diff --git a/composer.json b/composer.json
index f12dfa885b..8ada588af8 100644
--- a/composer.json
+++ b/composer.json
@@ -48,6 +48,7 @@
             "Flarum\\Mentions\\": "extensions/mentions/src",
             "Flarum\\Nicknames\\": "extensions/nicknames/src",
             "Flarum\\ExtensionManager\\": "extensions/package-manager/src",
+            "Flarum\\OAuthProvider\\": "extensions/oauth-provider/src",
             "Flarum\\Pusher\\": "extensions/pusher/src",
             "Flarum\\Realtime\\": "extensions/realtime/src",
             "Flarum\\Statistics\\": "extensions/statistics/src",
@@ -75,6 +76,7 @@
             "Flarum\\Mentions\\Tests\\": "extensions/mentions/tests",
             "Flarum\\Nicknames\\Tests\\": "extensions/nicknames/tests",
             "Flarum\\ExtensionManager\\Tests\\": "extensions/package-manager/tests",
+            "Flarum\\OAuthProvider\\Tests\\": "extensions/oauth-provider/tests",
             "Flarum\\Pusher\\Tests\\": "extensions/pusher/tests",
             "Flarum\\Realtime\\Tests\\": "extensions/realtime/tests",
             "Flarum\\Statistics\\Tests\\": "extensions/statistics/tests",
@@ -102,6 +104,7 @@
         "flarum/mentions": "self.version",
         "flarum/nicknames": "self.version",
         "flarum/extension-manager": "self.version",
+        "flarum/oauth-provider": "self.version",
         "flarum/pusher": "self.version",
         "flarum/realtime": "self.version",
         "flarum/statistics": "self.version",
@@ -146,8 +149,10 @@
         "laminas/laminas-diactoros": "^3.0",
         "laminas/laminas-httphandlerrunner": "^2.6",
         "laminas/laminas-stratigility": "^3.10",
+        "lcobucci/jwt": "^5.0",
         "league/flysystem": "^3.15",
         "league/flysystem-memory": "^3.15",
+        "league/oauth2-server": "^8.5",
         "matthiasmullie/minify": "^1.3",
         "middlewares/base-path": "^v2.1",
         "middlewares/base-path-router": "^2.0.1",
@@ -204,6 +209,7 @@
             "extensions/mentions",
             "extensions/nicknames",
             "extensions/package-manager",
+            "extensions/oauth-provider",
             "extensions/pusher",
             "extensions/realtime",
             "extensions/statistics",
diff --git a/extensions/oauth-provider/CHANGELOG.md b/extensions/oauth-provider/CHANGELOG.md
new file mode 100644
index 0000000000..7cdef3fc18
--- /dev/null
+++ b/extensions/oauth-provider/CHANGELOG.md
@@ -0,0 +1,12 @@
+# Changelog
+
+## [Unreleased]
+
+### Added
+
+- Initial release. Turn Flarum into an OAuth 2.0 authorization server.
+- Authorization code grant with optional PKCE (via league/oauth2-server).
+- Refresh token grant.
+- OpenID Connect-style `/oauth/userinfo` endpoint with `openid`, `profile`, and `email` scopes.
+- Admin UI for managing OAuth client registrations.
+- User consent screen before issuing authorization codes.
diff --git a/extensions/oauth-provider/LICENSE.md b/extensions/oauth-provider/LICENSE.md
new file mode 100644
index 0000000000..9fe7ef1c7c
--- /dev/null
+++ b/extensions/oauth-provider/LICENSE.md
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020-2021 Stichting Flarum (Flarum Foundation)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/extensions/oauth-provider/composer.json b/extensions/oauth-provider/composer.json
new file mode 100644
index 0000000000..1e7e104a0f
--- /dev/null
+++ b/extensions/oauth-provider/composer.json
@@ -0,0 +1,93 @@
+{
+    "name": "flarum/oauth-provider",
+    "description": "Turn Flarum into an OAuth 2.0 / OpenID Connect provider.",
+    "type": "flarum-extension",
+    "keywords": [
+        "oauth",
+        "oauth2",
+        "openid",
+        "sso",
+        "authentication"
+    ],
+    "license": "MIT",
+    "support": {
+        "issues": "https://github.com/flarum/framework/issues",
+        "source": "https://github.com/flarum/oauth-provider",
+        "forum": "https://discuss.flarum.org"
+    },
+    "homepage": "https://flarum.org",
+    "funding": [
+        {
+            "type": "website",
+            "url": "https://flarum.org/donate/"
+        }
+    ],
+    "require": {
+        "flarum/core": "^2.0.0-rc.1",
+        "league/oauth2-server": "^8.5",
+        "lcobucci/jwt": "^4.3 || ^5.0"
+    },
+    "autoload": {
+        "psr-4": {
+            "Flarum\\OAuthProvider\\": "src/"
+        }
+    },
+    "extra": {
+        "branch-alias": {
+            "dev-main": "2.x-dev"
+        },
+        "flarum-extension": {
+            "title": "OAuth Provider",
+            "category": "authentication",
+            "icon": {
+                "name": "fas fa-key",
+                "backgroundColor": "#3B4252",
+                "color": "#ffffff"
+            }
+        },
+        "flarum-cli": {
+            "modules": {
+                "admin": true,
+                "forum": true,
+                "js": true,
+                "jsCommon": false,
+                "css": true,
+                "gitConf": true,
+                "githubActions": true,
+                "prettier": true,
+                "typescript": true,
+                "bundlewatch": false,
+                "backendTesting": true,
+                "editorConfig": true,
+                "styleci": true
+            }
+        }
+    },
+    "scripts": {
+        "test": [
+            "@test:unit",
+            "@test:integration"
+        ],
+        "test:unit": "phpunit -c tests/phpunit.unit.xml",
+        "test:integration": "phpunit -c tests/phpunit.integration.xml",
+        "test:setup": "@php tests/integration/setup.php"
+    },
+    "require-dev": {
+        "flarum/testing": "^2.0",
+        "flarum/core": "2.x-dev"
+    },
+    "scripts-descriptions": {
+        "test": "Runs all tests.",
+        "test:unit": "Runs all unit tests.",
+        "test:integration": "Runs all integration tests.",
+        "test:setup": "Sets up a database for use with integration tests. Execute this only once."
+    },
+    "repositories": [
+        {
+            "type": "path",
+            "url": "../../*/*"
+        }
+    ],
+    "minimum-stability": "dev",
+    "prefer-stable": true
+}
diff --git a/extensions/oauth-provider/extend.php b/extensions/oauth-provider/extend.php
new file mode 100644
index 0000000000..abf4e1465c
--- /dev/null
+++ b/extensions/oauth-provider/extend.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider;
+
+use Flarum\Extend;
+
+return [
+    (new Extend\Frontend('admin'))
+        ->js(__DIR__.'/js/dist/admin.js')
+        ->css(__DIR__.'/resources/less/admin.less')
+        ->jsDirectory(__DIR__.'/js/dist/admin'),
+
+    (new Extend\Frontend('forum'))
+        ->js(__DIR__.'/js/dist/forum.js'),
+
+    new Extend\Locales(__DIR__.'/resources/locale'),
+
+    (new Extend\Routes('forum'))
+        ->get('/oauth/authorize', 'oauthProvider.authorize', Http\Controller\AuthorizeController::class)
+        ->post('/oauth/authorize', 'oauthProvider.authorize.post', Http\Controller\AuthorizeController::class)
+        ->post('/oauth/token', 'oauthProvider.token', Http\Controller\TokenController::class)
+        ->get('/oauth/userinfo', 'oauthProvider.userinfo', Http\Controller\UserInfoController::class)
+        ->get('/.well-known/openid-configuration', 'oauthProvider.discovery', Http\Controller\OpenIdConfigurationController::class)
+        ->get('/.well-known/jwks.json', 'oauthProvider.jwks', Http\Controller\JwksController::class),
+
+    (new Extend\Csrf())
+        ->exemptRoute('oauthProvider.token'),
+
+    new Extend\ApiResource(Api\Resource\ClientResource::class),
+
+    (new Extend\View())
+        ->namespace('flarum-oauth-provider', __DIR__.'/resources/views'),
+
+    (new Extend\ServiceProvider())
+        ->register(Provider\OAuthProviderServiceProvider::class),
+];
diff --git a/extensions/oauth-provider/js/admin.ts b/extensions/oauth-provider/js/admin.ts
new file mode 100644
index 0000000000..3e69ff3b97
--- /dev/null
+++ b/extensions/oauth-provider/js/admin.ts
@@ -0,0 +1 @@
+export * from './src/admin';
diff --git a/extensions/oauth-provider/js/forum.ts b/extensions/oauth-provider/js/forum.ts
new file mode 100644
index 0000000000..facb26fab0
--- /dev/null
+++ b/extensions/oauth-provider/js/forum.ts
@@ -0,0 +1 @@
+export * from './src/forum';
diff --git a/extensions/oauth-provider/js/package.json b/extensions/oauth-provider/js/package.json
new file mode 100644
index 0000000000..c22c3c498b
--- /dev/null
+++ b/extensions/oauth-provider/js/package.json
@@ -0,0 +1,28 @@
+{
+    "name": "@flarum/oauth-provider",
+    "version": "0.0.0",
+    "private": true,
+    "prettier": "@flarum/prettier-config",
+    "devDependencies": {
+        "prettier": "^2.5.1",
+        "flarum-webpack-config": "^3.0.0",
+        "webpack": "^5.104.1",
+        "webpack-cli": "^4.9.1",
+        "@flarum/prettier-config": "^1.0.0",
+        "flarum-tsconfig": "^2.0.0",
+        "typescript": "^4.5.4",
+        "typescript-coverage-report": "^0.6.1"
+    },
+    "scripts": {
+        "dev": "webpack --mode development --watch",
+        "build": "webpack --mode production",
+        "analyze": "cross-env ANALYZER=true yarn run build",
+        "format": "prettier --write src",
+        "format-check": "prettier --check src",
+        "clean-typings": "npx rimraf dist-typings && mkdir dist-typings",
+        "build-typings": "yarn run clean-typings && ([ -e src/@types ] && cp -r src/@types dist-typings/@types || true) && tsc && yarn run post-build-typings",
+        "post-build-typings": "find dist-typings -type f -name '*.d.ts' -print0 | xargs -0 sed -i 's,../src/@types,@types,g'",
+        "check-typings": "tsc --noEmit --emitDeclarationOnly false",
+        "check-typings-coverage": "typescript-coverage-report"
+    }
+}
diff --git a/extensions/oauth-provider/js/src/admin/components/ClientFormModal.tsx b/extensions/oauth-provider/js/src/admin/components/ClientFormModal.tsx
new file mode 100644
index 0000000000..6c43477515
--- /dev/null
+++ b/extensions/oauth-provider/js/src/admin/components/ClientFormModal.tsx
@@ -0,0 +1,129 @@
+import app from 'flarum/admin/app';
+import FormModal, { IFormModalAttrs } from 'flarum/common/components/FormModal';
+import Button from 'flarum/common/components/Button';
+import Switch from 'flarum/common/components/Switch';
+import Stream from 'flarum/common/utils/Stream';
+import type Mithril from 'mithril';
+
+import OAuthClient from '../models/OAuthClient';
+
+interface ClientFormModalAttrs extends IFormModalAttrs {
+  client?: OAuthClient;
+  onSaved: (client: OAuthClient, plainSecret: string | null) => void;
+}
+
+export default class ClientFormModal extends FormModal<ClientFormModalAttrs> {
+  name!: Stream<string>;
+  redirectUris!: Stream<string>;
+  scopes!: Stream<string>;
+  confidential!: Stream<boolean>;
+  revoked!: Stream<boolean>;
+
+  oninit(vnode: Mithril.Vnode<ClientFormModalAttrs, this>) {
+    super.oninit(vnode);
+
+    const client = this.attrs.client;
+
+    this.name = Stream(client?.name() ?? '');
+    this.redirectUris = Stream((client?.redirectUris() ?? []).join('\n'));
+    this.scopes = Stream((client?.scopes() ?? ['openid', 'profile', 'email']).join(' '));
+    this.confidential = Stream(client?.confidential() ?? true);
+    this.revoked = Stream(client?.revoked() ?? false);
+  }
+
+  className() {
+    return 'ClientFormModal Modal--medium';
+  }
+
+  title() {
+    return this.attrs.client
+      ? app.translator.trans('flarum-oauth-provider.admin.form.edit_title')
+      : app.translator.trans('flarum-oauth-provider.admin.form.new_title');
+  }
+
+  content() {
+    return (
+      <div className="Modal-body">
+        <div className="Form">
+          <div className="Form-group">
+            <label>{app.translator.trans('flarum-oauth-provider.admin.form.name_label')}</label>
+            <input className="FormControl" bidi={this.name} required />
+          </div>
+
+          <div className="Form-group">
+            <label>{app.translator.trans('flarum-oauth-provider.admin.form.redirect_uris_label')}</label>
+            <textarea className="FormControl" bidi={this.redirectUris} rows={3} required />
+            <p className="helpText">{app.translator.trans('flarum-oauth-provider.admin.form.redirect_uris_help')}</p>
+          </div>
+
+          <div className="Form-group">
+            <label>{app.translator.trans('flarum-oauth-provider.admin.form.scopes_label')}</label>
+            <input className="FormControl" bidi={this.scopes} />
+            <p className="helpText">{app.translator.trans('flarum-oauth-provider.admin.form.scopes_help')}</p>
+          </div>
+
+          <div className="Form-group">
+            <Switch state={this.confidential()} disabled={!!this.attrs.client} onchange={(checked: boolean) => this.confidential(checked)}>
+              {app.translator.trans('flarum-oauth-provider.admin.form.confidential_label')}
+            </Switch>
+            <p className="helpText">{app.translator.trans('flarum-oauth-provider.admin.form.confidential_help')}</p>
+          </div>
+
+          {this.attrs.client ? (
+            <div className="Form-group">
+              <Switch state={this.revoked()} onchange={(checked: boolean) => this.revoked(checked)}>
+                {app.translator.trans('flarum-oauth-provider.admin.form.revoked_label')}
+              </Switch>
+            </div>
+          ) : null}
+
+          <div className="Form-group">
+            <Button className="Button Button--primary" type="submit" loading={this.loading} disabled={this.loading}>
+              {app.translator.trans('flarum-oauth-provider.admin.form.save_button')}
+            </Button>
+          </div>
+        </div>
+      </div>
+    );
+  }
+
+  onsubmit(e: SubmitEvent): void {
+    e.preventDefault();
+
+    const redirectUris = this.redirectUris()
+      .split('\n')
+      .map((uri) => uri.trim())
+      .filter((uri) => uri.length > 0);
+
+    const scopes = this.scopes()
+      .split(/\s+/)
+      .map((s) => s.trim())
+      .filter((s) => s.length > 0);
+
+    const attrs = {
+      name: this.name(),
+      redirectUris,
+      scopes,
+      confidential: this.confidential(),
+      revoked: this.revoked(),
+    };
+
+    this.loading = true;
+
+    const existing = this.attrs.client;
+    const record = existing ?? app.store.createRecord<OAuthClient>('oauth-provider-clients');
+
+    record
+      .save(attrs as unknown as Record<string, unknown>)
+      .then((saved) => {
+        const plainSecret = (saved as OAuthClient).plainSecret() ?? null;
+        const onSaved = this.attrs.onSaved;
+        this.hide();
+        onSaved(saved as OAuthClient, plainSecret);
+      })
+      .catch(() => {
+        this.loading = false;
+        m.redraw();
+      });
+  }
+}
diff --git a/extensions/oauth-provider/js/src/admin/components/NewClientSecretModal.tsx b/extensions/oauth-provider/js/src/admin/components/NewClientSecretModal.tsx
new file mode 100644
index 0000000000..0cd209c35c
--- /dev/null
+++ b/extensions/oauth-provider/js/src/admin/components/NewClientSecretModal.tsx
@@ -0,0 +1,49 @@
+import app from 'flarum/admin/app';
+import Modal, { IInternalModalAttrs } from 'flarum/common/components/Modal';
+import Button from 'flarum/common/components/Button';
+
+interface NewClientSecretModalAttrs extends IInternalModalAttrs {
+  clientId: string;
+  clientSecret: string;
+  rotated?: boolean;
+}
+
+export default class NewClientSecretModal extends Modal<NewClientSecretModalAttrs> {
+  className() {
+    return 'NewClientSecretModal Modal--medium';
+  }
+
+  title() {
+    return this.attrs.rotated
+      ? app.translator.trans('flarum-oauth-provider.admin.secret_modal.rotated_title')
+      : app.translator.trans('flarum-oauth-provider.admin.secret_modal.title');
+  }
+
+  content() {
+    return (
+      <div className="Modal-body">
+        <p>
+          {this.attrs.rotated
+            ? app.translator.trans('flarum-oauth-provider.admin.secret_modal.rotated_intro')
+            : app.translator.trans('flarum-oauth-provider.admin.secret_modal.intro')}
+        </p>
+
+        <div className="Form-group">
+          <label>{app.translator.trans('flarum-oauth-provider.admin.secret_modal.client_id_label')}</label>
+          <input type="text" className="FormControl" readOnly value={this.attrs.clientId} />
+        </div>
+
+        <div className="Form-group">
+          <label>{app.translator.trans('flarum-oauth-provider.admin.secret_modal.client_secret_label')}</label>
+          <input type="text" className="FormControl" readOnly value={this.attrs.clientSecret} />
+        </div>
+
+        <div className="Form-group">
+          <Button className="Button Button--primary" onclick={() => app.modal.close()}>
+            {app.translator.trans('flarum-oauth-provider.admin.secret_modal.close_button')}
+          </Button>
+        </div>
+      </div>
+    );
+  }
+}
diff --git a/extensions/oauth-provider/js/src/admin/components/OAuthClientsPage.tsx b/extensions/oauth-provider/js/src/admin/components/OAuthClientsPage.tsx
new file mode 100644
index 0000000000..2c3e0e085b
--- /dev/null
+++ b/extensions/oauth-provider/js/src/admin/components/OAuthClientsPage.tsx
@@ -0,0 +1,178 @@
+import app from 'flarum/admin/app';
+import ExtensionPage from 'flarum/admin/components/ExtensionPage';
+import Button from 'flarum/common/components/Button';
+import LoadingIndicator from 'flarum/common/components/LoadingIndicator';
+import type Mithril from 'mithril';
+
+import OAuthClient from '../models/OAuthClient';
+
+const loadClientFormModal = () => import('./ClientFormModal');
+const loadNewClientSecretModal = () => import('./NewClientSecretModal');
+
+export default class OAuthClientsPage extends ExtensionPage {
+  clients: OAuthClient[] = [];
+  loading = true;
+
+  oninit(vnode: Mithril.Vnode) {
+    super.oninit(vnode);
+    this.loadClients();
+  }
+
+  loadClients(): Promise<void> {
+    this.loading = true;
+    m.redraw();
+
+    return app.store
+      .find<OAuthClient[]>('oauth-provider-clients')
+      .then((clients) => {
+        this.clients = clients;
+      })
+      .catch(() => {
+        this.clients = [];
+      })
+      .finally(() => {
+        this.loading = false;
+        m.redraw();
+      });
+  }
+
+  content() {
+    return (
+      <div className="ExtensionPage-settings">
+        <div className="container">
+          <div className="Form-group">
+            <h3>{app.translator.trans('flarum-oauth-provider.admin.clients.heading')}</h3>
+            <p className="helpText">{app.translator.trans('flarum-oauth-provider.admin.clients.help')}</p>
+
+            <Button
+              className="Button Button--primary"
+              icon="fas fa-plus"
+              onclick={() => {
+                app.modal.show(loadClientFormModal, {
+                  onSaved: (client: OAuthClient, plainSecret: string | null) => this.onCreated(client, plainSecret),
+                });
+              }}
+            >
+              {app.translator.trans('flarum-oauth-provider.admin.clients.new_button')}
+            </Button>
+          </div>
+
+          {this.loading ? (
+            <LoadingIndicator />
+          ) : (
+            <div className="Form-group">{this.clients.length === 0 ? this.emptyState() : this.clientsTable()}</div>
+          )}
+        </div>
+      </div>
+    );
+  }
+
+  emptyState(): Mithril.Children {
+    return <p>{app.translator.trans('flarum-oauth-provider.admin.clients.empty')}</p>;
+  }
+
+  clientsTable(): Mithril.Children {
+    return (
+      <ul className="OAuthClientsList">
+        {this.clients.map((client) => (
+          <li key={client.id()} className={'OAuthClientsList-item' + (client.revoked() ? ' OAuthClientsList-item--revoked' : '')}>
+            <div className="OAuthClientsList-main">
+              <div className="OAuthClientsList-name">
+                {client.name()}
+                {client.revoked() ? (
+                  <span className="OAuthClientsList-badge OAuthClientsList-badge--revoked">
+                    {app.translator.trans('flarum-oauth-provider.admin.clients.status_revoked')}
+                  </span>
+                ) : null}
+              </div>
+              <div className="OAuthClientsList-meta">
+                <span className="OAuthClientsList-metaLabel">{app.translator.trans('flarum-oauth-provider.admin.clients.id_column')}</span>
+                <code className="OAuthClientsList-id" title={client.id()}>
+                  {client.id()}
+                </code>
+              </div>
+              <div className="OAuthClientsList-meta">
+                <span className="OAuthClientsList-metaLabel">{app.translator.trans('flarum-oauth-provider.admin.clients.redirects_column')}</span>
+                <span>{(client.redirectUris() || []).join(', ')}</span>
+              </div>
+            </div>
+            <div className="OAuthClientsList-actions">
+              <Button
+                className="Button Button--icon"
+                icon="fas fa-pencil-alt"
+                aria-label={app.translator.trans('flarum-oauth-provider.admin.clients.edit_button')}
+                onclick={() => {
+                  app.modal.show(loadClientFormModal, {
+                    client,
+                    onSaved: () => {
+                      this.loadClients();
+                    },
+                  });
+                }}
+              />
+              {client.confidential() ? (
+                <Button
+                  className="Button Button--icon"
+                  icon="fas fa-sync-alt"
+                  aria-label={app.translator.trans('flarum-oauth-provider.admin.clients.rotate_button')}
+                  onclick={() => this.rotateSecret(client)}
+                />
+              ) : null}
+              <Button
+                className="Button Button--icon Button--danger"
+                icon="fas fa-trash"
+                aria-label={app.translator.trans('flarum-oauth-provider.admin.clients.delete_button')}
+                onclick={() => this.deleteClient(client)}
+              />
+            </div>
+          </li>
+        ))}
+      </ul>
+    );
+  }
+
+  onCreated(client: OAuthClient, plainSecret: string | null) {
+    const clientId = client.id();
+
+    if (clientId && plainSecret) {
+      setTimeout(() => {
+        app.modal.show(loadNewClientSecretModal, { clientId, clientSecret: plainSecret });
+      }, 0);
+    }
+
+    this.loadClients();
+  }
+
+  deleteClient(client: OAuthClient) {
+    if (!confirm(app.translator.trans('flarum-oauth-provider.admin.clients.delete_confirm') as unknown as string)) {
+      return;
+    }
+
+    client.delete().then(() => this.loadClients());
+  }
+
+  rotateSecret(client: OAuthClient) {
+    if (!confirm(app.translator.trans('flarum-oauth-provider.admin.clients.rotate_confirm') as unknown as string)) {
+      return;
+    }
+
+    const clientId = client.id();
+
+    app
+      .request<{ data: { attributes: { plainSecret: string | null } } }>({
+        method: 'POST',
+        url: `${app.forum.attribute('apiUrl')}/oauth-provider-clients/${clientId}/rotate-secret`,
+      })
+      .then((response) => {
+        const plainSecret = response?.data?.attributes?.plainSecret ?? null;
+
+        if (clientId && plainSecret) {
+          setTimeout(() => {
+            app.modal.show(loadNewClientSecretModal, { clientId, clientSecret: plainSecret, rotated: true });
+          }, 0);
+        }
+
+        return this.loadClients();
+      });
+  }
+}
diff --git a/extensions/oauth-provider/js/src/admin/extend.tsx b/extensions/oauth-provider/js/src/admin/extend.tsx
new file mode 100644
index 0000000000..374e29b7df
--- /dev/null
+++ b/extensions/oauth-provider/js/src/admin/extend.tsx
@@ -0,0 +1,12 @@
+import Extend from 'flarum/common/extenders';
+
+import OAuthClient from './models/OAuthClient';
+import OAuthClientsPage from './components/OAuthClientsPage';
+
+export default [
+  new Extend.Store() //
+    .add('oauth-provider-clients', OAuthClient),
+
+  new Extend.Admin() //
+    .page(OAuthClientsPage),
+];
diff --git a/extensions/oauth-provider/js/src/admin/index.ts b/extensions/oauth-provider/js/src/admin/index.ts
new file mode 100644
index 0000000000..9f6887b580
--- /dev/null
+++ b/extensions/oauth-provider/js/src/admin/index.ts
@@ -0,0 +1,7 @@
+import app from 'flarum/admin/app';
+
+export { default as extend } from './extend';
+
+app.initializers.add('flarum-oauth-provider', () => {
+  //
+});
diff --git a/extensions/oauth-provider/js/src/admin/models/OAuthClient.ts b/extensions/oauth-provider/js/src/admin/models/OAuthClient.ts
new file mode 100644
index 0000000000..b6e5947009
--- /dev/null
+++ b/extensions/oauth-provider/js/src/admin/models/OAuthClient.ts
@@ -0,0 +1,12 @@
+import Model from 'flarum/common/Model';
+
+export default class OAuthClient extends Model {
+  name = Model.attribute<string>('name');
+  redirectUris = Model.attribute<string[]>('redirectUris');
+  scopes = Model.attribute<string[] | null>('scopes');
+  confidential = Model.attribute<boolean>('confidential');
+  revoked = Model.attribute<boolean>('revoked');
+  plainSecret = Model.attribute<string | null>('plainSecret');
+  createdAt = Model.attribute<string, Date>('createdAt', Model.transformDate);
+  updatedAt = Model.attribute<string | null, Date | null>('updatedAt', Model.transformDate);
+}
diff --git a/extensions/oauth-provider/js/src/forum/index.ts b/extensions/oauth-provider/js/src/forum/index.ts
new file mode 100644
index 0000000000..ce34688cb0
--- /dev/null
+++ b/extensions/oauth-provider/js/src/forum/index.ts
@@ -0,0 +1,71 @@
+import app from 'flarum/forum/app';
+
+// Same-origin guard: only trust return URLs on this forum.
+const isSafeReturnTo = (url: string | null): url is string => {
+  if (!url) return false;
+  try {
+    const parsed = new URL(url, window.location.origin);
+    return parsed.origin === window.location.origin;
+  } catch {
+    return false;
+  }
+};
+
+// app.session isn't built yet inside initializers; read the raw payload instead.
+const isLoggedIn = (): boolean => {
+  const sessionData = (app as unknown as { data?: { session?: { userId?: number } } }).data?.session;
+  return !!sessionData?.userId;
+};
+
+app.initializers.add('flarum-oauth-provider', () => {
+  const params = new URLSearchParams(window.location.search);
+
+  if (params.get('oauth_login') === '1') {
+    const returnTo = params.get('return_to');
+
+    if (isSafeReturnTo(returnTo)) {
+      try {
+        sessionStorage.setItem('flarum-oauth-provider.return_to', returnTo);
+      } catch {
+        // Storage unavailable; the resume block below will no-op.
+      }
+    }
+
+    // Strip the query params so a refresh doesn't keep re-triggering this flow.
+    try {
+      const clean = window.location.pathname + window.location.hash;
+      window.history.replaceState(null, '', clean);
+    } catch {
+      // ignore
+    }
+
+    // Only show the login modal if we really are a guest. If the session payload
+    // shows a user, the resume block below will redirect on this same boot.
+    if (!isLoggedIn()) {
+      app.beforeMount(() => {
+        setTimeout(() => {
+          app.modal.show(() => import('flarum/forum/components/LogInModal'));
+        }, 0);
+      });
+    }
+  }
+
+  // Resume: after a successful login reload (or any subsequent page load while
+  // a return URL is stashed), bounce back to /oauth/authorize.
+  let stashed: string | null = null;
+  try {
+    stashed = sessionStorage.getItem('flarum-oauth-provider.return_to');
+  } catch {
+    return;
+  }
+
+  if (!stashed || !isLoggedIn() || !isSafeReturnTo(stashed)) return;
+
+  try {
+    sessionStorage.removeItem('flarum-oauth-provider.return_to');
+  } catch {
+    // ignore
+  }
+
+  window.location.replace(stashed);
+});
diff --git a/extensions/oauth-provider/js/tsconfig.json b/extensions/oauth-provider/js/tsconfig.json
new file mode 100644
index 0000000000..842c3b155b
--- /dev/null
+++ b/extensions/oauth-provider/js/tsconfig.json
@@ -0,0 +1,10 @@
+{
+  "extends": "flarum-tsconfig",
+  "include": ["src/**/*", "../../../framework/core/js/dist-typings/@types/**/*", "@types/**/*"],
+  "compilerOptions": {
+    "declarationDir": "./dist-typings",
+    "paths": {
+      "flarum/*": ["../../../framework/core/js/dist-typings/*"]
+    }
+  }
+}
diff --git a/extensions/oauth-provider/js/webpack.config.js b/extensions/oauth-provider/js/webpack.config.js
new file mode 100644
index 0000000000..ef35ea0069
--- /dev/null
+++ b/extensions/oauth-provider/js/webpack.config.js
@@ -0,0 +1 @@
+module.exports = require('flarum-webpack-config')();
diff --git a/extensions/oauth-provider/migrations/2026_04_22_000000_create_oauth_provider_clients_table.php b/extensions/oauth-provider/migrations/2026_04_22_000000_create_oauth_provider_clients_table.php
new file mode 100644
index 0000000000..0f8353cd2b
--- /dev/null
+++ b/extensions/oauth-provider/migrations/2026_04_22_000000_create_oauth_provider_clients_table.php
@@ -0,0 +1,26 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+use Flarum\Database\Migration;
+use Illuminate\Database\Schema\Blueprint;
+
+return Migration::createTable('oauth_provider_clients', function (Blueprint $table) {
+    $table->string('id', 80)->primary();
+    $table->string('name');
+    $table->string('secret', 255)->nullable();
+    $table->text('redirect_uris');
+    $table->string('scopes', 1000)->nullable();
+    $table->boolean('confidential')->default(true);
+    $table->boolean('revoked')->default(false);
+    $table->integer('created_by')->unsigned()->nullable();
+    $table->dateTime('created_at')->nullable();
+    $table->dateTime('updated_at')->nullable();
+
+    $table->foreign('created_by')->references('id')->on('users')->onDelete('set null');
+});
diff --git a/extensions/oauth-provider/migrations/2026_04_22_000001_create_oauth_provider_auth_codes_table.php b/extensions/oauth-provider/migrations/2026_04_22_000001_create_oauth_provider_auth_codes_table.php
new file mode 100644
index 0000000000..37c09c24ed
--- /dev/null
+++ b/extensions/oauth-provider/migrations/2026_04_22_000001_create_oauth_provider_auth_codes_table.php
@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+use Flarum\Database\Migration;
+use Illuminate\Database\Schema\Blueprint;
+
+return Migration::createTable('oauth_provider_auth_codes', function (Blueprint $table) {
+    $table->string('id', 100)->primary();
+    $table->string('client_id', 80);
+    $table->integer('user_id')->unsigned();
+    $table->string('scopes', 1000)->nullable();
+    $table->boolean('revoked')->default(false);
+    $table->dateTime('expires_at');
+    $table->dateTime('created_at')->nullable();
+
+    $table->foreign('client_id')->references('id')->on('oauth_provider_clients')->onDelete('cascade');
+    $table->foreign('user_id')->references('id')->on('users')->onDelete('cascade');
+    $table->index('expires_at');
+});
diff --git a/extensions/oauth-provider/migrations/2026_04_22_000002_create_oauth_provider_access_tokens_table.php b/extensions/oauth-provider/migrations/2026_04_22_000002_create_oauth_provider_access_tokens_table.php
new file mode 100644
index 0000000000..dac65fe0a6
--- /dev/null
+++ b/extensions/oauth-provider/migrations/2026_04_22_000002_create_oauth_provider_access_tokens_table.php
@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+use Flarum\Database\Migration;
+use Illuminate\Database\Schema\Blueprint;
+
+return Migration::createTable('oauth_provider_access_tokens', function (Blueprint $table) {
+    $table->string('id', 100)->primary();
+    $table->string('client_id', 80);
+    $table->integer('user_id')->unsigned();
+    $table->string('scopes', 1000)->nullable();
+    $table->boolean('revoked')->default(false);
+    $table->dateTime('expires_at');
+    $table->dateTime('created_at')->nullable();
+
+    $table->foreign('client_id')->references('id')->on('oauth_provider_clients')->onDelete('cascade');
+    $table->foreign('user_id')->references('id')->on('users')->onDelete('cascade');
+    $table->index('expires_at');
+});
diff --git a/extensions/oauth-provider/migrations/2026_04_22_000003_create_oauth_provider_refresh_tokens_table.php b/extensions/oauth-provider/migrations/2026_04_22_000003_create_oauth_provider_refresh_tokens_table.php
new file mode 100644
index 0000000000..bea95c1100
--- /dev/null
+++ b/extensions/oauth-provider/migrations/2026_04_22_000003_create_oauth_provider_refresh_tokens_table.php
@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+use Flarum\Database\Migration;
+use Illuminate\Database\Schema\Blueprint;
+
+return Migration::createTable('oauth_provider_refresh_tokens', function (Blueprint $table) {
+    $table->string('id', 100)->primary();
+    $table->string('access_token_id', 100);
+    $table->boolean('revoked')->default(false);
+    $table->dateTime('expires_at');
+    $table->dateTime('created_at')->nullable();
+
+    $table->foreign('access_token_id')
+        ->references('id')
+        ->on('oauth_provider_access_tokens')
+        ->onDelete('cascade');
+    $table->index('expires_at');
+});
diff --git a/extensions/oauth-provider/migrations/2026_04_22_000005_create_oauth_provider_user_consents_table.php b/extensions/oauth-provider/migrations/2026_04_22_000005_create_oauth_provider_user_consents_table.php
new file mode 100644
index 0000000000..46513d32b1
--- /dev/null
+++ b/extensions/oauth-provider/migrations/2026_04_22_000005_create_oauth_provider_user_consents_table.php
@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+use Flarum\Database\Migration;
+use Illuminate\Database\Schema\Blueprint;
+
+return Migration::createTable('oauth_provider_user_consents', function (Blueprint $table) {
+    $table->increments('id');
+    $table->integer('user_id')->unsigned();
+    $table->string('client_id', 80);
+    $table->string('scopes', 1000)->nullable();
+    $table->boolean('revoked')->default(false);
+    $table->dateTime('created_at')->nullable();
+    $table->dateTime('updated_at')->nullable();
+
+    $table->foreign('user_id')->references('id')->on('users')->onDelete('cascade');
+    $table->foreign('client_id')->references('id')->on('oauth_provider_clients')->onDelete('cascade');
+    $table->unique(['user_id', 'client_id']);
+});
diff --git a/extensions/oauth-provider/migrations/2026_04_23_000000_add_oidc_columns.php b/extensions/oauth-provider/migrations/2026_04_23_000000_add_oidc_columns.php
new file mode 100644
index 0000000000..1342a28aa0
--- /dev/null
+++ b/extensions/oauth-provider/migrations/2026_04_23_000000_add_oidc_columns.php
@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Schema\Builder;
+
+return [
+    'up' => function (Builder $schema) {
+        $schema->table('oauth_provider_auth_codes', function (Blueprint $table) {
+            $table->string('nonce', 255)->nullable()->after('scopes');
+            $table->dateTime('auth_time')->nullable()->after('nonce');
+        });
+        $schema->table('oauth_provider_access_tokens', function (Blueprint $table) {
+            $table->string('nonce', 255)->nullable()->after('scopes');
+            $table->dateTime('auth_time')->nullable()->after('nonce');
+        });
+    },
+    'down' => function (Builder $schema) {
+        $schema->table('oauth_provider_auth_codes', function (Blueprint $table) {
+            $table->dropColumn(['nonce', 'auth_time']);
+        });
+        $schema->table('oauth_provider_access_tokens', function (Blueprint $table) {
+            $table->dropColumn(['nonce', 'auth_time']);
+        });
+    },
+];
diff --git a/extensions/oauth-provider/resources/less/admin.less b/extensions/oauth-provider/resources/less/admin.less
new file mode 100644
index 0000000000..0c3d0d5aa5
--- /dev/null
+++ b/extensions/oauth-provider/resources/less/admin.less
@@ -0,0 +1,99 @@
+.OAuthClientsList {
+  list-style: none;
+  padding: 0;
+  margin: 16px 0 0;
+  display: grid;
+  grid-template-columns: 1fr;
+  gap: 8px;
+}
+
+.OAuthClientsList-item {
+  display: grid;
+  grid-template-columns: 1fr auto;
+  align-items: center;
+  gap: 16px;
+  padding: 14px 16px;
+  background: var(--control-bg);
+  border-radius: var(--border-radius, 4px);
+  transition: background 120ms ease;
+
+  &:hover {
+    background: var(--control-danger-bg, var(--control-bg));
+  }
+
+  &--revoked {
+    opacity: 0.6;
+  }
+}
+
+.OAuthClientsList-main {
+  display: grid;
+  gap: 4px;
+  min-width: 0;
+}
+
+.OAuthClientsList-name {
+  font-weight: 600;
+  font-size: 1.05em;
+  display: flex;
+  align-items: center;
+  gap: 8px;
+}
+
+.OAuthClientsList-badge {
+  font-size: 0.7em;
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.04em;
+  padding: 2px 6px;
+  border-radius: 3px;
+
+  &--revoked {
+    background: var(--alert-error-bg, #fde2e2);
+    color: var(--alert-error-color, #8a2929);
+  }
+}
+
+.OAuthClientsList-meta {
+  display: grid;
+  grid-template-columns: 120px 1fr;
+  gap: 8px;
+  font-size: 0.9em;
+  color: var(--muted-color);
+  min-width: 0;
+}
+
+.OAuthClientsList-metaLabel {
+  font-weight: 500;
+  text-transform: uppercase;
+  letter-spacing: 0.03em;
+  font-size: 0.8em;
+  padding-top: 2px;
+}
+
+.OAuthClientsList-id {
+  font-family: monospace;
+  font-size: 0.9em;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.OAuthClientsList-actions {
+  display: flex;
+  gap: 4px;
+  align-self: start;
+}
+
+.ClientFormModal {
+  textarea.FormControl {
+    font-family: monospace;
+    font-size: 0.9em;
+  }
+}
+
+.NewClientSecretModal {
+  input.FormControl[readonly] {
+    font-family: monospace;
+  }
+}
diff --git a/extensions/oauth-provider/resources/locale/en.yml b/extensions/oauth-provider/resources/locale/en.yml
new file mode 100644
index 0000000000..dc0377dbaa
--- /dev/null
+++ b/extensions/oauth-provider/resources/locale/en.yml
@@ -0,0 +1,48 @@
+flarum-oauth-provider:
+  admin:
+    clients:
+      heading: "OAuth clients"
+      help: "Register third-party applications that can log users in via this forum."
+      new_button: "Add client"
+      empty: "No clients registered yet."
+      name_column: "Name"
+      id_column: "Client ID"
+      redirects_column: "Redirect URIs"
+      status_column: "Status"
+      status_active: "Active"
+      status_revoked: "Revoked"
+      edit_button: "Edit"
+      delete_button: "Delete"
+      rotate_button: "Rotate secret"
+      delete_confirm: "Delete this OAuth client? This will invalidate any existing tokens issued to it."
+      rotate_confirm: "Rotate this client's secret? The old secret will stop working immediately, all existing access/refresh tokens will be revoked, and any apps using the old secret will need the new one to reconnect."
+
+    form:
+      new_title: "Add OAuth client"
+      edit_title: "Edit OAuth client"
+      name_label: "Display name"
+      redirect_uris_label: "Redirect URIs"
+      redirect_uris_help: "One URI per line. The client must send one of these as redirect_uri on the authorization request."
+      scopes_label: "Allowed scopes"
+      scopes_help: "Space-separated list of scopes this client may request."
+      confidential_label: "Confidential client (backend can keep a secret)"
+      confidential_help: "Uncheck for public clients (SPA, mobile) that must use PKCE. This cannot be changed after creation."
+      revoked_label: "Revoked (reject all new auth requests)"
+      save_button: "Save"
+
+    secret_modal:
+      title: "Client created"
+      intro: "Save these credentials now — the secret is not shown again."
+      rotated_title: "Secret rotated"
+      rotated_intro: "The client secret has been replaced. Update the consuming application with the new secret — the old one will no longer work, and any existing sessions have been revoked."
+      client_id_label: "Client ID"
+      client_secret_label: "Client secret"
+      close_button: "I've saved these"
+
+  forum:
+    consent:
+      title: "Authorize application"
+      intro: "Hi {username}, {client} wants to access your account."
+      scopes_heading: "This will allow it to:"
+      approve_button: "Authorize"
+      deny_button: "Cancel"
diff --git a/extensions/oauth-provider/resources/views/consent.blade.php b/extensions/oauth-provider/resources/views/consent.blade.php
new file mode 100644
index 0000000000..f9808be07a
--- /dev/null
+++ b/extensions/oauth-provider/resources/views/consent.blade.php
@@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>{{ $translator->trans('flarum-oauth-provider.forum.consent.title') }}</title>
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif; background: #f6f7f9; margin: 0; padding: 2rem; }
+        .card { max-width: 480px; margin: 3rem auto; background: #fff; border-radius: 8px; box-shadow: 0 2px 8px rgba(0,0,0,0.08); padding: 2rem; }
+        h1 { font-size: 1.25rem; margin: 0 0 0.5rem; }
+        .muted { color: #6b7280; font-size: 0.9rem; }
+        ul { padding-left: 1.2rem; }
+        li { margin: 0.25rem 0; }
+        .actions { display: flex; gap: 0.5rem; margin-top: 1.5rem; }
+        .btn { flex: 1; padding: 0.75rem 1rem; border-radius: 4px; border: 0; cursor: pointer; font-weight: 500; }
+        .btn-primary { background: #4863a6; color: #fff; }
+        .btn-secondary { background: #e5e7eb; color: #111827; }
+    </style>
+</head>
+<body>
+<div class="card">
+    <h1>{{ $client->getName() }}</h1>
+    <p class="muted">
+        {{ $translator->trans('flarum-oauth-provider.forum.consent.intro', ['username' => $actor->display_name, 'client' => $client->getName()]) }}
+    </p>
+
+    @if (count($scopes) > 0)
+        <p><strong>{{ $translator->trans('flarum-oauth-provider.forum.consent.scopes_heading') }}</strong></p>
+        <ul>
+            @foreach ($scopes as $id => $description)
+                <li>{{ $description }}</li>
+            @endforeach
+        </ul>
+    @endif
+
+    <form method="POST" action="{{ $formAction }}">
+        @if ($csrfToken)
+            <input type="hidden" name="csrfToken" value="{{ $csrfToken }}">
+        @endif
+        @foreach ($queryParams as $name => $value)
+            <input type="hidden" name="{{ $name }}" value="{{ $value }}">
+        @endforeach
+
+        <div class="actions">
+            <button type="submit" name="oauth_consent_approved" value="0" class="btn btn-secondary">
+                {{ $translator->trans('flarum-oauth-provider.forum.consent.deny_button') }}
+            </button>
+            <button type="submit" name="oauth_consent_approved" value="1" class="btn btn-primary">
+                {{ $translator->trans('flarum-oauth-provider.forum.consent.approve_button') }}
+            </button>
+        </div>
+    </form>
+</div>
+</body>
+</html>
diff --git a/extensions/oauth-provider/src/Api/Resource/ClientResource.php b/extensions/oauth-provider/src/Api/Resource/ClientResource.php
new file mode 100644
index 0000000000..28213bb240
--- /dev/null
+++ b/extensions/oauth-provider/src/Api/Resource/ClientResource.php
@@ -0,0 +1,157 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Api\Resource;
+
+use Carbon\Carbon;
+use Flarum\Api\Context;
+use Flarum\Api\Endpoint;
+use Flarum\Api\Resource;
+use Flarum\Api\Schema;
+use Flarum\Foundation\ValidationException;
+use Flarum\Http\RequestUtil;
+use Flarum\OAuthProvider\Models\AccessToken;
+use Flarum\OAuthProvider\Models\AuthCode;
+use Flarum\OAuthProvider\Models\Client;
+use Flarum\OAuthProvider\Models\RefreshToken;
+use Illuminate\Support\Str;
+use Tobyz\JsonApiServer\Context as OriginalContext;
+
+/**
+ * @extends Resource\AbstractDatabaseResource<Client>
+ */
+class ClientResource extends Resource\AbstractDatabaseResource
+{
+    public function routeNamePrefix(): ?string
+    {
+        return 'oauthProvider';
+    }
+
+    public function type(): string
+    {
+        return 'oauth-provider-clients';
+    }
+
+    public function model(): string
+    {
+        return Client::class;
+    }
+
+    public function endpoints(): array
+    {
+        return [
+            Endpoint\Index::make()
+                ->authenticated()
+                ->admin(),
+            Endpoint\Show::make()
+                ->authenticated()
+                ->admin(),
+            Endpoint\Create::make()
+                ->authenticated()
+                ->admin(),
+            Endpoint\Update::make()
+                ->authenticated()
+                ->admin(),
+            Endpoint\Delete::make()
+                ->authenticated()
+                ->admin(),
+            Endpoint\Endpoint::make('rotateSecret')
+                ->route('POST', '/{id}/rotate-secret')
+                ->authenticated()
+                ->admin()
+                ->action(function (Context $context): object {
+                    /** @var Client $client */
+                    $client = $context->model;
+
+                    if (! $client->confidential) {
+                        throw new ValidationException([
+                            'client' => 'Public clients have no secret to rotate.',
+                        ]);
+                    }
+
+                    $plainSecret = Str::random(40);
+                    $client->secret = hash('sha256', $plainSecret);
+                    $client->updated_at = Carbon::now();
+                    $client->save();
+
+                    // Invalidate all tokens previously issued to this client —
+                    // a rotation should lock out anyone holding the old secret.
+                    AuthCode::query()->where('client_id', $client->id)->update(['revoked' => true]);
+                    $accessTokenIds = AccessToken::query()
+                        ->where('client_id', $client->id)
+                        ->pluck('id');
+                    AccessToken::query()->where('client_id', $client->id)->update(['revoked' => true]);
+                    RefreshToken::query()
+                        ->whereIn('access_token_id', $accessTokenIds)
+                        ->update(['revoked' => true]);
+
+                    $client->plainSecret = $plainSecret;
+
+                    return $client;
+                }),
+        ];
+    }
+
+    public function fields(): array
+    {
+        return [
+            Schema\Str::make('name')
+                ->writable()
+                ->requiredOnCreate()
+                ->maxLength(255),
+            Schema\Arr::make('redirectUris')
+                ->writable()
+                ->requiredOnCreate()
+                ->property('redirect_uris'),
+            Schema\Arr::make('scopes')
+                ->writable()
+                ->nullable(),
+            Schema\Boolean::make('confidential')
+                ->writable(),
+            Schema\Boolean::make('revoked')
+                ->writable(),
+            Schema\Str::make('plainSecret')
+                ->nullable()
+                ->get(fn (Client $client) => $client->plainSecret),
+            Schema\DateTime::make('createdAt'),
+            Schema\DateTime::make('updatedAt'),
+        ];
+    }
+
+    public function creating(object $model, OriginalContext $context): ?object
+    {
+        /** @var Client $model */
+        $model->id = Str::random(20);
+
+        $actor = RequestUtil::getActor($context->request);
+        $model->created_by = $actor->id;
+
+        if ($model->confidential === null) {
+            $model->confidential = true;
+        }
+
+        if ($model->confidential) {
+            $plainSecret = Str::random(40);
+            $model->secret = hash('sha256', $plainSecret);
+            $model->plainSecret = $plainSecret;
+        }
+
+        $model->created_at = Carbon::now();
+
+        return $model;
+    }
+
+    public function updating(object $model, OriginalContext $context): ?object
+    {
+        /** @var Client $model */
+        $model->updated_at = Carbon::now();
+
+        return $model;
+    }
+}
diff --git a/extensions/oauth-provider/src/Extend/Scope.php b/extensions/oauth-provider/src/Extend/Scope.php
new file mode 100644
index 0000000000..ced8a085d1
--- /dev/null
+++ b/extensions/oauth-provider/src/Extend/Scope.php
@@ -0,0 +1,40 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Extend;
+
+use Flarum\Extend\ExtenderInterface;
+use Flarum\Extension\Extension;
+use Flarum\OAuthProvider\Scope\ScopeRegistry;
+use Illuminate\Contracts\Container\Container;
+
+/**
+ * Extender for registering OAuth 2 scopes.
+ *
+ * Usage in an extension's extend.php:
+ *
+ *   (new \Flarum\OAuthProvider\Extend\Scope('email', 'Read your email address'))
+ */
+class Scope implements ExtenderInterface
+{
+    public function __construct(
+        protected string $identifier,
+        protected string $description,
+    ) {
+    }
+
+    public function extend(Container $container, ?Extension $extension = null): void
+    {
+        $container->extend(ScopeRegistry::class, function (ScopeRegistry $registry) {
+            $registry->register($this->identifier, $this->description);
+
+            return $registry;
+        });
+    }
+}
diff --git a/extensions/oauth-provider/src/Http/Controller/AuthorizeController.php b/extensions/oauth-provider/src/Http/Controller/AuthorizeController.php
new file mode 100644
index 0000000000..ddaf16d425
--- /dev/null
+++ b/extensions/oauth-provider/src/Http/Controller/AuthorizeController.php
@@ -0,0 +1,224 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Http\Controller;
+
+use Carbon\Carbon;
+use Flarum\Http\AccessToken;
+use Flarum\Http\RequestUtil;
+use Flarum\Http\UrlGenerator;
+use Flarum\OAuthProvider\Models\AuthCode;
+use Flarum\OAuthProvider\Models\Consent;
+use Flarum\OAuthProvider\Scope\ScopeRegistry;
+use Flarum\OAuthProvider\Server\AuthorizationServerFactory;
+use Flarum\OAuthProvider\Server\Entity\UserEntity;
+use Illuminate\Contracts\View\Factory;
+use Laminas\Diactoros\Response\HtmlResponse;
+use Laminas\Diactoros\Response\RedirectResponse;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Server\RequestHandlerInterface;
+
+class AuthorizeController implements RequestHandlerInterface
+{
+    public function __construct(
+        protected AuthorizationServerFactory $factory,
+        protected Factory $view,
+        protected UrlGenerator $url,
+        protected ScopeRegistry $scopes,
+    ) {
+    }
+
+    public function handle(Request $request): ResponseInterface
+    {
+        $server = $this->factory->authorizationServer();
+
+        try {
+            $authRequest = $server->validateAuthorizationRequest($request);
+        } catch (OAuthServerException $exception) {
+            return $exception->generateHttpResponse(new \Laminas\Diactoros\Response());
+        }
+
+        $actor = RequestUtil::getActor($request);
+        $queryParams = $request->getQueryParams();
+        $prompt = $queryParams['prompt'] ?? null;
+        $nonce = $queryParams['nonce'] ?? null;
+        $maxAge = isset($queryParams['max_age']) ? (int) $queryParams['max_age'] : null;
+
+        $authTime = $this->sessionAuthTime($request);
+
+        // OIDC max_age: if the user's session is older than max_age seconds (or
+        // we can't determine when they last authenticated), force re-auth even
+        // if they're currently logged in. prompt=login has the same effect.
+        $needsReAuth = $actor->isGuest()
+            || $prompt === 'login'
+            || ($maxAge !== null && ($authTime === null || (Carbon::now()->getTimestamp() - $authTime->getTimestamp()) >= $maxAge));
+
+        if ($needsReAuth) {
+            $base = $this->url->to('forum')->base();
+
+            // Build the return-to as a path+query on the configured forum URL so
+            // the scheme matches (avoids http/https mismatches behind proxies).
+            $uri = $request->getUri();
+            $returnPath = $uri->getPath();
+            if ($uri->getQuery() !== '') {
+                $returnPath .= '?'.$uri->getQuery();
+            }
+            $returnTo = urlencode($base.$returnPath);
+
+            return new RedirectResponse($base.'/?oauth_login=1&return_to='.$returnTo);
+        }
+
+        $clientId = $authRequest->getClient()->getIdentifier();
+        $requestedScopes = array_map(fn ($scope) => $scope->getIdentifier(), $authRequest->getScopes());
+
+        $params = $request->getParsedBody() ?? [];
+        $method = strtoupper($request->getMethod());
+
+        // The consent form was submitted — record the decision.
+        if ($method === 'POST' && isset($params['oauth_consent_approved'])) {
+            $approved = $params['oauth_consent_approved'] === '1';
+
+            if ($approved) {
+                $this->rememberConsent((int) $actor->id, $clientId, $requestedScopes);
+            }
+
+            return $this->completeAuthorization($authRequest, $server, $actor->id, $approved, $nonce, $authTime);
+        }
+
+        // Previously-granted consent still covers this request — skip the prompt
+        // unless the client explicitly asked for re-consent via prompt=consent.
+        if ($prompt !== 'consent' && $this->hasExistingConsent((int) $actor->id, $clientId, $requestedScopes)) {
+            return $this->completeAuthorization($authRequest, $server, $actor->id, true, $nonce, $authTime);
+        }
+
+        $scopeDescriptions = [];
+
+        foreach ($authRequest->getScopes() as $scope) {
+            $scopeDescriptions[$scope->getIdentifier()] = $this->scopes->description($scope->getIdentifier()) ?? $scope->getIdentifier();
+        }
+
+        $csrfToken = $request->getAttribute('session')?->token();
+
+        $html = $this->view->make('flarum-oauth-provider::consent', [
+            'client' => $authRequest->getClient(),
+            'scopes' => $scopeDescriptions,
+            'actor' => $actor,
+            'formAction' => (string) $request->getUri(),
+            'csrfToken' => $csrfToken,
+            'queryParams' => $queryParams,
+        ])->render();
+
+        return new HtmlResponse($html);
+    }
+
+    protected function completeAuthorization(
+        AuthorizationRequest $authRequest,
+        $server,
+        int $userId,
+        bool $approved,
+        ?string $nonce = null,
+        ?Carbon $authTime = null,
+    ): ResponseInterface {
+        $userEntity = new UserEntity();
+        $userEntity->setIdentifier((string) $userId);
+
+        $authRequest->setUser($userEntity);
+        $authRequest->setAuthorizationApproved($approved);
+
+        try {
+            $response = $server->completeAuthorizationRequest($authRequest, new \Laminas\Diactoros\Response());
+        } catch (OAuthServerException $exception) {
+            return $exception->generateHttpResponse(new \Laminas\Diactoros\Response());
+        }
+
+        // If approved, attach nonce + auth_time to the just-created auth code
+        // so they survive through to ID token issuance at the token endpoint.
+        if ($approved) {
+            AuthCode::query()
+                ->where('user_id', $userId)
+                ->where('client_id', $authRequest->getClient()->getIdentifier())
+                ->orderByDesc('created_at')
+                ->limit(1)
+                ->update([
+                    'nonce' => $nonce,
+                    'auth_time' => $authTime ?? Carbon::now(),
+                ]);
+        }
+
+        return $response;
+    }
+
+    /**
+     * Best-effort "when did the current session authenticate" timestamp. Uses
+     * the session's access token creation time — Flarum reissues a fresh access
+     * token each time a remember-me cookie restores a session, so this is the
+     * most accurate "this session started" signal we have.
+     *
+     * Returns null for guests or if the session is orphaned.
+     */
+    protected function sessionAuthTime(Request $request): ?Carbon
+    {
+        $session = $request->getAttribute('session');
+        $tokenValue = $session?->get('access_token');
+
+        if (! is_string($tokenValue) || $tokenValue === '') {
+            return null;
+        }
+
+        $token = AccessToken::findValid($tokenValue);
+
+        return $token?->created_at;
+    }
+
+    protected function hasExistingConsent(int $userId, string $clientId, array $requestedScopes): bool
+    {
+        /** @var Consent|null $consent */
+        $consent = Consent::query()
+            ->where('user_id', $userId)
+            ->where('client_id', $clientId)
+            ->where('revoked', false)
+            ->first();
+
+        return $consent !== null && $consent->covers($requestedScopes);
+    }
+
+    protected function rememberConsent(int $userId, string $clientId, array $requestedScopes): void
+    {
+        /** @var Consent|null $existing */
+        $existing = Consent::query()
+            ->where('user_id', $userId)
+            ->where('client_id', $clientId)
+            ->first();
+
+        if ($existing === null) {
+            Consent::query()->create([
+                'user_id' => $userId,
+                'client_id' => $clientId,
+                'scopes' => $requestedScopes,
+                'revoked' => false,
+                'created_at' => Carbon::now(),
+                'updated_at' => Carbon::now(),
+            ]);
+
+            return;
+        }
+
+        // Merge newly-approved scopes into the existing grant and re-activate it
+        // if it was previously revoked.
+        $merged = array_values(array_unique(array_merge($existing->scopes ?? [], $requestedScopes)));
+
+        $existing->scopes = $merged;
+        $existing->revoked = false;
+        $existing->updated_at = Carbon::now();
+        $existing->save();
+    }
+}
diff --git a/extensions/oauth-provider/src/Http/Controller/JwksController.php b/extensions/oauth-provider/src/Http/Controller/JwksController.php
new file mode 100644
index 0000000000..5ac5998893
--- /dev/null
+++ b/extensions/oauth-provider/src/Http/Controller/JwksController.php
@@ -0,0 +1,63 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Http\Controller;
+
+use Flarum\OAuthProvider\KeyManager;
+use Laminas\Diactoros\Response\JsonResponse;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Server\RequestHandlerInterface;
+use RuntimeException;
+
+/**
+ * JSON Web Key Set endpoint — `/.well-known/jwks.json`.
+ *
+ * Exposes the RSA public key so OIDC/OAuth 2 clients can verify JWT access
+ * tokens and ID tokens issued by this provider without a pre-shared key.
+ */
+class JwksController implements RequestHandlerInterface
+{
+    public function __construct(protected KeyManager $keys)
+    {
+    }
+
+    public function handle(Request $request): ResponseInterface
+    {
+        $publicKeyPem = $this->keys->publicKey()->getKeyContents();
+
+        $details = openssl_pkey_get_details(openssl_pkey_get_public($publicKeyPem) ?: throw new RuntimeException('Invalid public key'));
+
+        if ($details === false || ! isset($details['rsa'])) {
+            throw new RuntimeException('Failed to extract RSA key details');
+        }
+
+        $modulus = $details['rsa']['n'];
+        $exponent = $details['rsa']['e'];
+
+        // Key ID: a deterministic fingerprint so clients can cache by kid.
+        $kid = substr(hash('sha256', $publicKeyPem), 0, 16);
+
+        return new JsonResponse([
+            'keys' => [[
+                'kty' => 'RSA',
+                'use' => 'sig',
+                'alg' => 'RS256',
+                'kid' => $kid,
+                'n' => $this->base64UrlEncode($modulus),
+                'e' => $this->base64UrlEncode($exponent),
+            ]],
+        ]);
+    }
+
+    private function base64UrlEncode(string $bytes): string
+    {
+        return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
+    }
+}
diff --git a/extensions/oauth-provider/src/Http/Controller/OpenIdConfigurationController.php b/extensions/oauth-provider/src/Http/Controller/OpenIdConfigurationController.php
new file mode 100644
index 0000000000..f7cc2ffde8
--- /dev/null
+++ b/extensions/oauth-provider/src/Http/Controller/OpenIdConfigurationController.php
@@ -0,0 +1,70 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Http\Controller;
+
+use Flarum\Http\UrlGenerator;
+use Flarum\OAuthProvider\Scope\ScopeRegistry;
+use Laminas\Diactoros\Response\JsonResponse;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Server\RequestHandlerInterface;
+
+/**
+ * OpenID Connect Discovery 1.0 §4 — `/.well-known/openid-configuration`.
+ *
+ * Allows OIDC clients to auto-configure from an issuer URL without hard-coding
+ * endpoint paths or supported features.
+ */
+class OpenIdConfigurationController implements RequestHandlerInterface
+{
+    public function __construct(
+        protected UrlGenerator $url,
+        protected ScopeRegistry $scopes,
+    ) {
+    }
+
+    public function handle(Request $request): ResponseInterface
+    {
+        $issuer = rtrim($this->url->to('forum')->base(), '/');
+
+        return new JsonResponse([
+            'issuer' => $issuer,
+            'authorization_endpoint' => $issuer.'/oauth/authorize',
+            'token_endpoint' => $issuer.'/oauth/token',
+            'userinfo_endpoint' => $issuer.'/oauth/userinfo',
+            'jwks_uri' => $issuer.'/.well-known/jwks.json',
+            'response_types_supported' => ['code'],
+            'response_modes_supported' => ['query'],
+            'subject_types_supported' => ['public'],
+            'id_token_signing_alg_values_supported' => ['RS256'],
+            'scopes_supported' => array_keys($this->scopes->all()),
+            'token_endpoint_auth_methods_supported' => [
+                'client_secret_post',
+                'client_secret_basic',
+                'none',
+            ],
+            'claims_supported' => [
+                'sub',
+                'iss',
+                'aud',
+                'exp',
+                'iat',
+                'auth_time',
+                'nonce',
+                'name',
+                'picture',
+                'email',
+                'email_verified',
+            ],
+            'grant_types_supported' => ['authorization_code', 'refresh_token'],
+            'code_challenge_methods_supported' => ['S256', 'plain'],
+        ]);
+    }
+}
diff --git a/extensions/oauth-provider/src/Http/Controller/TokenController.php b/extensions/oauth-provider/src/Http/Controller/TokenController.php
new file mode 100644
index 0000000000..33d5b75b1c
--- /dev/null
+++ b/extensions/oauth-provider/src/Http/Controller/TokenController.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Http\Controller;
+
+use Flarum\OAuthProvider\Server\AuthorizationServerFactory;
+use Laminas\Diactoros\Response;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Server\RequestHandlerInterface;
+
+class TokenController implements RequestHandlerInterface
+{
+    public function __construct(protected AuthorizationServerFactory $factory)
+    {
+    }
+
+    public function handle(Request $request): ResponseInterface
+    {
+        $server = $this->factory->authorizationServer();
+
+        try {
+            return $server->respondToAccessTokenRequest($request, new Response());
+        } catch (OAuthServerException $exception) {
+            return $exception->generateHttpResponse(new Response());
+        }
+    }
+}
diff --git a/extensions/oauth-provider/src/Http/Controller/UserInfoController.php b/extensions/oauth-provider/src/Http/Controller/UserInfoController.php
new file mode 100644
index 0000000000..388727355e
--- /dev/null
+++ b/extensions/oauth-provider/src/Http/Controller/UserInfoController.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Http\Controller;
+
+use Flarum\OAuthProvider\Server\AuthorizationServerFactory;
+use Flarum\User\UserRepository;
+use Laminas\Diactoros\Response\JsonResponse;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Server\RequestHandlerInterface;
+
+class UserInfoController implements RequestHandlerInterface
+{
+    public function __construct(
+        protected AuthorizationServerFactory $factory,
+        protected UserRepository $users,
+    ) {
+    }
+
+    public function handle(Request $request): ResponseInterface
+    {
+        $resourceServer = $this->factory->resourceServer();
+
+        try {
+            $request = $resourceServer->validateAuthenticatedRequest($request);
+        } catch (OAuthServerException $exception) {
+            return $exception->generateHttpResponse(new \Laminas\Diactoros\Response());
+        }
+
+        $userId = (int) $request->getAttribute('oauth_user_id');
+        $scopes = (array) $request->getAttribute('oauth_scopes', []);
+
+        $user = $this->users->findOrFail($userId);
+
+        $payload = [
+            'sub' => (string) $user->id,
+        ];
+
+        if (in_array('profile', $scopes, true)) {
+            $payload['name'] = $user->display_name;
+            $payload['picture'] = $user->avatar_url;
+
+            // Non-standard extension: srcset string for HiDPI variants when the
+            // avatar driver provides them (e.g. uploaded avatars expose @2x/@3x).
+            // Format: "url 1x, url@2x 2x, url@3x 3x" — same as <img srcset>.
+            $srcset = $user->avatar_srcset;
+            if (! empty($srcset)) {
+                $payload['picture_srcset'] = $srcset;
+            }
+        }
+
+        if (in_array('email', $scopes, true)) {
+            $payload['email'] = $user->email;
+            $payload['email_verified'] = (bool) $user->is_email_confirmed;
+        }
+
+        return new JsonResponse($payload);
+    }
+}
diff --git a/extensions/oauth-provider/src/KeyManager.php b/extensions/oauth-provider/src/KeyManager.php
new file mode 100644
index 0000000000..79da057991
--- /dev/null
+++ b/extensions/oauth-provider/src/KeyManager.php
@@ -0,0 +1,101 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider;
+
+use Defuse\Crypto\Key;
+use Flarum\Settings\SettingsRepositoryInterface;
+use League\OAuth2\Server\CryptKey;
+use RuntimeException;
+
+/**
+ * Manages the RSA keypair used to sign access token JWTs and the symmetric
+ * encryption key used for auth codes + refresh tokens.
+ *
+ * Keys are generated lazily on first use and persisted in the settings store.
+ * Call rotate() to regenerate them — existing tokens will be invalidated.
+ */
+class KeyManager
+{
+    public const PRIVATE_KEY_SETTING = 'flarum-oauth-provider.private_key';
+    public const PUBLIC_KEY_SETTING = 'flarum-oauth-provider.public_key';
+    public const ENCRYPTION_KEY_SETTING = 'flarum-oauth-provider.encryption_key';
+
+    public function __construct(protected SettingsRepositoryInterface $settings)
+    {
+    }
+
+    public function privateKey(): CryptKey
+    {
+        $key = $this->settings->get(self::PRIVATE_KEY_SETTING);
+
+        if (empty($key)) {
+            $this->generateKeyPair();
+            $key = $this->settings->get(self::PRIVATE_KEY_SETTING);
+        }
+
+        return new CryptKey($key, null, false);
+    }
+
+    public function publicKey(): CryptKey
+    {
+        $key = $this->settings->get(self::PUBLIC_KEY_SETTING);
+
+        if (empty($key)) {
+            $this->generateKeyPair();
+            $key = $this->settings->get(self::PUBLIC_KEY_SETTING);
+        }
+
+        return new CryptKey($key, null, false);
+    }
+
+    public function encryptionKey(): Key
+    {
+        $key = $this->settings->get(self::ENCRYPTION_KEY_SETTING);
+
+        if (empty($key)) {
+            $key = Key::createNewRandomKey()->saveToAsciiSafeString();
+            $this->settings->set(self::ENCRYPTION_KEY_SETTING, $key);
+        }
+
+        return Key::loadFromAsciiSafeString($key);
+    }
+
+    public function rotate(): void
+    {
+        $this->generateKeyPair();
+        $this->settings->set(self::ENCRYPTION_KEY_SETTING, Key::createNewRandomKey()->saveToAsciiSafeString());
+    }
+
+    private function generateKeyPair(): void
+    {
+        $resource = \openssl_pkey_new([
+            'digest_alg' => 'sha256',
+            'private_key_bits' => 2048,
+            'private_key_type' => OPENSSL_KEYTYPE_RSA,
+        ]);
+
+        if ($resource === false) {
+            throw new RuntimeException('Failed to generate RSA key pair: '.\openssl_error_string());
+        }
+
+        if (! \openssl_pkey_export($resource, $privateKey)) {
+            throw new RuntimeException('Failed to export RSA private key: '.\openssl_error_string());
+        }
+
+        $details = \openssl_pkey_get_details($resource);
+
+        if ($details === false || ! isset($details['key'])) {
+            throw new RuntimeException('Failed to read RSA public key: '.\openssl_error_string());
+        }
+
+        $this->settings->set(self::PRIVATE_KEY_SETTING, $privateKey);
+        $this->settings->set(self::PUBLIC_KEY_SETTING, $details['key']);
+    }
+}
diff --git a/extensions/oauth-provider/src/Models/AccessToken.php b/extensions/oauth-provider/src/Models/AccessToken.php
new file mode 100644
index 0000000000..c11c43de3f
--- /dev/null
+++ b/extensions/oauth-provider/src/Models/AccessToken.php
@@ -0,0 +1,64 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Models;
+
+use Carbon\Carbon;
+use Flarum\Database\AbstractModel;
+use Flarum\User\User;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Illuminate\Database\Eloquent\Relations\HasOne;
+
+/**
+ * @property string      $id
+ * @property string      $client_id
+ * @property int         $user_id
+ * @property array|null  $scopes
+ * @property string|null $nonce
+ * @property Carbon|null $auth_time
+ * @property bool        $revoked
+ * @property Carbon      $expires_at
+ * @property Carbon|null $created_at
+ * @property Client      $client
+ * @property User        $user
+ * @property RefreshToken|null $refreshToken
+ */
+class AccessToken extends AbstractModel
+{
+    protected $table = 'oauth_provider_access_tokens';
+
+    public $incrementing = false;
+    protected $keyType = 'string';
+    public $timestamps = false;
+
+    protected $casts = [
+        'scopes' => 'array',
+        'revoked' => 'boolean',
+        'expires_at' => 'datetime',
+        'created_at' => 'datetime',
+        'auth_time' => 'datetime',
+    ];
+
+    protected $guarded = [];
+
+    public function client(): BelongsTo
+    {
+        return $this->belongsTo(Client::class, 'client_id');
+    }
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class, 'user_id');
+    }
+
+    public function refreshToken(): HasOne
+    {
+        return $this->hasOne(RefreshToken::class, 'access_token_id');
+    }
+}
diff --git a/extensions/oauth-provider/src/Models/AuthCode.php b/extensions/oauth-provider/src/Models/AuthCode.php
new file mode 100644
index 0000000000..6da16e1156
--- /dev/null
+++ b/extensions/oauth-provider/src/Models/AuthCode.php
@@ -0,0 +1,57 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Models;
+
+use Carbon\Carbon;
+use Flarum\Database\AbstractModel;
+use Flarum\User\User;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+/**
+ * @property string      $id
+ * @property string      $client_id
+ * @property int         $user_id
+ * @property array|null  $scopes
+ * @property string|null $nonce
+ * @property Carbon|null $auth_time
+ * @property bool        $revoked
+ * @property Carbon      $expires_at
+ * @property Carbon|null $created_at
+ * @property Client      $client
+ * @property User        $user
+ */
+class AuthCode extends AbstractModel
+{
+    protected $table = 'oauth_provider_auth_codes';
+
+    public $incrementing = false;
+    protected $keyType = 'string';
+    public $timestamps = false;
+
+    protected $casts = [
+        'scopes' => 'array',
+        'revoked' => 'boolean',
+        'expires_at' => 'datetime',
+        'created_at' => 'datetime',
+        'auth_time' => 'datetime',
+    ];
+
+    protected $guarded = [];
+
+    public function client(): BelongsTo
+    {
+        return $this->belongsTo(Client::class, 'client_id');
+    }
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class, 'user_id');
+    }
+}
diff --git a/extensions/oauth-provider/src/Models/Client.php b/extensions/oauth-provider/src/Models/Client.php
new file mode 100644
index 0000000000..ae035e2a50
--- /dev/null
+++ b/extensions/oauth-provider/src/Models/Client.php
@@ -0,0 +1,65 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Models;
+
+use Carbon\Carbon;
+use Flarum\Database\AbstractModel;
+use Flarum\User\User;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+/**
+ * @property string      $id
+ * @property string      $name
+ * @property string|null $secret
+ * @property array       $redirect_uris
+ * @property array|null  $scopes
+ * @property bool        $confidential
+ * @property bool        $revoked
+ * @property int|null    $created_by
+ * @property User|null   $creator
+ * @property Carbon|null $created_at
+ * @property Carbon|null $updated_at
+ */
+class Client extends AbstractModel
+{
+    protected $table = 'oauth_provider_clients';
+
+    public $incrementing = false;
+    protected $keyType = 'string';
+
+    protected $casts = [
+        'redirect_uris' => 'array',
+        'scopes' => 'array',
+        'confidential' => 'boolean',
+        'revoked' => 'boolean',
+        'created_at' => 'datetime',
+        'updated_at' => 'datetime',
+    ];
+
+    protected $guarded = [];
+
+    protected $hidden = ['secret'];
+
+    /**
+     * Plain client secret — only populated at the moment of creation so the
+     * API resource can return it to the admin once. Not persisted.
+     */
+    public ?string $plainSecret = null;
+
+    public function creator(): BelongsTo
+    {
+        return $this->belongsTo(User::class, 'created_by');
+    }
+
+    public function hasRedirectUri(string $uri): bool
+    {
+        return in_array($uri, (array) $this->redirect_uris, true);
+    }
+}
diff --git a/extensions/oauth-provider/src/Models/Consent.php b/extensions/oauth-provider/src/Models/Consent.php
new file mode 100644
index 0000000000..76cb6eb308
--- /dev/null
+++ b/extensions/oauth-provider/src/Models/Consent.php
@@ -0,0 +1,66 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Models;
+
+use Carbon\Carbon;
+use Flarum\Database\AbstractModel;
+use Flarum\User\User;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+/**
+ * @property int         $id
+ * @property int         $user_id
+ * @property string      $client_id
+ * @property array|null  $scopes
+ * @property bool        $revoked
+ * @property Carbon|null $created_at
+ * @property Carbon|null $updated_at
+ * @property User        $user
+ * @property Client      $client
+ */
+class Consent extends AbstractModel
+{
+    protected $table = 'oauth_provider_user_consents';
+
+    protected $casts = [
+        'scopes' => 'array',
+        'revoked' => 'boolean',
+        'created_at' => 'datetime',
+        'updated_at' => 'datetime',
+    ];
+
+    protected $guarded = [];
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class, 'user_id');
+    }
+
+    public function client(): BelongsTo
+    {
+        return $this->belongsTo(Client::class, 'client_id');
+    }
+
+    /**
+     * Does this consent record cover every one of the given scope identifiers?
+     */
+    public function covers(array $requestedScopes): bool
+    {
+        $granted = $this->scopes ?? [];
+
+        foreach ($requestedScopes as $scope) {
+            if (! in_array($scope, $granted, true)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+}
diff --git a/extensions/oauth-provider/src/Models/RefreshToken.php b/extensions/oauth-provider/src/Models/RefreshToken.php
new file mode 100644
index 0000000000..187e1307ce
--- /dev/null
+++ b/extensions/oauth-provider/src/Models/RefreshToken.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Models;
+
+use Carbon\Carbon;
+use Flarum\Database\AbstractModel;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+/**
+ * @property string      $id
+ * @property string      $access_token_id
+ * @property bool        $revoked
+ * @property Carbon      $expires_at
+ * @property Carbon|null $created_at
+ * @property AccessToken $accessToken
+ */
+class RefreshToken extends AbstractModel
+{
+    protected $table = 'oauth_provider_refresh_tokens';
+
+    public $incrementing = false;
+    protected $keyType = 'string';
+    public $timestamps = false;
+
+    protected $casts = [
+        'revoked' => 'boolean',
+        'expires_at' => 'datetime',
+        'created_at' => 'datetime',
+    ];
+
+    protected $guarded = [];
+
+    public function accessToken(): BelongsTo
+    {
+        return $this->belongsTo(AccessToken::class, 'access_token_id');
+    }
+}
diff --git a/extensions/oauth-provider/src/Provider/OAuthProviderServiceProvider.php b/extensions/oauth-provider/src/Provider/OAuthProviderServiceProvider.php
new file mode 100644
index 0000000000..0a8a43a3c5
--- /dev/null
+++ b/extensions/oauth-provider/src/Provider/OAuthProviderServiceProvider.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Provider;
+
+use Flarum\Foundation\AbstractServiceProvider;
+use Flarum\OAuthProvider\Scope\ScopeRegistry;
+
+class OAuthProviderServiceProvider extends AbstractServiceProvider
+{
+    public function register(): void
+    {
+        $this->container->singleton(ScopeRegistry::class, function () {
+            $registry = new ScopeRegistry();
+
+            $registry->register('openid', 'Identify you to the application');
+            $registry->register('profile', 'Access your public profile (username, display name, avatar)');
+            $registry->register('email', 'Access your email address');
+
+            return $registry;
+        });
+    }
+}
diff --git a/extensions/oauth-provider/src/Scope/ScopeRegistry.php b/extensions/oauth-provider/src/Scope/ScopeRegistry.php
new file mode 100644
index 0000000000..47259f3ca3
--- /dev/null
+++ b/extensions/oauth-provider/src/Scope/ScopeRegistry.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Scope;
+
+class ScopeRegistry
+{
+    /**
+     * @var array<string, string> Identifier => human-readable description
+     */
+    protected array $scopes = [];
+
+    public function register(string $identifier, string $description): self
+    {
+        $this->scopes[$identifier] = $description;
+
+        return $this;
+    }
+
+    public function has(string $identifier): bool
+    {
+        return array_key_exists($identifier, $this->scopes);
+    }
+
+    public function description(string $identifier): ?string
+    {
+        return $this->scopes[$identifier] ?? null;
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    public function all(): array
+    {
+        return $this->scopes;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/AuthorizationServerFactory.php b/extensions/oauth-provider/src/Server/AuthorizationServerFactory.php
new file mode 100644
index 0000000000..9868e5e9d1
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/AuthorizationServerFactory.php
@@ -0,0 +1,73 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server;
+
+use DateInterval;
+use Flarum\OAuthProvider\KeyManager;
+use Flarum\OAuthProvider\Server\Grant\OidcAuthCodeGrant;
+use Flarum\OAuthProvider\Server\Repository\AccessTokenRepository;
+use Flarum\OAuthProvider\Server\Repository\AuthCodeRepository;
+use Flarum\OAuthProvider\Server\Repository\ClientRepository;
+use Flarum\OAuthProvider\Server\Repository\RefreshTokenRepository;
+use Flarum\OAuthProvider\Server\Repository\ScopeRepository;
+use Flarum\OAuthProvider\Server\ResponseType\IdTokenResponse;
+use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\Grant\RefreshTokenGrant;
+use League\OAuth2\Server\ResourceServer;
+
+class AuthorizationServerFactory
+{
+    public function __construct(
+        protected KeyManager $keys,
+        protected ClientRepository $clients,
+        protected AccessTokenRepository $accessTokens,
+        protected RefreshTokenRepository $refreshTokens,
+        protected AuthCodeRepository $authCodes,
+        protected ScopeRepository $scopes,
+        protected IdTokenBuilder $idTokenBuilder,
+    ) {
+    }
+
+    public function authorizationServer(): AuthorizationServer
+    {
+        $server = new AuthorizationServer(
+            $this->clients,
+            $this->accessTokens,
+            $this->scopes,
+            $this->keys->privateKey(),
+            $this->keys->encryptionKey(),
+            new IdTokenResponse($this->idTokenBuilder),
+        );
+
+        $authCodeGrant = new OidcAuthCodeGrant(
+            $this->authCodes,
+            $this->refreshTokens,
+            new DateInterval('PT10M')
+        );
+        $authCodeGrant->setRefreshTokenTTL(new DateInterval('P1M'));
+
+        $server->enableGrantType($authCodeGrant, new DateInterval('PT1H'));
+
+        $refreshGrant = new RefreshTokenGrant($this->refreshTokens);
+        $refreshGrant->setRefreshTokenTTL(new DateInterval('P1M'));
+
+        $server->enableGrantType($refreshGrant, new DateInterval('PT1H'));
+
+        return $server;
+    }
+
+    public function resourceServer(): ResourceServer
+    {
+        return new ResourceServer(
+            $this->accessTokens,
+            $this->keys->publicKey(),
+        );
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Entity/AccessTokenEntity.php b/extensions/oauth-provider/src/Server/Entity/AccessTokenEntity.php
new file mode 100644
index 0000000000..b186d12209
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Entity/AccessTokenEntity.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Entity;
+
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+
+class AccessTokenEntity implements AccessTokenEntityInterface
+{
+    use AccessTokenTrait;
+    use TokenEntityTrait;
+    use EntityTrait;
+
+    protected ?string $nonce = null;
+    protected ?\DateTimeImmutable $authTime = null;
+
+    public function setNonce(?string $nonce): void
+    {
+        $this->nonce = $nonce;
+    }
+
+    public function getNonce(): ?string
+    {
+        return $this->nonce;
+    }
+
+    public function setAuthTime(?\DateTimeImmutable $authTime): void
+    {
+        $this->authTime = $authTime;
+    }
+
+    public function getAuthTime(): ?\DateTimeImmutable
+    {
+        return $this->authTime;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Entity/AuthCodeEntity.php b/extensions/oauth-provider/src/Server/Entity/AuthCodeEntity.php
new file mode 100644
index 0000000000..e36d21fe94
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Entity/AuthCodeEntity.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Entity;
+
+use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\Traits\AuthCodeTrait;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+
+class AuthCodeEntity implements AuthCodeEntityInterface
+{
+    use AuthCodeTrait;
+    use TokenEntityTrait;
+    use EntityTrait;
+
+    protected ?string $nonce = null;
+    protected ?\DateTimeImmutable $authTime = null;
+
+    public function setNonce(?string $nonce): void
+    {
+        $this->nonce = $nonce;
+    }
+
+    public function getNonce(): ?string
+    {
+        return $this->nonce;
+    }
+
+    public function setAuthTime(?\DateTimeImmutable $authTime): void
+    {
+        $this->authTime = $authTime;
+    }
+
+    public function getAuthTime(): ?\DateTimeImmutable
+    {
+        return $this->authTime;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Entity/ClientEntity.php b/extensions/oauth-provider/src/Server/Entity/ClientEntity.php
new file mode 100644
index 0000000000..406e432cc4
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Entity/ClientEntity.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Entity;
+
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Traits\ClientTrait;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+
+class ClientEntity implements ClientEntityInterface
+{
+    use EntityTrait;
+    use ClientTrait;
+
+    public function setName(string $name): void
+    {
+        $this->name = $name;
+    }
+
+    public function setRedirectUri(array|string $uri): void
+    {
+        $this->redirectUri = $uri;
+    }
+
+    public function setConfidential(bool $confidential): void
+    {
+        $this->isConfidential = $confidential;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Entity/RefreshTokenEntity.php b/extensions/oauth-provider/src/Server/Entity/RefreshTokenEntity.php
new file mode 100644
index 0000000000..7a003a627b
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Entity/RefreshTokenEntity.php
@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Entity;
+
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\RefreshTokenTrait;
+
+class RefreshTokenEntity implements RefreshTokenEntityInterface
+{
+    use RefreshTokenTrait;
+    use EntityTrait;
+}
diff --git a/extensions/oauth-provider/src/Server/Entity/ScopeEntity.php b/extensions/oauth-provider/src/Server/Entity/ScopeEntity.php
new file mode 100644
index 0000000000..5b69701dce
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Entity/ScopeEntity.php
@@ -0,0 +1,23 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Entity;
+
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+
+class ScopeEntity implements ScopeEntityInterface
+{
+    use EntityTrait;
+
+    public function jsonSerialize(): mixed
+    {
+        return $this->getIdentifier();
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Entity/UserEntity.php b/extensions/oauth-provider/src/Server/Entity/UserEntity.php
new file mode 100644
index 0000000000..72dc45158d
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Entity/UserEntity.php
@@ -0,0 +1,18 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Entity;
+
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\UserEntityInterface;
+
+class UserEntity implements UserEntityInterface
+{
+    use EntityTrait;
+}
diff --git a/extensions/oauth-provider/src/Server/Grant/OidcAuthCodeGrant.php b/extensions/oauth-provider/src/Server/Grant/OidcAuthCodeGrant.php
new file mode 100644
index 0000000000..bbc5f5f5c5
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Grant/OidcAuthCodeGrant.php
@@ -0,0 +1,89 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Grant;
+
+use DateInterval;
+use DateTimeImmutable;
+use Flarum\OAuthProvider\Models\AccessToken as AccessTokenModel;
+use Flarum\OAuthProvider\Models\AuthCode as AuthCodeModel;
+use League\OAuth2\Server\Grant\AuthCodeGrant;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+/**
+ * Authorization code grant with OIDC-required nonce + auth_time propagation.
+ *
+ * The base league/oauth2-server grant doesn't know about OIDC. This subclass
+ * stores the nonce + authentication time on both the auth code and the access
+ * token rows so the ID token issued on code exchange can include them as
+ * required by OpenID Connect Core 1.0 §3.1.3.7 and §2.
+ *
+ * Nonce lifecycle:
+ * - Authorize: the controller reads `nonce` from the query and stores it on
+ *   the auth code row *after* the parent grant has created the row.
+ * - Token exchange: the parent grant creates a new access token; we then copy
+ *   nonce + auth_time from the auth code row onto the access token row, keyed
+ *   by the auth_code_id we extract from the decrypted code payload.
+ * - ID token: the response type reads nonce + auth_time from the access token
+ *   row when building claims.
+ */
+class OidcAuthCodeGrant extends AuthCodeGrant
+{
+    public function respondToAccessTokenRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        DateInterval $accessTokenTTL
+    ) {
+        $response = parent::respondToAccessTokenRequest($request, $responseType, $accessTokenTTL);
+
+        // After the parent has successfully minted an access token, copy
+        // nonce + auth_time from the exchanged auth code onto it.
+        $encryptedAuthCode = $this->getRequestParameter('code', $request, null);
+
+        if (! is_string($encryptedAuthCode)) {
+            return $response;
+        }
+
+        try {
+            $payload = json_decode($this->decrypt($encryptedAuthCode), true);
+        } catch (\Throwable) {
+            return $response;
+        }
+
+        if (! is_array($payload) || empty($payload['auth_code_id'])) {
+            return $response;
+        }
+
+        /** @var AuthCodeModel|null $authCode */
+        $authCode = AuthCodeModel::query()->find($payload['auth_code_id']);
+
+        if ($authCode === null) {
+            return $response;
+        }
+
+        // The access token that was just persisted. There should be exactly
+        // one non-revoked access token freshly issued for this user/client in
+        // the last moment — find the newest one.
+        /** @var AccessTokenModel|null $accessToken */
+        $accessToken = AccessTokenModel::query()
+            ->where('user_id', $authCode->user_id)
+            ->where('client_id', $authCode->client_id)
+            ->orderByDesc('created_at')
+            ->first();
+
+        if ($accessToken !== null) {
+            $accessToken->nonce = $authCode->nonce;
+            $accessToken->auth_time = $authCode->auth_time ?? new DateTimeImmutable();
+            $accessToken->save();
+        }
+
+        return $response;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/IdTokenBuilder.php b/extensions/oauth-provider/src/Server/IdTokenBuilder.php
new file mode 100644
index 0000000000..3b2558ac11
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/IdTokenBuilder.php
@@ -0,0 +1,100 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server;
+
+use DateTimeImmutable;
+use Flarum\Http\UrlGenerator;
+use Flarum\OAuthProvider\KeyManager;
+use Flarum\OAuthProvider\Models\AccessToken as AccessTokenModel;
+use Flarum\User\UserRepository;
+use Lcobucci\JWT\Configuration;
+use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+
+/**
+ * Builds OpenID Connect ID tokens per OIDC Core 1.0 §2.
+ *
+ * Issued when the `openid` scope was granted. Signed with the same RSA private
+ * key used for access tokens (RS256), so the same JWKS entry verifies both.
+ */
+class IdTokenBuilder
+{
+    public function __construct(
+        protected KeyManager $keys,
+        protected UrlGenerator $url,
+        protected UserRepository $users,
+    ) {
+    }
+
+    /**
+     * @return string|null The serialized JWT, or null if no `openid` scope was granted.
+     */
+    public function build(AccessTokenEntityInterface $accessToken): ?string
+    {
+        $scopes = array_map(fn ($s) => $s->getIdentifier(), $accessToken->getScopes());
+
+        if (! in_array('openid', $scopes, true)) {
+            return null;
+        }
+
+        /** @var AccessTokenModel|null $persisted */
+        $persisted = AccessTokenModel::query()->find($accessToken->getIdentifier());
+
+        $config = Configuration::forAsymmetricSigner(
+            new Sha256(),
+            InMemory::plainText($this->keys->privateKey()->getKeyContents()),
+            InMemory::plainText($this->keys->publicKey()->getKeyContents()),
+        );
+
+        $now = new DateTimeImmutable();
+        $expiry = $accessToken->getExpiryDateTime();
+
+        $builder = $config->builder()
+            ->issuedBy($this->issuer())
+            ->relatedTo((string) $accessToken->getUserIdentifier())
+            ->permittedFor($accessToken->getClient()->getIdentifier())
+            ->issuedAt($now)
+            ->expiresAt($expiry instanceof DateTimeImmutable ? $expiry : DateTimeImmutable::createFromMutable($expiry));
+
+        if ($persisted?->nonce) {
+            $builder = $builder->withClaim('nonce', $persisted->nonce);
+        }
+
+        if ($persisted?->auth_time) {
+            $builder = $builder->withClaim('auth_time', $persisted->auth_time->getTimestamp());
+        }
+
+        // Profile / email claims are mirrored into the ID token when those
+        // scopes are granted, per OIDC Core 1.0 §5.4.
+        if ((int) $accessToken->getUserIdentifier() > 0) {
+            $user = $this->users->findOrFail((int) $accessToken->getUserIdentifier());
+
+            if (in_array('profile', $scopes, true)) {
+                $builder = $builder
+                    ->withClaim('name', $user->display_name)
+                    ->withClaim('picture', $user->avatar_url);
+            }
+
+            if (in_array('email', $scopes, true)) {
+                $builder = $builder
+                    ->withClaim('email', $user->email)
+                    ->withClaim('email_verified', (bool) $user->is_email_confirmed);
+            }
+        }
+
+        return $builder->getToken($config->signer(), $config->signingKey())->toString();
+    }
+
+    public function issuer(): string
+    {
+        return rtrim($this->url->to('forum')->base(), '/');
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Repository/AccessTokenRepository.php b/extensions/oauth-provider/src/Server/Repository/AccessTokenRepository.php
new file mode 100644
index 0000000000..30a028ecdd
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Repository/AccessTokenRepository.php
@@ -0,0 +1,76 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Repository;
+
+use Carbon\Carbon;
+use Flarum\OAuthProvider\Models\AccessToken;
+use Flarum\OAuthProvider\Server\Entity\AccessTokenEntity;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+
+class AccessTokenRepository implements AccessTokenRepositoryInterface
+{
+    public function getNewToken(
+        ClientEntityInterface $clientEntity,
+        array $scopes,
+        $userIdentifier = null
+    ): AccessTokenEntityInterface {
+        $token = new AccessTokenEntity();
+        $token->setClient($clientEntity);
+
+        foreach ($scopes as $scope) {
+            $token->addScope($scope);
+        }
+
+        if ($userIdentifier !== null) {
+            $token->setUserIdentifier($userIdentifier);
+        }
+
+        return $token;
+    }
+
+    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity): void
+    {
+        if (AccessToken::query()->where('id', $accessTokenEntity->getIdentifier())->exists()) {
+            throw UniqueTokenIdentifierConstraintViolationException::create();
+        }
+
+        $scopes = array_map(fn ($scope) => $scope->getIdentifier(), $accessTokenEntity->getScopes());
+
+        AccessToken::query()->create([
+            'id' => $accessTokenEntity->getIdentifier(),
+            'client_id' => $accessTokenEntity->getClient()->getIdentifier(),
+            'user_id' => (int) $accessTokenEntity->getUserIdentifier(),
+            'scopes' => $scopes,
+            'revoked' => false,
+            'expires_at' => Carbon::instance($accessTokenEntity->getExpiryDateTime()),
+            'created_at' => Carbon::now(),
+        ]);
+    }
+
+    public function revokeAccessToken($tokenId): void
+    {
+        AccessToken::query()->where('id', $tokenId)->update(['revoked' => true]);
+    }
+
+    public function isAccessTokenRevoked($tokenId): bool
+    {
+        /** @var AccessToken|null $token */
+        $token = AccessToken::query()->where('id', $tokenId)->first();
+
+        if ($token === null) {
+            return true;
+        }
+
+        return (bool) $token->revoked;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Repository/AuthCodeRepository.php b/extensions/oauth-provider/src/Server/Repository/AuthCodeRepository.php
new file mode 100644
index 0000000000..ac4a8c38e1
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Repository/AuthCodeRepository.php
@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Repository;
+
+use Carbon\Carbon;
+use Flarum\OAuthProvider\Models\AuthCode;
+use Flarum\OAuthProvider\Server\Entity\AuthCodeEntity;
+use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
+use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+
+class AuthCodeRepository implements AuthCodeRepositoryInterface
+{
+    public function getNewAuthCode(): AuthCodeEntityInterface
+    {
+        return new AuthCodeEntity();
+    }
+
+    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity): void
+    {
+        if (AuthCode::query()->where('id', $authCodeEntity->getIdentifier())->exists()) {
+            throw UniqueTokenIdentifierConstraintViolationException::create();
+        }
+
+        $scopes = array_map(fn ($scope) => $scope->getIdentifier(), $authCodeEntity->getScopes());
+
+        AuthCode::query()->create([
+            'id' => $authCodeEntity->getIdentifier(),
+            'client_id' => $authCodeEntity->getClient()->getIdentifier(),
+            'user_id' => (int) $authCodeEntity->getUserIdentifier(),
+            'scopes' => $scopes,
+            'revoked' => false,
+            'expires_at' => Carbon::instance($authCodeEntity->getExpiryDateTime()),
+            'created_at' => Carbon::now(),
+        ]);
+    }
+
+    public function revokeAuthCode($codeId): void
+    {
+        AuthCode::query()->where('id', $codeId)->update(['revoked' => true]);
+    }
+
+    public function isAuthCodeRevoked($codeId): bool
+    {
+        /** @var AuthCode|null $code */
+        $code = AuthCode::query()->where('id', $codeId)->first();
+
+        if ($code === null) {
+            return true;
+        }
+
+        return (bool) $code->revoked;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Repository/ClientRepository.php b/extensions/oauth-provider/src/Server/Repository/ClientRepository.php
new file mode 100644
index 0000000000..a4eb53e8d8
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Repository/ClientRepository.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Repository;
+
+use Flarum\OAuthProvider\Models\Client;
+use Flarum\OAuthProvider\Server\Entity\ClientEntity;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+
+class ClientRepository implements ClientRepositoryInterface
+{
+    public function getClientEntity($clientIdentifier): ?ClientEntityInterface
+    {
+        /** @var Client|null $client */
+        $client = Client::query()
+            ->where('id', $clientIdentifier)
+            ->where('revoked', false)
+            ->first();
+
+        if ($client === null) {
+            return null;
+        }
+
+        return $this->buildEntity($client);
+    }
+
+    public function validateClient($clientIdentifier, $clientSecret, $grantType): bool
+    {
+        /** @var Client|null $client */
+        $client = Client::query()
+            ->where('id', $clientIdentifier)
+            ->where('revoked', false)
+            ->first();
+
+        if ($client === null) {
+            return false;
+        }
+
+        if ($client->confidential) {
+            if ($clientSecret === null || $clientSecret === '') {
+                return false;
+            }
+
+            return hash_equals((string) $client->secret, hash('sha256', $clientSecret));
+        }
+
+        return true;
+    }
+
+    private function buildEntity(Client $client): ClientEntity
+    {
+        $entity = new ClientEntity();
+        $entity->setIdentifier($client->id);
+        $entity->setName($client->name);
+        $entity->setRedirectUri((array) $client->redirect_uris);
+        $entity->setConfidential((bool) $client->confidential);
+
+        return $entity;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Repository/RefreshTokenRepository.php b/extensions/oauth-provider/src/Server/Repository/RefreshTokenRepository.php
new file mode 100644
index 0000000000..b201064ffb
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Repository/RefreshTokenRepository.php
@@ -0,0 +1,57 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Repository;
+
+use Carbon\Carbon;
+use Flarum\OAuthProvider\Models\RefreshToken;
+use Flarum\OAuthProvider\Server\Entity\RefreshTokenEntity;
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+
+class RefreshTokenRepository implements RefreshTokenRepositoryInterface
+{
+    public function getNewRefreshToken(): ?RefreshTokenEntityInterface
+    {
+        return new RefreshTokenEntity();
+    }
+
+    public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity): void
+    {
+        if (RefreshToken::query()->where('id', $refreshTokenEntity->getIdentifier())->exists()) {
+            throw UniqueTokenIdentifierConstraintViolationException::create();
+        }
+
+        RefreshToken::query()->create([
+            'id' => $refreshTokenEntity->getIdentifier(),
+            'access_token_id' => $refreshTokenEntity->getAccessToken()->getIdentifier(),
+            'revoked' => false,
+            'expires_at' => Carbon::instance($refreshTokenEntity->getExpiryDateTime()),
+            'created_at' => Carbon::now(),
+        ]);
+    }
+
+    public function revokeRefreshToken($tokenId): void
+    {
+        RefreshToken::query()->where('id', $tokenId)->update(['revoked' => true]);
+    }
+
+    public function isRefreshTokenRevoked($tokenId): bool
+    {
+        /** @var RefreshToken|null $token */
+        $token = RefreshToken::query()->where('id', $tokenId)->first();
+
+        if ($token === null) {
+            return true;
+        }
+
+        return (bool) $token->revoked;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Repository/ScopeRepository.php b/extensions/oauth-provider/src/Server/Repository/ScopeRepository.php
new file mode 100644
index 0000000000..ce0f43e42e
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Repository/ScopeRepository.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Repository;
+
+use Flarum\OAuthProvider\Scope\ScopeRegistry;
+use Flarum\OAuthProvider\Server\Entity\ScopeEntity;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+
+class ScopeRepository implements ScopeRepositoryInterface
+{
+    public function __construct(protected ScopeRegistry $scopes)
+    {
+    }
+
+    public function getScopeEntityByIdentifier($identifier): ?ScopeEntityInterface
+    {
+        if (! $this->scopes->has($identifier)) {
+            return null;
+        }
+
+        $entity = new ScopeEntity();
+        $entity->setIdentifier($identifier);
+
+        return $entity;
+    }
+
+    public function finalizeScopes(
+        array $scopes,
+        $grantType,
+        ClientEntityInterface $clientEntity,
+        $userIdentifier = null
+    ): array {
+        return $scopes;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/Repository/UserRepository.php b/extensions/oauth-provider/src/Server/Repository/UserRepository.php
new file mode 100644
index 0000000000..60295d37cf
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/Repository/UserRepository.php
@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\Repository;
+
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\UserEntityInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+
+/**
+ * Required by league/oauth2-server for the password grant.
+ *
+ * We don't enable the password grant — only authorization code + refresh token — so
+ * this exists purely to satisfy the interface. It always rejects.
+ */
+class UserRepository implements UserRepositoryInterface
+{
+    public function getUserEntityByUserCredentials(
+        $username,
+        $password,
+        $grantType,
+        ClientEntityInterface $clientEntity
+    ): ?UserEntityInterface {
+        return null;
+    }
+}
diff --git a/extensions/oauth-provider/src/Server/ResponseType/IdTokenResponse.php b/extensions/oauth-provider/src/Server/ResponseType/IdTokenResponse.php
new file mode 100644
index 0000000000..7b779698be
--- /dev/null
+++ b/extensions/oauth-provider/src/Server/ResponseType/IdTokenResponse.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Server\ResponseType;
+
+use Flarum\OAuthProvider\Server\IdTokenBuilder;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
+
+/**
+ * Extends the standard bearer token response to include an `id_token` in the
+ * token endpoint response when the `openid` scope was granted. Required by
+ * OpenID Connect Core 1.0 §3.1.3.3.
+ */
+class IdTokenResponse extends BearerTokenResponse
+{
+    public function __construct(protected IdTokenBuilder $builder)
+    {
+    }
+
+    protected function getExtraParams(AccessTokenEntityInterface $accessToken): array
+    {
+        $idToken = $this->builder->build($accessToken);
+
+        if ($idToken === null) {
+            return [];
+        }
+
+        return ['id_token' => $idToken];
+    }
+}
diff --git a/extensions/oauth-provider/tests/.phpunit.cache/test-results b/extensions/oauth-provider/tests/.phpunit.cache/test-results
new file mode 100644
index 0000000000..8feff24951
--- /dev/null
+++ b/extensions/oauth-provider/tests/.phpunit.cache/test-results
@@ -0,0 +1 @@
+{"version":2,"defects":{"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::admin_can_list_clients":8,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::normal_user_cannot_rotate_client_secret":8,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::admin_can_update_client":7,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::admin_can_rotate_client_secret":8,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::rotate_rejects_public_clients":8,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::admin_can_delete_client":8,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::missing_client_id_returns_error":8,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::unknown_client_id_returns_error":8,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::guest_is_redirected_to_login":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::logged_in_user_sees_consent_screen":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::approving_consent_redirects_with_auth_code":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::denying_consent_redirects_with_error":8,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::approval_persists_consent_record":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::denial_does_not_persist_consent_record":8,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::existing_consent_skips_consent_screen":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::existing_consent_not_covering_requested_scopes_still_shows_consent_screen":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::revoked_consent_still_shows_consent_screen":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::prompt_consent_forces_re_prompt_even_when_consent_exists":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::second_approval_merges_scopes_into_existing_consent":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::revoked_client_is_rejected":8,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::valid_auth_code_exchanges_for_access_token":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::wrong_client_secret_is_rejected":8,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::auth_code_cannot_be_reused":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::refresh_token_returns_new_access_token":8,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::userinfo_returns_profile_for_valid_access_token":8,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::userinfo_without_token_is_rejected":8,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\IdTokenTest::id_token_contains_required_claims":7,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::max_age_zero_forces_re_auth_even_for_logged_in_user":7},"times":{"Flarum\\OAuthProvider\\Tests\\unit\\ClientModelTest::hasRedirectUri_matches_exact_uri":0.013,"Flarum\\OAuthProvider\\Tests\\unit\\ClientModelTest::hasRedirectUri_rejects_non_matching_uri":0,"Flarum\\OAuthProvider\\Tests\\unit\\ClientModelTest::secret_is_hidden_from_serialization":0.002,"Flarum\\OAuthProvider\\Tests\\unit\\ScopeRegistryTest::registered_scope_is_reported_as_present":0.001,"Flarum\\OAuthProvider\\Tests\\unit\\ScopeRegistryTest::unregistered_scope_is_not_present":0,"Flarum\\OAuthProvider\\Tests\\unit\\ScopeRegistryTest::all_returns_registered_scopes":0,"Flarum\\OAuthProvider\\Tests\\unit\\ScopeRegistryTest::re_registering_overwrites_description":0,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::guest_cannot_list_clients":0.165,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::admin_can_list_clients":0.072,"Flarum\\OAuthProvider\\Tests\\unit\\ConsentModelTest::covers_returns_true_when_all_requested_scopes_are_granted":0.001,"Flarum\\OAuthProvider\\Tests\\unit\\ConsentModelTest::covers_returns_false_when_any_requested_scope_is_missing":0,"Flarum\\OAuthProvider\\Tests\\unit\\ConsentModelTest::covers_returns_true_for_empty_request":0,"Flarum\\OAuthProvider\\Tests\\unit\\ConsentModelTest::covers_returns_false_when_consent_has_no_scopes":0,"Flarum\\OAuthProvider\\Tests\\unit\\ConsentModelTest::covers_returns_true_when_both_consent_and_request_are_empty":0,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::normal_user_cannot_list_clients":0.068,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::normal_user_cannot_rotate_client_secret":0.057,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::admin_can_create_confidential_client_and_receives_plain_secret":0.072,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::public_client_has_no_secret":0.066,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::admin_can_update_client":0.074,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::admin_can_rotate_client_secret":0.064,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::rotate_rejects_public_clients":0.062,"Flarum\\OAuthProvider\\Tests\\integration\\api\\ClientCrudTest::admin_can_delete_client":0.06,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::missing_client_id_returns_error":0.088,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::unknown_client_id_returns_error":0.124,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::guest_is_redirected_to_login":0.076,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::logged_in_user_sees_consent_screen":0.167,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::approving_consent_redirects_with_auth_code":0.123,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::denying_consent_redirects_with_error":0.152,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::approval_persists_consent_record":0.138,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::denial_does_not_persist_consent_record":0.162,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::existing_consent_skips_consent_screen":0.147,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::existing_consent_not_covering_requested_scopes_still_shows_consent_screen":0.151,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::revoked_consent_still_shows_consent_screen":0.157,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::prompt_consent_forces_re_prompt_even_when_consent_exists":0.146,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::second_approval_merges_scopes_into_existing_consent":0.154,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::revoked_client_is_rejected":0.186,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::valid_auth_code_exchanges_for_access_token":0.279,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::wrong_client_secret_is_rejected":0.174,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::auth_code_cannot_be_reused":0.156,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::refresh_token_returns_new_access_token":0.222,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::userinfo_returns_profile_for_valid_access_token":0.162,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\TokenExchangeTest::userinfo_without_token_is_rejected":0.086,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\IdTokenTest::id_token_issued_when_openid_scope_granted":0.152,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\IdTokenTest::id_token_contains_required_claims":0.188,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\IdTokenTest::id_token_echoes_nonce_from_authorize_request":0.144,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\IdTokenTest::id_token_omits_nonce_when_not_requested":0.172,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\IdTokenTest::id_token_includes_profile_claims_when_profile_scope_granted":0.225,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\IdTokenTest::id_token_includes_email_claims_when_email_scope_granted":0.181,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\IdTokenTest::no_id_token_when_openid_scope_not_granted":0.219,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\OidcDiscoveryTest::discovery_document_has_required_fields":0.063,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\OidcDiscoveryTest::discovery_endpoints_all_absolute_urls":0.061,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\OidcDiscoveryTest::discovery_advertises_registered_scopes":0.073,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\OidcDiscoveryTest::jwks_returns_valid_rsa_key":0.093,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::max_age_zero_forces_re_auth_even_for_logged_in_user":0.249,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::max_age_larger_than_session_age_is_satisfied":0.173,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\AuthorizeEndpointTest::prompt_login_forces_re_auth_even_for_logged_in_user":0.202,"Flarum\\OAuthProvider\\Tests\\integration\\forum\\IdTokenTest::auth_time_reflects_real_session_start_not_now":0.173}}
\ No newline at end of file
diff --git a/extensions/oauth-provider/tests/integration/api/ClientCrudTest.php b/extensions/oauth-provider/tests/integration/api/ClientCrudTest.php
new file mode 100644
index 0000000000..04d516e276
--- /dev/null
+++ b/extensions/oauth-provider/tests/integration/api/ClientCrudTest.php
@@ -0,0 +1,296 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Tests\integration\api;
+
+use Carbon\Carbon;
+use Flarum\OAuthProvider\Models\Client;
+use Flarum\Testing\integration\RetrievesAuthorizedUsers;
+use Flarum\Testing\integration\TestCase;
+use Flarum\User\User;
+use PHPUnit\Framework\Attributes\Test;
+
+class ClientCrudTest extends TestCase
+{
+    use RetrievesAuthorizedUsers;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        $this->extension('flarum-oauth-provider');
+
+        $now = Carbon::now()->toDateTimeString();
+
+        $this->prepareDatabase([
+            User::class => [
+                $this->normalUser(),
+            ],
+            'oauth_provider_clients' => [
+                [
+                    'id' => 'existing-client',
+                    'name' => 'Existing',
+                    'secret' => null,
+                    'redirect_uris' => json_encode(['https://example.com/cb']),
+                    'scopes' => null,
+                    'confidential' => 1,
+                    'revoked' => 0,
+                    'created_at' => $now,
+                ],
+                [
+                    'id' => 'client-to-update',
+                    'name' => 'Old Name',
+                    'secret' => null,
+                    'redirect_uris' => json_encode(['https://example.com/cb']),
+                    'scopes' => null,
+                    'confidential' => 1,
+                    'revoked' => 0,
+                    'created_at' => $now,
+                ],
+                [
+                    'id' => 'client-to-rotate',
+                    'name' => 'Rotate Me',
+                    'secret' => hash('sha256', 'original-secret'),
+                    'redirect_uris' => json_encode(['https://example.com/cb']),
+                    'scopes' => null,
+                    'confidential' => 1,
+                    'revoked' => 0,
+                    'created_at' => $now,
+                ],
+                [
+                    'id' => 'public-client',
+                    'name' => 'Public',
+                    'secret' => null,
+                    'redirect_uris' => json_encode(['https://example.com/cb']),
+                    'scopes' => null,
+                    'confidential' => 0,
+                    'revoked' => 0,
+                    'created_at' => $now,
+                ],
+                [
+                    'id' => 'protected-client',
+                    'name' => 'Protected',
+                    'secret' => hash('sha256', 'x'),
+                    'redirect_uris' => json_encode(['https://example.com/cb']),
+                    'scopes' => null,
+                    'confidential' => 1,
+                    'revoked' => 0,
+                    'created_at' => $now,
+                ],
+                [
+                    'id' => 'client-to-delete',
+                    'name' => 'Delete Me',
+                    'secret' => null,
+                    'redirect_uris' => json_encode(['https://example.com/cb']),
+                    'scopes' => null,
+                    'confidential' => 1,
+                    'revoked' => 0,
+                    'created_at' => $now,
+                ],
+            ],
+        ]);
+    }
+
+    #[Test]
+    public function guest_cannot_list_clients(): void
+    {
+        $response = $this->send(
+            $this->request('GET', '/api/oauth-provider-clients')
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(401, $response->getStatusCode());
+    }
+
+    #[Test]
+    public function normal_user_cannot_list_clients(): void
+    {
+        $response = $this->send(
+            $this->request('GET', '/api/oauth-provider-clients', ['authenticatedAs' => 2])
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(403, $response->getStatusCode());
+    }
+
+    #[Test]
+    public function admin_can_list_clients(): void
+    {
+        $response = $this->send(
+            $this->request('GET', '/api/oauth-provider-clients', ['authenticatedAs' => 1])
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+        $body = json_decode($response->getBody()->getContents(), true);
+        $this->assertGreaterThanOrEqual(1, count($body['data']));
+
+        $names = array_map(fn ($row) => $row['attributes']['name'], $body['data']);
+        $this->assertContains('Existing', $names);
+    }
+
+    #[Test]
+    public function admin_can_create_confidential_client_and_receives_plain_secret(): void
+    {
+        $response = $this->send(
+            $this->request('POST', '/api/oauth-provider-clients', [
+                'authenticatedAs' => 1,
+                'json' => [
+                    'data' => [
+                        'type' => 'oauth-provider-clients',
+                        'attributes' => [
+                            'name' => 'Test App',
+                            'redirectUris' => ['https://testapp.example.com/callback'],
+                            'scopes' => ['openid', 'profile'],
+                            'confidential' => true,
+                        ],
+                    ],
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(201, $response->getStatusCode());
+        $body = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertNotEmpty($body['data']['id']);
+        $this->assertEquals('Test App', $body['data']['attributes']['name']);
+        $this->assertTrue($body['data']['attributes']['confidential']);
+        $this->assertIsString($body['data']['attributes']['plainSecret']);
+        $this->assertNotEmpty($body['data']['attributes']['plainSecret']);
+
+        /** @var Client $client */
+        $client = Client::query()->find($body['data']['id']);
+        $this->assertNotNull($client);
+
+        // Secret stored on the model is a sha256 hash of the plain secret we returned.
+        $this->assertEquals(
+            hash('sha256', $body['data']['attributes']['plainSecret']),
+            $client->secret
+        );
+    }
+
+    #[Test]
+    public function public_client_has_no_secret(): void
+    {
+        $response = $this->send(
+            $this->request('POST', '/api/oauth-provider-clients', [
+                'authenticatedAs' => 1,
+                'json' => [
+                    'data' => [
+                        'type' => 'oauth-provider-clients',
+                        'attributes' => [
+                            'name' => 'Public App',
+                            'redirectUris' => ['https://spa.example.com/callback'],
+                            'confidential' => false,
+                        ],
+                    ],
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(201, $response->getStatusCode());
+        $body = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertFalse($body['data']['attributes']['confidential']);
+        $this->assertNull($body['data']['attributes']['plainSecret']);
+
+        /** @var Client $client */
+        $client = Client::query()->find($body['data']['id']);
+        $this->assertNull($client->secret);
+    }
+
+    #[Test]
+    public function admin_can_update_client(): void
+    {
+        $response = $this->send(
+            $this->request('PATCH', '/api/oauth-provider-clients/client-to-update', [
+                'authenticatedAs' => 1,
+                'json' => [
+                    'data' => [
+                        'type' => 'oauth-provider-clients',
+                        'id' => 'client-to-update',
+                        'attributes' => [
+                            'name' => 'New Name',
+                            'revoked' => true,
+                        ],
+                    ],
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+
+        /** @var Client $client */
+        $client = Client::query()->find('client-to-update');
+        $this->assertEquals('New Name', $client->name);
+        $this->assertTrue($client->revoked);
+    }
+
+    #[Test]
+    public function admin_can_rotate_client_secret(): void
+    {
+        $oldHash = hash('sha256', 'original-secret');
+
+        $response = $this->send(
+            $this->request('POST', '/api/oauth-provider-clients/client-to-rotate/rotate-secret', [
+                'authenticatedAs' => 1,
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+        $body = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertIsString($body['data']['attributes']['plainSecret']);
+        $this->assertNotEmpty($body['data']['attributes']['plainSecret']);
+
+        /** @var Client $client */
+        $client = Client::query()->find('client-to-rotate');
+        $this->assertNotEquals($oldHash, $client->secret);
+        $this->assertEquals(
+            hash('sha256', $body['data']['attributes']['plainSecret']),
+            $client->secret
+        );
+    }
+
+    #[Test]
+    public function rotate_rejects_public_clients(): void
+    {
+        $response = $this->send(
+            $this->request('POST', '/api/oauth-provider-clients/public-client/rotate-secret', [
+                'authenticatedAs' => 1,
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(422, $response->getStatusCode());
+    }
+
+    #[Test]
+    public function normal_user_cannot_rotate_client_secret(): void
+    {
+        $response = $this->send(
+            $this->request('POST', '/api/oauth-provider-clients/protected-client/rotate-secret', [
+                'authenticatedAs' => 2,
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(403, $response->getStatusCode());
+    }
+
+    #[Test]
+    public function admin_can_delete_client(): void
+    {
+        $response = $this->send(
+            $this->request('DELETE', '/api/oauth-provider-clients/client-to-delete', ['authenticatedAs' => 1])
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(204, $response->getStatusCode());
+        $this->assertNull(Client::query()->find('client-to-delete'));
+    }
+}
diff --git a/extensions/oauth-provider/tests/integration/forum/AuthorizeEndpointTest.php b/extensions/oauth-provider/tests/integration/forum/AuthorizeEndpointTest.php
new file mode 100644
index 0000000000..55a5ecbaef
--- /dev/null
+++ b/extensions/oauth-provider/tests/integration/forum/AuthorizeEndpointTest.php
@@ -0,0 +1,381 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Tests\integration\forum;
+
+use Carbon\Carbon;
+use Flarum\Extend;
+use Flarum\OAuthProvider\Models\Client;
+use Flarum\OAuthProvider\Models\Consent;
+use Flarum\Testing\integration\RetrievesAuthorizedUsers;
+use Flarum\Testing\integration\TestCase;
+use Flarum\User\User;
+use PHPUnit\Framework\Attributes\Test;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class AuthorizeEndpointTest extends TestCase
+{
+    use RetrievesAuthorizedUsers;
+
+    protected const DEFAULT_QUERY = [
+        'client_id' => 'test-client',
+        'response_type' => 'code',
+        'redirect_uri' => 'https://testapp.example.com/callback',
+        'scope' => 'openid profile',
+        'state' => 'xyz',
+    ];
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        $this->extend(
+            (new Extend\Csrf())
+                ->exemptRoute('login')
+                ->exemptRoute('oauthProvider.authorize')
+                ->exemptRoute('oauthProvider.authorize.post')
+        );
+
+        $this->extension('flarum-oauth-provider');
+
+        $this->prepareDatabase([
+            User::class => [
+                $this->normalUser(),
+            ],
+            'oauth_provider_clients' => [
+                [
+                    'id' => 'test-client',
+                    'name' => 'Test Application',
+                    'secret' => hash('sha256', 'test-secret'),
+                    'redirect_uris' => json_encode(['https://testapp.example.com/callback']),
+                    'scopes' => json_encode(['openid', 'profile', 'email']),
+                    'confidential' => 1,
+                    'revoked' => 0,
+                    'created_at' => Carbon::now()->toDateTimeString(),
+                ],
+            ],
+        ]);
+    }
+
+    protected function loginNormalUser(): ResponseInterface
+    {
+        $response = $this->send(
+            $this->request('POST', '/login', [
+                'json' => [
+                    'identification' => 'normal',
+                    'password' => 'too-obscure',
+                ],
+            ])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode(), 'Failed to log in');
+
+        return $response;
+    }
+
+    /**
+     * Build an authorize endpoint request with query params applied to both
+     * the URI and the PSR-7 getQueryParams() bag (which Diactoros doesn't
+     * populate from the URI string on its own).
+     */
+    protected function authorizeRequest(string $method, array $query, array $options = []): ServerRequestInterface
+    {
+        $path = '/oauth/authorize'.($query ? '?'.http_build_query($query) : '');
+
+        return $this->request($method, $path, $options)
+            ->withQueryParams($query)
+            ->withAttribute('bypassCsrfToken', true);
+    }
+
+    #[Test]
+    public function missing_client_id_returns_error(): void
+    {
+        $response = $this->send($this->authorizeRequest('GET', [
+            'response_type' => 'code',
+            'redirect_uri' => 'https://testapp.example.com/callback',
+        ]));
+
+        $this->assertGreaterThanOrEqual(400, $response->getStatusCode());
+        $this->assertLessThan(500, $response->getStatusCode());
+    }
+
+    #[Test]
+    public function unknown_client_id_returns_error(): void
+    {
+        $response = $this->send($this->authorizeRequest('GET', [
+            'client_id' => 'unknown',
+            'response_type' => 'code',
+            'redirect_uri' => 'https://testapp.example.com/callback',
+        ]));
+
+        $this->assertGreaterThanOrEqual(400, $response->getStatusCode());
+        $this->assertLessThan(500, $response->getStatusCode());
+    }
+
+    #[Test]
+    public function guest_is_redirected_to_login(): void
+    {
+        $response = $this->send($this->authorizeRequest('GET', self::DEFAULT_QUERY));
+
+        $this->assertEquals(302, $response->getStatusCode());
+        $location = $response->getHeaderLine('Location');
+        $this->assertStringContainsString('oauth_login=1', $location);
+        $this->assertStringContainsString('return_to=', $location);
+    }
+
+    #[Test]
+    public function logged_in_user_sees_consent_screen(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        $response = $this->send($this->authorizeRequest('GET', self::DEFAULT_QUERY, [
+            'cookiesFrom' => $loginResponse,
+        ]));
+
+        $this->assertEquals(200, $response->getStatusCode());
+        $body = (string) $response->getBody();
+        $this->assertStringContainsString('Test Application', $body);
+        $this->assertStringContainsString('oauth_consent_approved', $body);
+    }
+
+    #[Test]
+    public function approving_consent_redirects_with_auth_code(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        $response = $this->send($this->authorizeRequest('POST', self::DEFAULT_QUERY, [
+            'cookiesFrom' => $loginResponse,
+            'json' => ['oauth_consent_approved' => '1'],
+        ]));
+
+        $this->assertEquals(302, $response->getStatusCode());
+        $location = $response->getHeaderLine('Location');
+        $this->assertStringStartsWith('https://testapp.example.com/callback', $location);
+        $this->assertStringContainsString('code=', $location);
+        $this->assertStringContainsString('state=xyz', $location);
+    }
+
+    #[Test]
+    public function denying_consent_redirects_with_error(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        $response = $this->send($this->authorizeRequest('POST', self::DEFAULT_QUERY, [
+            'cookiesFrom' => $loginResponse,
+            'json' => ['oauth_consent_approved' => '0'],
+        ]));
+
+        $this->assertEquals(302, $response->getStatusCode());
+        $location = $response->getHeaderLine('Location');
+        $this->assertStringStartsWith('https://testapp.example.com/callback', $location);
+        $this->assertStringContainsString('error=access_denied', $location);
+    }
+
+    #[Test]
+    public function approval_persists_consent_record(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        $this->send($this->authorizeRequest('POST', self::DEFAULT_QUERY, [
+            'cookiesFrom' => $loginResponse,
+            'json' => ['oauth_consent_approved' => '1'],
+        ]));
+
+        /** @var Consent|null $consent */
+        $consent = Consent::query()->where('user_id', 2)->where('client_id', 'test-client')->first();
+        $this->assertNotNull($consent);
+        $this->assertFalse($consent->revoked);
+        $this->assertEqualsCanonicalizing(['openid', 'profile'], $consent->scopes);
+    }
+
+    #[Test]
+    public function denial_does_not_persist_consent_record(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        $this->send($this->authorizeRequest('POST', self::DEFAULT_QUERY, [
+            'cookiesFrom' => $loginResponse,
+            'json' => ['oauth_consent_approved' => '0'],
+        ]));
+
+        $this->assertEquals(0, Consent::query()->count());
+    }
+
+    #[Test]
+    public function existing_consent_skips_consent_screen(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        Consent::query()->create([
+            'user_id' => 2,
+            'client_id' => 'test-client',
+            'scopes' => ['openid', 'profile'],
+            'revoked' => false,
+            'created_at' => Carbon::now(),
+            'updated_at' => Carbon::now(),
+        ]);
+
+        $response = $this->send($this->authorizeRequest('GET', self::DEFAULT_QUERY, [
+            'cookiesFrom' => $loginResponse,
+        ]));
+
+        $this->assertEquals(302, $response->getStatusCode());
+        $location = $response->getHeaderLine('Location');
+        $this->assertStringStartsWith('https://testapp.example.com/callback', $location);
+        $this->assertStringContainsString('code=', $location);
+    }
+
+    #[Test]
+    public function existing_consent_not_covering_requested_scopes_still_shows_consent_screen(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        Consent::query()->create([
+            'user_id' => 2,
+            'client_id' => 'test-client',
+            'scopes' => ['openid'],
+            'revoked' => false,
+            'created_at' => Carbon::now(),
+            'updated_at' => Carbon::now(),
+        ]);
+
+        $response = $this->send($this->authorizeRequest('GET', [...self::DEFAULT_QUERY, 'scope' => 'openid profile email'], [
+            'cookiesFrom' => $loginResponse,
+        ]));
+
+        $this->assertEquals(200, $response->getStatusCode());
+        $this->assertStringContainsString('Test Application', (string) $response->getBody());
+    }
+
+    #[Test]
+    public function revoked_consent_still_shows_consent_screen(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        Consent::query()->create([
+            'user_id' => 2,
+            'client_id' => 'test-client',
+            'scopes' => ['openid', 'profile'],
+            'revoked' => true,
+            'created_at' => Carbon::now(),
+            'updated_at' => Carbon::now(),
+        ]);
+
+        $response = $this->send($this->authorizeRequest('GET', self::DEFAULT_QUERY, [
+            'cookiesFrom' => $loginResponse,
+        ]));
+
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    #[Test]
+    public function prompt_consent_forces_re_prompt_even_when_consent_exists(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        Consent::query()->create([
+            'user_id' => 2,
+            'client_id' => 'test-client',
+            'scopes' => ['openid', 'profile'],
+            'revoked' => false,
+            'created_at' => Carbon::now(),
+            'updated_at' => Carbon::now(),
+        ]);
+
+        $response = $this->send($this->authorizeRequest('GET', [...self::DEFAULT_QUERY, 'prompt' => 'consent'], [
+            'cookiesFrom' => $loginResponse,
+        ]));
+
+        $this->assertEquals(200, $response->getStatusCode());
+        $this->assertStringContainsString('Test Application', (string) $response->getBody());
+    }
+
+    #[Test]
+    public function second_approval_merges_scopes_into_existing_consent(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        Consent::query()->create([
+            'user_id' => 2,
+            'client_id' => 'test-client',
+            'scopes' => ['openid'],
+            'revoked' => false,
+            'created_at' => Carbon::now(),
+            'updated_at' => Carbon::now(),
+        ]);
+
+        $this->send($this->authorizeRequest('POST', [...self::DEFAULT_QUERY, 'scope' => 'profile email'], [
+            'cookiesFrom' => $loginResponse,
+            'json' => ['oauth_consent_approved' => '1'],
+        ]));
+
+        /** @var Consent $consent */
+        $consent = Consent::query()->where('user_id', 2)->where('client_id', 'test-client')->first();
+        $this->assertNotNull($consent);
+        $this->assertEqualsCanonicalizing(['openid', 'profile', 'email'], $consent->scopes);
+        $this->assertEquals(1, Consent::query()->count());
+    }
+
+    #[Test]
+    public function max_age_zero_forces_re_auth_even_for_logged_in_user(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        $response = $this->send($this->authorizeRequest('GET', [...self::DEFAULT_QUERY, 'max_age' => '0'], [
+            'cookiesFrom' => $loginResponse,
+        ]));
+
+        $this->assertEquals(302, $response->getStatusCode());
+        $location = $response->getHeaderLine('Location');
+        $this->assertStringContainsString('oauth_login=1', $location);
+    }
+
+    #[Test]
+    public function max_age_larger_than_session_age_is_satisfied(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        // Session was just created; any generous max_age lets us through.
+        $response = $this->send($this->authorizeRequest('GET', [...self::DEFAULT_QUERY, 'max_age' => '3600'], [
+            'cookiesFrom' => $loginResponse,
+        ]));
+
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    #[Test]
+    public function prompt_login_forces_re_auth_even_for_logged_in_user(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        $response = $this->send($this->authorizeRequest('GET', [...self::DEFAULT_QUERY, 'prompt' => 'login'], [
+            'cookiesFrom' => $loginResponse,
+        ]));
+
+        $this->assertEquals(302, $response->getStatusCode());
+        $location = $response->getHeaderLine('Location');
+        $this->assertStringContainsString('oauth_login=1', $location);
+    }
+
+    #[Test]
+    public function revoked_client_is_rejected(): void
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        Client::query()->where('id', 'test-client')->update(['revoked' => true]);
+
+        $response = $this->send($this->authorizeRequest('GET', self::DEFAULT_QUERY, [
+            'cookiesFrom' => $loginResponse,
+        ]));
+
+        $this->assertGreaterThanOrEqual(400, $response->getStatusCode());
+        $this->assertLessThan(500, $response->getStatusCode());
+    }
+}
diff --git a/extensions/oauth-provider/tests/integration/forum/IdTokenTest.php b/extensions/oauth-provider/tests/integration/forum/IdTokenTest.php
new file mode 100644
index 0000000000..d0cbaca7b3
--- /dev/null
+++ b/extensions/oauth-provider/tests/integration/forum/IdTokenTest.php
@@ -0,0 +1,249 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Tests\integration\forum;
+
+use Carbon\Carbon;
+use Flarum\Extend;
+use Flarum\Testing\integration\RetrievesAuthorizedUsers;
+use Flarum\Testing\integration\TestCase;
+use Flarum\User\User;
+use PHPUnit\Framework\Attributes\Test;
+use Psr\Http\Message\ResponseInterface;
+
+class IdTokenTest extends TestCase
+{
+    use RetrievesAuthorizedUsers;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        $this->extend(
+            (new Extend\Csrf())
+                ->exemptRoute('login')
+                ->exemptRoute('oauthProvider.authorize')
+                ->exemptRoute('oauthProvider.authorize.post')
+        );
+
+        $this->extension('flarum-oauth-provider');
+
+        $this->prepareDatabase([
+            User::class => [
+                $this->normalUser(),
+            ],
+            'oauth_provider_clients' => [
+                [
+                    'id' => 'test-client',
+                    'name' => 'Test Application',
+                    'secret' => hash('sha256', 'test-secret'),
+                    'redirect_uris' => json_encode(['https://testapp.example.com/callback']),
+                    'scopes' => json_encode(['openid', 'profile', 'email']),
+                    'confidential' => 1,
+                    'revoked' => 0,
+                    'created_at' => Carbon::now()->toDateTimeString(),
+                ],
+            ],
+        ]);
+    }
+
+    protected function loginNormalUser(): ResponseInterface
+    {
+        $response = $this->send(
+            $this->request('POST', '/login', [
+                'json' => [
+                    'identification' => 'normal',
+                    'password' => 'too-obscure',
+                ],
+            ])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+
+        return $response;
+    }
+
+    protected function authorizeRequest(array $query, array $options = []): \Psr\Http\Message\ServerRequestInterface
+    {
+        $path = '/oauth/authorize?'.http_build_query($query);
+
+        return $this->request('POST', $path, $options)
+            ->withQueryParams($query)
+            ->withAttribute('bypassCsrfToken', true);
+    }
+
+    protected function getAuthCode(string $scope = 'openid profile', ?string $nonce = null): string
+    {
+        $login = $this->loginNormalUser();
+
+        $query = [
+            'client_id' => 'test-client',
+            'response_type' => 'code',
+            'redirect_uri' => 'https://testapp.example.com/callback',
+            'scope' => $scope,
+            'state' => 'xyz',
+        ];
+
+        if ($nonce !== null) {
+            $query['nonce'] = $nonce;
+        }
+
+        $resp = $this->send($this->authorizeRequest($query, [
+            'cookiesFrom' => $login,
+            'json' => ['oauth_consent_approved' => '1'],
+        ]));
+
+        $this->assertEquals(302, $resp->getStatusCode());
+
+        parse_str(parse_url($resp->getHeaderLine('Location'), PHP_URL_QUERY) ?? '', $params);
+
+        return $params['code'];
+    }
+
+    protected function exchange(string $code): array
+    {
+        $resp = $this->send(
+            $this->request('POST', '/oauth/token', [
+                'json' => [
+                    'grant_type' => 'authorization_code',
+                    'client_id' => 'test-client',
+                    'client_secret' => 'test-secret',
+                    'redirect_uri' => 'https://testapp.example.com/callback',
+                    'code' => $code,
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $resp->getStatusCode());
+        $body = json_decode((string) $resp->getBody(), true);
+        $this->assertIsArray($body);
+
+        return $body;
+    }
+
+    protected function decodeJwtPayload(string $jwt): array
+    {
+        [$_, $payload] = explode('.', $jwt);
+        $decoded = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
+        $this->assertIsArray($decoded);
+
+        return $decoded;
+    }
+
+    #[Test]
+    public function id_token_issued_when_openid_scope_granted(): void
+    {
+        $code = $this->getAuthCode('openid profile email');
+        $tokens = $this->exchange($code);
+
+        $this->assertArrayHasKey('id_token', $tokens);
+        $this->assertIsString($tokens['id_token']);
+        $this->assertEquals(2, substr_count($tokens['id_token'], '.'));
+    }
+
+    #[Test]
+    public function id_token_contains_required_claims(): void
+    {
+        $code = $this->getAuthCode('openid');
+        $tokens = $this->exchange($code);
+
+        $claims = $this->decodeJwtPayload($tokens['id_token']);
+
+        $this->assertArrayHasKey('iss', $claims);
+        $this->assertArrayHasKey('sub', $claims);
+        $this->assertArrayHasKey('aud', $claims);
+        $this->assertArrayHasKey('exp', $claims);
+        $this->assertArrayHasKey('iat', $claims);
+        $this->assertArrayHasKey('auth_time', $claims);
+
+        $this->assertEquals('2', $claims['sub']);
+        $this->assertEquals('test-client', $claims['aud']);
+    }
+
+    #[Test]
+    public function id_token_echoes_nonce_from_authorize_request(): void
+    {
+        $nonce = 'n-0S6_WzA2Mj';
+        $code = $this->getAuthCode('openid', $nonce);
+        $tokens = $this->exchange($code);
+
+        $claims = $this->decodeJwtPayload($tokens['id_token']);
+
+        $this->assertArrayHasKey('nonce', $claims);
+        $this->assertEquals($nonce, $claims['nonce']);
+    }
+
+    #[Test]
+    public function id_token_omits_nonce_when_not_requested(): void
+    {
+        $code = $this->getAuthCode('openid');
+        $tokens = $this->exchange($code);
+
+        $claims = $this->decodeJwtPayload($tokens['id_token']);
+
+        $this->assertArrayNotHasKey('nonce', $claims);
+    }
+
+    #[Test]
+    public function id_token_includes_profile_claims_when_profile_scope_granted(): void
+    {
+        $code = $this->getAuthCode('openid profile');
+        $tokens = $this->exchange($code);
+
+        $claims = $this->decodeJwtPayload($tokens['id_token']);
+
+        $this->assertArrayHasKey('name', $claims);
+        $this->assertEquals('normal', $claims['name']);
+    }
+
+    #[Test]
+    public function id_token_includes_email_claims_when_email_scope_granted(): void
+    {
+        $code = $this->getAuthCode('openid email');
+        $tokens = $this->exchange($code);
+
+        $claims = $this->decodeJwtPayload($tokens['id_token']);
+
+        $this->assertArrayHasKey('email', $claims);
+        $this->assertEquals('normal@machine.local', $claims['email']);
+        $this->assertArrayHasKey('email_verified', $claims);
+    }
+
+    #[Test]
+    public function no_id_token_when_openid_scope_not_granted(): void
+    {
+        // Grant only profile — no openid.
+        // Most OAuth providers would still accept; we test the non-OIDC path.
+        $code = $this->getAuthCode('profile');
+        $tokens = $this->exchange($code);
+
+        $this->assertArrayNotHasKey('id_token', $tokens);
+    }
+
+    #[Test]
+    public function auth_time_reflects_real_session_start_not_now(): void
+    {
+        // Time window that encloses the login. auth_time in the ID token
+        // should fall inside it, not near the authorize/token time.
+        $beforeLogin = time();
+        $code = $this->getAuthCode('openid');
+        $afterLogin = time();
+
+        $tokens = $this->exchange($code);
+        $claims = $this->decodeJwtPayload($tokens['id_token']);
+
+        $this->assertArrayHasKey('auth_time', $claims);
+        $this->assertGreaterThanOrEqual($beforeLogin - 2, $claims['auth_time']);
+        $this->assertLessThanOrEqual($afterLogin + 2, $claims['auth_time']);
+
+        // iat reflects ID token issuance (close to now).
+        $this->assertArrayHasKey('iat', $claims);
+        $this->assertGreaterThanOrEqual($beforeLogin - 2, $claims['iat']);
+    }
+}
diff --git a/extensions/oauth-provider/tests/integration/forum/OidcDiscoveryTest.php b/extensions/oauth-provider/tests/integration/forum/OidcDiscoveryTest.php
new file mode 100644
index 0000000000..a472324224
--- /dev/null
+++ b/extensions/oauth-provider/tests/integration/forum/OidcDiscoveryTest.php
@@ -0,0 +1,106 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Tests\integration\forum;
+
+use Flarum\Testing\integration\TestCase;
+use PHPUnit\Framework\Attributes\Test;
+
+class OidcDiscoveryTest extends TestCase
+{
+    public function setUp(): void
+    {
+        parent::setUp();
+        $this->extension('flarum-oauth-provider');
+    }
+
+    #[Test]
+    public function discovery_document_has_required_fields(): void
+    {
+        $response = $this->send(
+            $this->request('GET', '/.well-known/openid-configuration')
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+        $this->assertEquals('application/json', $response->getHeaderLine('content-type'));
+
+        $body = json_decode((string) $response->getBody(), true);
+
+        // OIDC Discovery 1.0 §3 required fields.
+        $this->assertArrayHasKey('issuer', $body);
+        $this->assertArrayHasKey('authorization_endpoint', $body);
+        $this->assertArrayHasKey('token_endpoint', $body);
+        $this->assertArrayHasKey('jwks_uri', $body);
+        $this->assertArrayHasKey('response_types_supported', $body);
+        $this->assertArrayHasKey('subject_types_supported', $body);
+        $this->assertArrayHasKey('id_token_signing_alg_values_supported', $body);
+
+        $this->assertContains('code', $body['response_types_supported']);
+        $this->assertContains('RS256', $body['id_token_signing_alg_values_supported']);
+    }
+
+    #[Test]
+    public function discovery_endpoints_all_absolute_urls(): void
+    {
+        $response = $this->send(
+            $this->request('GET', '/.well-known/openid-configuration')
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $body = json_decode((string) $response->getBody(), true);
+
+        foreach (['authorization_endpoint', 'token_endpoint', 'userinfo_endpoint', 'jwks_uri'] as $field) {
+            $this->assertMatchesRegularExpression('#^https?://#', $body[$field], "$field is not absolute: {$body[$field]}");
+        }
+    }
+
+    #[Test]
+    public function discovery_advertises_registered_scopes(): void
+    {
+        $response = $this->send(
+            $this->request('GET', '/.well-known/openid-configuration')
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $body = json_decode((string) $response->getBody(), true);
+
+        $this->assertContains('openid', $body['scopes_supported']);
+        $this->assertContains('profile', $body['scopes_supported']);
+        $this->assertContains('email', $body['scopes_supported']);
+    }
+
+    #[Test]
+    public function jwks_returns_valid_rsa_key(): void
+    {
+        $response = $this->send(
+            $this->request('GET', '/.well-known/jwks.json')
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+
+        $body = json_decode((string) $response->getBody(), true);
+
+        $this->assertArrayHasKey('keys', $body);
+        $this->assertCount(1, $body['keys']);
+
+        $key = $body['keys'][0];
+        $this->assertEquals('RSA', $key['kty']);
+        $this->assertEquals('sig', $key['use']);
+        $this->assertEquals('RS256', $key['alg']);
+        $this->assertArrayHasKey('n', $key);
+        $this->assertArrayHasKey('e', $key);
+        $this->assertArrayHasKey('kid', $key);
+
+        // `n` and `e` are base64url-encoded — no +, /, or = allowed.
+        $this->assertDoesNotMatchRegularExpression('#[+/=]#', $key['n']);
+        $this->assertDoesNotMatchRegularExpression('#[+/=]#', $key['e']);
+    }
+}
diff --git a/extensions/oauth-provider/tests/integration/forum/TokenExchangeTest.php b/extensions/oauth-provider/tests/integration/forum/TokenExchangeTest.php
new file mode 100644
index 0000000000..434fccad29
--- /dev/null
+++ b/extensions/oauth-provider/tests/integration/forum/TokenExchangeTest.php
@@ -0,0 +1,294 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Tests\integration\forum;
+
+use Carbon\Carbon;
+use Flarum\Extend;
+use Flarum\OAuthProvider\Models\AccessToken;
+use Flarum\OAuthProvider\Models\RefreshToken;
+use Flarum\Testing\integration\RetrievesAuthorizedUsers;
+use Flarum\Testing\integration\TestCase;
+use Flarum\User\User;
+use PHPUnit\Framework\Attributes\Test;
+use Psr\Http\Message\ResponseInterface;
+
+class TokenExchangeTest extends TestCase
+{
+    use RetrievesAuthorizedUsers;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        $this->extend(
+            (new Extend\Csrf())
+                ->exemptRoute('login')
+                ->exemptRoute('oauthProvider.authorize')
+                ->exemptRoute('oauthProvider.authorize.post')
+        );
+
+        $this->extension('flarum-oauth-provider');
+
+        $this->prepareDatabase([
+            User::class => [
+                $this->normalUser(),
+            ],
+            'oauth_provider_clients' => [
+                [
+                    'id' => 'test-client',
+                    'name' => 'Test Application',
+                    'secret' => hash('sha256', 'test-secret'),
+                    'redirect_uris' => json_encode(['https://testapp.example.com/callback']),
+                    'scopes' => json_encode(['openid', 'profile', 'email']),
+                    'confidential' => 1,
+                    'revoked' => 0,
+                    'created_at' => Carbon::now()->toDateTimeString(),
+                ],
+            ],
+        ]);
+    }
+
+    protected function loginNormalUser(): ResponseInterface
+    {
+        $response = $this->send(
+            $this->request('POST', '/login', [
+                'json' => [
+                    'identification' => 'normal',
+                    'password' => 'too-obscure',
+                ],
+            ])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode(), 'Failed to log in');
+
+        return $response;
+    }
+
+    /**
+     * Drive the authorize endpoint to produce an auth code, then return it.
+     */
+    protected function getAuthorizationCode(array $overrides = []): string
+    {
+        $loginResponse = $this->loginNormalUser();
+
+        $query = array_merge([
+            'client_id' => 'test-client',
+            'response_type' => 'code',
+            'redirect_uri' => 'https://testapp.example.com/callback',
+            'scope' => 'openid profile',
+            'state' => 'xyz',
+        ], $overrides);
+
+        $response = $this->send(
+            $this->request('POST', '/oauth/authorize?'.http_build_query($query), [
+                'cookiesFrom' => $loginResponse,
+                'json' => [
+                    'oauth_consent_approved' => '1',
+                ],
+            ])
+                ->withQueryParams($query)
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(302, $response->getStatusCode());
+
+        $location = $response->getHeaderLine('Location');
+        parse_str(parse_url($location, PHP_URL_QUERY) ?? '', $params);
+
+        $this->assertArrayHasKey('code', $params);
+
+        return $params['code'];
+    }
+
+    #[Test]
+    public function valid_auth_code_exchanges_for_access_token(): void
+    {
+        $code = $this->getAuthorizationCode();
+
+        $response = $this->send(
+            $this->request('POST', '/oauth/token', [
+                'json' => [
+                    'grant_type' => 'authorization_code',
+                    'client_id' => 'test-client',
+                    'client_secret' => 'test-secret',
+                    'redirect_uri' => 'https://testapp.example.com/callback',
+                    'code' => $code,
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+
+        $body = json_decode((string) $response->getBody(), true);
+        $this->assertIsArray($body);
+        $this->assertArrayHasKey('access_token', $body);
+        $this->assertArrayHasKey('token_type', $body);
+        $this->assertEquals('Bearer', $body['token_type']);
+        $this->assertArrayHasKey('expires_in', $body);
+        $this->assertArrayHasKey('refresh_token', $body);
+        $this->assertIsString($body['access_token']);
+        $this->assertNotEmpty($body['access_token']);
+
+        $this->assertGreaterThan(0, AccessToken::query()->count());
+        $this->assertGreaterThan(0, RefreshToken::query()->count());
+    }
+
+    #[Test]
+    public function wrong_client_secret_is_rejected(): void
+    {
+        $code = $this->getAuthorizationCode();
+
+        $response = $this->send(
+            $this->request('POST', '/oauth/token', [
+                'json' => [
+                    'grant_type' => 'authorization_code',
+                    'client_id' => 'test-client',
+                    'client_secret' => 'wrong-secret',
+                    'redirect_uri' => 'https://testapp.example.com/callback',
+                    'code' => $code,
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertGreaterThanOrEqual(400, $response->getStatusCode());
+        $this->assertLessThan(500, $response->getStatusCode());
+
+        $body = json_decode((string) $response->getBody(), true);
+        $this->assertIsArray($body);
+        $this->assertArrayHasKey('error', $body);
+    }
+
+    #[Test]
+    public function auth_code_cannot_be_reused(): void
+    {
+        $code = $this->getAuthorizationCode();
+
+        $first = $this->send(
+            $this->request('POST', '/oauth/token', [
+                'json' => [
+                    'grant_type' => 'authorization_code',
+                    'client_id' => 'test-client',
+                    'client_secret' => 'test-secret',
+                    'redirect_uri' => 'https://testapp.example.com/callback',
+                    'code' => $code,
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $first->getStatusCode());
+
+        $second = $this->send(
+            $this->request('POST', '/oauth/token', [
+                'json' => [
+                    'grant_type' => 'authorization_code',
+                    'client_id' => 'test-client',
+                    'client_secret' => 'test-secret',
+                    'redirect_uri' => 'https://testapp.example.com/callback',
+                    'code' => $code,
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertGreaterThanOrEqual(400, $second->getStatusCode());
+    }
+
+    #[Test]
+    public function refresh_token_returns_new_access_token(): void
+    {
+        $code = $this->getAuthorizationCode();
+
+        $first = $this->send(
+            $this->request('POST', '/oauth/token', [
+                'json' => [
+                    'grant_type' => 'authorization_code',
+                    'client_id' => 'test-client',
+                    'client_secret' => 'test-secret',
+                    'redirect_uri' => 'https://testapp.example.com/callback',
+                    'code' => $code,
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $first->getStatusCode());
+        $tokens = json_decode((string) $first->getBody(), true);
+        $this->assertIsArray($tokens);
+        $this->assertArrayHasKey('refresh_token', $tokens);
+
+        $refreshResponse = $this->send(
+            $this->request('POST', '/oauth/token', [
+                'json' => [
+                    'grant_type' => 'refresh_token',
+                    'refresh_token' => $tokens['refresh_token'],
+                    'client_id' => 'test-client',
+                    'client_secret' => 'test-secret',
+                    'scope' => 'openid profile',
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $refreshResponse->getStatusCode());
+        $refreshed = json_decode((string) $refreshResponse->getBody(), true);
+        $this->assertIsArray($refreshed);
+
+        $this->assertArrayHasKey('access_token', $refreshed);
+        $this->assertArrayHasKey('refresh_token', $refreshed);
+        $this->assertNotEquals($tokens['access_token'], $refreshed['access_token']);
+    }
+
+    #[Test]
+    public function userinfo_returns_profile_for_valid_access_token(): void
+    {
+        $code = $this->getAuthorizationCode(['scope' => 'openid profile email']);
+
+        $first = $this->send(
+            $this->request('POST', '/oauth/token', [
+                'json' => [
+                    'grant_type' => 'authorization_code',
+                    'client_id' => 'test-client',
+                    'client_secret' => 'test-secret',
+                    'redirect_uri' => 'https://testapp.example.com/callback',
+                    'code' => $code,
+                ],
+            ])->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $first->getStatusCode());
+        $tokens = json_decode((string) $first->getBody(), true);
+        $this->assertIsArray($tokens);
+        $this->assertArrayHasKey('access_token', $tokens);
+
+        $userinfo = $this->send(
+            $this->request('GET', '/oauth/userinfo')
+                ->withHeader('Authorization', 'Bearer '.$tokens['access_token'])
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertEquals(200, $userinfo->getStatusCode());
+
+        $payload = json_decode($userinfo->getBody()->getContents(), true);
+
+        $this->assertEquals('2', $payload['sub']);
+        $this->assertEquals('normal', $payload['name']);
+        $this->assertArrayHasKey('email', $payload);
+        $this->assertEquals('normal@machine.local', $payload['email']);
+    }
+
+    #[Test]
+    public function userinfo_without_token_is_rejected(): void
+    {
+        $response = $this->send(
+            $this->request('GET', '/oauth/userinfo')
+                ->withAttribute('bypassCsrfToken', true)
+        );
+
+        $this->assertGreaterThanOrEqual(400, $response->getStatusCode());
+        $this->assertLessThan(500, $response->getStatusCode());
+    }
+}
diff --git a/extensions/oauth-provider/tests/integration/setup.php b/extensions/oauth-provider/tests/integration/setup.php
new file mode 100644
index 0000000000..96caab5fef
--- /dev/null
+++ b/extensions/oauth-provider/tests/integration/setup.php
@@ -0,0 +1,12 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+$setup = require __DIR__.'/../../../../php-packages/testing/bootstrap/monorepo.php';
+
+$setup->run();
diff --git a/extensions/oauth-provider/tests/phpunit.integration.xml b/extensions/oauth-provider/tests/phpunit.integration.xml
new file mode 100644
index 0000000000..849ceb516e
--- /dev/null
+++ b/extensions/oauth-provider/tests/phpunit.integration.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="../../../vendor/phpunit/phpunit/phpunit.xsd"
+    backupGlobals="false"
+    cacheDirectory=".phpunit.cache"
+    backupStaticProperties="false"
+    colors="true"
+    processIsolation="true"
+    stopOnFailure="false"
+    bootstrap="../../../php-packages/testing/bootstrap/monorepo.php"
+>
+    <source>
+        <include>
+            <directory suffix=".php">../src/</directory>
+        </include>
+    </source>
+    <testsuites>
+        <testsuite name="Flarum Integration Tests">
+            <directory suffix="Test.php">./integration</directory>
+             <exclude>./integration/tmp</exclude>
+        </testsuite>
+    </testsuites>
+</phpunit>
diff --git a/extensions/oauth-provider/tests/phpunit.unit.xml b/extensions/oauth-provider/tests/phpunit.unit.xml
new file mode 100644
index 0000000000..5cf94ab048
--- /dev/null
+++ b/extensions/oauth-provider/tests/phpunit.unit.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="../../../vendor/phpunit/phpunit/phpunit.xsd"
+    backupGlobals="false"
+    cacheDirectory=".phpunit.cache"
+    backupStaticProperties="false"
+    colors="true"
+    processIsolation="false"
+    stopOnFailure="false"
+    bootstrap="../../../php-packages/testing/bootstrap/monorepo.php"
+>
+    <source>
+        <include>
+            <directory suffix=".php">../src/</directory>
+        </include>
+    </source>
+    <testsuites>
+        <testsuite name="Flarum Unit Tests">
+            <directory suffix="Test.php">./unit</directory>
+        </testsuite>
+    </testsuites>
+</phpunit>
diff --git a/extensions/oauth-provider/tests/unit/ClientModelTest.php b/extensions/oauth-provider/tests/unit/ClientModelTest.php
new file mode 100644
index 0000000000..0e809b5a66
--- /dev/null
+++ b/extensions/oauth-provider/tests/unit/ClientModelTest.php
@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Tests\unit;
+
+use Flarum\OAuthProvider\Models\Client;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+class ClientModelTest extends TestCase
+{
+    #[Test]
+    public function hasRedirectUri_matches_exact_uri(): void
+    {
+        $client = new Client();
+        $client->redirect_uris = ['https://example.com/callback', 'https://other.example.com/cb'];
+
+        $this->assertTrue($client->hasRedirectUri('https://example.com/callback'));
+        $this->assertTrue($client->hasRedirectUri('https://other.example.com/cb'));
+    }
+
+    #[Test]
+    public function hasRedirectUri_rejects_non_matching_uri(): void
+    {
+        $client = new Client();
+        $client->redirect_uris = ['https://example.com/callback'];
+
+        $this->assertFalse($client->hasRedirectUri('https://example.com/'));
+        $this->assertFalse($client->hasRedirectUri('https://evil.example.com/callback'));
+    }
+
+    #[Test]
+    public function secret_is_hidden_from_serialization(): void
+    {
+        $client = new Client();
+        $client->id = 'test';
+        $client->name = 'Test';
+        $client->secret = 'super-secret';
+
+        $array = $client->toArray();
+
+        $this->assertArrayNotHasKey('secret', $array);
+    }
+}
diff --git a/extensions/oauth-provider/tests/unit/ConsentModelTest.php b/extensions/oauth-provider/tests/unit/ConsentModelTest.php
new file mode 100644
index 0000000000..352b5775a0
--- /dev/null
+++ b/extensions/oauth-provider/tests/unit/ConsentModelTest.php
@@ -0,0 +1,65 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Tests\unit;
+
+use Flarum\OAuthProvider\Models\Consent;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+class ConsentModelTest extends TestCase
+{
+    #[Test]
+    public function covers_returns_true_when_all_requested_scopes_are_granted(): void
+    {
+        $consent = new Consent();
+        $consent->scopes = ['openid', 'profile', 'email'];
+
+        $this->assertTrue($consent->covers(['openid', 'profile']));
+        $this->assertTrue($consent->covers(['openid', 'profile', 'email']));
+        $this->assertTrue($consent->covers(['email']));
+    }
+
+    #[Test]
+    public function covers_returns_false_when_any_requested_scope_is_missing(): void
+    {
+        $consent = new Consent();
+        $consent->scopes = ['openid', 'profile'];
+
+        $this->assertFalse($consent->covers(['openid', 'profile', 'email']));
+        $this->assertFalse($consent->covers(['invoices:read']));
+    }
+
+    #[Test]
+    public function covers_returns_true_for_empty_request(): void
+    {
+        $consent = new Consent();
+        $consent->scopes = ['openid'];
+
+        $this->assertTrue($consent->covers([]));
+    }
+
+    #[Test]
+    public function covers_returns_false_when_consent_has_no_scopes(): void
+    {
+        $consent = new Consent();
+        $consent->scopes = null;
+
+        $this->assertFalse($consent->covers(['openid']));
+    }
+
+    #[Test]
+    public function covers_returns_true_when_both_consent_and_request_are_empty(): void
+    {
+        $consent = new Consent();
+        $consent->scopes = null;
+
+        $this->assertTrue($consent->covers([]));
+    }
+}
diff --git a/extensions/oauth-provider/tests/unit/ScopeRegistryTest.php b/extensions/oauth-provider/tests/unit/ScopeRegistryTest.php
new file mode 100644
index 0000000000..6181130a50
--- /dev/null
+++ b/extensions/oauth-provider/tests/unit/ScopeRegistryTest.php
@@ -0,0 +1,59 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\OAuthProvider\Tests\unit;
+
+use Flarum\OAuthProvider\Scope\ScopeRegistry;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+class ScopeRegistryTest extends TestCase
+{
+    #[Test]
+    public function registered_scope_is_reported_as_present(): void
+    {
+        $registry = new ScopeRegistry();
+        $registry->register('profile', 'Read your profile');
+
+        $this->assertTrue($registry->has('profile'));
+        $this->assertSame('Read your profile', $registry->description('profile'));
+    }
+
+    #[Test]
+    public function unregistered_scope_is_not_present(): void
+    {
+        $registry = new ScopeRegistry();
+
+        $this->assertFalse($registry->has('unknown'));
+        $this->assertNull($registry->description('unknown'));
+    }
+
+    #[Test]
+    public function all_returns_registered_scopes(): void
+    {
+        $registry = new ScopeRegistry();
+        $registry->register('profile', 'Profile');
+        $registry->register('email', 'Email');
+
+        $this->assertSame(
+            ['profile' => 'Profile', 'email' => 'Email'],
+            $registry->all()
+        );
+    }
+
+    #[Test]
+    public function re_registering_overwrites_description(): void
+    {
+        $registry = new ScopeRegistry();
+        $registry->register('profile', 'Old');
+        $registry->register('profile', 'New');
+
+        $this->assertSame('New', $registry->description('profile'));
+    }
+}
diff --git a/flarum-monorepo.json b/flarum-monorepo.json
index 02592a36c5..d230ddc9a5 100644
--- a/flarum-monorepo.json
+++ b/flarum-monorepo.json
@@ -66,6 +66,11 @@
         "gitRemote": "git@github.com:flarum/nicknames.git",
         "mainBranch": "2.x"
       },
+      {
+        "name": "oauth-provider",
+        "gitRemote": "git@github.com:flarum/oauth-provider.git",
+        "mainBranch": "2.x"
+      },
       {
         "name": "package-manager",
         "gitRemote": "git@github.com:flarum/package-manager.git",