diff --git a/compose.yaml b/compose.yaml
index cd16468ff..ce2e6c2e5 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -46,7 +46,8 @@ services:
 PHOTOPRISM_REGISTER_URI: "https://keycloak.localssl.dev/admin/"
 PHOTOPRISM_PASSWORD_RESET_URI: "https://keycloak.localssl.dev/realms/master/login-actions/reset-credentials"
 ## OpenID Connect (pre-configured for local tests):
- PHOTOPRISM_OIDC_URI: "https://keycloak.localssl.dev/auth/realms/master"
+ ## see https://keycloak.localssl.dev/realms/master/.well-known/openid-configuration
+ PHOTOPRISM_OIDC_URI: "https://keycloak.localssl.dev/realms/master"
 PHOTOPRISM_OIDC_INSECURE: "true"
 PHOTOPRISM_OIDC_CLIENT: "photoprism-develop"
 PHOTOPRISM_OIDC_SECRET: "9d8351a0-ca01-4556-9c37-85eb634869b9"
@@ -177,7 +178,7 @@ services:
 ## Dummy OpenID Connect Provider
 dummy-oidc:
- image: photoprism/dummy-oidc:240131
+ image: photoprism/dummy-oidc:240627
 container_name: dummy-oidc
 labels:
 - "traefik.enable=true"
@@ -191,7 +192,7 @@ services:
 ## Dummy WebDAV Server
 dummy-webdav:
- image: photoprism/dummy-webdav:240131
+ image: photoprism/dummy-webdav:240627
 container_name: dummy-webdav
 environment:
 WEBDAV_USERNAME: admin
@@ -210,7 +211,7 @@ services:
 ## Login: user / photoprism
 ## Admin: admin / photoprism
 keycloak:
- image: quay.io/keycloak/keycloak:24.0
+ image: quay.io/keycloak/keycloak:25.0
 container_name: keycloak
 profiles: ["all", "auth", "keycloak"]
 command: "start-dev" # development mode, do not use this in production!
diff --git a/docker/dummy/oidc/Dockerfile b/docker/dummy/oidc/Dockerfile
index ca2caf475..ffeae409f 100644
--- a/docker/dummy/oidc/Dockerfile
+++ b/docker/dummy/oidc/Dockerfile
@@ -11,7 +11,8 @@ RUN go mod download
 RUN go build -o server .
 # Allow HTTP scheme
-ENV CAOS_OIDC_DEV=true
+ENV CAOS_OIDC_DEV="true" \
+ ZITADEL_OIDC_DEV="true"
 # Expose HTTP port
 EXPOSE 9998
diff --git a/docker/dummy/oidc/app/mock/storage.go b/docker/dummy/oidc/app/mock/storage.go
index cd0c0dc4d..6d9201975 100644
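Review bot: The new `## see .../.well-known/openid-configuration` comment points at the discovery document but does not say that `PHOTOPRISM_OIDC_URI` has to equal the `issuer` value published there byte for byte (scheme, host, path, no trailing slash), which is the check an OIDC client performs on discovery and, presumably, the reason the `/auth` prefix is dropped here. I would extend the comment to `## must match the "issuer" value in https://keycloak.localssl.dev/realms/master/.well-known/openid-configuration`. The unchanged `PHOTOPRISM_OIDC_INSECURE: "true"` context line below belongs to the same block; the `## OpenID Connect (pre-configured for local tests)` header could state that the insecure flag and the literal client secret are part of that local-test preset.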
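Review bot: The `# Allow HTTP scheme` comment above the changed `ENV` no longer explains why two variables carry the same value; presumably `CAOS_OIDC_DEV` is the name read by the older caos/oidc module and `ZITADEL_OIDC_DEV` the one read after its rename to zitadel/oidc, so the image works whichever version `go mod download` resolves. I would make that explicit: `# Allow plain HTTP (dev-only mock provider): CAOS_OIDC_DEV is read by the pre-rename caos/oidc module, ZITADEL_OIDC_DEV by zitadel/oidc`. Once the module version in go.mod is pinned, the comment should also say which of the two can be dropped.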
--- a/docker/dummy/oidc/app/mock/storage.go
+++ b/docker/dummy/oidc/app/mock/storage.go
@@ -312,7 +312,8 @@ func (c *ConfClient) RedirectURIs() []string {
 "https://localhost:8443/test/a/instructions-example/callback",
 "https://op.certification.openid.net:62064/authz_cb",
 "https://op.certification.openid.net:62064/authz_post",
- "http://localhost:2342/api/v1/auth/callback",
+ "http://localhost:2342/api/v1/oidc/redirect",
+ "https://app.localssl.dev/api/v1/oidc/redirect",
 }
 }
 func (c *ConfClient) PostLogoutRedirectURIs() []string {
diff --git a/docker/dummy/webdav/Dockerfile b/docker/dummy/webdav/Dockerfile
index 5dba811ed..ffa1adf46 100644
--- a/docker/dummy/webdav/Dockerfile
+++ b/docker/dummy/webdav/Dockerfile
@@ -7,8 +7,8 @@ WORKDIR "/webdav"
 RUN go install github.com/hacdias/webdav@latest
-ENV WEBDAV_USERNAME admin
-ENV WEBDAV_PASSWORD photoprism
+ENV WEBDAV_USERNAME="admin" \
+ WEBDAV_PASSWORD="photoprism"
 # Expose HTTP port
 EXPOSE 80
diff --git a/internal/oidc/httpclient.go b/internal/oidc/http_client.go
similarity index 75%
rename from internal/oidc/httpclient.go
rename to internal/oidc/http_client.go
index 4d40d7f6a..92ced3ab8 100644
--- a/internal/oidc/httpclient.go
+++ b/internal/oidc/http_client.go
@@ -8,16 +8,21 @@ import (
 )
 // HttpClient represents a client that makes HTTP requests.
+//
+// NOTE: Timeout specifies a time limit for requests made by
+// this Client. The timeout includes connection time, any
+// redirects, and reading the response body. The timer remains
+// running after Get, Head, Post, or Do return and will
+// interrupt reading of the Response.Body.
 func HttpClient(debug bool) *http.Client {
 if debug {
 return &http.Client{
 Transport: LoggingRoundTripper{http.DefaultTransport},
- Timeout: time.Second * 10,
+ Timeout: time.Second * 20,
 }
 }
- cl := http.DefaultClient
- cl.Timeout = time.Second * 10
- return cl
+
+ return &http.Client{Timeout: 20 * time.Second}
 }
 // LoggingRoundTripper specifies the http.RoundTripper interface.
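Review bot: The two added entries are the only PhotoPrism callbacks this mock provider will accept, and nothing says which setup each one serves; a comment such as `// PhotoPrism dev callbacks: plain HTTP for a local build on :2342, HTTPS for the compose stack behind app.localssl.dev` would keep the next path change from touching only one of them. The same `/api/v1/auth/callback` to `/api/v1/oidc/redirect` change is made for the Keycloak seed data in scripts/sql/mariadb-init.sql (client `5a059221-51fd-434f-84a6-40fa51cda5ce`), so this list, that seed row and the application's real redirect route have to be kept in step, which the comment should mention. RedirectURIs begins before this hunk.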
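Review bot: The 20-second limit is now written twice in different forms, `time.Second * 20` in the debug branch and `20 * time.Second` in the new return, so the two clients can silently drift apart the next time one is tuned; hoist it into `const httpClientTimeout = 20 * time.Second` and use `Timeout: httpClientTimeout,` in both places. The six added NOTE lines restate the net/http documentation for Client.Timeout without saying why the value doubled; if the reason is slow discovery, token or userinfo round trips in the test setups, one line saying so is more useful than the copied paragraph. Since Transport is left nil in the non-debug client it still uses http.DefaultTransport and its connection pool, so the move away from mutating the shared http.DefaultClient costs nothing, and that is worth a short comment on the new return line.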
diff --git a/internal/oidc/httpclient_test.go b/internal/oidc/http_client_test.go
similarity index 100%
rename from internal/oidc/httpclient_test.go
rename to internal/oidc/http_client_test.go
diff --git a/scripts/sql/mariadb-init.sql b/scripts/sql/mariadb-init.sql
index 41369d701..8fffc2e6f 100644
--- a/scripts/sql/mariadb-init.sql
+++ b/scripts/sql/mariadb-init.sql
@@ -1886,7 +1886,7 @@ CREATE TABLE `REDIRECT_URIS` (
 LOCK TABLES `REDIRECT_URIS` WRITE;
 /*!40000 ALTER TABLE `REDIRECT_URIS` DISABLE KEYS */;
-INSERT INTO `REDIRECT_URIS` VALUES ('4e4977d6-eaa9-4245-ae4c-04d20f5436d9','/realms/master/account/*'),('54905dd0-4ade-494e-9c35-ab2d445a99f5','/realms/master/account/*'),('5a059221-51fd-434f-84a6-40fa51cda5ce','https://app.localssl.dev/api/v1/auth/callback'),('bda020f6-dd7f-4bb8-b565-bdc8edb9a8fc','/admin/master/console/*');
+INSERT INTO `REDIRECT_URIS` VALUES ('4e4977d6-eaa9-4245-ae4c-04d20f5436d9','/realms/master/account/*'),('54905dd0-4ade-494e-9c35-ab2d445a99f5','/realms/master/account/*'),('5a059221-51fd-434f-84a6-40fa51cda5ce','https://app.localssl.dev/api/v1/oidc/redirect'),('bda020f6-dd7f-4bb8-b565-bdc8edb9a8fc','/admin/master/console/*');
 /*!40000 ALTER TABLE `REDIRECT_URIS` ENABLE KEYS */;
 UNLOCK TABLES;