build(deps): update module github.com/ory/fosite to v0.43.0 (#4269)

This updates fosite and refactors our usage out of compose.
2022-11-13 14:26:10 +11:00 · 2022-11-13 14:26:10 +11:00 · ad68f33aeb
parent 7a0067e572
commit ad68f33aeb
20 changed files with 989 additions and 1216 deletions
--- a/go.mod
+++ b/go.mod
@ -19,14 +19,16 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.4.2
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.3.0
+	github.com/hashicorp/go-retryablehttp v0.7.1
 	github.com/jackc/pgx/v5 v5.1.0
 	github.com/jmoiron/sqlx v1.3.5
 	github.com/knadh/koanf v1.4.4
 	github.com/mattn/go-sqlite3 v1.14.16
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/ory/fosite v0.42.2
+	github.com/ory/fosite v0.43.0
 	github.com/ory/herodot v0.9.13
+	github.com/ory/x v0.0.507
 	github.com/otiai10/copy v1.9.0
 	github.com/pkg/errors v0.9.1
 	github.com/pquerna/otp v1.3.0
@ -51,37 +53,40 @@ require (
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/cristalhq/jwt/v4 v4.0.2 // indirect
+	github.com/dave/jennifer v1.6.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/dgraph-io/ristretto v0.1.0 // indirect
+	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
+	github.com/ecordell/optgen v0.0.6 // indirect
 	github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-crypt/x v0.1.3 // indirect
 	github.com/go-redis/redis/v8 v8.11.5 // indirect
 	github.com/go-webauthn/revoke v0.1.6 // indirect
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
+	github.com/golang/glog v1.0.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-tpm v0.3.3 // indirect
-	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
 	github.com/jandelgado/gcov2lcov v1.0.5 // indirect
 	github.com/klauspost/compress v1.15.9 // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
-	github.com/mattn/goveralls v0.0.6 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
+	github.com/mattn/goveralls v0.0.11 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/ory/go-acc v0.2.6 // indirect
+	github.com/ory/go-acc v0.2.8 // indirect
 	github.com/ory/go-convenience v0.1.0 // indirect
 	github.com/ory/viper v1.7.5 // indirect
-	github.com/ory/x v0.0.288 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
-	github.com/pelletier/go-toml v1.9.4 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/philhofer/fwd v1.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
@ -90,10 +95,10 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/savsgio/dictpool v0.0.0-20220406081701-03de5edb2e6d // indirect
 	github.com/savsgio/gotils v0.0.0-20220530130905-52f3993e8d6d // indirect
-	github.com/spf13/afero v1.6.0 // indirect
-	github.com/spf13/cast v1.4.1 // indirect
+	github.com/spf13/afero v1.9.2 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/test-go/testify v1.1.4 // indirect
 	github.com/tinylib/msgp v1.1.6 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
@ -102,14 +107,16 @@ require (
 	github.com/ysmood/gson v0.7.1 // indirect
 	github.com/ysmood/leakless v0.8.0 // indirect
 	golang.org/x/crypto v0.1.0 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+	golang.org/x/mod v0.6.0 // indirect
 	golang.org/x/net v0.1.0 // indirect
+	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
 	golang.org/x/sys v0.2.0 // indirect
-	golang.org/x/tools v0.1.12 // indirect
-	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
-	google.golang.org/grpc v1.42.0 // indirect
+	golang.org/x/tools v0.2.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71 // indirect
+	google.golang.org/grpc v1.50.1 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
-	gopkg.in/ini.v1 v1.66.2 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

--- a/go.sum
+++ b/go.sum
--- a/internal/handlers/handler_oauth_introspection.go
+++ b/internal/handlers/handler_oauth_introspection.go
@ -25,7 +25,7 @@ func OAuthIntrospectionPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter

 		ctx.Logger.Errorf("Introspection Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())

-		ctx.Providers.OpenIDConnect.WriteIntrospectionError(rw, err)
+		ctx.Providers.OpenIDConnect.WriteIntrospectionError(ctx, rw, err)

 		return
 	}
@ -34,5 +34,5 @@ func OAuthIntrospectionPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter

 	ctx.Logger.Tracef("Introspection Request yeilded a %s (active: %t) requested at %s created with request id '%s' on client with id '%s'", responder.GetTokenUse(), responder.IsActive(), requester.GetRequestedAt().String(), requester.GetID(), requester.GetClient().GetID())

-	ctx.Providers.OpenIDConnect.WriteIntrospectionResponse(rw, responder)
+	ctx.Providers.OpenIDConnect.WriteIntrospectionResponse(ctx, rw, responder)
 }
--- a/internal/handlers/handler_oauth_revocation.go
+++ b/internal/handlers/handler_oauth_revocation.go
@ -20,5 +20,5 @@ func OAuthRevocationPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, r
 		ctx.Logger.Errorf("Revocation Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())
 	}

-	ctx.Providers.OpenIDConnect.WriteRevocationResponse(rw, err)
+	ctx.Providers.OpenIDConnect.WriteRevocationResponse(ctx, rw, err)
 }
--- a/internal/handlers/handler_oidc_authorization.go
+++ b/internal/handlers/handler_oidc_authorization.go
@ -31,7 +31,7 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr

 		ctx.Logger.Errorf("Authorization Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, err)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, err)

 		return
 	}
@ -47,7 +47,7 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr
 			ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: failed to find client: %+v", requester.GetID(), clientID, err)
 		}

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, err)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, err)

 		return
 	}
@ -55,7 +55,7 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr
 	if issuer, err = ctx.IssuerURL(); err != nil {
 		ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: error occurred determining issuer: %+v", requester.GetID(), clientID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrIssuerCouldNotDerive)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrIssuerCouldNotDerive)

 		return
 	}
@ -76,7 +76,7 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr
 	if authTime, err = userSession.AuthenticatedTime(client.Policy); err != nil {
 		ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: error occurred checking authentication time: %+v", requester.GetID(), client.GetID(), err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, fosite.ErrServerError.WithHint("Could not obtain the authentication time."))
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, fosite.ErrServerError.WithHint("Could not obtain the authentication time."))

 		return
 	}
@ -94,7 +94,7 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr

 		ctx.Logger.Errorf("Authorization Response for Request with id '%s' on client with id '%s' could not be created: %s", requester.GetID(), clientID, rfc.WithExposeDebug(true).GetDescription())

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, err)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, err)

 		return
 	}
@ -102,10 +102,10 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr
 	if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionGranted(ctx, consent.ID); err != nil {
 		ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: error occurred saving consent session: %+v", requester.GetID(), client.GetID(), err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)

 		return
 	}

-	ctx.Providers.OpenIDConnect.WriteAuthorizeResponse(rw, requester, responder)
+	ctx.Providers.OpenIDConnect.WriteAuthorizeResponse(ctx, rw, requester, responder)
 }
--- a/internal/handlers/handler_oidc_authorization_consent.go
+++ b/internal/handlers/handler_oidc_authorization_consent.go
@ -37,7 +37,7 @@ func handleOIDCAuthorizationConsent(ctx *middlewares.AutheliaCtx, issuer *url.UR
 		if subject, err = ctx.Providers.OpenIDConnect.GetSubject(ctx, client.GetSectorIdentifier(), userSession.Username); err != nil {
 			ctx.Logger.Errorf(logFmtErrConsentCantGetSubject, requester.GetID(), client.GetID(), client.Consent, userSession.Username, client.GetSectorIdentifier(), err)

-			ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrSubjectCouldNotLookup)
+			ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrSubjectCouldNotLookup)

 			return nil, true
 		}
@ -52,7 +52,7 @@ func handleOIDCAuthorizationConsent(ctx *middlewares.AutheliaCtx, issuer *url.UR
 		default:
 			ctx.Logger.Errorf(logFmtErrConsentCantDetermineConsentMode, requester.GetID(), client.GetID())

-			ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, fosite.ErrServerError.WithHint("Could not determine the client consent mode."))
+			ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, fosite.ErrServerError.WithHint("Could not determine the client consent mode."))

 			return nil, true
 		}
@ -60,7 +60,7 @@ func handleOIDCAuthorizationConsent(ctx *middlewares.AutheliaCtx, issuer *url.UR
 		if subject, err = ctx.Providers.OpenIDConnect.GetSubject(ctx, client.GetSectorIdentifier(), userSession.Username); err != nil {
 			ctx.Logger.Errorf(logFmtErrConsentCantGetSubject, requester.GetID(), client.GetID(), client.Consent, userSession.Username, client.GetSectorIdentifier(), err)

-			ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrSubjectCouldNotLookup)
+			ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrSubjectCouldNotLookup)

 			return nil, true
 		}
@ -93,7 +93,7 @@ func handleOIDCAuthorizationConsentGenerate(ctx *middlewares.AutheliaCtx, issuer
 	if len(ctx.QueryArgs().PeekBytes(qryArgConsentID)) != 0 {
 		ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.Consent, "generating", errors.New("consent id value was present when it should be absent"))

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotGenerate)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotGenerate)

 		return nil, true
 	}
@ -101,7 +101,7 @@ func handleOIDCAuthorizationConsentGenerate(ctx *middlewares.AutheliaCtx, issuer
 	if consent, err = model.NewOAuth2ConsentSession(subject, requester); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.Consent, "generating", err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotGenerate)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotGenerate)

 		return nil, true
 	}
@ -109,7 +109,7 @@ func handleOIDCAuthorizationConsentGenerate(ctx *middlewares.AutheliaCtx, issuer
 	if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSession(ctx, *consent); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.Consent, "saving", err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)

 		return nil, true
 	}
--- a/internal/handlers/handler_oidc_authorization_consent_explicit.go
+++ b/internal/handlers/handler_oidc_authorization_consent_explicit.go
@ -30,7 +30,7 @@ func handleOIDCAuthorizationConsentModeExplicit(ctx *middlewares.AutheliaCtx, is
 		if consentID, err = uuid.ParseBytes(bytesConsentID); err != nil {
 			ctx.Logger.Errorf(logFmtErrConsentParseChallengeID, requester.GetID(), client.GetID(), client.Consent, bytesConsentID, err)

-			ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentMalformedChallengeID)
+			ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentMalformedChallengeID)

 			return nil, true
 		}
@ -49,7 +49,7 @@ func handleOIDCAuthorizationConsentModeExplicitWithID(ctx *middlewares.AutheliaC
 	if consentID.ID() == 0 {
 		ctx.Logger.Errorf(logFmtErrConsentZeroID, requester.GetID(), client.GetID(), client.Consent)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -57,7 +57,7 @@ func handleOIDCAuthorizationConsentModeExplicitWithID(ctx *middlewares.AutheliaC
 	if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consentID); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentLookupLoadingSession, requester.GetID(), client.GetID(), client.Consent, consentID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -65,7 +65,7 @@ func handleOIDCAuthorizationConsentModeExplicitWithID(ctx *middlewares.AutheliaC
 	if subject.ID() != consent.Subject.UUID.ID() {
 		ctx.Logger.Errorf(logFmtErrConsentSessionSubjectNotAuthorized, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, userSession.Username, subject, consent.Subject.UUID)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -73,7 +73,7 @@ func handleOIDCAuthorizationConsentModeExplicitWithID(ctx *middlewares.AutheliaC
 	if !consent.CanGrant() {
 		ctx.Logger.Errorf(logFmtErrConsentCantGrant, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, "explicit")

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotPerform)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotPerform)

 		return nil, true
 	}
@ -82,7 +82,7 @@ func handleOIDCAuthorizationConsentModeExplicitWithID(ctx *middlewares.AutheliaC
 		if consent.Responded() {
 			ctx.Logger.Errorf(logFmtErrConsentCantGrantRejected, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID)

-			ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, fosite.ErrAccessDenied)
+			ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, fosite.ErrAccessDenied)

 			return nil, true
 		}
--- a/internal/handlers/handler_oidc_authorization_consent_implicit.go
+++ b/internal/handlers/handler_oidc_authorization_consent_implicit.go
@ -28,7 +28,7 @@ func handleOIDCAuthorizationConsentModeImplicit(ctx *middlewares.AutheliaCtx, is
 		if consentID, err = uuid.ParseBytes(bytesConsentID); err != nil {
 			ctx.Logger.Errorf(logFmtErrConsentParseChallengeID, requester.GetID(), client.GetID(), client.Consent, bytesConsentID, err)

-			ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentMalformedChallengeID)
+			ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentMalformedChallengeID)

 			return nil, true
 		}
@ -47,7 +47,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithID(ctx *middlewares.AutheliaC
 	if consentID.ID() == 0 {
 		ctx.Logger.Errorf(logFmtErrConsentZeroID, requester.GetID(), client.GetID(), client.Consent)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -55,7 +55,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithID(ctx *middlewares.AutheliaC
 	if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consentID); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentLookupLoadingSession, requester.GetID(), client.GetID(), client.Consent, consentID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -63,7 +63,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithID(ctx *middlewares.AutheliaC
 	if subject.ID() != consent.Subject.UUID.ID() {
 		ctx.Logger.Errorf(logFmtErrConsentSessionSubjectNotAuthorized, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, userSession.Username, subject, consent.Subject.UUID)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -71,7 +71,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithID(ctx *middlewares.AutheliaC
 	if !consent.CanGrant() {
 		ctx.Logger.Errorf(logFmtErrConsentCantGrant, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, "implicit")

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotPerform)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotPerform)

 		return nil, true
 	}
@ -81,7 +81,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithID(ctx *middlewares.AutheliaC
 	if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)

 		return nil, true
 	}
@ -99,7 +99,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithoutID(ctx *middlewares.Authel
 	if consent, err = model.NewOAuth2ConsentSession(subject, requester); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentGenerate, requester.GetID(), client.GetID(), client.Consent, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotGenerate)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotGenerate)

 		return nil, true
 	}
@ -107,7 +107,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithoutID(ctx *middlewares.Authel
 	if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSession(ctx, *consent); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)

 		return nil, true
 	}
@ -115,7 +115,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithoutID(ctx *middlewares.Authel
 	if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consent.ChallengeID); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)

 		return nil, true
 	}
@ -125,7 +125,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithoutID(ctx *middlewares.Authel
 	if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)

 		return nil, true
 	}
--- a/internal/handlers/handler_oidc_authorization_consent_pre_configured.go
+++ b/internal/handlers/handler_oidc_authorization_consent_pre_configured.go
@ -34,7 +34,7 @@ func handleOIDCAuthorizationConsentModePreConfigured(ctx *middlewares.AutheliaCt
 		if consentID, err = uuid.ParseBytes(bytesConsentID); err != nil {
 			ctx.Logger.Errorf(logFmtErrConsentParseChallengeID, requester.GetID(), client.GetID(), client.Consent, bytesConsentID, err)

-			ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentMalformedChallengeID)
+			ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentMalformedChallengeID)

 			return nil, true
 		}
@ -54,7 +54,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
 	if consentID.ID() == 0 {
 		ctx.Logger.Errorf(logFmtErrConsentZeroID, requester.GetID(), client.GetID(), client.Consent)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -62,7 +62,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
 	if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consentID); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentLookupLoadingSession, requester.GetID(), client.GetID(), client.Consent, consentID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -70,7 +70,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
 	if subject.ID() != consent.Subject.UUID.ID() {
 		ctx.Logger.Errorf(logFmtErrConsentSessionSubjectNotAuthorized, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, userSession.Username, subject, consent.Subject.UUID)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -78,7 +78,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
 	if !consent.CanGrant() {
 		ctx.Logger.Errorf(logFmtErrConsentCantGrantPreConf, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotPerform)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotPerform)

 		return nil, true
 	}
@ -86,7 +86,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
 	if config, err = handleOIDCAuthorizationConsentModePreConfiguredGetPreConfig(ctx, client, subject, requester); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentPreConfLookup, requester.GetID(), client.GetID(), client.Consent, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -99,7 +99,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
 		if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
 			ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)

-			ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
+			ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)

 			return nil, true
 		}
@ -111,7 +111,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
 		if consent.Responded() {
 			ctx.Logger.Errorf(logFmtErrConsentCantGrantRejected, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID)

-			ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, fosite.ErrAccessDenied)
+			ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, fosite.ErrAccessDenied)

 			return nil, true
 		}
@ -135,7 +135,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithoutID(ctx *middlewares.A
 	if config, err = handleOIDCAuthorizationConsentModePreConfiguredGetPreConfig(ctx, client, subject, requester); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentPreConfLookup, requester.GetID(), client.GetID(), client.Consent, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)

 		return nil, true
 	}
@ -147,7 +147,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithoutID(ctx *middlewares.A
 	if consent, err = model.NewOAuth2ConsentSession(subject, requester); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentGenerate, requester.GetID(), client.GetID(), client.Consent, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotGenerate)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotGenerate)

 		return nil, true
 	}
@ -155,7 +155,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithoutID(ctx *middlewares.A
 	if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSession(ctx, *consent); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)

 		return nil, true
 	}
@ -163,7 +163,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithoutID(ctx *middlewares.A
 	if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consent.ChallengeID); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)

 		return nil, true
 	}
@ -175,7 +175,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithoutID(ctx *middlewares.A
 	if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
 		ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)

-		ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
+		ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)

 		return nil, true
 	}
--- a/internal/handlers/handler_oidc_token.go
+++ b/internal/handlers/handler_oidc_token.go
@ -26,7 +26,7 @@ func OpenIDConnectTokenPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter

 		ctx.Logger.Errorf("Access Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())

-		ctx.Providers.OpenIDConnect.WriteAccessError(rw, requester, err)
+		ctx.Providers.OpenIDConnect.WriteAccessError(ctx, rw, requester, err)

 		return
 	}
@ -51,7 +51,7 @@ func OpenIDConnectTokenPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter

 		ctx.Logger.Errorf("Access Response for Request with id '%s' failed to be created with error: %s", requester.GetID(), rfc.WithExposeDebug(true).GetDescription())

-		ctx.Providers.OpenIDConnect.WriteAccessError(rw, requester, err)
+		ctx.Providers.OpenIDConnect.WriteAccessError(ctx, rw, requester, err)

 		return
 	}
@ -60,5 +60,5 @@ func OpenIDConnectTokenPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter

 	ctx.Logger.Tracef("Access Request with id '%s' on client with id '%s' produced the following claims: %+v", requester.GetID(), client.GetID(), responder.ToMap())

-	ctx.Providers.OpenIDConnect.WriteAccessResponse(rw, requester, responder)
+	ctx.Providers.OpenIDConnect.WriteAccessResponse(ctx, rw, requester, responder)
 }
--- a/internal/oidc/config.go
+++ b/internal/oidc/config.go
@ -0,0 +1,583 @@
+package oidc
+
+import (
+	"context"
+	"crypto/sha512"
+	"hash"
+	"html/template"
+	"net/url"
+	"time"
+
+	"github.com/hashicorp/go-retryablehttp"
+	"github.com/ory/fosite"
+	"github.com/ory/fosite/handler/oauth2"
+	"github.com/ory/fosite/handler/openid"
+	"github.com/ory/fosite/handler/par"
+	"github.com/ory/fosite/handler/pkce"
+	"github.com/ory/fosite/i18n"
+	"github.com/ory/fosite/token/hmac"
+	"github.com/ory/fosite/token/jwt"
+
+	"github.com/authelia/authelia/v4/internal/configuration/schema"
+	"github.com/authelia/authelia/v4/internal/utils"
+)
+
+func NewConfig(config *schema.OpenIDConnectConfiguration) *Config {
+	c := &Config{
+		GlobalSecret:               []byte(utils.HashSHA256FromString(config.HMACSecret)),
+		SendDebugMessagesToClients: config.EnableClientDebugMessages,
+		MinParameterEntropy:        config.MinimumParameterEntropy,
+		Lifespans: LifespanConfig{
+			AccessToken:   config.AccessTokenLifespan,
+			AuthorizeCode: config.AuthorizeCodeLifespan,
+			IDToken:       config.IDTokenLifespan,
+			RefreshToken:  config.RefreshTokenLifespan,
+		},
+		ProofKeyCodeExchange: ProofKeyCodeExchangeConfig{
+			Enforce:                   config.EnforcePKCE == "always",
+			EnforcePublicClients:      config.EnforcePKCE != "never",
+			AllowPlainChallengeMethod: config.EnablePKCEPlainChallenge,
+		},
+	}
+
+	prefix := "authelia_%s_"
+	c.Strategy.Core = &HMACCoreStrategy{
+		Enigma: &hmac.HMACStrategy{Config: c},
+		Config: c,
+		prefix: &prefix,
+	}
+
+	return c
+}
+
+type Config struct {
+	// GlobalSecret is the global secret used to sign and verify signatures.
+	GlobalSecret []byte
+
+	// RotatedGlobalSecrets is a list of global secrets that are used to verify signatures.
+	RotatedGlobalSecrets [][]byte
+
+	Issuers IssuersConfig
+
+	SendDebugMessagesToClients    bool
+	DisableRefreshTokenValidation bool
+	OmitRedirectScopeParameter    bool
+
+	JWTScopeField  jwt.JWTScopeFieldEnum
+	JWTMaxDuration time.Duration
+
+	Hash                 HashConfig
+	Strategy             StrategyConfig
+	PAR                  PARConfig
+	Handlers             HandlersConfig
+	Lifespans            LifespanConfig
+	ProofKeyCodeExchange ProofKeyCodeExchangeConfig
+	GrantTypeJWTBearer   GrantTypeJWTBearerConfig
+
+	TokenURL            string
+	TokenEntropy        int
+	MinParameterEntropy int
+
+	SanitationWhiteList []string
+	AllowedPrompts      []string
+	RefreshTokenScopes  []string
+
+	HTTPClient           *retryablehttp.Client
+	FormPostHTMLTemplate *template.Template
+	MessageCatalog       i18n.MessageCatalog
+}
+
+type HashConfig struct {
+	ClientSecrets fosite.Hasher
+	HMAC          func() (h hash.Hash)
+}
+
+type StrategyConfig struct {
+	Core                 oauth2.CoreStrategy
+	OpenID               openid.OpenIDConnectTokenStrategy
+	Audience             fosite.AudienceMatchingStrategy
+	Scope                fosite.ScopeStrategy
+	JWKSFetcher          fosite.JWKSFetcherStrategy
+	ClientAuthentication fosite.ClientAuthenticationStrategy
+}
+
+type PARConfig struct {
+	Enforced        bool
+	URIPrefix       string
+	ContextLifespan time.Duration
+}
+
+type IssuersConfig struct {
+	IDToken     string
+	AccessToken string
+}
+
+type HandlersConfig struct {
+	// ResponseMode provides an extension handler for custom response modes.
+	ResponseMode fosite.ResponseModeHandler
+
+	// AuthorizeEndpoint is a list of handlers that are called before the authorization endpoint is served.
+	AuthorizeEndpoint fosite.AuthorizeEndpointHandlers
+
+	// TokenEndpoint is a list of handlers that are called before the token endpoint is served.
+	TokenEndpoint fosite.TokenEndpointHandlers
+
+	// TokenIntrospection is a list of handlers that are called before the token introspection endpoint is served.
+	TokenIntrospection fosite.TokenIntrospectionHandlers
+
+	// Revocation is a list of handlers that are called before the revocation endpoint is served.
+	Revocation fosite.RevocationHandlers
+
+	// PushedAuthorizeEndpoint is a list of handlers that are called before the PAR endpoint is served.
+	PushedAuthorizeEndpoint fosite.PushedAuthorizeEndpointHandlers
+}
+
+type GrantTypeJWTBearerConfig struct {
+	OptionalClientAuth bool
+	OptionalJTIClaim   bool
+	OptionalIssuedDate bool
+}
+
+type ProofKeyCodeExchangeConfig struct {
+	Enforce                   bool
+	EnforcePublicClients      bool
+	AllowPlainChallengeMethod bool
+}
+
+type LifespanConfig struct {
+	AccessToken   time.Duration
+	AuthorizeCode time.Duration
+	IDToken       time.Duration
+	RefreshToken  time.Duration
+}
+
+const (
+	PromptNone    = none
+	PromptLogin   = "login"
+	PromptConsent = "consent"
+)
+
+func (c *Config) LoadHandlers(store *Store, strategy jwt.Signer) {
+	validator := openid.NewOpenIDConnectRequestValidator(strategy, c)
+
+	handlers := []any{
+		&oauth2.AuthorizeExplicitGrantHandler{
+			AccessTokenStrategy:    c.Strategy.Core,
+			RefreshTokenStrategy:   c.Strategy.Core,
+			AuthorizeCodeStrategy:  c.Strategy.Core,
+			CoreStorage:            store,
+			TokenRevocationStorage: store,
+			Config:                 c,
+		},
+		&oauth2.AuthorizeImplicitGrantTypeHandler{
+			AccessTokenStrategy: c.Strategy.Core,
+			AccessTokenStorage:  store,
+			Config:              c,
+		},
+		&oauth2.ClientCredentialsGrantHandler{
+			HandleHelper: &oauth2.HandleHelper{
+				AccessTokenStrategy: c.Strategy.Core,
+				AccessTokenStorage:  store,
+				Config:              c,
+			},
+			Config: c,
+		},
+		&oauth2.RefreshTokenGrantHandler{
+			AccessTokenStrategy:    c.Strategy.Core,
+			RefreshTokenStrategy:   c.Strategy.Core,
+			TokenRevocationStorage: store,
+			Config:                 c,
+		},
+		&openid.OpenIDConnectExplicitHandler{
+			IDTokenHandleHelper: &openid.IDTokenHandleHelper{
+				IDTokenStrategy: c.Strategy.OpenID,
+			},
+			OpenIDConnectRequestValidator: validator,
+			OpenIDConnectRequestStorage:   store,
+			Config:                        c,
+		},
+		&openid.OpenIDConnectImplicitHandler{
+			AuthorizeImplicitGrantTypeHandler: &oauth2.AuthorizeImplicitGrantTypeHandler{
+				AccessTokenStrategy: c.Strategy.Core,
+				AccessTokenStorage:  store,
+				Config:              c,
+			},
+			IDTokenHandleHelper: &openid.IDTokenHandleHelper{
+				IDTokenStrategy: c.Strategy.OpenID,
+			},
+			OpenIDConnectRequestValidator: validator,
+			Config:                        c,
+		},
+		&openid.OpenIDConnectHybridHandler{
+			AuthorizeExplicitGrantHandler: &oauth2.AuthorizeExplicitGrantHandler{
+				AccessTokenStrategy:   c.Strategy.Core,
+				RefreshTokenStrategy:  c.Strategy.Core,
+				AuthorizeCodeStrategy: c.Strategy.Core,
+				CoreStorage:           store,
+				Config:                c,
+			},
+			Config: c,
+			AuthorizeImplicitGrantTypeHandler: &oauth2.AuthorizeImplicitGrantTypeHandler{
+				AccessTokenStrategy: c.Strategy.Core,
+				AccessTokenStorage:  store,
+				Config:              c,
+			},
+			IDTokenHandleHelper: &openid.IDTokenHandleHelper{
+				IDTokenStrategy: c.Strategy.OpenID,
+			},
+			OpenIDConnectRequestValidator: validator,
+			OpenIDConnectRequestStorage:   store,
+		},
+		&openid.OpenIDConnectRefreshHandler{
+			IDTokenHandleHelper: &openid.IDTokenHandleHelper{
+				IDTokenStrategy: c.Strategy.OpenID,
+			},
+			Config: c,
+		},
+		&oauth2.CoreValidator{
+			CoreStrategy: c.Strategy.Core,
+			CoreStorage:  store,
+			Config:       c,
+		},
+		&oauth2.TokenRevocationHandler{
+			AccessTokenStrategy:    c.Strategy.Core,
+			RefreshTokenStrategy:   c.Strategy.Core,
+			TokenRevocationStorage: store,
+		},
+		&pkce.Handler{
+			AuthorizeCodeStrategy: c.Strategy.Core,
+			Storage:               store,
+			Config:                c,
+		},
+		&par.PushedAuthorizeHandler{
+			Storage: store,
+			Config:  c,
+		},
+	}
+
+	x := HandlersConfig{}
+
+	for _, handler := range handlers {
+		if h, ok := handler.(fosite.AuthorizeEndpointHandler); ok {
+			x.AuthorizeEndpoint.Append(h)
+		}
+
+		if h, ok := handler.(fosite.TokenEndpointHandler); ok {
+			x.TokenEndpoint.Append(h)
+		}
+
+		if h, ok := handler.(fosite.TokenIntrospector); ok {
+			x.TokenIntrospection.Append(h)
+		}
+
+		if h, ok := handler.(fosite.RevocationHandler); ok {
+			x.Revocation.Append(h)
+		}
+	}
+
+	c.Handlers = x
+}
+
+// GetAllowedPrompts returns the allowed prompts.
+func (c *Config) GetAllowedPrompts(ctx context.Context) (prompts []string) {
+	if len(c.AllowedPrompts) == 0 {
+		c.AllowedPrompts = []string{PromptNone, PromptLogin, PromptConsent}
+	}
+
+	return c.AllowedPrompts
+}
+
+// GetEnforcePKCE returns the enforcement of PKCE.
+func (c *Config) GetEnforcePKCE(ctx context.Context) (enforce bool) {
+	return c.ProofKeyCodeExchange.Enforce
+}
+
+// GetEnforcePKCEForPublicClients returns the enforcement of PKCE for public clients.
+func (c *Config) GetEnforcePKCEForPublicClients(ctx context.Context) (enforce bool) {
+	return c.GetEnforcePKCE(ctx) || c.ProofKeyCodeExchange.EnforcePublicClients
+}
+
+// GetEnablePKCEPlainChallengeMethod returns the enable PKCE plain challenge method.
+func (c *Config) GetEnablePKCEPlainChallengeMethod(ctx context.Context) (enable bool) {
+	return c.ProofKeyCodeExchange.AllowPlainChallengeMethod
+}
+
+// GetGrantTypeJWTBearerCanSkipClientAuth returns the grant type JWT bearer can skip client auth.
+func (c *Config) GetGrantTypeJWTBearerCanSkipClientAuth(ctx context.Context) (skip bool) {
+	return c.GrantTypeJWTBearer.OptionalClientAuth
+}
+
+// GetGrantTypeJWTBearerIDOptional returns the grant type JWT bearer ID optional.
+func (c *Config) GetGrantTypeJWTBearerIDOptional(ctx context.Context) (optional bool) {
+	return c.GrantTypeJWTBearer.OptionalJTIClaim
+}
+
+// GetGrantTypeJWTBearerIssuedDateOptional returns the grant type JWT bearer issued date optional.
+func (c *Config) GetGrantTypeJWTBearerIssuedDateOptional(ctx context.Context) (optional bool) {
+	return c.GrantTypeJWTBearer.OptionalIssuedDate
+}
+
+// GetJWTMaxDuration returns the JWT max duration.
+func (c *Config) GetJWTMaxDuration(ctx context.Context) (duration time.Duration) {
+	if c.JWTMaxDuration == 0 {
+		c.JWTMaxDuration = time.Hour * 24
+	}
+
+	return c.JWTMaxDuration
+}
+
+// GetRedirectSecureChecker returns the redirect URL security validator.
+func (c *Config) GetRedirectSecureChecker(ctx context.Context) func(context.Context, *url.URL) (secure bool) {
+	return fosite.IsRedirectURISecure
+}
+
+// GetOmitRedirectScopeParam must be set to true if the scope query param is to be omitted
+// in the authorization's redirect URI.
+func (c *Config) GetOmitRedirectScopeParam(ctx context.Context) (omit bool) {
+	return c.OmitRedirectScopeParameter
+}
+
+// GetSanitationWhiteList is a whitelist of form values that are required by the token endpoint. These values
+// are safe for storage in a database (cleartext).
+func (c *Config) GetSanitationWhiteList(ctx context.Context) (whitelist []string) {
+	return c.SanitationWhiteList
+}
+
+// GetJWTScopeField returns the JWT scope field.
+func (c *Config) GetJWTScopeField(ctx context.Context) (field jwt.JWTScopeFieldEnum) {
+	if c.JWTScopeField == jwt.JWTScopeFieldUnset {
+		c.JWTScopeField = jwt.JWTScopeFieldList
+	}
+
+	return c.JWTScopeField
+}
+
+// GetIDTokenIssuer returns the ID token issuer.
+func (c *Config) GetIDTokenIssuer(ctx context.Context) (issuer string) {
+	return c.Issuers.IDToken
+}
+
+// GetAccessTokenIssuer returns the access token issuer.
+func (c *Config) GetAccessTokenIssuer(ctx context.Context) (issuer string) {
+	return c.Issuers.AccessToken
+}
+
+// GetDisableRefreshTokenValidation returns the disable refresh token validation flag.
+func (c *Config) GetDisableRefreshTokenValidation(ctx context.Context) (disable bool) {
+	return c.DisableRefreshTokenValidation
+}
+
+// GetAuthorizeCodeLifespan returns the authorization code lifespan.
+func (c *Config) GetAuthorizeCodeLifespan(ctx context.Context) (lifespan time.Duration) {
+	if c.Lifespans.AuthorizeCode <= 0 {
+		c.Lifespans.AccessToken = lifespanAuthorizeCodeDefault
+	}
+
+	return c.Lifespans.AuthorizeCode
+}
+
+// GetRefreshTokenLifespan returns the refresh token lifespan.
+func (c *Config) GetRefreshTokenLifespan(ctx context.Context) (lifespan time.Duration) {
+	if c.Lifespans.RefreshToken <= 0 {
+		c.Lifespans.AccessToken = lifespanRefreshTokenDefault
+	}
+
+	return c.Lifespans.RefreshToken
+}
+
+// GetIDTokenLifespan returns the ID token lifespan.
+func (c *Config) GetIDTokenLifespan(ctx context.Context) (lifespan time.Duration) {
+	if c.Lifespans.IDToken <= 0 {
+		c.Lifespans.AccessToken = lifespanTokenDefault
+	}
+
+	return c.Lifespans.IDToken
+}
+
+// GetAccessTokenLifespan returns the access token lifespan.
+func (c *Config) GetAccessTokenLifespan(ctx context.Context) (lifespan time.Duration) {
+	if c.Lifespans.AccessToken <= 0 {
+		c.Lifespans.AccessToken = lifespanTokenDefault
+	}
+
+	return c.Lifespans.AccessToken
+}
+
+// GetTokenEntropy returns the token entropy.
+func (c *Config) GetTokenEntropy(ctx context.Context) (entropy int) {
+	if c.TokenEntropy == 0 {
+		c.TokenEntropy = 32
+	}
+
+	return c.TokenEntropy
+}
+
+// GetGlobalSecret returns the global secret.
+func (c *Config) GetGlobalSecret(ctx context.Context) (secret []byte) {
+	return c.GlobalSecret
+}
+
+// GetRotatedGlobalSecrets returns the rotated global secrets.
+func (c *Config) GetRotatedGlobalSecrets(ctx context.Context) (secrets [][]byte) {
+	return c.RotatedGlobalSecrets
+}
+
+// GetHTTPClient returns the HTTP client provider.
+func (c *Config) GetHTTPClient(ctx context.Context) (client *retryablehttp.Client) {
+	if c.HTTPClient == nil {
+		c.HTTPClient = retryablehttp.NewClient()
+	}
+
+	return c.HTTPClient
+}
+
+// GetRefreshTokenScopes returns the refresh token scopes.
+func (c *Config) GetRefreshTokenScopes(ctx context.Context) (scopes []string) {
+	if c.RefreshTokenScopes == nil {
+		c.RefreshTokenScopes = []string{ScopeOffline, ScopeOfflineAccess}
+	}
+
+	return c.RefreshTokenScopes
+}
+
+// GetScopeStrategy returns the scope strategy.
+func (c *Config) GetScopeStrategy(ctx context.Context) (strategy fosite.ScopeStrategy) {
+	if c.Strategy.Scope == nil {
+		c.Strategy.Scope = fosite.ExactScopeStrategy
+	}
+
+	return c.Strategy.Scope
+}
+
+// GetAudienceStrategy returns the audience strategy.
+func (c *Config) GetAudienceStrategy(ctx context.Context) (strategy fosite.AudienceMatchingStrategy) {
+	if c.Strategy.Audience == nil {
+		c.Strategy.Audience = fosite.DefaultAudienceMatchingStrategy
+	}
+
+	return c.Strategy.Audience
+}
+
+// GetMinParameterEntropy returns the minimum parameter entropy.
+func (c *Config) GetMinParameterEntropy(_ context.Context) (entropy int) {
+	if c.MinParameterEntropy == 0 {
+		c.MinParameterEntropy = fosite.MinParameterEntropy
+	}
+
+	return c.MinParameterEntropy
+}
+
+// GetHMACHasher returns the hash function.
+func (c *Config) GetHMACHasher(ctx context.Context) func() (h hash.Hash) {
+	if c.Hash.HMAC == nil {
+		c.Hash.HMAC = sha512.New512_256
+	}
+
+	return c.Hash.HMAC
+}
+
+// GetSendDebugMessagesToClients returns the send debug messages to clients.
+func (c *Config) GetSendDebugMessagesToClients(ctx context.Context) (send bool) {
+	return c.SendDebugMessagesToClients
+}
+
+// GetJWKSFetcherStrategy returns the JWKS fetcher strategy.
+func (c *Config) GetJWKSFetcherStrategy(ctx context.Context) (strategy fosite.JWKSFetcherStrategy) {
+	if c.Strategy.JWKSFetcher == nil {
+		c.Strategy.JWKSFetcher = fosite.NewDefaultJWKSFetcherStrategy()
+	}
+
+	return c.Strategy.JWKSFetcher
+}
+
+// GetClientAuthenticationStrategy returns the client authentication strategy.
+func (c *Config) GetClientAuthenticationStrategy(ctx context.Context) (strategy fosite.ClientAuthenticationStrategy) {
+	return c.Strategy.ClientAuthentication
+}
+
+// GetMessageCatalog returns the message catalog.
+func (c *Config) GetMessageCatalog(ctx context.Context) (catalog i18n.MessageCatalog) {
+	return c.MessageCatalog
+}
+
+// GetFormPostHTMLTemplate returns the form post HTML template.
+func (c *Config) GetFormPostHTMLTemplate(ctx context.Context) (tmpl *template.Template) {
+	return c.FormPostHTMLTemplate
+}
+
+// GetTokenURL returns the token URL.
+func (c *Config) GetTokenURL(ctx context.Context) (tokenURL string) {
+	return c.TokenURL
+}
+
+// GetSecretsHasher returns the client secrets hashing function.
+func (c *Config) GetSecretsHasher(ctx context.Context) (hasher fosite.Hasher) {
+	if c.Hash.ClientSecrets == nil {
+		c.Hash.ClientSecrets = &AdaptiveHasher{}
+	}
+
+	return c.Hash.ClientSecrets
+}
+
+// GetUseLegacyErrorFormat returns whether to use the legacy error format.
+//
+// Deprecated: Do not use this flag anymore.
+func (c *Config) GetUseLegacyErrorFormat(ctx context.Context) (use bool) {
+	return false
+}
+
+// GetAuthorizeEndpointHandlers returns the authorize endpoint handlers.
+func (c *Config) GetAuthorizeEndpointHandlers(ctx context.Context) (handlers fosite.AuthorizeEndpointHandlers) {
+	return c.Handlers.AuthorizeEndpoint
+}
+
+// GetTokenEndpointHandlers returns the token endpoint handlers.
+func (c *Config) GetTokenEndpointHandlers(ctx context.Context) (handlers fosite.TokenEndpointHandlers) {
+	return c.Handlers.TokenEndpoint
+}
+
+// GetTokenIntrospectionHandlers returns the token introspection handlers.
+func (c *Config) GetTokenIntrospectionHandlers(ctx context.Context) (handlers fosite.TokenIntrospectionHandlers) {
+	return c.Handlers.TokenIntrospection
+}
+
+// GetRevocationHandlers returns the revocation handlers.
+func (c *Config) GetRevocationHandlers(ctx context.Context) (handlers fosite.RevocationHandlers) {
+	return c.Handlers.Revocation
+}
+
+// GetPushedAuthorizeEndpointHandlers returns the handlers.
+func (c *Config) GetPushedAuthorizeEndpointHandlers(ctx context.Context) fosite.PushedAuthorizeEndpointHandlers {
+	return c.Handlers.PushedAuthorizeEndpoint
+}
+
+// GetResponseModeHandlerExtension returns the response mode handler extension.
+func (c *Config) GetResponseModeHandlerExtension(ctx context.Context) (handler fosite.ResponseModeHandler) {
+	return c.Handlers.ResponseMode
+}
+
+// GetPushedAuthorizeRequestURIPrefix is the request URI prefix. This is
+// usually 'urn:ietf:params:oauth:request_uri:'.
+func (c *Config) GetPushedAuthorizeRequestURIPrefix(ctx context.Context) string {
+	if c.PAR.URIPrefix == "" {
+		c.PAR.URIPrefix = urnPARPrefix
+	}
+
+	return c.PAR.URIPrefix
+}
+
+// EnforcePushedAuthorize indicates if PAR is enforced. In this mode, a client
+// cannot pass authorize parameters at the 'authorize' endpoint. The 'authorize' endpoint
+// must contain the PAR request_uri.
+func (c *Config) EnforcePushedAuthorize(ctx context.Context) bool {
+	return c.PAR.Enforced
+}
+
+// GetPushedAuthorizeContextLifespan is the lifespan of the short-lived PAR context.
+func (c *Config) GetPushedAuthorizeContextLifespan(ctx context.Context) (lifespan time.Duration) {
+	if c.PAR.ContextLifespan == 0 {
+		c.PAR.ContextLifespan = lifespanPARContextDefault
+	}
+
+	return c.PAR.ContextLifespan
+}
--- a/internal/oidc/const.go
+++ b/internal/oidc/const.go
@ -1,8 +1,13 @@
 package oidc

+import (
+	"time"
+)
+
 // Scope strings.
 const (
 	ScopeOfflineAccess = "offline_access"
+	ScopeOffline       = "offline"
 	ScopeOpenID        = "openid"
 	ScopeProfile       = "profile"
 	ScopeEmail         = "email"
@ -35,6 +40,17 @@ const (
 	ClaimClientIdentifier                    = "client_id"
 )

+const (
+	lifespanTokenDefault         = time.Hour
+	lifespanRefreshTokenDefault  = time.Hour * 24 * 30
+	lifespanAuthorizeCodeDefault = time.Minute * 15
+	lifespanPARContextDefault    = time.Minute * 5
+)
+
+const (
+	urnPARPrefix = "urn:ietf:params:oauth:request_uri:"
+)
+
 const (
 	// ClaimEmailAlts is an unregistered/custom claim.
 	// It represents the emails which are not considered primary.
--- a/internal/oidc/hmac.go
+++ b/internal/oidc/hmac.go
@ -0,0 +1,129 @@
+package oidc
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/ory/fosite"
+	"github.com/ory/fosite/token/hmac"
+	"github.com/ory/x/errorsx"
+)
+
+// HMACCoreStrategy implements oauth2.CoreStrategy. It's a copy of the oauth2.HMACSHAStrategy.
+type HMACCoreStrategy struct {
+	Enigma *hmac.HMACStrategy
+	Config interface {
+		fosite.AccessTokenLifespanProvider
+		fosite.RefreshTokenLifespanProvider
+		fosite.AuthorizeCodeLifespanProvider
+	}
+	prefix *string
+}
+
+// AccessTokenSignature implements oauth2.AccessTokenStrategy.
+func (h *HMACCoreStrategy) AccessTokenSignature(ctx context.Context, token string) string {
+	return h.Enigma.Signature(token)
+}
+
+// GenerateAccessToken implements oauth2.AccessTokenStrategy.
+func (h *HMACCoreStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
+	token, sig, err := h.Enigma.Generate(ctx)
+	if err != nil {
+		return "", "", err
+	}
+
+	return h.setPrefix(token, "at"), sig, nil
+}
+
+// ValidateAccessToken implements oauth2.AccessTokenStrategy.
+func (h *HMACCoreStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error) {
+	var exp = r.GetSession().GetExpiresAt(fosite.AccessToken)
+	if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx)).Before(time.Now().UTC()) {
+		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx))))
+	}
+
+	if !exp.IsZero() && exp.Before(time.Now().UTC()) {
+		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", exp))
+	}
+
+	return h.Enigma.Validate(ctx, h.trimPrefix(token, "at"))
+}
+
+// RefreshTokenSignature implements oauth2.RefreshTokenStrategy.
+func (h *HMACCoreStrategy) RefreshTokenSignature(ctx context.Context, token string) string {
+	return h.Enigma.Signature(token)
+}
+
+// GenerateRefreshToken implements oauth2.RefreshTokenStrategy.
+func (h *HMACCoreStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
+	token, sig, err := h.Enigma.Generate(ctx)
+	if err != nil {
+		return "", "", err
+	}
+
+	return h.setPrefix(token, "rt"), sig, nil
+}
+
+// ValidateRefreshToken implements oauth2.RefreshTokenStrategy.
+func (h *HMACCoreStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) {
+	var exp = r.GetSession().GetExpiresAt(fosite.RefreshToken)
+	if exp.IsZero() {
+		return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
+	}
+
+	if !exp.IsZero() && exp.Before(time.Now().UTC()) {
+		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Refresh token expired at '%s'.", exp))
+	}
+
+	return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
+}
+
+// AuthorizeCodeSignature implements oauth2.AuthorizeCodeStrategy.
+func (h *HMACCoreStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string {
+	return h.Enigma.Signature(token)
+}
+
+// GenerateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.
+func (h *HMACCoreStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
+	token, sig, err := h.Enigma.Generate(ctx)
+	if err != nil {
+		return "", "", err
+	}
+
+	return h.setPrefix(token, "ac"), sig, nil
+}
+
+// ValidateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.
+func (h *HMACCoreStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) {
+	var exp = r.GetSession().GetExpiresAt(fosite.AuthorizeCode)
+	if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)).Before(time.Now().UTC()) {
+		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx))))
+	}
+
+	if !exp.IsZero() && exp.Before(time.Now().UTC()) {
+		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", exp))
+	}
+
+	return h.Enigma.Validate(ctx, h.trimPrefix(token, "ac"))
+}
+
+func (h *HMACCoreStrategy) getPrefix(part string) string {
+	if h.prefix == nil {
+		prefix := "ory_%s_"
+		h.prefix = &prefix
+	} else if len(*h.prefix) == 0 {
+		return ""
+	}
+
+	return fmt.Sprintf(*h.prefix, part)
+}
+
+func (h *HMACCoreStrategy) trimPrefix(token, part string) string {
+	return strings.TrimPrefix(token, h.getPrefix(part))
+}
+
+func (h *HMACCoreStrategy) setPrefix(token, part string) string {
+	return h.getPrefix(part) + token
+}
--- a/internal/oidc/keys.go
+++ b/internal/oidc/keys.go
@ -34,7 +34,7 @@ func NewKeyManager() (manager *KeyManager) {
 }

 // Strategy returns the fosite jwt.JWTStrategy.
-func (m *KeyManager) Strategy() (strategy jwt.JWTStrategy) {
+func (m *KeyManager) Strategy() (strategy jwt.Signer) {
 	if m.jwk == nil {
 		return nil
 	}
@ -98,7 +98,7 @@ func (m *KeyManager) AddActiveJWK(chain schema.X509CertificateChain, key *rsa.Pr

 // JWTStrategy is a decorator struct for the fosite jwt.JWTStrategy.
 type JWTStrategy struct {
-	jwt.JWTStrategy
+	jwt.Signer

 	id string
 }
@ -157,8 +157,12 @@ type JWK struct {
 }

 // Strategy returns the relevant jwt.JWTStrategy for this JWT.
-func (j *JWK) Strategy() (strategy jwt.JWTStrategy) {
-	return &JWTStrategy{id: j.id, JWTStrategy: &jwt.RS256JWTStrategy{PrivateKey: j.key}}
+func (j *JWK) Strategy() (strategy jwt.Signer) {
+	return &JWTStrategy{id: j.id, Signer: &jwt.DefaultSigner{GetPrivateKey: j.GetPrivateKey}}
+}
+
+func (j *JWK) GetPrivateKey(ctx context.Context) (key any, err error) {
+	return j.key, nil
 }

 // JSONWebKey returns the relevant *jose.JSONWebKey for this JWT.
--- a/internal/oidc/provider.go
+++ b/internal/oidc/provider.go
@ -1,18 +1,14 @@
 package oidc

 import (
-	"crypto/sha512"
 	"fmt"

-	"github.com/ory/fosite/compose"
-	"github.com/ory/fosite/handler/oauth2"
+	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/openid"
-	"github.com/ory/fosite/token/hmac"
 	"github.com/ory/herodot"

 	"github.com/authelia/authelia/v4/internal/configuration/schema"
 	"github.com/authelia/authelia/v4/internal/storage"
-	"github.com/authelia/authelia/v4/internal/utils"
 )

 // NewOpenIDConnectProvider new-ups a OpenIDConnectProvider.
@ -23,76 +19,22 @@ func NewOpenIDConnectProvider(config *schema.OpenIDConnectConfiguration, store s

 	provider = &OpenIDConnectProvider{
 		JSONWriter: herodot.NewJSONWriter(nil),
-		Store:      NewOpenIDConnectStore(config, store),
+		Store:      NewStore(config, store),
+		Config:     NewConfig(config),
 	}

-	cconfig := &compose.Config{
-		AccessTokenLifespan:            config.AccessTokenLifespan,
-		AuthorizeCodeLifespan:          config.AuthorizeCodeLifespan,
-		IDTokenLifespan:                config.IDTokenLifespan,
-		RefreshTokenLifespan:           config.RefreshTokenLifespan,
-		SendDebugMessagesToClients:     config.EnableClientDebugMessages,
-		MinParameterEntropy:            config.MinimumParameterEntropy,
-		EnforcePKCE:                    config.EnforcePKCE == "always",
-		EnforcePKCEForPublicClients:    config.EnforcePKCE != "never",
-		EnablePKCEPlainChallengeMethod: config.EnablePKCEPlainChallenge,
-	}
+	provider.OAuth2Provider = fosite.NewOAuth2Provider(provider.Store, provider.Config)

 	if provider.KeyManager, err = NewKeyManagerWithConfiguration(config); err != nil {
 		return nil, err
 	}

-	jwtStrategy := provider.KeyManager.Strategy()
-
-	strategy := &compose.CommonStrategy{
-		CoreStrategy: &oauth2.HMACSHAStrategy{
-			Enigma: &hmac.HMACStrategy{
-				GlobalSecret:         []byte(utils.HashSHA256FromString(config.HMACSecret)),
-				RotatedGlobalSecrets: nil,
-				TokenEntropy:         cconfig.GetTokenEntropy(),
-				Hash:                 sha512.New512_256,
-			},
-			AccessTokenLifespan:   cconfig.GetAccessTokenLifespan(),
-			AuthorizeCodeLifespan: cconfig.GetAuthorizeCodeLifespan(),
-			RefreshTokenLifespan:  cconfig.GetRefreshTokenLifespan(),
-		},
-		OpenIDConnectTokenStrategy: &openid.DefaultStrategy{
-			JWTStrategy:         jwtStrategy,
-			Expiry:              cconfig.GetIDTokenLifespan(),
-			Issuer:              cconfig.IDTokenIssuer,
-			MinParameterEntropy: cconfig.GetMinParameterEntropy(),
-		},
-		JWTStrategy: jwtStrategy,
+	provider.Config.Strategy.OpenID = &openid.DefaultStrategy{
+		Signer: provider.KeyManager.Strategy(),
+		Config: provider.Config,
 	}

-	provider.OAuth2Provider = compose.Compose(
-		cconfig,
-		provider.Store,
-		strategy,
-		AdaptiveHasher{},
-
-		/*
-			These are the OAuth2 and OpenIDConnect factories. Order is important (the OAuth2 factories at the top must
-			be before the OpenIDConnect factories) and taken directly from fosite.compose.ComposeAllEnabled. The
-			commented factories are not enabled as we don't yet use them but are still here for reference purposes.
-		*/
-		compose.OAuth2AuthorizeExplicitFactory,
-		compose.OAuth2AuthorizeImplicitFactory,
-		compose.OAuth2ClientCredentialsGrantFactory,
-		compose.OAuth2RefreshTokenGrantFactory,
-		// compose.OAuth2ResourceOwnerPasswordCredentialsFactory,
-		// compose.RFC7523AssertionGrantFactory,.
-
-		compose.OpenIDConnectExplicitFactory,
-		compose.OpenIDConnectImplicitFactory,
-		compose.OpenIDConnectHybridFactory,
-		compose.OpenIDConnectRefreshFactory,
-
-		compose.OAuth2TokenIntrospectionFactory,
-		compose.OAuth2TokenRevocationFactory,
-
-		compose.OAuth2PKCEFactory,
-	)
+	provider.Config.LoadHandlers(provider.Store, provider.KeyManager.Strategy())

 	provider.discovery = NewOpenIDConnectWellKnownConfiguration(config.EnablePKCEPlainChallenge, provider.Store.clients)

--- a/internal/oidc/store.go
+++ b/internal/oidc/store.go
@ -18,8 +18,8 @@ import (
 	"github.com/authelia/authelia/v4/internal/storage"
 )

-// NewOpenIDConnectStore returns a Store when provided with a schema.OpenIDConnectConfiguration and storage.Provider.
-func NewOpenIDConnectStore(config *schema.OpenIDConnectConfiguration, provider storage.Provider) (store *Store) {
+// NewStore returns a Store when provided with a schema.OpenIDConnectConfiguration and storage.Provider.
+func NewStore(config *schema.OpenIDConnectConfiguration, provider storage.Provider) (store *Store) {
 	logger := logging.Logger()

 	store = &Store{
--- a/internal/oidc/store_test.go
+++ b/internal/oidc/store_test.go
@ -12,7 +12,7 @@ import (
 )

 func TestOpenIDConnectStore_GetClientPolicy(t *testing.T) {
-	s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
+	s := NewStore(&schema.OpenIDConnectConfiguration{
 		IssuerCertificateChain: schema.X509CertificateChain{},
 		IssuerPrivateKey:       mustParseRSAPrivateKey(exampleIssuerPrivateKey),
 		Clients: []schema.OpenIDConnectClientConfiguration{
@ -44,7 +44,7 @@ func TestOpenIDConnectStore_GetClientPolicy(t *testing.T) {
 }

 func TestOpenIDConnectStore_GetInternalClient(t *testing.T) {
-	s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
+	s := NewStore(&schema.OpenIDConnectConfiguration{
 		IssuerCertificateChain: schema.X509CertificateChain{},
 		IssuerPrivateKey:       mustParseRSAPrivateKey(exampleIssuerPrivateKey),
 		Clients: []schema.OpenIDConnectClientConfiguration{
@ -77,7 +77,7 @@ func TestOpenIDConnectStore_GetInternalClient_ValidClient(t *testing.T) {
 		Secret:      MustDecodeSecret("$plaintext$mysecret"),
 	}

-	s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
+	s := NewStore(&schema.OpenIDConnectConfiguration{
 		IssuerCertificateChain: schema.X509CertificateChain{},
 		IssuerPrivateKey:       mustParseRSAPrivateKey(exampleIssuerPrivateKey),
 		Clients:                []schema.OpenIDConnectClientConfiguration{c1},
@ -105,7 +105,7 @@ func TestOpenIDConnectStore_GetInternalClient_InvalidClient(t *testing.T) {
 		Secret:      MustDecodeSecret("$plaintext$mysecret"),
 	}

-	s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
+	s := NewStore(&schema.OpenIDConnectConfiguration{
 		IssuerCertificateChain: schema.X509CertificateChain{},
 		IssuerPrivateKey:       mustParseRSAPrivateKey(exampleIssuerPrivateKey),
 		Clients:                []schema.OpenIDConnectClientConfiguration{c1},
@ -117,7 +117,7 @@ func TestOpenIDConnectStore_GetInternalClient_InvalidClient(t *testing.T) {
 }

 func TestOpenIDConnectStore_IsValidClientID(t *testing.T) {
-	s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
+	s := NewStore(&schema.OpenIDConnectConfiguration{
 		IssuerCertificateChain: schema.X509CertificateChain{},
 		IssuerPrivateKey:       mustParseRSAPrivateKey(exampleIssuerPrivateKey),
 		Clients: []schema.OpenIDConnectClientConfiguration{
--- a/internal/oidc/types.go
+++ b/internal/oidc/types.go
@ -9,7 +9,7 @@ import (
 	"github.com/ory/fosite/handler/openid"
 	"github.com/ory/fosite/token/jwt"
 	"github.com/ory/herodot"
-	jose "gopkg.in/square/go-jose.v2"
+	"gopkg.in/square/go-jose.v2"

 	"github.com/authelia/authelia/v4/internal/authorization"
 	"github.com/authelia/authelia/v4/internal/model"
@ -82,6 +82,7 @@ type OpenIDConnectProvider struct {
 	fosite.OAuth2Provider
 	*herodot.JSONWriter
 	*Store
+	*Config

 	KeyManager *KeyManager

@ -607,16 +608,36 @@ type OpenIDConnectBackChannelLogoutDiscoveryOptions struct {
 	BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`
 }

+// PushedAuthorizationDiscoveryOptions represents the well known discovery document specific to the
+// OAuth 2.0 Pushed Authorization Requests (RFC9126) implementation.
+//
+// OAuth 2.0 Pushed Authorization Requests: https://datatracker.ietf.org/doc/html/rfc9126#section-5
+type PushedAuthorizationDiscoveryOptions struct {
+	/*
+	   The URL of the pushed authorization request endpoint at which a client can post an authorization request to
+	   exchange for a "request_uri" value usable at the authorization server.
+	*/
+	PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"`
+
+	/*
+		    Boolean parameter indicating whether the authorization server accepts authorization request data only via PAR.
+			If omitted, the default value is "false".
+	*/
+	RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests"`
+}
+
 // OAuth2WellKnownConfiguration represents the well known discovery document specific to OAuth 2.0.
 type OAuth2WellKnownConfiguration struct {
 	CommonDiscoveryOptions
 	OAuth2DiscoveryOptions
+	PushedAuthorizationDiscoveryOptions
 }

 // OpenIDConnectWellKnownConfiguration represents the well known discovery document specific to OpenID Connect.
 type OpenIDConnectWellKnownConfiguration struct {
 	CommonDiscoveryOptions
 	OAuth2DiscoveryOptions
+	PushedAuthorizationDiscoveryOptions
 	OpenIDConnectDiscoveryOptions
 	OpenIDConnectFrontChannelLogoutDiscoveryOptions
 	OpenIDConnectBackChannelLogoutDiscoveryOptions
--- a/internal/storage/const.go
+++ b/internal/storage/const.go
@ -29,17 +29,35 @@ const (
 )

 // OAuth2SessionType represents the potential OAuth 2.0 session types.
-type OAuth2SessionType string
+type OAuth2SessionType int

 // Representation of specific OAuth 2.0 session types.
 const (
-	OAuth2SessionTypeAuthorizeCode OAuth2SessionType = "authorization code"
-	OAuth2SessionTypeAccessToken   OAuth2SessionType = "access token"
-	OAuth2SessionTypeRefreshToken  OAuth2SessionType = "refresh token"
-	OAuth2SessionTypePKCEChallenge OAuth2SessionType = "pkce challenge"
-	OAuth2SessionTypeOpenIDConnect OAuth2SessionType = "openid connect"
+	OAuth2SessionTypeAuthorizeCode OAuth2SessionType = iota
+	OAuth2SessionTypeAccessToken
+	OAuth2SessionTypeRefreshToken
+	OAuth2SessionTypePKCEChallenge
+	OAuth2SessionTypeOpenIDConnect
 )

+// String returns a string representation of this OAuth2SessionType.
+func (s OAuth2SessionType) String() string {
+	switch s {
+	case OAuth2SessionTypeAuthorizeCode:
+		return "authorization code"
+	case OAuth2SessionTypeAccessToken:
+		return "access token"
+	case OAuth2SessionTypeRefreshToken:
+		return "refresh token"
+	case OAuth2SessionTypePKCEChallenge:
+		return "pkce challenge"
+	case OAuth2SessionTypeOpenIDConnect:
+		return "openid connect"
+	default:
+		return "invalid"
+	}
+}
+
 const (
 	sqlNetworkTypeTCP        = "tcp"
 	sqlNetworkTypeUnixSocket = "unix"
--- a/internal/storage/sql_provider.go
+++ b/internal/storage/sql_provider.go
@ -547,11 +547,11 @@ func (p *SQLProvider) RevokeOAuth2Session(ctx context.Context, sessionType OAuth
 	case OAuth2SessionTypeOpenIDConnect:
 		query = p.sqlRevokeOAuth2OpenIDConnectSession
 	default:
-		return fmt.Errorf("error revoking oauth2 session with signature '%s': unknown oauth2 session type '%s'", signature, sessionType)
+		return fmt.Errorf("error revoking oauth2 session with signature '%s': unknown oauth2 session type '%s'", signature, sessionType.String())
 	}

 	if _, err = p.db.ExecContext(ctx, query, signature); err != nil {
-		return fmt.Errorf("error revoking oauth2 %s session with signature '%s': %w", sessionType, signature, err)
+		return fmt.Errorf("error revoking oauth2 %s session with signature '%s': %w", sessionType.String(), signature, err)
 	}

 	return nil
@ -573,11 +573,11 @@ func (p *SQLProvider) RevokeOAuth2SessionByRequestID(ctx context.Context, sessio
 	case OAuth2SessionTypeOpenIDConnect:
 		query = p.sqlRevokeOAuth2OpenIDConnectSessionByRequestID
 	default:
-		return fmt.Errorf("error revoking oauth2 session with request id '%s': unknown oauth2 session type '%s'", requestID, sessionType)
+		return fmt.Errorf("error revoking oauth2 session with request id '%s': unknown oauth2 session type '%s'", requestID, sessionType.String())
 	}

 	if _, err = p.db.ExecContext(ctx, query, requestID); err != nil {
-		return fmt.Errorf("error revoking oauth2 %s session with request id '%s': %w", sessionType, requestID, err)
+		return fmt.Errorf("error revoking oauth2 %s session with request id '%s': %w", sessionType.String(), requestID, err)
 	}

 	return nil
@ -599,11 +599,11 @@ func (p *SQLProvider) DeactivateOAuth2Session(ctx context.Context, sessionType O
 	case OAuth2SessionTypeOpenIDConnect:
 		query = p.sqlDeactivateOAuth2OpenIDConnectSession
 	default:
-		return fmt.Errorf("error deactivating oauth2 session with signature '%s': unknown oauth2 session type '%s'", signature, sessionType)
+		return fmt.Errorf("error deactivating oauth2 session with signature '%s': unknown oauth2 session type '%s'", signature, sessionType.String())
 	}

 	if _, err = p.db.ExecContext(ctx, query, signature); err != nil {
-		return fmt.Errorf("error deactivating oauth2 %s session with signature '%s': %w", sessionType, signature, err)
+		return fmt.Errorf("error deactivating oauth2 %s session with signature '%s': %w", sessionType.String(), signature, err)
 	}

 	return nil
@ -625,7 +625,7 @@ func (p *SQLProvider) DeactivateOAuth2SessionByRequestID(ctx context.Context, se
 	case OAuth2SessionTypeOpenIDConnect:
 		query = p.sqlDeactivateOAuth2OpenIDConnectSessionByRequestID
 	default:
-		return fmt.Errorf("error deactivating oauth2 session with request id '%s': unknown oauth2 session type '%s'", requestID, sessionType)
+		return fmt.Errorf("error deactivating oauth2 session with request id '%s': unknown oauth2 session type '%s'", requestID, sessionType.String())
 	}

 	if _, err = p.db.ExecContext(ctx, query, requestID); err != nil {
@ -651,17 +651,17 @@ func (p *SQLProvider) LoadOAuth2Session(ctx context.Context, sessionType OAuth2S
 	case OAuth2SessionTypeOpenIDConnect:
 		query = p.sqlSelectOAuth2OpenIDConnectSession
 	default:
-		return nil, fmt.Errorf("error selecting oauth2 session: unknown oauth2 session type '%s'", sessionType)
+		return nil, fmt.Errorf("error selecting oauth2 session: unknown oauth2 session type '%s'", sessionType.String())
 	}

 	session = &model.OAuth2Session{}

 	if err = p.db.GetContext(ctx, session, query, signature); err != nil {
-		return nil, fmt.Errorf("error selecting oauth2 %s session with signature '%s': %w", sessionType, signature, err)
+		return nil, fmt.Errorf("error selecting oauth2 %s session with signature '%s': %w", sessionType.String(), signature, err)
 	}

 	if session.Session, err = p.decrypt(session.Session); err != nil {
-		return nil, fmt.Errorf("error decrypting the oauth2 %s session data with signature '%s' for subject '%s' and request id '%s': %w", sessionType, signature, session.Subject, session.RequestID, err)
+		return nil, fmt.Errorf("error decrypting the oauth2 %s session data with signature '%s' for subject '%s' and request id '%s': %w", sessionType.String(), signature, session.Subject, session.RequestID, err)
 	}

 	return session, nil