From 58761010621127f03599b343413bb4afb9db9993 Mon Sep 17 00:00:00 2001
From: Tyagi-Sunny <sunny.tyagi@sourcefuse.com>
Date: Wed, 11 Sep 2024 14:01:10 +0530
Subject: [PATCH] feat(authentication-service): added the logic for rotation of
 keys with database

2034
---
 package-lock.json                             |  13 +
 services/authentication-service/.env.defaults |   4 +-
 services/authentication-service/.env.example  |   2 +
 .../20241105074844-add-jwt-keys-schema.js     |  59 +++
 ...0241105074844-add-jwt-keys-schema-down.sql |   1 +
 .../20241105074844-add-jwt-keys-schema-up.sql |   7 +
 .../20241105074844-add-jwt-keys-schema.js     |  59 +++
 ...0241105074844-add-jwt-keys-schema-down.sql |   1 +
 .../20241105074844-add-jwt-keys-schema-up.sql |   7 +
 services/authentication-service/openapi.json  | 204 ++++++++--
 services/authentication-service/openapi.md    | 352 ++++++++++++++++--
 services/authentication-service/package.json  |   3 +-
 .../authentication-service/src/component.ts   |  10 +
 .../src/models/index.ts                       |   3 +
 .../src/models/jwt-keys.model.ts              |  44 +++
 .../controllers/apple-login.controller.ts     |  25 +-
 .../controllers/azure-login.controller.ts     |  45 ++-
 .../controllers/cognito-login.controller.ts   |  31 +-
 .../controllers/facebook-login.controller.ts  |  19 +-
 .../controllers/google-login.controller.ts    |  35 +-
 .../controllers/identity-server.controller.ts | 162 ++------
 .../controllers/instagram-login.controller.ts |  19 +-
 .../controllers/keycloak-login.controller.ts  |  41 +-
 .../auth/controllers/logout.controller.ts     | 144 +------
 .../auth/controllers/saml-login.controller.ts |  21 +-
 .../auth/models/idp-auth-request.dto.ts       |  36 --
 .../modules/auth/models/idp-auth.method.ts    |  10 -
 .../src/modules/auth/models/index.ts          |   2 -
 .../src/providers/index.ts                    |   2 +
 .../jwks-jwt-asymmertric-signer.provider.ts   |  49 +++
 .../jwks-jwt-asymmetric-verifier.provider.ts  |  46 +++
 .../src/repositories/index.ts                 |   3 +
 .../src/repositories/jwt-keys.repository.ts   |  16 +
 .../src/repositories/sequelize/index.ts       |   3 +
 .../sequelize/jwt-keys.repository.ts          |  19 +
 .../src/services/idp-login.service.ts         | 322 +++++++++-------
 services/authentication-service/src/types.ts  |   1 +
 37 files changed, 1259 insertions(+), 561 deletions(-)
 create mode 100644 services/authentication-service/migrations/mysql/migrations/20241105074844-add-jwt-keys-schema.js
 create mode 100644 services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql
 create mode 100644 services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql
 create mode 100644 services/authentication-service/migrations/pg/migrations/20241105074844-add-jwt-keys-schema.js
 create mode 100644 services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql
 create mode 100644 services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql
 create mode 100644 services/authentication-service/src/models/jwt-keys.model.ts
 delete mode 100644 services/authentication-service/src/modules/auth/models/idp-auth-request.dto.ts
 delete mode 100644 services/authentication-service/src/modules/auth/models/idp-auth.method.ts
 create mode 100644 services/authentication-service/src/providers/jwks-jwt-asymmertric-signer.provider.ts
 create mode 100644 services/authentication-service/src/providers/jwks-jwt-asymmetric-verifier.provider.ts
 create mode 100644 services/authentication-service/src/repositories/jwt-keys.repository.ts
 create mode 100644 services/authentication-service/src/repositories/sequelize/jwt-keys.repository.ts

diff --git a/package-lock.json b/package-lock.json
index 8658e7f19a..d69be84149 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11322,6 +11322,16 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/node-jose": {
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/@types/node-jose/-/node-jose-1.1.13.tgz",
+      "integrity": "sha512-QjMd4yhwy1EvSToQn0YI3cD29YhyfxFwj7NecuymjLys2/P0FwxWnkgBlFxCai6Y3aBCe7rbwmqwJJawxlgcXw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
     "node_modules/@types/normalize-package-data": {
       "version": "2.4.4",
       "resolved": "https://registry.npmjs.org/@types/normalize-package-data/-/normalize-package-data-2.4.4.tgz",
@@ -26948,6 +26958,7 @@
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/node-jose/-/node-jose-2.2.0.tgz",
       "integrity": "sha512-XPCvJRr94SjLrSIm4pbYHKLEaOsDvJCpyFw/6V/KK/IXmyZ6SFBzAUDO9HQf4DB/nTEFcRGH87mNciOP23kFjw==",
+      "license": "Apache-2.0",
       "dependencies": {
         "base64url": "^3.0.1",
         "buffer": "^6.0.3",
@@ -43742,6 +43753,7 @@
         "moment": "^2.29.3",
         "moment-timezone": "^0.5.34",
         "node-fetch": "^2.6.6",
+        "node-jose": "^2.2.0",
         "otplib": "^12.0.1",
         "passport-apple": "^2.0.1",
         "passport-auth0": "^1.4.4",
@@ -43768,6 +43780,7 @@
         "@types/node": "^18.11.9",
         "@types/node-fetch": "^2.6.1",
         "@types/node-forge": "^1.3.4",
+        "@types/node-jose": "^1.1.13",
         "@types/passport-apple": "^1.1.1",
         "@types/passport-auth0": "^1.0.9",
         "@types/passport-azure-ad": "^4.3.1",
diff --git a/services/authentication-service/.env.defaults b/services/authentication-service/.env.defaults
index 26a0bdd8e9..3e85300184 100644
--- a/services/authentication-service/.env.defaults
+++ b/services/authentication-service/.env.defaults
@@ -61,4 +61,6 @@ AZURE_AUTH_COOKIE_KEY=
 
 #iv is 12 bit
 
-AZURE_AUTH_COOKIE_IV=
\ No newline at end of file
+AZURE_AUTH_COOKIE_IV=
+
+MAX_JWT_KEYS=2
\ No newline at end of file
diff --git a/services/authentication-service/.env.example b/services/authentication-service/.env.example
index 3d351f2665..485162a606 100644
--- a/services/authentication-service/.env.example
+++ b/services/authentication-service/.env.example
@@ -83,3 +83,5 @@ AUTH0_DOMAIN=
 AUTH0_CLIENT_ID=
 AUTH0_CLIENT_SECRET=
 AUTH0_CALLBACK_URL=
+
+MAX_JWT_KEYS=
diff --git a/services/authentication-service/migrations/mysql/migrations/20241105074844-add-jwt-keys-schema.js b/services/authentication-service/migrations/mysql/migrations/20241105074844-add-jwt-keys-schema.js
new file mode 100644
index 0000000000..b1ebc0e60c
--- /dev/null
+++ b/services/authentication-service/migrations/mysql/migrations/20241105074844-add-jwt-keys-schema.js
@@ -0,0 +1,59 @@
+'use strict';
+
+var dbm;
+var type;
+var seed;
+var fs = require('fs');
+var path = require('path');
+var Promise;
+
+/**
+ * We receive the dbmigrate dependency from dbmigrate initially.
+ * This enables us to not have to rely on NODE_PATH.
+ */
+exports.setup = function (options, seedLink) {
+  dbm = options.dbmigrate;
+  type = dbm.dataType;
+  seed = seedLink;
+  Promise = options.Promise;
+};
+
+exports.up = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-up.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports.down = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-down.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports._meta = {
+  version: 1,
+};
diff --git a/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql b/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql
new file mode 100644
index 0000000000..fbcccb9d0c
--- /dev/null
+++ b/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql
@@ -0,0 +1 @@
+DROP TABLE main.jwt_keys;
diff --git a/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql b/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql
new file mode 100644
index 0000000000..7a3e493c39
--- /dev/null
+++ b/services/authentication-service/migrations/mysql/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql
@@ -0,0 +1,7 @@
+CREATE TABLE main.jwt_keys (
+    id INT AUTO_INCREMENT PRIMARY KEY,
+    key_id VARCHAR(100) UNIQUE NOT NULL,
+    public_key TEXT NOT NULL,                -- Public key in PEM format
+    private_key TEXT NOT NULL,               -- Private key in PEM format
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
diff --git a/services/authentication-service/migrations/pg/migrations/20241105074844-add-jwt-keys-schema.js b/services/authentication-service/migrations/pg/migrations/20241105074844-add-jwt-keys-schema.js
new file mode 100644
index 0000000000..b1ebc0e60c
--- /dev/null
+++ b/services/authentication-service/migrations/pg/migrations/20241105074844-add-jwt-keys-schema.js
@@ -0,0 +1,59 @@
+'use strict';
+
+var dbm;
+var type;
+var seed;
+var fs = require('fs');
+var path = require('path');
+var Promise;
+
+/**
+ * We receive the dbmigrate dependency from dbmigrate initially.
+ * This enables us to not have to rely on NODE_PATH.
+ */
+exports.setup = function (options, seedLink) {
+  dbm = options.dbmigrate;
+  type = dbm.dataType;
+  seed = seedLink;
+  Promise = options.Promise;
+};
+
+exports.up = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-up.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports.down = function (db) {
+  var filePath = path.join(
+    __dirname,
+    'sqls',
+    '20241105074844-add-jwt-keys-schema-down.sql',
+  );
+  return new Promise(function (resolve, reject) {
+    fs.readFile(filePath, {encoding: 'utf-8'}, function (err, data) {
+      if (err) return reject(err);
+      console.log('received data: ' + data);
+
+      resolve(data);
+    });
+  }).then(function (data) {
+    return db.runSql(data);
+  });
+};
+
+exports._meta = {
+  version: 1,
+};
diff --git a/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql b/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql
new file mode 100644
index 0000000000..fbcccb9d0c
--- /dev/null
+++ b/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-down.sql
@@ -0,0 +1 @@
+DROP TABLE main.jwt_keys;
diff --git a/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql b/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql
new file mode 100644
index 0000000000..ba3615437c
--- /dev/null
+++ b/services/authentication-service/migrations/pg/migrations/sqls/20241105074844-add-jwt-keys-schema-up.sql
@@ -0,0 +1,7 @@
+CREATE TABLE main.jwt_keys (
+    id SERIAL PRIMARY KEY,
+    key_id VARCHAR(100) UNIQUE NOT NULL,
+    public_key TEXT NOT NULL,                -- Public key in PEM format
+    private_key TEXT NOT NULL,               -- Private key in PEM format
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
\ No newline at end of file
diff --git a/services/authentication-service/openapi.json b/services/authentication-service/openapi.json
index 563a06a49d..3b07049b2f 100644
--- a/services/authentication-service/openapi.json
+++ b/services/authentication-service/openapi.json
@@ -752,7 +752,7 @@
         ],
         "responses": {
           "200": {
-            "description": "Google Token Response,\n         (Deprecated: Possible security issue if secret is passed via query params, \n          please use the post endpoint)",
+            "description": "Google Token Response,\n         (Deprecated: Possible security issue if secret is passed via query params,\n          please use the post endpoint)",
             "content": {
               "application/json": {
                 "schema": {
@@ -1688,14 +1688,130 @@
         "operationId": "LogoutController.cognitoLogout"
       }
     },
-    "/connect/auth": {
+    "/connect/endsession": {
       "post": {
         "x-controller-name": "IdentityServerController",
-        "x-operation-name": "connectAuth",
+        "x-operation-name": "logout",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
+        "description": "To logout",
+        "responses": {
+          "200": {
+            "description": "Success Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/SuccessResponse"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "parameters": [
+          {
+            "name": "Authorization",
+            "in": "header",
+            "schema": {
+              "type": "string"
+            },
+            "description": "This is the access token which is required to authenticate user."
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/AuthRefreshTokenRequestPartial"
+              }
+            }
+          },
+          "x-parameter-index": 1
+        },
+        "operationId": "IdentityServerController.logout"
+      }
+    },
+    "/connect/get-keys": {
+      "post": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "getKeys",
         "tags": [
           "IdentityServerController"
         ],
-        "description": "POST Call for idp login",
+        "description": "Get the public keys",
+        "responses": {
+          "200": {
+            "description": "JWKS Keys"
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "operationId": "IdentityServerController.getKeys"
+      }
+    },
+    "/connect/rotate-keys": {
+      "post": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "generateKeys",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "description": "Generate the set of public and private keys",
+        "responses": {
+          "200": {
+            "description": "JWKS Keys"
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "operationId": "IdentityServerController.generateKeys"
+      }
+    },
+    "/connect/token": {
+      "post": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "getToken",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "description": "Send the code received from the POST /auth/login api and get refresh token and access token (webapps)",
         "responses": {
           "200": {
             "description": "Token Response",
@@ -1706,18 +1822,64 @@
                 }
               }
             }
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
           }
         },
         "requestBody": {
           "content": {
-            "application/x-www-form-urlencoded": {
+            "application/json": {
               "schema": {
-                "$ref": "#/components/schemas/IdpAuthRequest"
+                "$ref": "#/components/schemas/AuthTokenRequest"
               }
             }
           }
         },
-        "operationId": "IdentityServerController.connectAuth"
+        "operationId": "IdentityServerController.getToken"
+      }
+    },
+    "/connect/userinfo": {
+      "get": {
+        "x-controller-name": "IdentityServerController",
+        "x-operation-name": "me",
+        "tags": [
+          "IdentityServerController"
+        ],
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
+        "description": "To get the user details",
+        "responses": {
+          "200": {
+            "description": "User Object",
+            "content": {}
+          },
+          "400": {
+            "description": "The syntax of the request entity is incorrect."
+          },
+          "401": {
+            "description": "Invalid Credentials."
+          },
+          "404": {
+            "description": "The entity requested does not exist."
+          },
+          "422": {
+            "description": "The syntax of the request entity is incorrect"
+          }
+        },
+        "operationId": "IdentityServerController.me"
       }
     },
     "/google/logout": {
@@ -2646,30 +2808,20 @@
         ],
         "additionalProperties": false
       },
-      "IdpAuthRequest": {
-        "title": "IdpAuthRequest",
+      "AuthRefreshTokenRequestPartial": {
+        "title": "AuthRefreshTokenRequestPartial",
         "type": "object",
-        "description": "This is signature for idp authentication request.",
+        "description": "(tsType: Partial<AuthRefreshTokenRequest>, schemaOptions: { partial: true })",
         "properties": {
-          "client_id": {
-            "type": "string",
-            "description": "This property is supposed to be a string and is a required field"
-          },
-          "client_secret": {
-            "type": "string",
-            "description": "This property is supposed to be a string and is a required field"
+          "refreshToken": {
+            "type": "string"
           },
-          "auth_method": {
-            "type": "string",
-            "description": "This property is supposed to be a string and is a required field"
+          "tenantId": {
+            "type": "string"
           }
         },
-        "required": [
-          "client_id",
-          "client_secret",
-          "auth_method"
-        ],
-        "additionalProperties": false
+        "additionalProperties": false,
+        "x-typescript-type": "Partial<AuthRefreshTokenRequest>"
       },
       "loopback.Count": {
         "type": "object",
diff --git a/services/authentication-service/openapi.md b/services/authentication-service/openapi.md
index afdb350d34..d1252a775d 100644
--- a/services/authentication-service/openapi.md
+++ b/services/authentication-service/openapi.md
@@ -102,24 +102,235 @@ To perform this operation, you must be authenticated by means of one of the foll
 HTTPBearer
 </aside>
 
-## IdentityServerController.connectAuth
+## IdentityServerController.logout
 
-<a id="opIdIdentityServerController.connectAuth"></a>
+<a id="opIdIdentityServerController.logout"></a>
 
 > Code samples
 
 ```javascript
 const inputBody = '{
-  "client_id": "string",
-  "client_secret": "string",
-  "auth_method": "string"
+  "refreshToken": "string",
+  "tenantId": "string"
 }';
 const headers = {
-  'Content-Type':'application/x-www-form-urlencoded',
+  'Content-Type':'application/json',
+  'Accept':'application/json',
+  'Authorization':'string'
+};
+
+fetch('/connect/endsession',
+{
+  method: 'POST',
+  body: inputBody,
+  headers: headers
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+```javascript--nodejs
+const fetch = require('node-fetch');
+const inputBody = {
+  "refreshToken": "string",
+  "tenantId": "string"
+};
+const headers = {
+  'Content-Type':'application/json',
+  'Accept':'application/json',
+  'Authorization':'string'
+};
+
+fetch('/connect/endsession',
+{
+  method: 'POST',
+  body: JSON.stringify(inputBody),
+  headers: headers
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+`POST /connect/endsession`
+
+To logout
+
+> Body parameter
+
+```json
+{
+  "refreshToken": "string",
+  "tenantId": "string"
+}
+```
+
+<h3 id="identityservercontroller.logout-parameters">Parameters</h3>
+
+|Name|In|Type|Required|Description|
+|---|---|---|---|---|
+|Authorization|header|string|false|This is the access token which is required to authenticate user.|
+|body|body|[AuthRefreshTokenRequestPartial](#schemaauthrefreshtokenrequestpartial)|false|none|
+
+> Example responses
+
+> 200 Response
+
+```json
+{
+  "success": true
+}
+```
+
+<h3 id="identityservercontroller.logout-responses">Responses</h3>
+
+|Status|Meaning|Description|Schema|
+|---|---|---|---|
+|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Success Response|[SuccessResponse](#schemasuccessresponse)|
+|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|The syntax of the request entity is incorrect.|None|
+|401|[Unauthorized](https://tools.ietf.org/html/rfc7235#section-3.1)|Invalid Credentials.|None|
+|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|The entity requested does not exist.|None|
+|422|[Unprocessable Entity](https://tools.ietf.org/html/rfc2518#section-10.3)|The syntax of the request entity is incorrect|None|
+
+<aside class="warning">
+To perform this operation, you must be authenticated by means of one of the following methods:
+HTTPBearer
+</aside>
+
+## IdentityServerController.getKeys
+
+<a id="opIdIdentityServerController.getKeys"></a>
+
+> Code samples
+
+```javascript
+
+fetch('/connect/get-keys',
+{
+  method: 'POST'
+
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+```javascript--nodejs
+const fetch = require('node-fetch');
+
+fetch('/connect/get-keys',
+{
+  method: 'POST'
+
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+`POST /connect/get-keys`
+
+Get the public keys
+
+<h3 id="identityservercontroller.getkeys-responses">Responses</h3>
+
+|Status|Meaning|Description|Schema|
+|---|---|---|---|
+|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|JWKS Keys|None|
+|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|The syntax of the request entity is incorrect.|None|
+|401|[Unauthorized](https://tools.ietf.org/html/rfc7235#section-3.1)|Invalid Credentials.|None|
+|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|The entity requested does not exist.|None|
+|422|[Unprocessable Entity](https://tools.ietf.org/html/rfc2518#section-10.3)|The syntax of the request entity is incorrect|None|
+
+<aside class="success">
+This operation does not require authentication
+</aside>
+
+## IdentityServerController.generateKeys
+
+<a id="opIdIdentityServerController.generateKeys"></a>
+
+> Code samples
+
+```javascript
+
+fetch('/connect/rotate-keys',
+{
+  method: 'POST'
+
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+```javascript--nodejs
+const fetch = require('node-fetch');
+
+fetch('/connect/rotate-keys',
+{
+  method: 'POST'
+
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+`POST /connect/rotate-keys`
+
+Generate the set of public and private keys
+
+<h3 id="identityservercontroller.generatekeys-responses">Responses</h3>
+
+|Status|Meaning|Description|Schema|
+|---|---|---|---|
+|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|JWKS Keys|None|
+|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|The syntax of the request entity is incorrect.|None|
+|401|[Unauthorized](https://tools.ietf.org/html/rfc7235#section-3.1)|Invalid Credentials.|None|
+|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|The entity requested does not exist.|None|
+|422|[Unprocessable Entity](https://tools.ietf.org/html/rfc2518#section-10.3)|The syntax of the request entity is incorrect|None|
+
+<aside class="success">
+This operation does not require authentication
+</aside>
+
+## IdentityServerController.getToken
+
+<a id="opIdIdentityServerController.getToken"></a>
+
+> Code samples
+
+```javascript
+const inputBody = '{
+  "code": "string",
+  "clientId": "string"
+}';
+const headers = {
+  'Content-Type':'application/json',
   'Accept':'application/json'
 };
 
-fetch('/connect/auth',
+fetch('/connect/token',
 {
   method: 'POST',
   body: inputBody,
@@ -136,16 +347,15 @@ fetch('/connect/auth',
 ```javascript--nodejs
 const fetch = require('node-fetch');
 const inputBody = {
-  "client_id": "string",
-  "client_secret": "string",
-  "auth_method": "string"
+  "code": "string",
+  "clientId": "string"
 };
 const headers = {
-  'Content-Type':'application/x-www-form-urlencoded',
+  'Content-Type':'application/json',
   'Accept':'application/json'
 };
 
-fetch('/connect/auth',
+fetch('/connect/token',
 {
   method: 'POST',
   body: JSON.stringify(inputBody),
@@ -159,24 +369,24 @@ fetch('/connect/auth',
 
 ```
 
-`POST /connect/auth`
+`POST /connect/token`
 
-POST Call for idp login
+Send the code received from the POST /auth/login api and get refresh token and access token (webapps)
 
 > Body parameter
 
-```yaml
-client_id: string
-client_secret: string
-auth_method: string
-
+```json
+{
+  "code": "string",
+  "clientId": "string"
+}
 ```
 
-<h3 id="identityservercontroller.connectauth-parameters">Parameters</h3>
+<h3 id="identityservercontroller.gettoken-parameters">Parameters</h3>
 
 |Name|In|Type|Required|Description|
 |---|---|---|---|---|
-|body|body|[IdpAuthRequest](#schemaidpauthrequest)|false|none|
+|body|body|[AuthTokenRequest](#schemaauthtokenrequest)|false|none|
 
 > Example responses
 
@@ -191,16 +401,90 @@ auth_method: string
 }
 ```
 
-<h3 id="identityservercontroller.connectauth-responses">Responses</h3>
+<h3 id="identityservercontroller.gettoken-responses">Responses</h3>
 
 |Status|Meaning|Description|Schema|
 |---|---|---|---|
 |200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Token Response|[TokenResponse](#schematokenresponse)|
+|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|The syntax of the request entity is incorrect.|None|
+|401|[Unauthorized](https://tools.ietf.org/html/rfc7235#section-3.1)|Invalid Credentials.|None|
+|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|The entity requested does not exist.|None|
+|422|[Unprocessable Entity](https://tools.ietf.org/html/rfc2518#section-10.3)|The syntax of the request entity is incorrect|None|
 
 <aside class="success">
 This operation does not require authentication
 </aside>
 
+## IdentityServerController.me
+
+<a id="opIdIdentityServerController.me"></a>
+
+> Code samples
+
+```javascript
+
+const headers = {
+  'Authorization':'Bearer {access-token}'
+};
+
+fetch('/connect/userinfo',
+{
+  method: 'GET',
+
+  headers: headers
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+```javascript--nodejs
+const fetch = require('node-fetch');
+
+const headers = {
+  'Authorization':'Bearer {access-token}'
+};
+
+fetch('/connect/userinfo',
+{
+  method: 'GET',
+
+  headers: headers
+})
+.then(function(res) {
+    return res.json();
+}).then(function(body) {
+    console.log(body);
+});
+
+```
+
+`GET /connect/userinfo`
+
+To get the user details
+
+> Example responses
+
+<h3 id="identityservercontroller.me-responses">Responses</h3>
+
+|Status|Meaning|Description|Schema|
+|---|---|---|---|
+|200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|User Object|None|
+|400|[Bad Request](https://tools.ietf.org/html/rfc7231#section-6.5.1)|The syntax of the request entity is incorrect.|None|
+|401|[Unauthorized](https://tools.ietf.org/html/rfc7235#section-3.1)|Invalid Credentials.|None|
+|404|[Not Found](https://tools.ietf.org/html/rfc7231#section-6.5.4)|The entity requested does not exist.|None|
+|422|[Unprocessable Entity](https://tools.ietf.org/html/rfc2518#section-10.3)|The syntax of the request entity is incorrect|None|
+
+<h3 id="identityservercontroller.me-responseschema">Response Schema</h3>
+
+<aside class="warning">
+To perform this operation, you must be authenticated by means of one of the following methods:
+HTTPBearer
+</aside>
+
 <h1 id="authentication-service-loginactivitycontroller">LoginActivityController</h1>
 
 ## LoginActivityController.getActiveUsers
@@ -3114,7 +3398,7 @@ fetch('/auth/google',
 |Status|Meaning|Description|Schema|
 |---|---|---|---|
 |200|[OK](https://tools.ietf.org/html/rfc7231#section-6.3.1)|Google Token Response,
-         (Deprecated: Possible security issue if secret is passed via query params, 
+         (Deprecated: Possible security issue if secret is passed via query params,
           please use the post endpoint)|[TokenResponse](#schematokenresponse)|
 
 <aside class="success">
@@ -5140,31 +5424,29 @@ ActiveUsersFilter
 |userIdentity|string|true|none|none|
 |userIdentifier|object|true|none|none|
 
-<h2 id="tocS_IdpAuthRequest">IdpAuthRequest</h2>
+<h2 id="tocS_AuthRefreshTokenRequestPartial">AuthRefreshTokenRequestPartial</h2>
 <!-- backwards compatibility -->
-<a id="schemaidpauthrequest"></a>
-<a id="schema_IdpAuthRequest"></a>
-<a id="tocSidpauthrequest"></a>
-<a id="tocsidpauthrequest"></a>
+<a id="schemaauthrefreshtokenrequestpartial"></a>
+<a id="schema_AuthRefreshTokenRequestPartial"></a>
+<a id="tocSauthrefreshtokenrequestpartial"></a>
+<a id="tocsauthrefreshtokenrequestpartial"></a>
 
 ```json
 {
-  "client_id": "string",
-  "client_secret": "string",
-  "auth_method": "string"
+  "refreshToken": "string",
+  "tenantId": "string"
 }
 
 ```
 
-IdpAuthRequest
+AuthRefreshTokenRequestPartial
 
 ### Properties
 
 |Name|Type|Required|Restrictions|Description|
 |---|---|---|---|---|
-|client_id|string|true|none|This property is supposed to be a string and is a required field|
-|client_secret|string|true|none|This property is supposed to be a string and is a required field|
-|auth_method|string|true|none|This property is supposed to be a string and is a required field|
+|refreshToken|string|false|none|none|
+|tenantId|string|false|none|none|
 
 <h2 id="tocS_loopback.Count">loopback.Count</h2>
 <!-- backwards compatibility -->
diff --git a/services/authentication-service/package.json b/services/authentication-service/package.json
index 0589fe2be8..a7851f5c79 100644
--- a/services/authentication-service/package.json
+++ b/services/authentication-service/package.json
@@ -25,7 +25,6 @@
     }
   },
   "scripts": {
-    "start": "node -r source-map-support/register .",
     "prebuild": "npm run clean",
     "build": "lb-tsc && npm run openapi-spec && npm run apidocs",
     "build:watch": "lb-tsc --watch",
@@ -95,6 +94,7 @@
     "moment": "^2.29.3",
     "moment-timezone": "^0.5.34",
     "node-fetch": "^2.6.6",
+    "node-jose": "^2.2.0",
     "otplib": "^12.0.1",
     "passport-apple": "^2.0.1",
     "passport-auth0": "^1.4.4",
@@ -121,6 +121,7 @@
     "@types/node": "^18.11.9",
     "@types/node-fetch": "^2.6.1",
     "@types/node-forge": "^1.3.4",
+    "@types/node-jose": "^1.1.13",
     "@types/passport-apple": "^1.1.1",
     "@types/passport-auth0": "^1.0.9",
     "@types/passport-azure-ad": "^4.3.1",
diff --git a/services/authentication-service/src/component.ts b/services/authentication-service/src/component.ts
index 9647651bed..42c3ce92fc 100644
--- a/services/authentication-service/src/component.ts
+++ b/services/authentication-service/src/component.ts
@@ -81,6 +81,8 @@ import {
   InstagramOauth2SignupProvider,
   InstagramPostVerifyProvider,
   InstagramPreVerifyProvider,
+  JwksJWTAsymmetricSignerProvider,
+  JwksJWTAsymmetricVerifierProvider,
   JWTAsymmetricSignerProvider,
   JWTAsymmetricVerifierProvider,
   JwtPayloadProvider,
@@ -369,6 +371,14 @@ export class AuthenticationServiceComponent implements Component {
       this.providers[AuthCodeBindings.JWT_VERIFIER.key] =
         JWTSymmetricVerifierProvider;
     }
+
+    if (this.authConfig?.useIdentityServer) {
+      this.providers[AuthCodeBindings.JWT_SIGNER.key] =
+        JwksJWTAsymmetricSignerProvider;
+      this.providers[AuthCodeBindings.JWT_VERIFIER.key] =
+        JwksJWTAsymmetricVerifierProvider;
+    }
+
     this.providers[AuthServiceBindings.JWTPayloadProvider.key] =
       JwtPayloadProvider;
     this.providers[AuthServiceBindings.ForgotPasswordHandler.key] =
diff --git a/services/authentication-service/src/models/index.ts b/services/authentication-service/src/models/index.ts
index 80fa95edd4..dea77092e2 100644
--- a/services/authentication-service/src/models/index.ts
+++ b/services/authentication-service/src/models/index.ts
@@ -7,6 +7,7 @@ import {AuthClient} from './auth-client.model';
 import {AuthSecureClient} from './auth-secure-client.model';
 import {ForgetPasswordDto} from './forget-password-dto.model';
 import {ForgetPasswordResponseDto} from './forget-password-response-dto.model';
+import {JwtKeys} from './jwt-keys.model';
 import {LocalUserProfileDto} from './local-user-profile';
 import {LoginActivity} from './login-activity.model';
 import {OtpCache} from './otp-cache.model';
@@ -34,6 +35,7 @@ export * from './auth-client.model';
 export * from './auth-secure-client.model';
 export * from './forget-password-dto.model';
 export * from './forget-password-response-dto.model';
+export * from './jwt-keys.model';
 export * from './local-user-profile';
 export * from './login-activity.model';
 export * from './otp-cache.model';
@@ -81,4 +83,5 @@ export const models = [
   LocalUserProfileDto,
   LoginActivity,
   ActiveUsersFilter,
+  JwtKeys,
 ];
diff --git a/services/authentication-service/src/models/jwt-keys.model.ts b/services/authentication-service/src/models/jwt-keys.model.ts
new file mode 100644
index 0000000000..a8c61f0d31
--- /dev/null
+++ b/services/authentication-service/src/models/jwt-keys.model.ts
@@ -0,0 +1,44 @@
+import {Entity, model, property} from '@loopback/repository';
+
+@model({
+  name: 'jwt_keys',
+})
+export class JwtKeys extends Entity {
+  @property({
+    type: 'string',
+    id: true,
+  })
+  id?: string;
+
+  @property({
+    type: 'string',
+    required: true,
+    name: 'key_id',
+  })
+  keyId: string;
+
+  @property({
+    type: 'string',
+    required: true,
+    name: 'public_key',
+  })
+  publicKey: string;
+
+  @property({
+    type: 'string',
+    required: true,
+    name: 'private_key',
+  })
+  privateKey: string;
+
+  @property({
+    type: 'date',
+    default: () => new Date(),
+    name: 'created_on',
+  })
+  createdOn?: Date;
+
+  constructor(data?: Partial<JwtKeys>) {
+    super(data);
+  }
+}
diff --git a/services/authentication-service/src/modules/auth/controllers/apple-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/apple-login.controller.ts
index 6601e7f00c..961eb24766 100644
--- a/services/authentication-service/src/modules/auth/controllers/apple-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/apple-login.controller.ts
@@ -33,7 +33,6 @@ import {authorize} from 'loopback4-authorization';
 import {URLSearchParams} from 'url';
 import {AuthCodeBindings, AuthCodeGeneratorFn} from '../../../providers';
 import {AuthClientRepository} from '../../../repositories';
-import {IdpLoginService} from '../../../services';
 import {AuthUser, ClientAuthRequest, TokenResponse} from '../models';
 
 const queryGen = (from: 'body' | 'query') => {
@@ -51,11 +50,22 @@ export class AppleLoginController {
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
     @inject(AuthCodeBindings.AUTH_CODE_GENERATOR_PROVIDER)
     private readonly getAuthCode: AuthCodeGeneratorFn,
-    @inject('services.IdpLoginService')
-    private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(
+    STRATEGY.APPLE_OAUTH2,
+    {
+      accessType: 'offline',
+      scope: ['name', 'email'],
+      callbackURL: process.env.APPLE_AUTH_CALLBACK_URL,
+      clientID: process.env.APPLE_AUTH_CLIENT_ID,
+      teamID: process.env.APPLE_AUTH_TEAM_ID,
+      keyID: process.env.APPLE_AUTH_KEY_ID,
+      privateKeyLocation: process.env.APPLE_AUTH_PRIVATE_KEY_LOCATION,
+    },
+    queryGen('body'),
+  )
   @authorize({permissions: ['*']})
   @post('/auth/oauth-apple', {
     responses: {
@@ -74,8 +84,8 @@ export class AppleLoginController {
       },
     })
     clientCreds: ClientAuthRequest,
-  ): Promise<void> {
-    return this.idpLoginService.loginViaApple();
+  ): void {
+    //do nothing
   }
 
   @authenticate(
@@ -128,7 +138,8 @@ export class AppleLoginController {
       const token = await this.getAuthCode(client, user);
       const role = user.role;
       response.redirect(
-        `${process.env.WEBAPP_URL ?? ''}${client.redirectUrl
+        `${process.env.WEBAPP_URL ?? ''}${
+          client.redirectUrl
         }?code=${token}&role=${role}`,
       );
     } catch (error) {
diff --git a/services/authentication-service/src/modules/auth/controllers/azure-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/azure-login.controller.ts
index 8432586a99..8b54bb74ec 100644
--- a/services/authentication-service/src/modules/auth/controllers/azure-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/azure-login.controller.ts
@@ -29,7 +29,6 @@ import {
 import {authorize} from 'loopback4-authorization';
 import {AuthCodeBindings, AuthCodeGeneratorFn} from '../../../providers';
 import {AuthClientRepository} from '../../../repositories';
-import {IdpLoginService} from '../../../services';
 import {AuthUser, ClientAuthRequest, TokenResponse} from '../models';
 
 const queryGen = (from: 'body' | 'query') => {
@@ -50,11 +49,44 @@ export class AzureLoginController {
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
     @inject(AuthCodeBindings.AUTH_CODE_GENERATOR_PROVIDER)
     private readonly getAuthCode: AuthCodeGeneratorFn,
-    @inject('services.IdpLoginService')
-    private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(
+    STRATEGY.AZURE_AD,
+    {
+      scope: ['profile', 'email', 'openid', 'offline_access'],
+      identityMetadata: process.env.AZURE_IDENTITY_METADATA,
+      clientID: process.env.AZURE_AUTH_CLIENT_ID,
+      responseType: 'code',
+      responseMode: 'query',
+      redirectUrl: process.env.AZURE_AUTH_REDIRECT_URL,
+      clientSecret: process.env.AZURE_AUTH_CLIENT_SECRET,
+      allowHttpForRedirectUrl: !!+(
+        process.env.AZURE_AUTH_ALLOW_HTTP_REDIRECT ?? 1
+      ),
+      passReqToCallback: !!+(process.env.AZURE_AUTH_PASS_REQ_CALLBACK ?? 0),
+      validateIssuer: !!+(process.env.AZURE_AUTH_VALIDATE_ISSUER ?? 1),
+      useCookieInsteadOfSession: !!+(
+        process.env.AZURE_AUTH_COOKIE_INSTEAD_SESSION ?? 1
+      ),
+      cookieEncryptionKeys: [
+        {
+          key: process.env.AZURE_AUTH_COOKIE_KEY,
+          iv: process.env.AZURE_AUTH_COOKIE_IV,
+        },
+      ],
+      isB2c: !!+(process.env.AZURE_AUTH_B2C_TENANT ?? 0),
+      clockSkew: +(process.env.AZURE_AUTH_CLOCK_SKEW ?? clockSkew),
+      loggingLevel: process.env.AZURE_AUTH_LOG_LEVEL,
+      loggingNoPII: !!+(process.env.AZURE_AUTH_LOG_PII ?? 1),
+      nonceLifetime: +(process.env.AZURE_AUTH_NONCE_TIME ?? nonceTime),
+      nonceMaxAmount: +(process.env.AZURE_AUTH_NONCE_COUNT ?? nonceCount),
+      issuer: process.env.AZURE_AUTH_ISSUER,
+      cookieSameSite: !!+(process.env.AZURE_AUTH_COOKIE_SAME_SITE ?? 0),
+    },
+    queryGen('query'),
+  )
   @authorize({permissions: ['*']})
   @oas.deprecated()
   @get('/auth/azure', {
@@ -76,7 +108,7 @@ export class AzureLoginController {
     @param.query.string('client_secret')
     clientSecret?: string, //NOSONAR
   ): Promise<void> {
-    return this.idpLoginService.loginViaAzure();
+    //do nothing
   }
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
@@ -215,7 +247,8 @@ export class AzureLoginController {
       const token = await this.getAuthCode(client, user);
       const role = user.role;
       response.redirect(
-        `${process.env.WEBAPP_URL ?? ''}${client.redirectUrl
+        `${process.env.WEBAPP_URL ?? ''}${
+          client.redirectUrl
         }?code=${token}&role=${role}`,
       );
     } catch (error) {
diff --git a/services/authentication-service/src/modules/auth/controllers/cognito-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/cognito-login.controller.ts
index 0293d210af..294489aacf 100644
--- a/services/authentication-service/src/modules/auth/controllers/cognito-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/cognito-login.controller.ts
@@ -34,7 +34,6 @@ import {authorize} from 'loopback4-authorization';
 import {URLSearchParams} from 'url';
 import {AuthCodeBindings, AuthCodeGeneratorFn} from '../../../providers';
 import {AuthClientRepository} from '../../../repositories';
-import {IdpLoginService} from '../../../services';
 import {AuthUser, ClientAuthRequest, TokenResponse} from '../models';
 
 const queryGen = (from: 'body' | 'query') => {
@@ -52,11 +51,20 @@ export class CognitoLoginController {
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
     @inject(AuthCodeBindings.AUTH_CODE_GENERATOR_PROVIDER)
     private readonly getAuthCode: AuthCodeGeneratorFn,
-    @inject('services.IdpLoginService')
-    private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(
+    STRATEGY.COGNITO_OAUTH2,
+    {
+      callbackURL: process.env.COGNITO_AUTH_CALLBACK_URL,
+      clientDomain: process.env.COGNITO_AUTH_CLIENT_DOMAIN,
+      clientID: process.env.COGNITO_AUTH_CLIENT_ID,
+      clientSecret: process.env.COGNITO_AUTH_CLIENT_SECRET,
+      region: process.env.COGNITO_AUTH_REGION,
+    },
+    queryGen('query'),
+  )
   @authorize({permissions: ['*']})
   @oas.deprecated()
   @get('/auth/cognito', {
@@ -83,10 +91,21 @@ export class CognitoLoginController {
     @param.query.string('client_secret')
     clientSecret?: string,
   ): Promise<void> {
-    return this.idpLoginService.loginViaCognito();
+    //do nothing
   }
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(
+    STRATEGY.COGNITO_OAUTH2,
+    {
+      callbackURL: process.env.COGNITO_AUTH_CALLBACK_URL,
+      clientDomain: process.env.COGNITO_AUTH_CLIENT_DOMAIN,
+      clientID: process.env.COGNITO_AUTH_CLIENT_ID,
+      clientSecret: process.env.COGNITO_AUTH_CLIENT_SECRET,
+      region: process.env.COGNITO_AUTH_REGION,
+    },
+    queryGen('body'),
+  )
   @authorize({permissions: ['*']})
   @post('/auth/cognito', {
     responses: {
@@ -110,7 +129,7 @@ export class CognitoLoginController {
     })
     clientCreds?: ClientAuthRequest,
   ): Promise<void> {
-    return this.idpLoginService.loginViaCognito();
+    //do nothing
   }
 
   @authenticate(
diff --git a/services/authentication-service/src/modules/auth/controllers/facebook-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/facebook-login.controller.ts
index 305164a412..895c367525 100644
--- a/services/authentication-service/src/modules/auth/controllers/facebook-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/facebook-login.controller.ts
@@ -33,7 +33,6 @@ import {authorize} from 'loopback4-authorization';
 import {URLSearchParams} from 'url';
 import {AuthCodeBindings, AuthCodeGeneratorFn} from '../../../providers';
 import {AuthClientRepository} from '../../../repositories';
-import {IdpLoginService} from '../../../services';
 import {AuthUser, ClientAuthRequest, TokenResponse} from '../models';
 
 const queryGen = (from: 'body' | 'query') => {
@@ -51,11 +50,21 @@ export class FacebookLoginController {
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
     @inject(AuthCodeBindings.AUTH_CODE_GENERATOR_PROVIDER)
     private readonly getAuthCode: AuthCodeGeneratorFn,
-    @inject('services.IdpLoginService')
-    private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(
+    STRATEGY.FACEBOOK_OAUTH2,
+    {
+      accessType: 'offline',
+      authorizationURL: process.env.FACEBOOK_AUTH_URL,
+      callbackURL: process.env.FACEBOOK_AUTH_CALLBACK_URL,
+      clientID: process.env.FACEBOOK_AUTH_CLIENT_ID,
+      clientSecret: process.env.FACEBOOK_AUTH_CLIENT_SECRET,
+      tokenURL: process.env.FACEBOOK_AUTH_TOKEN_URL,
+    },
+    queryGen('body'),
+  )
   @authorize({permissions: ['*']})
   @post('/auth/facebook', {
     responses: {
@@ -79,7 +88,7 @@ export class FacebookLoginController {
     })
     clientCreds?: ClientAuthRequest,
   ): Promise<void> {
-    return this.idpLoginService.loginViaFacebook();
+    //do nothing
   }
 
   @authenticate(
diff --git a/services/authentication-service/src/modules/auth/controllers/google-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/google-login.controller.ts
index cf61a609c0..b681cfb849 100644
--- a/services/authentication-service/src/modules/auth/controllers/google-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/google-login.controller.ts
@@ -34,7 +34,6 @@ import {authorize} from 'loopback4-authorization';
 import {URLSearchParams} from 'url';
 import {AuthCodeBindings, AuthCodeGeneratorFn} from '../../../providers';
 import {AuthClientRepository} from '../../../repositories';
-import {IdpLoginService} from '../../../services';
 import {AuthUser, ClientAuthRequest, TokenResponse} from '../models';
 
 const queryGen = (from: 'body' | 'query') => {
@@ -52,11 +51,22 @@ export class GoogleLoginController {
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
     @inject(AuthCodeBindings.AUTH_CODE_GENERATOR_PROVIDER)
     private readonly getAuthCode: AuthCodeGeneratorFn,
-    @inject('services.IdpLoginService')
-    private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(
+    STRATEGY.GOOGLE_OAUTH2,
+    {
+      accessType: 'offline',
+      scope: ['profile', 'email'],
+      authorizationURL: process.env.GOOGLE_AUTH_URL,
+      callbackURL: process.env.GOOGLE_AUTH_CALLBACK_URL,
+      clientID: process.env.GOOGLE_AUTH_CLIENT_ID,
+      clientSecret: process.env.GOOGLE_AUTH_CLIENT_SECRET,
+      tokenURL: process.env.GOOGLE_AUTH_TOKEN_URL,
+    },
+    queryGen('query'),
+  )
   @authorize({permissions: ['*']})
   @oas.deprecated()
   @get('/auth/google', {
@@ -84,10 +94,23 @@ export class GoogleLoginController {
     @param.query.string('client_secret')
     clientSecret?: string,
   ): Promise<void> {
-    return this.idpLoginService.loginViaGoogle();
+    //do nothing
   }
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(
+    STRATEGY.GOOGLE_OAUTH2,
+    {
+      accessType: 'offline',
+      scope: ['profile', 'email'],
+      authorizationURL: process.env.GOOGLE_AUTH_URL,
+      callbackURL: process.env.GOOGLE_AUTH_CALLBACK_URL,
+      clientID: process.env.GOOGLE_AUTH_CLIENT_ID,
+      clientSecret: process.env.GOOGLE_AUTH_CLIENT_SECRET,
+      tokenURL: process.env.GOOGLE_AUTH_TOKEN_URL,
+    },
+    queryGen('body'),
+  )
   @authorize({permissions: ['*']})
   @post('/auth/google', {
     responses: {
@@ -111,7 +134,7 @@ export class GoogleLoginController {
     })
     clientCreds?: ClientAuthRequest,
   ): Promise<void> {
-    return this.idpLoginService.loginViaGoogle();
+    //do nothing
   }
 
   @authenticate(
diff --git a/services/authentication-service/src/modules/auth/controllers/identity-server.controller.ts b/services/authentication-service/src/modules/auth/controllers/identity-server.controller.ts
index 6c0c3102e2..a53a508df4 100644
--- a/services/authentication-service/src/modules/auth/controllers/identity-server.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/identity-server.controller.ts
@@ -9,116 +9,40 @@ import {
   requestBody,
 } from '@loopback/rest';
 import {
-  AuthenticateErrorKeys,
   CONTENT_TYPE,
   ErrorCodes,
   OPERATION_SECURITY_SPEC,
-  RevokedTokenRepository,
   STATUS_CODE,
   SuccessResponse,
   X_TS_TYPE,
 } from '@sourceloop/core';
 import {
   authenticate,
-  authenticateClient,
   AuthenticationBindings,
   AuthErrorKeys,
   STRATEGY,
 } from 'loopback4-authentication';
 import {authorize} from 'loopback4-authorization';
-import {
-  AuthCodeBindings,
-  AuthServiceBindings,
-  CodeReaderFn,
-  IUserActivity,
-  LoginType,
-  RefreshTokenRepository,
-  RefreshTokenRequest,
-  UserRepository,
-  UserTenantRepository,
-} from '../../..';
+import {JwtKeys} from '../../../models';
+import {JwtKeysRepository} from '../../../repositories';
 import {IdpLoginService} from '../../../services';
 import {
+  AuthRefreshTokenRequest,
   AuthTokenRequest,
   AuthUser,
-  IdpAuthMethod,
-  IdpAuthRequest,
   IdpConfiguration,
   TokenResponse,
 } from '../models';
 
 export class IdentityServerController {
   constructor(
-    @inject(AuthCodeBindings.CODEREADER_PROVIDER)
-    private readonly codeReader: CodeReaderFn,
     @inject('services.IdpLoginService')
     private readonly idpLoginService: IdpLoginService,
     @inject(AuthenticationBindings.CURRENT_USER)
     private readonly user: AuthUser | undefined,
-    @repository(RevokedTokenRepository)
-    private readonly revokedTokens: RevokedTokenRepository,
-    @repository(RefreshTokenRepository)
-    public refreshTokenRepo: RefreshTokenRepository,
-    @repository(UserRepository)
-    public userRepo: UserRepository,
-    @repository(UserTenantRepository)
-    public userTenantRepo: UserTenantRepository,
-    @inject(AuthServiceBindings.MarkUserActivity, {optional: true})
-    private readonly userActivity?: IUserActivity,
-  ) { }
-
-  @authenticateClient(STRATEGY.CLIENT_PASSWORD)
-  @authorize({permissions: ['*']})
-  @post('/connect/auth', {
-    description: 'POST Call for idp login',
-    responses: {
-      [STATUS_CODE.OK]: {
-        description: 'Token Response',
-        content: {
-          [CONTENT_TYPE.JSON]: {
-            schema: {[X_TS_TYPE]: TokenResponse},
-          },
-        },
-      },
-    },
-  })
-  async connectAuth(
-    @requestBody({
-      content: {
-        [CONTENT_TYPE.FORM_URLENCODED]: {
-          schema: getModelSchemaRef(IdpAuthRequest),
-        },
-      },
-    })
-    idpAuthRequest: IdpAuthRequest,
-  ): Promise<void> {
-    switch (idpAuthRequest?.auth_method) {
-      case IdpAuthMethod.COGNITO:
-        await this.idpLoginService.loginViaCognito();
-        break;
-      case IdpAuthMethod.GOOGLE:
-        await this.idpLoginService.loginViaGoogle();
-        break;
-      case IdpAuthMethod.SAML:
-        await this.idpLoginService.loginViaSaml();
-        break;
-      case IdpAuthMethod.FACEBOOK:
-        await this.idpLoginService.loginViaFacebook();
-        break;
-      case IdpAuthMethod.APPLE:
-        await this.idpLoginService.loginViaApple();
-        break;
-      case IdpAuthMethod.AZURE:
-        await this.idpLoginService.loginViaAzure();
-        break;
-      case IdpAuthMethod.INSTAGRAM:
-        await this.idpLoginService.loginViaInstagram();
-        break;
-      case IdpAuthMethod.KEYCLOAK:
-        await this.idpLoginService.loginViaKeycloak();
-        break;
-    }
-  }
+    @repository(JwtKeysRepository)
+    private jwtKeysRepository: JwtKeysRepository,
+  ) {}
 
   @authorize({permissions: ['*']})
   @get('/.well-known/openid-configuration', {
@@ -134,8 +58,8 @@ export class IdentityServerController {
       ...ErrorCodes,
     },
   })
-  async getConfig(): Promise<void> {
-    this.idpLoginService.getOpenIdConfiguration();
+  async getConfig(): Promise<IdpConfiguration> {
+    return this.idpLoginService.getOpenIdConfiguration();
   }
 
   @authorize({permissions: ['*']})
@@ -211,54 +135,44 @@ export class IdentityServerController {
     @requestBody({
       content: {
         [CONTENT_TYPE.JSON]: {
-          schema: getModelSchemaRef(RefreshTokenRequest, {
+          schema: getModelSchemaRef(AuthRefreshTokenRequest, {
             partial: true,
           }),
         },
       },
     })
-    req: RefreshTokenRequest,
+    req: AuthRefreshTokenRequest,
   ): Promise<SuccessResponse> {
-    const token = auth?.replace(/bearer /i, '');
-    if (!token || !req.refreshToken) {
-      throw new HttpErrors.UnprocessableEntity(
-        AuthenticateErrorKeys.TokenMissing,
-      );
-    }
-
-    const refreshTokenModel = await this.refreshTokenRepo.get(req.refreshToken);
-    if (!refreshTokenModel) {
-      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenExpired);
-    }
-    if (refreshTokenModel.accessToken !== token) {
-      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenInvalid);
-    }
-    await this.revokedTokens.set(token, {token});
-    await this.refreshTokenRepo.delete(req.refreshToken);
-    if (refreshTokenModel.pubnubToken) {
-      await this.refreshTokenRepo.delete(refreshTokenModel.pubnubToken);
-    }
-
-    const user = await this.userRepo.findById(refreshTokenModel.userId);
-
-    const userTenant = await this.userTenantRepo.findOne({
-      where: {userId: user.id},
-    });
+    return this.idpLoginService.logoutUser(auth, req);
+  }
 
-    if (this.userActivity?.markUserActivity)
-      this.idpLoginService.markUserActivity(
-        user,
-        userTenant,
-        {
-          ...user,
-          clientId: refreshTokenModel.clientId,
-        },
-        LoginType.LOGOUT,
-      );
-    return new SuccessResponse({
-      success: true,
+  @authorize({permissions: ['*']})
+  @post('/connect/rotate-keys', {
+    description: 'Generate the set of public and private keys',
+    responses: {
+      [STATUS_CODE.OK]: {
+        description: 'JWKS Keys',
+      },
+      ...ErrorCodes,
+    },
+  })
+  async generateKeys(): Promise<void> {
+    return this.idpLoginService.rotateKeys();
+  }
 
-      key: refreshTokenModel.userId,
+  @authorize({permissions: ['*']})
+  @post('/connect/get-keys', {
+    description: 'Get the public keys',
+    responses: {
+      [STATUS_CODE.OK]: {
+        description: 'JWKS Keys',
+      },
+      ...ErrorCodes,
+    },
+  })
+  async getKeys(): Promise<JwtKeys[]> {
+    return this.jwtKeysRepository.find({
+      fields: {publicKey: true, id: true, keyId: true},
     });
   }
 }
diff --git a/services/authentication-service/src/modules/auth/controllers/instagram-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/instagram-login.controller.ts
index a879f3459f..b2adbdbc5f 100644
--- a/services/authentication-service/src/modules/auth/controllers/instagram-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/instagram-login.controller.ts
@@ -33,7 +33,6 @@ import {authorize} from 'loopback4-authorization';
 import {URLSearchParams} from 'url';
 import {AuthCodeBindings, AuthCodeGeneratorFn} from '../../../providers';
 import {AuthClientRepository} from '../../../repositories';
-import {IdpLoginService} from '../../../services';
 import {AuthUser, ClientAuthRequest, TokenResponse} from '../models';
 
 const queryGen = (from: 'body' | 'query') => {
@@ -51,11 +50,21 @@ export class InstagramLoginController {
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
     @inject(AuthCodeBindings.AUTH_CODE_GENERATOR_PROVIDER)
     private readonly getAuthCode: AuthCodeGeneratorFn,
-    @inject('services.IdpLoginService')
-    private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(
+    STRATEGY.INSTAGRAM_OAUTH2,
+    {
+      accessType: 'offline',
+      authorizationURL: process.env.INSTAGRAM_AUTH_URL,
+      callbackURL: process.env.INSTAGRAM_AUTH_CALLBACK_URL,
+      clientID: process.env.INSTAGRAM_AUTH_CLIENT_ID,
+      clientSecret: process.env.INSTAGRAM_AUTH_CLIENT_SECRET,
+      tokenURL: process.env.INSTAGRAM_AUTH_TOKEN_URL,
+    },
+    queryGen('body'),
+  )
   @authorize({permissions: ['*']})
   @post('/auth/instagram', {
     responses: {
@@ -79,7 +88,7 @@ export class InstagramLoginController {
     })
     clientCreds?: ClientAuthRequest,
   ): Promise<void> {
-    return this.idpLoginService.loginViaInstagram();
+    //do nothing
   }
 
   @authenticate(
diff --git a/services/authentication-service/src/modules/auth/controllers/keycloak-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/keycloak-login.controller.ts
index f0a9755dd5..c85378c5b8 100644
--- a/services/authentication-service/src/modules/auth/controllers/keycloak-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/keycloak-login.controller.ts
@@ -34,7 +34,6 @@ import {authorize} from 'loopback4-authorization';
 import {URLSearchParams} from 'url';
 import {AuthCodeBindings, AuthCodeGeneratorFn} from '../../../providers';
 import {AuthClientRepository} from '../../../repositories';
-import {IdpLoginService} from '../../../services';
 import {AuthUser, ClientAuthRequest, TokenResponse} from '../models';
 
 const queryGen = (from: 'body' | 'query') => {
@@ -52,11 +51,25 @@ export class KeycloakLoginController {
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
     @inject(AuthCodeBindings.AUTH_CODE_GENERATOR_PROVIDER)
     private readonly getAuthCode: AuthCodeGeneratorFn,
-    @inject('services.IdpLoginService')
-    private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(
+    STRATEGY.KEYCLOAK,
+    {
+      host: process.env.KEYCLOAK_HOST,
+      realm: process.env.KEYCLOAK_REALM, //'Tenant1',
+      clientID: process.env.KEYCLOAK_CLIENT_ID, //'onboarding',
+      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET,
+      //'e607fd75-adc8-4af7-9f03-c9e79a4b8b72',
+      callbackURL: process.env.KEYCLOAK_CALLBACK_URL,
+      //'http://localhost:3001/auth/keycloak-auth-redirect',
+      authorizationURL: `${process.env.KEYCLOAK_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/auth`,
+      tokenURL: `${process.env.KEYCLOAK_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/token`,
+      userInfoURL: `${process.env.KEYCLOAK_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/userinfo`,
+    },
+    queryGen('body'),
+  )
   @authorize({permissions: ['*']})
   @post('/auth/keycloak', {
     description: 'POST Call for keycloak based login',
@@ -81,10 +94,26 @@ export class KeycloakLoginController {
     })
     clientCreds?: ClientAuthRequest, //NOSONAR
   ): Promise<void> {
-    return this.idpLoginService.loginViaKeycloak();
+    //do nothing
   }
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(
+    STRATEGY.KEYCLOAK,
+    {
+      host: process.env.KEYCLOAK_HOST,
+      realm: process.env.KEYCLOAK_REALM, //'Tenant1',
+      clientID: process.env.KEYCLOAK_CLIENT_ID, //'onboarding',
+      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET,
+      //'e607fd75-adc8-4af7-9f03-c9e79a4b8b72',
+      callbackURL: process.env.KEYCLOAK_CALLBACK_URL,
+      //'http://localhost:3001/auth/keycloak-auth-redirect',
+      authorizationURL: `${process.env.KEYCLOAK_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/auth`,
+      tokenURL: `${process.env.KEYCLOAK_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/token`,
+      userInfoURL: `${process.env.KEYCLOAK_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/userinfo`,
+    },
+    queryGen('query'),
+  )
   @authorize({permissions: ['*']})
   @oas.deprecated()
   @get('/auth/keycloak', {
@@ -107,7 +136,7 @@ export class KeycloakLoginController {
     @param.query.string('client_secret')
     clientSecret?: string, //NOSONAR
   ): Promise<void> {
-    return this.idpLoginService.loginViaKeycloak();
+    //do nothing
   }
 
   @authenticate(
diff --git a/services/authentication-service/src/modules/auth/controllers/logout.controller.ts b/services/authentication-service/src/modules/auth/controllers/logout.controller.ts
index 343932547a..b82373b3ca 100644
--- a/services/authentication-service/src/modules/auth/controllers/logout.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/logout.controller.ts
@@ -26,28 +26,13 @@ import {
   X_TS_TYPE,
 } from '@sourceloop/core';
 import {encode} from 'base-64';
-import crypto from 'crypto';
 import {HttpsProxyAgent} from 'https-proxy-agent';
-import {
-  authenticate,
-  AuthenticationBindings,
-  AuthErrorKeys,
-  STRATEGY,
-} from 'loopback4-authentication';
+import {authenticate, AuthErrorKeys, STRATEGY} from 'loopback4-authentication';
 import {authorize} from 'loopback4-authorization';
 import fetch from 'node-fetch';
 import {URLSearchParams} from 'url';
-import {LoginType} from '../../../enums';
 import {AuthServiceBindings} from '../../../keys';
-import {
-  AuthClient,
-  LoginActivity,
-  RefreshToken,
-  RefreshTokenRequest,
-  User,
-  UserTenant,
-} from '../../../models';
-import {JwtPayloadFn} from '../../../providers';
+import {RefreshTokenRequest} from '../../../models';
 import {
   LoginActivityRepository,
   RefreshTokenRepository,
@@ -55,7 +40,8 @@ import {
   UserRepository,
   UserTenantRepository,
 } from '../../../repositories';
-import {ActorId, IUserActivity} from '../../../types';
+import {IdpLoginService} from '../../../services';
+import {ActorId} from '../../../types';
 
 const proxyUrl = process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;
 
@@ -65,8 +51,6 @@ const getProxyAgent = () => {
   }
   return undefined;
 };
-
-const size = 16;
 const SUCCESS_RESPONSE = 'Success Response';
 const AUTHENTICATE_USER =
   'This is the access token which is required to authenticate user.';
@@ -87,12 +71,8 @@ export class LogoutController {
     public userRepo: UserRepository,
     @repository(UserTenantRepository)
     public userTenantRepo: UserTenantRepository,
-    @inject(AuthServiceBindings.JWTPayloadProvider)
-    private readonly getJwtPayload: JwtPayloadFn,
-    @inject(AuthenticationBindings.CURRENT_CLIENT)
-    private readonly client: AuthClient | undefined,
-    @inject(AuthServiceBindings.MarkUserActivity, {optional: true})
-    private readonly userActivity?: IUserActivity,
+    @inject('services.IdpLoginService')
+    private readonly idpLoginService: IdpLoginService,
   ) {}
 
   @authenticate(STRATEGY.BEARER, {
@@ -130,41 +110,7 @@ export class LogoutController {
     })
     req: RefreshTokenRequest,
   ): Promise<SuccessResponse> {
-    const token = auth?.replace(/bearer /i, '');
-    if (!token || !req.refreshToken) {
-      throw new HttpErrors.UnprocessableEntity(
-        AuthenticateErrorKeys.TokenMissing,
-      );
-    }
-
-    const refreshTokenModel = await this.refreshTokenRepo.get(req.refreshToken);
-    if (!refreshTokenModel) {
-      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenExpired);
-    }
-    if (refreshTokenModel.accessToken !== token) {
-      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenInvalid);
-    }
-    await this.revokedTokens.set(token, {token});
-    await this.refreshTokenRepo.delete(req.refreshToken);
-    if (refreshTokenModel.pubnubToken) {
-      await this.refreshTokenRepo.delete(refreshTokenModel.pubnubToken);
-    }
-
-    //
-
-    const user = await this.userRepo.findById(refreshTokenModel.userId);
-
-    const userTenant = await this.userTenantRepo.findOne({
-      where: {userId: user.id},
-    });
-
-    if (this.userActivity?.markUserActivity)
-      this.markUserActivity(refreshTokenModel, user, userTenant);
-    return new SuccessResponse({
-      success: true,
-
-      key: refreshTokenModel.userId,
-    });
+    return this.idpLoginService.logoutUser(auth, req);
   }
 
   @authenticate(STRATEGY.BEARER, {
@@ -441,80 +387,4 @@ export class LogoutController {
       key: refreshTokenModel.userId,
     });
   }
-
-  private markUserActivity(
-    refreshTokenModel: RefreshToken,
-    user: User,
-    userTenant: UserTenant | null,
-  ) {
-    const encryptionKey = process.env.ENCRYPTION_KEY;
-
-    if (encryptionKey) {
-      const iv = crypto.randomBytes(size);
-
-      /* encryption of IP Address */
-      const cipherIp = crypto.createCipheriv('aes-256-gcm', encryptionKey, iv);
-      const ip =
-        this.ctx.request.headers['x-forwarded-for']?.toString() ??
-        this.ctx.request.socket.remoteAddress?.toString() ??
-        '';
-      const encyptIp = Buffer.concat([
-        cipherIp.update(ip, 'utf8'),
-        cipherIp.final(),
-      ]);
-      const authTagIp = cipherIp.getAuthTag();
-      const ipAddress = JSON.stringify({
-        iv: iv.toString('hex'),
-        encryptedData: encyptIp.toString('hex'),
-        authTag: authTagIp.toString('hex'),
-      });
-
-      /* encryption of Paylolad Address */
-
-      const cipherPayload = crypto.createCipheriv(
-        'aes-256-gcm',
-        encryptionKey,
-        iv,
-      );
-      const activityPayload = JSON.stringify({
-        ...user,
-        clientId: refreshTokenModel.clientId,
-      });
-      const encyptPayload = Buffer.concat([
-        cipherPayload.update(activityPayload, 'utf8'),
-        cipherPayload.final(),
-      ]);
-      const authTagPayload = cipherIp.getAuthTag();
-      const tokenPayload = JSON.stringify({
-        iv: iv.toString('hex'),
-        encryptedData: encyptPayload.toString('hex'),
-        authTag: authTagPayload.toString('hex'),
-      });
-      let actor: string, tenantId;
-      if (userTenant) {
-        actor = userTenant[this.actorKey]?.toString() ?? '0';
-        tenantId = userTenant.tenantId;
-      } else {
-        actor = user['id']?.toString() ?? '0';
-        tenantId = user.defaultTenantId ?? '0';
-      }
-
-      const loginActivity = new LoginActivity({
-        actor,
-        tenantId,
-        loginTime: new Date(),
-        tokenPayload,
-        deviceInfo: this.ctx.request.headers['user-agent']?.toString(),
-        loginType: LoginType.LOGOUT,
-        ipAddress,
-      });
-      this.loginActivityRepo.create(loginActivity).catch(() => {
-        this.logger.error(
-          `Failed to add the login activity => ${JSON.stringify(
-            loginActivity,
-          )}`,
-        );
-      });
-    }
-  }
 }
diff --git a/services/authentication-service/src/modules/auth/controllers/saml-login.controller.ts b/services/authentication-service/src/modules/auth/controllers/saml-login.controller.ts
index dfc4a33cbf..4b2390d2db 100644
--- a/services/authentication-service/src/modules/auth/controllers/saml-login.controller.ts
+++ b/services/authentication-service/src/modules/auth/controllers/saml-login.controller.ts
@@ -27,7 +27,6 @@ import {
 import {authorize} from 'loopback4-authorization';
 import {AuthCodeBindings, AuthCodeGeneratorFn} from '../../../providers';
 import {AuthClientRepository} from '../../../repositories';
-import {IdpLoginService} from '../../../services';
 import {AuthUser, ClientAuthRequest, TokenResponse} from '../models';
 
 export class SamlLoginController {
@@ -38,11 +37,23 @@ export class SamlLoginController {
     public logger: ILogger,
     @inject(AuthCodeBindings.AUTH_CODE_GENERATOR_PROVIDER)
     private readonly getAuthCode: AuthCodeGeneratorFn,
-    @inject('services.IdpLoginService')
-    private readonly idpLoginService: IdpLoginService,
-  ) { }
+  ) {}
 
   @authenticateClient(STRATEGY.CLIENT_PASSWORD)
+  @authenticate(STRATEGY.SAML, {
+    accessType: 'offline',
+    scope: ['profile', 'email'],
+    callbackURL: process.env.SAML_CALLBACK_URL,
+    issuer: process.env.SAML_ISSUER,
+    cert: process.env.SAML_CERT,
+    entryPoint: process.env.SAML_ENTRY_POINT,
+    audience: process.env.SAML_AUDIENCE,
+    logoutUrl: process.env.SAML_LOGOUT_URL,
+    passReqToCallback: !!+(process.env.SAML_AUTH_PASS_REQ_CALLBACK ?? 0),
+    validateInResponseTo: !!+(process.env.VALIDATE_RESPONSE ?? 1),
+    idpIssuer: process.env.IDP_ISSUER,
+    logoutCallbackUrl: process.env.SAML_LOGOUT_CALLBACK_URL,
+  })
   @authorize({permissions: ['*']})
   @post('/auth/saml', {
     description: 'POST Call for saml based login',
@@ -67,7 +78,7 @@ export class SamlLoginController {
     })
     clientCreds?: ClientAuthRequest, //NOSONAR
   ): Promise<void> {
-    return this.idpLoginService.loginViaSaml();
+    //do nothing
   }
 
   @authenticate(STRATEGY.SAML, {
diff --git a/services/authentication-service/src/modules/auth/models/idp-auth-request.dto.ts b/services/authentication-service/src/modules/auth/models/idp-auth-request.dto.ts
deleted file mode 100644
index 7d06733c11..0000000000
--- a/services/authentication-service/src/modules/auth/models/idp-auth-request.dto.ts
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright (c) 2023 Sourcefuse Technologies
-//
-// This software is released under the MIT License.
-// https://opensource.org/licenses/MIT
-/* eslint-disable @typescript-eslint/naming-convention */
-
-import {model, property} from '@loopback/repository';
-import {CoreModel} from '@sourceloop/core';
-import {IdpAuthMethod} from './idp-auth.method';
-import {ModelPropertyDescriptionString} from './model-property-description.enum';
-
-@model({
-  description: 'This is signature for idp authentication request.',
-})
-export class IdpAuthRequest extends CoreModel<IdpAuthRequest> {
-  @property({
-    type: 'string',
-    description: ModelPropertyDescriptionString.reqStrPropDesc,
-    required: true,
-  })
-  client_id: string; //NOSONAR
-
-  @property({
-    type: 'string',
-    description: ModelPropertyDescriptionString.reqStrPropDesc,
-    required: true,
-  })
-  client_secret: string; //NOSONAR
-
-  @property({
-    type: 'string',
-    description: ModelPropertyDescriptionString.reqStrPropDesc,
-    required: true,
-  })
-  auth_method: IdpAuthMethod; //NOSONAR
-}
diff --git a/services/authentication-service/src/modules/auth/models/idp-auth.method.ts b/services/authentication-service/src/modules/auth/models/idp-auth.method.ts
deleted file mode 100644
index f7b1cc30ba..0000000000
--- a/services/authentication-service/src/modules/auth/models/idp-auth.method.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-export enum IdpAuthMethod {
-  COGNITO = 'COGNITO',
-  GOOGLE = 'GOOGLE',
-  SAML = 'SAML',
-  FACEBOOK = 'FACEBOOK',
-  APPLE = 'APPLE',
-  AZURE = 'AZURE',
-  INSTAGRAM = 'INSTAGRAM',
-  KEYCLOAK = 'KEYCLOAK',
-}
diff --git a/services/authentication-service/src/modules/auth/models/index.ts b/services/authentication-service/src/modules/auth/models/index.ts
index ba78819a36..fc587424eb 100644
--- a/services/authentication-service/src/modules/auth/models/index.ts
+++ b/services/authentication-service/src/modules/auth/models/index.ts
@@ -2,8 +2,6 @@ export * from './auth-refresh-token-request.dto';
 export * from './auth-token-request.dto';
 export * from './auth-user.model';
 export * from './client-auth-request.dto';
-export * from './idp-auth-request.dto';
-export * from './idp-auth.method';
 export * from './idp-configuration.dto';
 export * from './login-request.dto';
 export * from './model-property-description.enum';
diff --git a/services/authentication-service/src/providers/index.ts b/services/authentication-service/src/providers/index.ts
index 01dca82f0e..eab3388eda 100644
--- a/services/authentication-service/src/providers/index.ts
+++ b/services/authentication-service/src/providers/index.ts
@@ -30,6 +30,8 @@ export * from './google-pre-verify.provider';
 export * from './instagram-oauth2-signup.provider';
 export * from './instagram-post-verify.provider';
 export * from './instagram-pre-verify.provider';
+export * from './jwks-jwt-asymmertric-signer.provider';
+export * from './jwks-jwt-asymmetric-verifier.provider';
 export * from './jwt-asymmetric-signer.provider';
 export * from './jwt-asymmetric-verifier.provider';
 export * from './jwt-payload.provider';
diff --git a/services/authentication-service/src/providers/jwks-jwt-asymmertric-signer.provider.ts b/services/authentication-service/src/providers/jwks-jwt-asymmertric-signer.provider.ts
new file mode 100644
index 0000000000..a698c1b0c8
--- /dev/null
+++ b/services/authentication-service/src/providers/jwks-jwt-asymmertric-signer.provider.ts
@@ -0,0 +1,49 @@
+// Copyright (c) 2023 Sourcefuse Technologies
+//
+// This software is released under the MIT License.
+// https://opensource.org/licenses/MIT
+import {Provider} from '@loopback/core';
+import {repository} from '@loopback/repository';
+import {HttpErrors} from '@loopback/rest';
+import * as jwt from 'jsonwebtoken';
+import {JwtKeysRepository} from '../repositories';
+import {JWTSignerFn} from './types';
+
+export class JwksJWTAsymmetricSignerProvider<T extends string | object | Buffer>
+  implements Provider<JWTSignerFn<T>>
+{
+  constructor(
+    @repository(JwtKeysRepository)
+    public jwtKeysRepo: JwtKeysRepository,
+  ) {}
+
+  value(): JWTSignerFn<T> {
+    return async (data: T, options: jwt.SignOptions) => {
+      // Load private keys
+      const privateKeys = await this.jwtKeysRepo.find({
+        order: ['createdOn DESC'],
+      });
+
+      if (!privateKeys.length) {
+        throw new HttpErrors.InternalServerError('No keys found');
+      }
+
+      // Use the latest private key (assuming it's the last one added)
+      const privateKey = privateKeys[0];
+
+      const accessToken = jwt.sign(
+        data,
+        {
+          key: privateKey.privateKey,
+          passphrase: process.env.JWT_PRIVATE_KEY_PASSPHRASE,
+        },
+        {
+          ...options,
+          algorithm: 'RS256',
+          keyid: privateKey.keyId,
+        },
+      );
+      return accessToken;
+    };
+  }
+}
diff --git a/services/authentication-service/src/providers/jwks-jwt-asymmetric-verifier.provider.ts b/services/authentication-service/src/providers/jwks-jwt-asymmetric-verifier.provider.ts
new file mode 100644
index 0000000000..fec55ad583
--- /dev/null
+++ b/services/authentication-service/src/providers/jwks-jwt-asymmetric-verifier.provider.ts
@@ -0,0 +1,46 @@
+// Copyright (c) 2023 Sourcefuse Technologies
+//
+// This software is released under the MIT License.
+// https://opensource.org/licenses/MIT
+import {Provider} from '@loopback/core';
+import {repository} from '@loopback/repository';
+import * as jwt from 'jsonwebtoken';
+import * as jose from 'node-jose';
+import {JwtKeysRepository} from '../repositories';
+import {JWTVerifierFn} from './types';
+
+export class JwksJWTAsymmetricVerifierProvider<T>
+  implements Provider<JWTVerifierFn<T>>
+{
+  constructor(
+    @repository(JwtKeysRepository)
+    public jwtKeysRepo: JwtKeysRepository,
+  ) {}
+  value(): JWTVerifierFn<T> {
+    return async (token: string, options: jwt.VerifyOptions) => {
+      // Get the key that matches the token's kid
+      const decoded = jwt.decode(token, {complete: true});
+      const kid = decoded?.header.kid;
+
+      // Load the JWKS
+      const key = await this.jwtKeysRepo.findOne({
+        where: {
+          keyId: kid,
+        },
+      });
+
+      if (!key) {
+        throw new Error('Key not found for verification');
+      }
+
+      // Convert the JWK to PEM format for verification
+      const jwkKey = await jose.JWK.asKey(key.publicKey, 'pem');
+      const pem = jwkKey.toPEM(false);
+
+      // Verify the token with the retrieved PEM-formatted public key
+      const payload = jwt.verify(token, pem, options) as T;
+
+      return payload;
+    };
+  }
+}
diff --git a/services/authentication-service/src/repositories/index.ts b/services/authentication-service/src/repositories/index.ts
index 1260da1ab7..a0f641de04 100644
--- a/services/authentication-service/src/repositories/index.ts
+++ b/services/authentication-service/src/repositories/index.ts
@@ -4,6 +4,7 @@
 // https://opensource.org/licenses/MIT
 import {AuthClientRepository} from './auth-client.repository';
 import {AuthSecureClientRepository} from './auth-secure-client.repository';
+import {JwtKeysRepository} from './jwt-keys.repository';
 import {LoginActivityRepository} from './login-activity.repository';
 import {OtpCacheRepository} from './otp-cache.repository';
 import {OtpRepository} from './otp.repository';
@@ -20,6 +21,7 @@ import {UserRepository} from './user.repository';
 
 export * from './auth-client.repository';
 export * from './auth-secure-client.repository';
+export * from './jwt-keys.repository';
 export * from './login-activity.repository';
 export * from './otp-cache.repository';
 export * from './otp.repository';
@@ -50,4 +52,5 @@ export const repositories = [
   TenantRepository,
   UserLevelResourceRepository,
   LoginActivityRepository,
+  JwtKeysRepository,
 ];
diff --git a/services/authentication-service/src/repositories/jwt-keys.repository.ts b/services/authentication-service/src/repositories/jwt-keys.repository.ts
new file mode 100644
index 0000000000..d811e76a32
--- /dev/null
+++ b/services/authentication-service/src/repositories/jwt-keys.repository.ts
@@ -0,0 +1,16 @@
+import {inject} from '@loopback/core';
+import {DefaultCrudRepository, juggler} from '@loopback/repository';
+import {JwtKeys} from '../models';
+import {AuthDbSourceName} from '../types';
+
+export class JwtKeysRepository extends DefaultCrudRepository<
+  JwtKeys,
+  typeof JwtKeys.prototype.id
+> {
+  constructor(
+    @inject(`datasources.${AuthDbSourceName}`)
+    dataSource: juggler.DataSource,
+  ) {
+    super(JwtKeys, dataSource);
+  }
+}
diff --git a/services/authentication-service/src/repositories/sequelize/index.ts b/services/authentication-service/src/repositories/sequelize/index.ts
index 4d7d36a168..9441b49a32 100644
--- a/services/authentication-service/src/repositories/sequelize/index.ts
+++ b/services/authentication-service/src/repositories/sequelize/index.ts
@@ -8,6 +8,7 @@ import {RefreshTokenRepository} from '../refresh-token.repository';
 import {RevokedTokenRepository} from '../revoked-token.repository';
 import {AuthClientRepository} from './auth-client.repository';
 import {AuthSecureClientRepository} from './auth-secure-client.repository';
+import {JwtKeysRepository} from './jwt-keys.repository';
 import {LoginActivityRepository} from './login-activity.repository';
 import {RoleRepository} from './role.repository';
 import {TenantConfigRepository} from './tenant-config.repository';
@@ -18,6 +19,7 @@ import {UserLevelResourceRepository} from './user-level-resource.repository';
 import {UserTenantRepository} from './user-tenant.repository';
 import {UserRepository} from './user.repository';
 
+export * from '../jwt-keys.repository';
 export * from '../otp-cache.repository';
 export * from '../otp.repository';
 export * from '../refresh-token.repository';
@@ -50,4 +52,5 @@ export const repositories = [
   TenantRepository,
   UserLevelResourceRepository,
   LoginActivityRepository,
+  JwtKeysRepository,
 ];
diff --git a/services/authentication-service/src/repositories/sequelize/jwt-keys.repository.ts b/services/authentication-service/src/repositories/sequelize/jwt-keys.repository.ts
new file mode 100644
index 0000000000..a24a4ba39c
--- /dev/null
+++ b/services/authentication-service/src/repositories/sequelize/jwt-keys.repository.ts
@@ -0,0 +1,19 @@
+import {inject} from '@loopback/core';
+import {
+  SequelizeCrudRepository,
+  SequelizeDataSource,
+} from '@loopback/sequelize';
+import {JwtKeys} from '../../models';
+import {AuthDbSourceName} from '../../types';
+
+export class JwtKeysRepository extends SequelizeCrudRepository<
+  JwtKeys,
+  typeof JwtKeys.prototype.id
+> {
+  constructor(
+    @inject(`datasources.${AuthDbSourceName}`)
+    dataSource: SequelizeDataSource,
+  ) {
+    super(JwtKeys, dataSource);
+  }
+}
diff --git a/services/authentication-service/src/services/idp-login.service.ts b/services/authentication-service/src/services/idp-login.service.ts
index ea40a5af5b..be966c0d57 100644
--- a/services/authentication-service/src/services/idp-login.service.ts
+++ b/services/authentication-service/src/services/idp-login.service.ts
@@ -1,18 +1,25 @@
 import {BindingScope, inject, injectable} from '@loopback/core';
 import {AnyObject, repository} from '@loopback/repository';
 import {HttpErrors, RequestContext} from '@loopback/rest';
-import {AuthenticateErrorKeys, ILogger, LOGGER} from '@sourceloop/core';
-import crypto from 'crypto';
 import {
-  authenticate,
-  AuthErrorKeys,
-  ClientAuthCode,
-  STRATEGY,
-} from 'loopback4-authentication';
+  AuthenticateErrorKeys,
+  ILogger,
+  LOGGER,
+  SuccessResponse,
+} from '@sourceloop/core';
+import crypto, {generateKeyPairSync} from 'crypto';
+import {AuthErrorKeys, ClientAuthCode} from 'loopback4-authentication';
 import moment from 'moment';
+import * as jose from 'node-jose';
 import {LoginType} from '../enums';
 import {AuthServiceBindings} from '../keys';
-import {AuthClient, LoginActivity, User, UserTenant} from '../models';
+import {
+  AuthClient,
+  LoginActivity,
+  RefreshTokenRequest,
+  User,
+  UserTenant,
+} from '../models';
 import {
   AuthTokenRequest,
   AuthUser,
@@ -20,14 +27,15 @@ import {
   TokenResponse,
 } from '../modules/auth';
 import {
-  AuthCodeBindings,
   CodeReaderFn,
   JwtPayloadFn,
   JWTSignerFn,
   JWTVerifierFn,
 } from '../providers';
+import {AuthCodeBindings} from '../providers/keys';
 import {
   AuthClientRepository,
+  JwtKeysRepository,
   LoginActivityRepository,
   RefreshTokenRepository,
   RevokedTokenRepository,
@@ -39,6 +47,7 @@ import {ActorId, ExternalTokens, IUserActivity} from '../types';
 const clockSkew = 300;
 const nonceTime = 3600;
 const nonceCount = 10;
+const auth0Scope = 'openid email profile';
 
 @injectable({scope: BindingScope.TRANSIENT})
 export class IdpLoginService {
@@ -51,6 +60,8 @@ export class IdpLoginService {
     public userTenantRepo: UserTenantRepository,
     @repository(RefreshTokenRepository)
     public refreshTokenRepo: RefreshTokenRepository,
+    @repository(JwtKeysRepository)
+    public jwtKeysRepo: JwtKeysRepository,
     @repository(RevokedTokenRepository)
     public revokedTokensRepo: RevokedTokenRepository,
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
@@ -69,151 +80,30 @@ export class IdpLoginService {
     private readonly getJwtPayload: JwtPayloadFn,
     @inject(AuthServiceBindings.MarkUserActivity, {optional: true})
     private readonly userActivity?: IUserActivity,
-  ) { }
-
-  @authenticate(STRATEGY.COGNITO_OAUTH2, {
-    callbackURL: process.env.COGNITO_AUTH_CALLBACK_URL,
-    clientDomain: process.env.COGNITO_AUTH_CLIENT_DOMAIN,
-    clientID: process.env.COGNITO_AUTH_CLIENT_ID,
-    clientSecret: process.env.COGNITO_AUTH_CLIENT_SECRET,
-    region: process.env.COGNITO_AUTH_REGION,
-  })
-  async loginViaCognito(): Promise<void> {
-    // do nothing
-  }
-
-  @authenticate(STRATEGY.GOOGLE_OAUTH2, {
-    accessType: 'offline',
-    scope: ['profile', 'email'],
-    authorizationURL: process.env.GOOGLE_AUTH_URL,
-    callbackURL: process.env.GOOGLE_AUTH_CALLBACK_URL,
-    clientID: process.env.GOOGLE_AUTH_CLIENT_ID,
-    clientSecret: process.env.GOOGLE_AUTH_CLIENT_SECRET,
-    tokenURL: process.env.GOOGLE_AUTH_TOKEN_URL,
-  })
-  async loginViaGoogle(): Promise<void> {
-    // do nothing
-  }
-
-  @authenticate(STRATEGY.SAML, {
-    accessType: 'offline',
-    scope: ['profile', 'email'],
-    callbackURL: process.env.SAML_CALLBACK_URL,
-    issuer: process.env.SAML_ISSUER,
-    cert: process.env.SAML_CERT,
-    entryPoint: process.env.SAML_ENTRY_POINT,
-    audience: process.env.SAML_AUDIENCE,
-    logoutUrl: process.env.SAML_LOGOUT_URL,
-    passReqToCallback: !!+(process.env.SAML_AUTH_PASS_REQ_CALLBACK ?? 0),
-    validateInResponseTo: !!+(process.env.VALIDATE_RESPONSE ?? 1),
-    idpIssuer: process.env.IDP_ISSUER,
-    logoutCallbackUrl: process.env.SAML_LOGOUT_CALLBACK_URL,
-  })
-  async loginViaSaml(): Promise<void> {
-    // do nothing
-  }
-
-  @authenticate(STRATEGY.FACEBOOK_OAUTH2, {
-    accessType: 'offline',
-    authorizationURL: process.env.FACEBOOK_AUTH_URL,
-    callbackURL: process.env.FACEBOOK_AUTH_CALLBACK_URL,
-    clientID: process.env.FACEBOOK_AUTH_CLIENT_ID,
-    clientSecret: process.env.FACEBOOK_AUTH_CLIENT_SECRET,
-    tokenURL: process.env.FACEBOOK_AUTH_TOKEN_URL,
-  })
-  async loginViaFacebook(): Promise<void> {
-    // do nothing
-  }
-
-  @authenticate(STRATEGY.APPLE_OAUTH2, {
-    accessType: 'offline',
-    scope: ['name', 'email'],
-    callbackURL: process.env.APPLE_AUTH_CALLBACK_URL,
-    clientID: process.env.APPLE_AUTH_CLIENT_ID,
-    teamID: process.env.APPLE_AUTH_TEAM_ID,
-    keyID: process.env.APPLE_AUTH_KEY_ID,
-    privateKeyLocation: process.env.APPLE_AUTH_PRIVATE_KEY_LOCATION,
-  })
-  async loginViaApple(): Promise<void> {
-    // do nothing
-  }
-
-  @authenticate(STRATEGY.AZURE_AD, {
-    scope: ['profile', 'email', 'openid', 'offline_access'],
-    identityMetadata: process.env.AZURE_IDENTITY_METADATA,
-    clientID: process.env.AZURE_AUTH_CLIENT_ID,
-    responseType: 'code',
-    responseMode: 'query',
-    redirectUrl: process.env.AZURE_AUTH_REDIRECT_URL,
-    clientSecret: process.env.AZURE_AUTH_CLIENT_SECRET,
-    allowHttpForRedirectUrl: !!+(
-      process.env.AZURE_AUTH_ALLOW_HTTP_REDIRECT ?? 1
-    ),
-    passReqToCallback: !!+(process.env.AZURE_AUTH_PASS_REQ_CALLBACK ?? 0),
-    validateIssuer: !!+(process.env.AZURE_AUTH_VALIDATE_ISSUER ?? 1),
-    useCookieInsteadOfSession: !!+(
-      process.env.AZURE_AUTH_COOKIE_INSTEAD_SESSION ?? 1
-    ),
-    cookieEncryptionKeys: [
-      {
-        key: process.env.AZURE_AUTH_COOKIE_KEY,
-        iv: process.env.AZURE_AUTH_COOKIE_IV,
-      },
-    ],
-    isB2c: !!+(process.env.AZURE_AUTH_B2C_TENANT ?? 0),
-    clockSkew: +(process.env.AZURE_AUTH_CLOCK_SKEW ?? clockSkew),
-    loggingLevel: process.env.AZURE_AUTH_LOG_LEVEL,
-    loggingNoPII: !!+(process.env.AZURE_AUTH_LOG_PII ?? 1),
-    nonceLifetime: +(process.env.AZURE_AUTH_NONCE_TIME ?? nonceTime),
-    nonceMaxAmount: +(process.env.AZURE_AUTH_NONCE_COUNT ?? nonceCount),
-    issuer: process.env.AZURE_AUTH_ISSUER,
-    cookieSameSite: !!+(process.env.AZURE_AUTH_COOKIE_SAME_SITE ?? 0),
-  })
-  async loginViaAzure(): Promise<void> {
-    // do nothing
-  }
-
-  @authenticate(STRATEGY.INSTAGRAM_OAUTH2, {
-    accessType: 'offline',
-    authorizationURL: process.env.INSTAGRAM_AUTH_URL,
-    callbackURL: process.env.INSTAGRAM_AUTH_CALLBACK_URL,
-    clientID: process.env.INSTAGRAM_AUTH_CLIENT_ID,
-    clientSecret: process.env.INSTAGRAM_AUTH_CLIENT_SECRET,
-    tokenURL: process.env.INSTAGRAM_AUTH_TOKEN_URL,
-  })
-  async loginViaInstagram(): Promise<void> {
-    // do nothing
-  }
-
-  @authenticate(STRATEGY.KEYCLOAK, {
-    host: process.env.KEYCLOAK_HOST,
-    realm: process.env.KEYCLOAK_REALM,
-    clientID: process.env.KEYCLOAK_CLIENT_ID,
-    clientSecret: process.env.KEYCLOAK_CLIENT_SECRET,
-    callbackURL: process.env.KEYCLOAK_CALLBACK_URL,
-    authorizationURL: `${process.env.KEYCLOAK_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/auth`,
-    tokenURL: `${process.env.KEYCLOAK_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/token`,
-    userInfoURL: `${process.env.KEYCLOAK_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/userinfo`,
-  })
-  async loginViaKeycloak(): Promise<void> {
-    // do nothing
-  }
+  ) {}
 
   /**
    * The function `getOpenIdConfiguration` returns an IdpConfiguration object with specific properties
    * set based on environment variables.
    * @returns An IdpConfiguration object with the specified properties and values is being returned.
    */
-  getOpenIdConfiguration() {
+  async getOpenIdConfiguration() {
+    await this.generateJWKS();
+
     const config = new IdpConfiguration();
-    config.issuer = '';
+    config.issuer = `${process.env.API_BASE_URL}`;
     config.authorization_endpoint = `${process.env.API_BASE_URL}/connect/auth`;
     config.token_endpoint = `${process.env.API_BASE_URL}/connect/token`;
-    config.jwks_uri = '';
+    config.jwks_uri = `${process.env.API_BASE_URL}/connect/get-keys`;
     config.end_session_endpoint = `${process.env.API_BASE_URL}/connect/endsession`;
-    config.response_types_supported = ['code'];
+    config.response_types_supported = ['code', 'id_token', 'token'];
     config.scopes_supported = ['openid', 'email', 'phone', 'profile'];
-    config.id_token_signing_alg_values_supported = ['RS256'];
+    config.id_token_signing_alg_values_supported = [
+      'RS256',
+      'HS256',
+      'RS384',
+      'RS512',
+    ];
     config.token_endpoint_auth_methods_supported = [
       'client_secret_basic',
       'client_secret_post',
@@ -484,4 +374,150 @@ export class IdpLoginService {
       });
     }
   }
+
+  /**
+   * The `logoutUser` function in TypeScript handles the logout process for a user
+   * by revoking tokens and deleting refresh tokens.
+   * @param {string} auth - The `auth` parameter in the `logoutUser` function is a
+   * string that represents the authentication token. It is used to identify and
+   * authenticate the user who is attempting to log out. The function extracts the
+   * token from the `auth` parameter and performs various checks and operations
+   * related to user logout based on
+   * @param {RefreshTokenRequest} req - The `req` parameter in the `logoutUser`
+   * function is of type `RefreshTokenRequest`. It likely contains information
+   * related to the refresh token that is used to identify and authenticate the
+   * user during the logout process. This parameter may include properties such as
+   * `refreshToken`, which is essential for revoking
+   * @returns The `logoutUser` function returns a `Promise` that resolves to a
+   * `SuccessResponse` object with a `success` property set to `true` and a `key`
+   * property set to `refreshTokenModel.userId`.
+   */
+  async logoutUser(
+    auth: string,
+    req: RefreshTokenRequest,
+  ): Promise<SuccessResponse> {
+    const token = auth?.replace(/bearer /i, '');
+    if (!token || !req.refreshToken) {
+      throw new HttpErrors.UnprocessableEntity(
+        AuthenticateErrorKeys.TokenMissing,
+      );
+    }
+
+    const refreshTokenModel = await this.refreshTokenRepo.get(req.refreshToken);
+    if (!refreshTokenModel) {
+      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenExpired);
+    }
+    if (refreshTokenModel.accessToken !== token) {
+      throw new HttpErrors.Unauthorized(AuthErrorKeys.TokenInvalid);
+    }
+    await this.revokedTokensRepo.set(token, {token});
+    await this.refreshTokenRepo.delete(req.refreshToken);
+    if (refreshTokenModel.pubnubToken) {
+      await this.refreshTokenRepo.delete(refreshTokenModel.pubnubToken);
+    }
+
+    const user = await this.userRepo.findById(refreshTokenModel.userId);
+
+    const userTenant = await this.userTenantRepo.findOne({
+      where: {userId: user.id},
+    });
+
+    if (this.userActivity?.markUserActivity)
+      this.markUserActivity(
+        user,
+        userTenant,
+        {
+          ...user,
+          clientId: refreshTokenModel.clientId,
+        },
+        LoginType.LOGOUT,
+      );
+    return new SuccessResponse({
+      success: true,
+
+      key: refreshTokenModel.userId,
+    });
+  }
+
+  /**
+   * The function generates a JSON Web Key Set (JWKS) containing a RSA public key and saves it to a
+   * file.
+   */
+  async generateJWKS(): Promise<void> {
+    // Generate the RSA key pair
+    const {publicKey, privateKey} = generateKeyPairSync('rsa', {
+      modulusLength: 2048,
+      publicKeyEncoding: {
+        type: 'spki',
+        format: 'pem',
+      },
+      privateKeyEncoding: {
+        type: 'pkcs8',
+        format: 'pem',
+        cipher: 'aes-256-cbc',
+        passphrase: process.env.JWT_PRIVATE_KEY_PASSPHRASE,
+      },
+    });
+
+    // Create the JWKS object
+    const keyStore = jose.JWK.createKeyStore();
+    const key = await keyStore.add(publicKey, 'pem');
+
+    // Save public and private keys to the database using JwtKeysRepository
+    await this.jwtKeysRepo.create({
+      keyId: key.kid, // Unique identifier for the key
+      publicKey: publicKey,
+      privateKey: privateKey,
+    });
+
+    console.log('JWKS has been generated and saved to the database');
+  }
+
+  /**
+   * The function rotates the RSA keys used for signing JWT tokens. It generates a new key pair,
+   * adds the public key to the JWKS, and saves the private key to a file.
+   */
+  async rotateKeys(): Promise<void> {
+    // Generate a new RSA key pair
+    const {publicKey, privateKey} = generateKeyPairSync('rsa', {
+      modulusLength: 2048,
+      publicKeyEncoding: {
+        type: 'spki',
+        format: 'pem',
+      },
+      privateKeyEncoding: {
+        type: 'pkcs8',
+        format: 'pem',
+        cipher: 'aes-256-cbc',
+        passphrase: process.env.JWT_PRIVATE_KEY_PASSPHRASE,
+      },
+    });
+
+    // Create a new KeyStore and add the public key
+    const keyStore = jose.JWK.createKeyStore();
+    const newKey = await keyStore.add(publicKey, 'pem');
+    const newKid = `key-${Date.now()}`;
+    newKey.kid = newKid;
+
+    // Fetch existing keys from the database
+    const existingKeys = await this.jwtKeysRepo.find({
+      order: ['createdOn ASC'],
+    });
+
+    // Rotate keys: remove the oldest key if max limit is exceeded
+    const maxKeys = +(process.env.MAX_JWT_KEYS || 2);
+    if (existingKeys.length >= maxKeys) {
+      const oldestKey = existingKeys[0];
+      await this.jwtKeysRepo.deleteById(oldestKey.id);
+    }
+
+    // Save the new public and private keys to the repository
+    await this.jwtKeysRepo.create({
+      keyId: newKid,
+      publicKey: publicKey,
+      privateKey: privateKey,
+    });
+
+    console.log('Keys have been rotated and saved to the database.');
+  }
 }
diff --git a/services/authentication-service/src/types.ts b/services/authentication-service/src/types.ts
index 2236374577..bd440315de 100644
--- a/services/authentication-service/src/types.ts
+++ b/services/authentication-service/src/types.ts
@@ -14,6 +14,7 @@ import {AuthRefreshTokenRequest} from './modules/auth';
 // sonarignore:start
 export interface IAuthServiceConfig extends IServiceConfig {
   useSymmetricEncryption?: boolean;
+  useIdentityServer?: boolean;
 }
 // sonarignore:end