000000000..ba5139b4d
--- /dev/null
+++ b/proxy/bridge/testauth.go
@@ -0,0 +1,425 @@
+package bridge
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/flightctl/flightctl-ui/log"
+)
+
+type FieldValidation struct {
+	Valid bool     `json:"valid"`
+	Value string   `json:"value,omitempty"`
+	Notes []string `json:"notes,omitempty"`
+}
+
+type TestConnectionRequest struct {
+	ProviderType     string `json:"providerType"`
+	Issuer           string `json:"issuer,omitempty"`
+	AuthorizationUrl string `json:"authorizationUrl,omitempty"`
+	TokenUrl         string `json:"tokenUrl,omitempty"`
+	UserinfoUrl      string `json:"userinfoUrl,omitempty"`
+	ClientId         string `json:"clientId,omitempty"`
+}
+
+type FieldValidationResult struct {
+	Field string   `json:"field"`
+	Valid bool     `json:"valid"`
+	Value string   `json:"value,omitempty"`
+	Notes []string `json:"notes,omitempty"`
+}
+
+type TestConnectionResponse struct {
+	Results []FieldValidationResult `json:"results"`
+}
+
+type oidcDiscoveryDocument struct {
+	Issuer                string `json:"issuer"`
+	AuthorizationEndpoint string `json:"authorization_endpoint"`
+	TokenEndpoint         string `json:"token_endpoint"`
+	UserinfoEndpoint      string `json:"userinfo_endpoint"`
+}
+
+type TestAuthHandler struct {
+	tlsConfig *tls.Config
+}
+
+func NewTestAuthHandler(tlsConfig *tls.Config) *TestAuthHandler {
+	return &TestAuthHandler{
+		tlsConfig: tlsConfig,
+	}
+}
+
+func (h *TestAuthHandler) TestConnection(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var req TestConnectionRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, fmt.Sprintf("Invalid request body: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	response := TestConnectionResponse{
+		Results: make([]FieldValidationResult, 0),
+	}
+
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: h.tlsConfig,
+		},
+		Timeout: 10 * time.Second,
+	}
+
+	if req.ProviderType == "oidc" {
+		h.validateOIDCProvider(&req, &response, httpClient)
+	} else if req.ProviderType == "oauth2" {
+		h.validateOAuth2Provider(&req, &response, httpClient)
+	} else {
+		http.Error(w, "Invalid provider type", http.StatusBadRequest)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
+
+func (h *TestAuthHandler) validateOIDCProvider(req *TestConnectionRequest, response *TestConnectionResponse, httpClient *http.Client) {
+	if req.Issuer == "" {
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "issuer",
+			Valid: false,
+			Value: "",
+			Notes: []string{"Issuer URL is required for OIDC providers"},
+		})
+		return
+	}
+
+	// Minimal SSRF protection for issuer URL
+	if err := validateURLForSSRF(req.Issuer); err != nil {
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "issuer",
+			Valid: false,
+			Value: req.Issuer,
+			Notes: []string{fmt.Sprintf("Issuer URL cannot be validated with this utility: %v", err)},
+		})
+		return
+	}
+
+	// Fetch OIDC discovery document
+	discoveryUrl := fmt.Sprintf("%s/.well-known/openid-configuration", req.Issuer)
+	httpReq, err := http.NewRequest(http.MethodGet, discoveryUrl, nil)
+	if err != nil {
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "issuer",
+			Valid: false,
+			Value: req.Issuer,
+			Notes: []string{fmt.Sprintf("Failed to create request: %v", err)},
+		})
+		return
+	}
+
+	resp, err := httpClient.Do(httpReq)
+	if err != nil {
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "issuer",
+			Valid: false,
+			Value: req.Issuer,
+			Notes: []string{fmt.Sprintf("Failed to fetch OIDC discovery document: %v", err)},
+		})
+		return
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "issuer",
+			Valid: false,
+			Value: req.Issuer,
+			Notes: []string{fmt.Sprintf("OIDC discovery endpoint returned status %d", resp.StatusCode)},
+		})
+		return
+	}
+
+	bodyBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "issuer",
+			Valid: false,
+			Value: req.Issuer,
+			Notes: []string{fmt.Sprintf("Failed to read discovery document: %v", err)},
+		})
+		return
+	}
+
+	var discovery oidcDiscoveryDocument
+	if err := json.Unmarshal(bodyBytes, &discovery); err != nil {
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "issuer",
+			Valid: false,
+			Value: req.Issuer,
+			Notes: []string{fmt.Sprintf("Failed to parse discovery document: %v", err)},
+		})
+		return
+	}
+
+	// Validate issuer field in discovery document
+	issuerNotes := []string{}
+	hasErrors := false
+
+	if discovery.Issuer != req.Issuer {
+		issuerNotes = append(issuerNotes, fmt.Sprintf("Discovery document issuer (%s) does not match provided issuer (%s)", discovery.Issuer, req.Issuer))
+	}
+
+	if discovery.AuthorizationEndpoint == "" {
+		issuerNotes = append(issuerNotes, "Discovery document is missing authorization_endpoint")
+		hasErrors = true
+	}
+
+	if discovery.TokenEndpoint == "" {
+		issuerNotes = append(issuerNotes, "Discovery document is missing token_endpoint")
+		hasErrors = true
+	}
+
+	if discovery.UserinfoEndpoint == "" {
+		issuerNotes = append(issuerNotes, "Discovery document is missing userinfo_endpoint (optional)")
+	}
+
+	if !hasErrors && len(issuerNotes) == 0 {
+		issuerNotes = append(issuerNotes, "Successfully discovered OIDC configuration from .well-known/openid_configuration")
+	}
+
+	// For OIDC: issuer first, then the rest
+	response.Results = append(response.Results, FieldValidationResult{
+		Field: "issuer",
+		Valid: !hasErrors,
+		Value: req.Issuer,
+		Notes: issuerNotes,
+	})
+
+	// Verify the discovered endpoints are reachable
+	// Skip SSRF validation since these come from the validated issuer
+	if discovery.AuthorizationEndpoint != "" {
+		validation := h.checkEndpointReachability(discovery.AuthorizationEndpoint, "Authorization endpoint", httpClient, false, true)
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "authorizationUrl",
+			Valid: validation.Valid,
+			Value: validation.Value,
+			Notes: validation.Notes,
+		})
+	}
+
+	if discovery.TokenEndpoint != "" {
+		validation := h.checkEndpointReachability(discovery.TokenEndpoint, "Token endpoint", httpClient, true, true)
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "tokenUrl",
+			Valid: validation.Valid,
+			Value: validation.Value,
+			Notes: validation.Notes,
+		})
+	}
+
+	if discovery.UserinfoEndpoint != "" {
+		validation := h.checkEndpointReachability(discovery.UserinfoEndpoint, "Userinfo endpoint", httpClient, false, true)
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "userinfoUrl",
+			Valid: validation.Valid,
+			Value: validation.Value,
+			Notes: validation.Notes,
+		})
+	}
+}
+
+func (h *TestAuthHandler) validateOAuth2Provider(req *TestConnectionRequest, response *TestConnectionResponse, httpClient *http.Client) {
+	// For OAuth2: other fields first, then issuer last
+	if req.AuthorizationUrl != "" {
+		validation := h.checkEndpointReachability(req.AuthorizationUrl, "Authorization URL", httpClient, false, false)
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "authorizationUrl",
+			Valid: validation.Valid,
+			Value: validation.Value,
+			Notes: validation.Notes,
+		})
+	} else {
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "authorizationUrl",
+			Valid: false,
+			Value: "",
+			Notes: []string{"Authorization URL is required"},
+		})
+	}
+
+	if req.TokenUrl != "" {
+		validation := h.checkEndpointReachability(req.TokenUrl, "Token URL", httpClient, true, false)
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "tokenUrl",
+			Valid: validation.Valid,
+			Value: validation.Value,
+			Notes: validation.Notes,
+		})
+	} else {
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "tokenUrl",
+			Valid: false,
+			Value: "",
+			Notes: []string{"Token URL is required"},
+		})
+	}
+
+	if req.UserinfoUrl != "" {
+		validation := h.checkEndpointReachability(req.UserinfoUrl, "Userinfo URL", httpClient, false, false)
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "userinfoUrl",
+			Valid: validation.Valid,
+			Value: validation.Value,
+			Notes: validation.Notes,
+		})
+	} else {
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "userinfoUrl",
+			Valid: false,
+			Value: "",
+			Notes: []string{"Userinfo URL is required"},
+		})
+	}
+
+	// Validate issuer if provided (optional for OAuth2) - add last
+	if req.Issuer != "" {
+		validation := h.checkEndpointReachability(req.Issuer, "Issuer URL", httpClient, false, false)
+		response.Results = append(response.Results, FieldValidationResult{
+			Field: "issuer",
+			Valid: validation.Valid,
+			Value: validation.Value,
+			Notes: validation.Notes,
+		})
+	}
+}
+
+// isPrivateIP checks if an IP address is in a private/local range
+func isPrivateIP(ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+		return true
+	}
+	return ip.IsPrivate()
+}
+
+// validateURLForSSRF performs minimal SSRF protection by blocking localhost and private IPs
+func validateURLForSSRF(rawURL string) error {
+	parsed, err := url.Parse(rawURL)
+	if err != nil {
+		return fmt.Errorf("invalid URL: %v", err)
+	}
+
+	host := parsed.Hostname()
+	if host == "" {
+		return fmt.Errorf("missing hostname")
+	}
+
+	// Check for localhost hostnames
+	hostLower := strings.ToLower(host)
+	if hostLower == "localhost" || strings.HasSuffix(hostLower, ".localhost") {
+		return fmt.Errorf("localhost URLs are not allowed")
+	}
+
+	// Parse IP address if host is an IP
+	if ip := net.ParseIP(host); ip != nil {
+		if isPrivateIP(ip) {
+			return fmt.Errorf("private IP addresses are not allowed")
+		}
+	}
+
+	return nil
+}
+
+func (h *TestAuthHandler) checkEndpointReachability(urlStr string, fieldName string, httpClient *http.Client, isTokenEndpoint bool, skipSSRF bool) FieldValidation {
+	// Minimal SSRF protection (skip for discovered endpoints from validated issuer)
+	if !skipSSRF {
+		if err := validateURLForSSRF(urlStr); err != nil {
+			return FieldValidation{
+				Valid: false,
+				Value: urlStr,
+				Notes: []string{fmt.Sprintf("%s: %v", fieldName, err)},
+			}
+		}
+	}
+
+	parsed, err := url.Parse(urlStr)
+	if err != nil || (parsed.Scheme != "http" && parsed.Scheme != "https") || parsed.Host == "" {
+		return FieldValidation{
+			Valid: false,
+			Value: urlStr,
+			Notes: []string{fmt.Sprintf("%s must be a valid http(s) URL", fieldName)},
+		}
+	}
+	req, err := http.NewRequest(http.MethodGet, parsed.String(), nil)
+	if err != nil {
+		return FieldValidation{
+			Valid: false,
+			Value: urlStr,
+			Notes: []string{fmt.Sprintf("Failed to create request: %v", err)},
+		}
+	}
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		log.GetLogger().Warnf("Endpoint test failed for %s: %v", urlStr, err)
+		return FieldValidation{
+			Valid: false,
+			Value: urlStr,
+			Notes: []string{fmt.Sprintf("%s is not reachable: %v", fieldName, err)},
+		}
+	}
+	defer resp.Body.Close()
+
+	// Evaluate endpoint reachability based on HTTP status
+	notes := []string{}
+	valid := true
+
+	if resp.StatusCode >= 200 && resp.StatusCode < 500 {
+		// 2xx, 3xx, 4xx: endpoint is reachable
+		if resp.StatusCode == http.StatusNotFound {
+			// 404 on token endpoints is acceptable (they only accept POST)
+			// 404 on other endpoints means not found
+			if isTokenEndpoint {
+				notes = append(notes, fmt.Sprintf("%s is reachable (HTTP 404 for GET - endpoint likely accepts POST)", fieldName))
+			} else {
+				notes = append(notes, fmt.Sprintf("%s returned HTTP 404 - endpoint not found", fieldName))
+				valid = false
+			}
+		} else if resp.StatusCode == http.StatusMethodNotAllowed {
+			// 405 Method Not Allowed - endpoint exists but GET not supported (expected for some endpoints)
+			notes = append(notes, fmt.Sprintf("%s is reachable (HTTP 405 - endpoint exists, GET not supported)", fieldName))
+		} else if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
+			// 401/403 - endpoint exists and requires authentication (expected)
+			notes = append(notes, fmt.Sprintf("%s is reachable (HTTP %d - authentication required, as expected)", fieldName, resp.StatusCode))
+		} else if resp.StatusCode == http.StatusBadRequest {
+			// 400 - endpoint exists but request is invalid (expected without auth)
+			notes = append(notes, fmt.Sprintf("%s is reachable (HTTP 400 - endpoint exists)", fieldName))
+		} else {
+			// All other 2xx, 3xx, 4xx responses indicate the endpoint is reachable
+			notes = append(notes, fmt.Sprintf("%s is reachable (HTTP %d)", fieldName, resp.StatusCode))
+		}
+	} else {
+		// 5xx server errors
+		notes = append(notes, fmt.Sprintf("%s returned HTTP %d - server error", fieldName, resp.StatusCode))
+		valid = false
+	}
+
+	return FieldValidation{
+		Valid: valid,
+		Value: urlStr,
+		Notes: notes,
+	}
+}
diff --git a/proxy/config/config.go b/proxy/config/config.go
index debe82fb1..734aec98b 100644
--- a/proxy/config/config.go
+++ b/proxy/config/config.go
@@ -13,9 +13,7 @@ var (
 	AlertManagerApiUrl   = getEnvUrlVar("FLIGHTCTL_ALERTMANAGER_PROXY", "https://localhost:8443")
 	TlsKeyPath           = getEnvVar("TLS_KEY", "")
 	TlsCertPath          = getEnvVar("TLS_CERT", "")
-	AuthClientId         = getEnvVar("AUTH_CLIENT_ID", "flightctl")
 	BaseUiUrl            = getEnvUrlVar("BASE_UI_URL", "http://localhost:9000")
-	InternalAuthUrl      = getEnvUrlVar("INTERNAL_AUTH_URL", "")
 	AuthInsecure         = getEnvVar("AUTH_INSECURE_SKIP_VERIFY", "")
 	OcpPlugin            = getEnvVar("IS_OCP_PLUGIN", "false")
 	IsRHEM               = getEnvVar("IS_RHEM", "")
diff --git a/proxy/go.mod b/proxy/go.mod
index b9837c97c..bf9b22b92 100644
--- a/proxy/go.mod
+++ b/proxy/go.mod
@@ -5,7 +5,7 @@ go 1.24.0
 toolchain go1.24.6
 
 require (
-	github.com/flightctl/flightctl v1.0.0-main.0.20251113083308-3f1bc5ade635
+	github.com/flightctl/flightctl v1.0.0-main.0.20251119121430-1919682154b5
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.3
diff --git a/proxy/go.sum b/proxy/go.sum
index 6e8afc186..ee4b81127 100644
--- a/proxy/go.sum
+++ b/proxy/go.sum
@@ -12,8 +12,8 @@ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvw
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/flightctl/flightctl v1.0.0-main.0.20251113083308-3f1bc5ade635 h1:v6Qw29IXC/Qmh41R4UK80XO0s212cLyOiguGLzKMA9Y=
-github.com/flightctl/flightctl v1.0.0-main.0.20251113083308-3f1bc5ade635/go.mod h1:+ZOPs3gV3QH9S4K5SGNWs0l3nP/UTPmVTCORNtYA9tA=
+github.com/flightctl/flightctl v1.0.0-main.0.20251119121430-1919682154b5 h1:aLP6In+L7qRtubwket/8wdHj9C2RnubgX2hlhey5iog=
+github.com/flightctl/flightctl v1.0.0-main.0.20251119121430-1919682154b5/go.mod h1:V9peeoF0VazgcV19mzGsFHhaNp1GY3LdQSx452LXF3k=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/getkin/kin-openapi v0.132.0 h1:3ISeLMsQzcb5v26yeJrBcdTCEQTag36ZjaGk7MIRUwk=
diff --git a/proxy/middleware/auth.go b/proxy/middleware/auth.go
index 252c9ea4a..7f6bf0200 100644
--- a/proxy/middleware/auth.go
+++ b/proxy/middleware/auth.go
@@ -14,8 +14,11 @@ func AuthMiddleware(next http.Handler) http.Handler {
 		tokenData, err := auth.ParseSessionCookie(r)
 		if err != nil {
 			log.GetLogger().Warn(err.Error())
-		} else if tokenData.Token != "" {
-			r.Header.Add(common.AuthHeaderKey, "Bearer "+tokenData.Token)
+		} else {
+			token := tokenData.GetAuthToken()
+			if token != "" {
+				r.Header.Add(common.AuthHeaderKey, "Bearer "+token)
+			}
 		}
 		next.ServeHTTP(w, r)
 	})
diff --git a/proxy/middleware/organization.go b/proxy/middleware/organization.go
index 824fd6a7c..c5eda224b 100644
--- a/proxy/middleware/organization.go
+++ b/proxy/middleware/organization.go
@@ -69,6 +69,9 @@ func shouldAddOrgIDFromHeader(path string) bool {
 	if strings.HasPrefix(path, "/api/flightctl/api/v1/organizations") {
 		return false
 	}
+	if strings.HasPrefix(path, "/api/flightctl/api/v1/auth/config") {
+		return false
+	}
 
 	return isFlightCtlAPICall(path) || isAlertsAPICall(path)
 }