From 521e80b0ae7732c3da12bd9bae43496d2b981459 Mon Sep 17 00:00:00 2001
From: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
Date: Fri, 24 Oct 2025 17:03:06 +0000
Subject: [PATCH] feat(ocm): implement WAYF page and enhance invitation
 workflow

add: Wayf.vue component with provider selection and federation discovery
add: useWayf.ts composable for WAYF logic and provider management
add: InvitationAcceptanceModal.vue for invitation acceptance
add: useInvitationAcceptance.ts composable to share acceptance logic
add: wayf.ts types for federation and provider interfaces
add: WAYF documentation
add: /wayf route with anonymous authentication support
add: /accept-invite route for invitation acceptance workflow
add: Configure anonymous authContext for public WAYF access
refactor: IncomingInvitations to use shared acceptance composable
add: multiple token copy options to OutgoingInvitations (plain, base64, WAYF link)
enhance: token display with separate copy buttons for each format
enhance: Prevent users from accepting self-generated invitations
enhance: Filter out current instance from federation provider lists
enhance: Validate manual provider entries against self-domain

Signed-off-by: Mahdi Baghbani <mahdi-baghbani@azadehafzar.io>
---
 .../unreleased/enhancement-ocm-wayf-page.md   |  11 +
 .../docs/Where Are You From page.md           | 122 ++++
 .../composables/useInvitationAcceptance.ts    |  66 ++
 .../web-app-ocm/src/composables/useWayf.ts    | 195 ++++++
 packages/web-app-ocm/src/extensions.ts        |   2 +-
 packages/web-app-ocm/src/index.ts             |  28 +
 packages/web-app-ocm/src/types/wayf.ts        |  35 ++
 packages/web-app-ocm/src/views/App.vue        |  59 +-
 .../src/views/ConnectionsPanel.vue            |  13 +-
 .../src/views/IncomingInvitations.vue         |  61 +-
 .../src/views/InvitationAcceptanceModal.vue   | 101 ++++
 .../src/views/OutgoingInvitations.vue         | 104 +++-
 packages/web-app-ocm/src/views/Wayf.vue       | 564 ++++++++++++++++++
 .../piniaStores/inviteTokensList.ts           |   2 +
 14 files changed, 1297 insertions(+), 66 deletions(-)
 create mode 100644 changelog/unreleased/enhancement-ocm-wayf-page.md
 create mode 100644 packages/web-app-ocm/docs/Where Are You From page.md
 create mode 100644 packages/web-app-ocm/src/composables/useInvitationAcceptance.ts
 create mode 100644 packages/web-app-ocm/src/composables/useWayf.ts
 create mode 100644 packages/web-app-ocm/src/types/wayf.ts
 create mode 100644 packages/web-app-ocm/src/views/InvitationAcceptanceModal.vue
 create mode 100644 packages/web-app-ocm/src/views/Wayf.vue

diff --git a/changelog/unreleased/enhancement-ocm-wayf-page.md b/changelog/unreleased/enhancement-ocm-wayf-page.md
new file mode 100644
index 00000000000..5f5abd0517e
--- /dev/null
+++ b/changelog/unreleased/enhancement-ocm-wayf-page.md
@@ -0,0 +1,11 @@
+Enhancement: Add WAYF page for OCM
+
+We've implemented a Where Are You From page that allows users to discover and select their cloud provider when accepting federated invitations.
+The new page includes federation browsing, provider search functionality, and manual provider entry with automatic OCM discovery.
+
+The implementation added new routes (`/wayf` and `/accept-invite`) with anonymous authentication support, enabling users to access the provider selection interface without prior authentication.
+Outgoing invitations now include multiple token copy options (plain, base64, and WAYF link) for improved sharing flexibility.
+
+Enhancements prevent users from accepting self-generated invitations and automatically exclude the current instance from available provider lists.
+
+https://github.com/owncloud/web/pull/13243
diff --git a/packages/web-app-ocm/docs/Where Are You From page.md b/packages/web-app-ocm/docs/Where Are You From page.md
new file mode 100644
index 00000000000..01c0d02d2ec
--- /dev/null
+++ b/packages/web-app-ocm/docs/Where Are You From page.md	
@@ -0,0 +1,122 @@
+# Where Are You From
+
+## Overview
+
+The WAYF page allows users to select their cloud provider when accepting an invitation. It's accessible at the path `domain.tld/open-cloud-mesh/wayf?token=token`.
+
+## Usage
+
+### 1. Basic Functionality Test
+
+Navigate to: `http://localhost:3000/open-cloud-mesh/wayf?token=test-token-123`
+
+Expected behavior:
+
+- Page loads with "Where Are You From?" header
+- Shows loading state initially
+- Displays list of available providers grouped by federation
+- Search functionality works
+- Manual provider input is available
+
+### 2. URL Parameters Test
+
+Test with different URL parameters:
+
+- `?token=test-token-123` - Should show providers
+- No token - Should show "You need a token for this feature to work"
+
+**Note**: `providerDomain` is ALWAYS auto-detected from `window.location.hostname` and should NOT be passed in the URL for security reasons.
+
+### 3. Provider Selection Test
+
+- Click on any provider from the list
+- Should redirect to the provider's accept-invite page with token and domain parameters
+
+### 4. Manual Provider Test
+
+- Enter a domain in the manual provider field (e.g., "example.com")
+- Press Enter or click the input
+- Should attempt to discover the provider and redirect
+
+### 5. Search Functionality Test
+
+- Type in the search box to filter providers
+- Should filter by provider name or FQDN
+- Clear search should show all providers again
+
+### 6. Error Handling Test
+
+- Test with invalid provider domains
+- Should show appropriate error messages
+- Should not crash the application
+
+### 7. Self-Domain Prevention Test
+
+**Test that users cannot select their own instance:**
+
+- If `window.location.hostname` is `example.com`:
+  - Federation list should NOT include any provider with FQDN `example.com`
+  - Manual entry of `example.com` should show error
+  - Manual entry of `http://example.com` should show error
+  - Manual entry of `https://example.com:443` should show error
+- Error message should be: "Invalid Provider Selection - You cannot select your own instance as a provider..."
+
+### How It Works
+
+1. **Federation List Filtering**: When loading federations from the backend, any provider whose domain matches `window.location.hostname` is automatically filtered out
+2. **Provider Selection Validation**: If a user somehow selects their own domain from the list, an error message is shown
+3. **Manual Entry Validation**: If a user manually enters their own domain, an error message is shown
+
+### Error Message
+
+When attempting to select own instance:
+
+```
+Title: Invalid Provider Selection
+Message: You cannot select your own instance as a provider.
+         Please select a different provider to establish a federated connection.
+```
+
+### Implementation Details
+
+- Domain comparison is case-insensitive
+- Protocols (`http://`, `https://`) are stripped before comparison
+- Port numbers are stripped before comparison
+- If backend returns the current instance in federations, it's automatically dropped from the list
+
+## API Endpoints Used
+
+### Backend Endpoints
+
+- `GET /sciencemesh/federations` - Loads list of available federations (public endpoint)
+- `POST /sciencemesh/discover` - Discovers provider's OCM API endpoint for manual entry (public endpoint)
+
+### External OCM Discovery
+
+- `https://{provider-domain}/.well-known/ocm` - OCM discovery endpoint (called by backend, not frontend)
+- `https://{provider-domain}/ocm-provider` - Legacy OCM discovery endpoint (fallback)
+
+## Expected URL Structure
+
+When a provider is selected, the user is redirected to:
+
+```
+{provider-invite-accept-dialog}?token={token}&providerDomain={providerDomain}
+```
+
+**Important Clarification**:
+
+- `providerDomain` = The domain **where the WAYF page is hosted** (YOUR domain, the inviting party)
+- `provider-invite-accept-dialog` = The selected provider's invite acceptance URL
+
+**Example Flow**:
+
+1. User visits WAYF on: `your-domain.com/open-cloud-mesh/wayf?token=abc123`
+2. User selects provider: CERNBox
+3. User is redirected to: `qa.cernbox.cern.ch/accept?token=abc123&providerDomain=your-domain.com`
+   - Note: `providerDomain` is `your-domain.com` (NOT `qa.cernbox.cern.ch`)
+
+**How providerDomain is determined**:
+
+- **ALWAYS** automatically extracted from `window.location.hostname`
+- **NEVER** accepted from query string (security: prevents domain spoofing)
diff --git a/packages/web-app-ocm/src/composables/useInvitationAcceptance.ts b/packages/web-app-ocm/src/composables/useInvitationAcceptance.ts
new file mode 100644
index 00000000000..b11579a89b2
--- /dev/null
+++ b/packages/web-app-ocm/src/composables/useInvitationAcceptance.ts
@@ -0,0 +1,66 @@
+import { ref, computed } from 'vue'
+import { useClientService, useMessages, useInviteTokensListStore } from '@ownclouders/web-pkg'
+import { useGettext } from 'vue3-gettext'
+
+export function useInvitationAcceptance() {
+  const clientService = useClientService()
+  const { showErrorMessage } = useMessages()
+  const inviteTokensListStore = useInviteTokensListStore()
+  const { $gettext } = useGettext()
+
+  const loading = ref(false)
+  const error = ref(false)
+
+  const isOwnGeneratedToken = (token: string) => {
+    return inviteTokensListStore.getTokensList().some((t) => t.token === token)
+  }
+
+  const errorPopup = (error: Error) => {
+    console.error(error)
+    showErrorMessage({
+      title: $gettext('Error'),
+      desc: $gettext('An error occurred'),
+      errors: [error]
+    })
+  }
+
+  const acceptInvitation = async (token: string, providerDomain: string) => {
+    loading.value = true
+    error.value = false
+
+    try {
+      if (isOwnGeneratedToken(token)) {
+        throw new Error($gettext('Self-invitations are not permitted'))
+      }
+
+      const response = await clientService.httpAuthenticated.post('/sciencemesh/accept-invite', {
+        token,
+        providerDomain
+      })
+
+      return true
+    } catch (err) {
+      console.error('Error accepting invitation:', err)
+      error.value = true
+      errorPopup(err)
+      throw err
+    } finally {
+      loading.value = false
+    }
+  }
+
+  const validateParameters = (token: string | undefined, providerDomain: string | undefined) => {
+    if (!token || !providerDomain) {
+      throw new Error($gettext('Missing required parameters: token and providerDomain'))
+    }
+  }
+
+  return {
+    loading: computed(() => loading.value),
+    error: computed(() => error.value),
+    isOwnGeneratedToken,
+    acceptInvitation,
+    validateParameters,
+    errorPopup
+  }
+}
diff --git a/packages/web-app-ocm/src/composables/useWayf.ts b/packages/web-app-ocm/src/composables/useWayf.ts
new file mode 100644
index 00000000000..2cdab377780
--- /dev/null
+++ b/packages/web-app-ocm/src/composables/useWayf.ts
@@ -0,0 +1,195 @@
+import { ref, computed } from 'vue'
+import { useClientService, useMessages } from '@ownclouders/web-pkg'
+import { useGettext } from 'vue3-gettext'
+import type {
+  WayfProvider,
+  WayfFederation,
+  FederationsApiResponse,
+  DiscoverRequest,
+  DiscoverResponse
+} from '../types/wayf'
+
+export function useWayf() {
+  const clientService = useClientService()
+  const { showErrorMessage } = useMessages()
+  const { $gettext } = useGettext()
+
+  const loading = ref(false)
+  const error = ref(false)
+  const federations = ref<WayfFederation>({})
+
+  const isSelfDomain = (domain: string): boolean => {
+    const currentHost = window.location.hostname.toLowerCase()
+    const checkDomain = domain
+      .toLowerCase()
+      .replace(/^https?:\/\//, '')
+      .replace(/:\d+$/, '')
+    return currentHost === checkDomain
+  }
+
+  const discoverProvider = async (domain: string): Promise<string> => {
+    try {
+      loading.value = true
+      const response = await clientService.httpUnAuthenticated.post<DiscoverResponse>(
+        '/sciencemesh/discover',
+        { domain } as DiscoverRequest
+      )
+
+      if (!response.data || !response.data.inviteAcceptDialog) {
+        throw new Error('No invite accept dialog found in discovery response')
+      }
+
+      return response.data.inviteAcceptDialog
+    } catch (err) {
+      console.error('Provider discovery failed:', err)
+      showErrorMessage({
+        title: $gettext('Discovery Failed'),
+        desc: $gettext('Could not discover provider at %{domain}', { domain }),
+        errors: [err]
+      })
+      throw err
+    } finally {
+      loading.value = false
+    }
+  }
+
+  const buildProviderUrl = (baseUrl: string, token: string, providerDomain?: string): string => {
+    const url = new URL(baseUrl)
+    if (providerDomain) url.searchParams.set('providerDomain', providerDomain)
+    if (token) url.searchParams.set('token', token)
+    return url.toString()
+  }
+
+  const navigateToProvider = async (
+    provider: WayfProvider,
+    token: string,
+    providerDomain?: string
+  ) => {
+    if (isSelfDomain(provider.fqdn)) {
+      showErrorMessage({
+        title: $gettext('Invalid Provider Selection'),
+        desc: $gettext(
+          'You cannot select your own instance as a provider. Please select a different provider to establish a federated connection.'
+        )
+      })
+      return
+    }
+
+    try {
+      loading.value = true
+      let inviteDialogUrl = provider.inviteAcceptDialog
+
+      // If inviteAcceptDialog is empty, call backend discovery
+      if (!inviteDialogUrl || inviteDialogUrl.trim() === '') {
+        inviteDialogUrl = await discoverProvider(provider.fqdn)
+      } else {
+        // If it's a relative path, make it absolute
+        if (inviteDialogUrl.startsWith('/')) {
+          const baseUrl = `https://${provider.fqdn}`
+          inviteDialogUrl = `${baseUrl}${inviteDialogUrl}`
+        }
+        // If it's already absolute, use as-is
+      }
+
+      // Build final URL with query parameters and redirect
+      const finalUrl = buildProviderUrl(inviteDialogUrl, token, providerDomain)
+      window.location.href = finalUrl
+    } catch (err) {
+      console.error('Failed to navigate to provider:', err)
+      // Error is already shown by discoverProvider, do not use showErrorMessage here
+    } finally {
+      loading.value = false
+    }
+  }
+
+  const navigateToManualProvider = async (
+    input: string,
+    token: string,
+    providerDomain?: string
+  ) => {
+    const trimmedInput = input.trim()
+    if (!trimmedInput) return
+
+    if (isSelfDomain(trimmedInput)) {
+      showErrorMessage({
+        title: $gettext('Invalid Provider Selection'),
+        desc: $gettext(
+          'You cannot use your own instance as a provider. Please select a different provider to establish a federated connection.'
+        )
+      })
+      return
+    }
+
+    try {
+      loading.value = true
+      const inviteDialogUrl = await discoverProvider(trimmedInput)
+      const finalUrl = buildProviderUrl(inviteDialogUrl, token, providerDomain)
+      window.location.href = finalUrl
+    } catch (err) {
+      console.error('Failed to navigate to manual provider:', err)
+      // Error is already shown by discoverProvider, do not use showErrorMessage here
+    } finally {
+      loading.value = false
+    }
+  }
+
+  const loadFederations = async () => {
+    try {
+      loading.value = true
+      error.value = false
+
+      const response = await clientService.httpUnAuthenticated.get<FederationsApiResponse>(
+        '/sciencemesh/federations'
+      )
+
+      const transformedFederations: WayfFederation = {}
+      response.data.forEach((fed) => {
+        const providers = fed.servers
+          .map((server) => ({
+            name: server.displayName,
+            fqdn: new URL(server.url).hostname,
+            // Keep empty if not provided by the server
+            inviteAcceptDialog: server.inviteAcceptDialog || ''
+          }))
+          .filter((provider) => !isSelfDomain(provider.fqdn))
+
+        if (providers.length > 0) {
+          transformedFederations[fed.federation] = providers
+        }
+      })
+
+      federations.value = transformedFederations
+    } catch (err) {
+      console.error('Failed to load federations:', err)
+      error.value = true
+      showErrorMessage({
+        title: $gettext('Failed to Load Providers'),
+        desc: $gettext('Could not load the list of available providers'),
+        errors: [err]
+      })
+    } finally {
+      loading.value = false
+    }
+  }
+
+  const filterProviders = (providers: WayfProvider[], query: string): WayfProvider[] => {
+    const searchTerm = (query || '').toLowerCase()
+    return providers.filter(
+      (provider) =>
+        provider.name.toLowerCase().includes(searchTerm) ||
+        provider.fqdn.toLowerCase().includes(searchTerm)
+    )
+  }
+
+  return {
+    loading: computed(() => loading.value),
+    error: computed(() => error.value),
+    federations: computed(() => federations.value),
+    discoverProvider,
+    buildProviderUrl,
+    navigateToProvider,
+    navigateToManualProvider,
+    loadFederations,
+    filterProviders
+  }
+}
diff --git a/packages/web-app-ocm/src/extensions.ts b/packages/web-app-ocm/src/extensions.ts
index 152d0e0d910..5e7b6b90fa8 100644
--- a/packages/web-app-ocm/src/extensions.ts
+++ b/packages/web-app-ocm/src/extensions.ts
@@ -40,7 +40,7 @@ export const extensions = (appInfo: ApplicationInformation) => {
         })
       }
     } catch (error) {
-      console.log(error)
+      console.error(error)
       showErrorMessage({
         title: $gettext('An error occurred'),
         desc: $gettext("Couldn't open remotely"),
diff --git a/packages/web-app-ocm/src/index.ts b/packages/web-app-ocm/src/index.ts
index 09b67f182b6..2b31e980e0c 100644
--- a/packages/web-app-ocm/src/index.ts
+++ b/packages/web-app-ocm/src/index.ts
@@ -1,4 +1,5 @@
 import App from './views/App.vue'
+import Wayf from './views/Wayf.vue'
 import { ApplicationInformation, defineWebApplication, useRouter } from '@ownclouders/web-pkg'
 import translations from '../l10n/translations.json'
 import { extensions } from './extensions'
@@ -20,6 +21,33 @@ const routes: RouteRecordRaw[] = [
       patchCleanPath: true,
       title: 'Invitations'
     }
+  },
+  {
+    path: '/accept-invite',
+    name: 'open-cloud-mesh-accept-invite',
+    component: App,
+    meta: {
+      patchCleanPath: true,
+      title: 'Accept Invitation'
+    }
+  },
+  {
+    path: '/wayf',
+    name: 'open-cloud-mesh-wayf',
+    component: Wayf,
+    meta: {
+      patchCleanPath: true,
+      title: 'Where Are You From',
+      /*
+      How authentication context works:
+      authContext: 'user'         requires full authentication (default)
+      authContext: 'anonymous'    no authentication required
+      authContext: 'hybrid'       works with or without authentication (didn't work without login for me)
+      authContext: 'idp'          requires IdP authentication only
+      authContext: 'publicLink'   for public link contexts
+      */
+      authContext: 'anonymous'
+    }
   }
 ]
 
diff --git a/packages/web-app-ocm/src/types/wayf.ts b/packages/web-app-ocm/src/types/wayf.ts
new file mode 100644
index 00000000000..a208afd76c9
--- /dev/null
+++ b/packages/web-app-ocm/src/types/wayf.ts
@@ -0,0 +1,35 @@
+// Frontend types
+export interface WayfProvider {
+  name: string
+  fqdn: string
+  // Can be empty, relative path, or absolute URL
+  inviteAcceptDialog: string
+}
+
+export interface WayfFederation {
+  [federationName: string]: WayfProvider[]
+}
+
+// Backend API response types
+export interface FederationServerResponse {
+  displayName: string
+  url: string
+  inviteAcceptDialog: string
+}
+
+export interface FederationResponse {
+  federation: string
+  servers: FederationServerResponse[]
+}
+
+export type FederationsApiResponse = FederationResponse[]
+
+export interface DiscoverRequest {
+  domain: string
+}
+
+export interface DiscoverResponse {
+  inviteAcceptDialog: string
+  provider?: string
+  apiVersion?: string
+}
diff --git a/packages/web-app-ocm/src/views/App.vue b/packages/web-app-ocm/src/views/App.vue
index 60bf2be87cb..899e53a2b0c 100644
--- a/packages/web-app-ocm/src/views/App.vue
+++ b/packages/web-app-ocm/src/views/App.vue
@@ -17,36 +17,87 @@
         />
       </div>
     </div>
+
+    <invitation-acceptance-modal
+      v-if="showInvitationModal"
+      :show-modal="showInvitationModal"
+      :token="invitationToken"
+      :provider="invitationProvider"
+      @highlight-new-connections="highlightNewConnections"
+      @close="closeInvitationModal"
+    />
   </div>
 </template>
 
 <script lang="ts" setup>
-import { onMounted, onUnmounted, ref, unref, Ref } from 'vue'
+import { onMounted, onUnmounted, ref, unref, Ref, computed, watch } from 'vue'
 import ConnectionsPanel from './ConnectionsPanel.vue'
 import IncomingInvitations from './IncomingInvitations.vue'
 import OutgoingInvitations from './OutgoingInvitations.vue'
+import InvitationAcceptanceModal from './InvitationAcceptanceModal.vue'
 import {
   useClientService,
   useScrollTo,
   FederatedConnection,
-  useMessages
+  useMessages,
+  useRoute,
+  useRouter
 } from '@ownclouders/web-pkg'
 import { useGettext } from 'vue3-gettext'
 import { buildConnection } from '../functions'
 
 const { showMessage } = useMessages()
 const { scrollToResource } = useScrollTo()
-const clientSerivce = useClientService()
+const clientService = useClientService()
 const { $gettext } = useGettext()
+const route = useRoute()
+const router = useRouter()
 
 const connections: Ref<FederatedConnection[]> = ref([])
 const highlightedConnections: Ref<FederatedConnection[]> = ref([])
 const highlightNewConnectionsInterval = ref(null)
 const loadingConnections = ref(true)
 
+// Modal state for invitation acceptance
+const showInvitationModal = ref(false)
+const invitationToken = ref('')
+const invitationProvider = ref('')
+
+// Check if we're on the accept-invite route and show modal
+const isAcceptInviteRoute = computed(() => {
+  return route.value.name === 'open-cloud-mesh-accept-invite'
+})
+
+// Watch for route changes to show modal
+watch(
+  isAcceptInviteRoute,
+  (isAcceptRoute) => {
+    if (isAcceptRoute) {
+      const token = route.value.query.token as string
+      const provider = route.value.query.providerDomain as string
+
+      if (token && provider) {
+        invitationToken.value = token
+        invitationProvider.value = provider
+        showInvitationModal.value = true
+      }
+    }
+  },
+  { immediate: true }
+)
+
+const closeInvitationModal = () => {
+  showInvitationModal.value = false
+  invitationToken.value = ''
+  invitationProvider.value = ''
+
+  // Clear URL query parameters and navigate to invitations
+  router.replace({ name: 'open-cloud-mesh-invitations' })
+}
+
 const findAcceptedUsers = async () => {
   try {
-    const { data: acceptedUsers } = await clientSerivce.httpAuthenticated.get<
+    const { data: acceptedUsers } = await clientService.httpAuthenticated.get<
       FederatedConnection[]
     >('/sciencemesh/find-accepted-users')
     loadingConnections.value = false
diff --git a/packages/web-app-ocm/src/views/ConnectionsPanel.vue b/packages/web-app-ocm/src/views/ConnectionsPanel.vue
index 21751a357c7..40e80fcf000 100644
--- a/packages/web-app-ocm/src/views/ConnectionsPanel.vue
+++ b/packages/web-app-ocm/src/views/ConnectionsPanel.vue
@@ -84,6 +84,7 @@ import {
   AppLoadingSpinner,
   useRouter,
   useClientService,
+  useMessages,
   FederatedConnection
 } from '@ownclouders/web-pkg'
 import { useGettext } from 'vue3-gettext'
@@ -105,6 +106,7 @@ const emit = defineEmits<Emits>()
 const router = useRouter()
 const { $gettext } = useGettext()
 const clientService = useClientService()
+const { showErrorMessage } = useMessages()
 
 const fields = computed(() => {
   return [
@@ -139,7 +141,7 @@ const fields = computed(() => {
 const helperContent = computed(() => {
   return {
     text: $gettext(
-      'Federated conections for mutual sharing. To share, go to "Files" app, select the resource click "Share" in the context menu and select account type "federated".'
+      'Federated connections for mutual sharing. To share, go to "Files" app, select the resource click "Share" in the context menu and select account type "federated".'
     ),
     title: $gettext('Federated connections')
   }
@@ -164,8 +166,13 @@ const deleteConnection = async (user: FederatedConnection) => {
     const updatedConnections = connections.filter(({ id }) => id !== buildConnection(user).id)
 
     emit('update:connections', updatedConnections)
-  } catch (e) {
-    console.error(e)
+  } catch (error) {
+    console.error('Failed to delete connection:', error)
+    showErrorMessage({
+      title: $gettext('Error'),
+      desc: $gettext('Failed to delete connection'),
+      errors: [error]
+    })
   }
 }
 </script>
diff --git a/packages/web-app-ocm/src/views/IncomingInvitations.vue b/packages/web-app-ocm/src/views/IncomingInvitations.vue
index 4a129b0f32e..93260f10c3c 100644
--- a/packages/web-app-ocm/src/views/IncomingInvitations.vue
+++ b/packages/web-app-ocm/src/views/IncomingInvitations.vue
@@ -48,24 +48,18 @@
 
 <script lang="ts" setup>
 import { computed, ref, unref } from 'vue'
-import {
-  useClientService,
-  useRoute,
-  useRouter,
-  useMessages,
-  useInviteTokensListStore
-} from '@ownclouders/web-pkg'
+import { useRoute, useRouter } from '@ownclouders/web-pkg'
 import { useGettext } from 'vue3-gettext'
+import { useInvitationAcceptance } from '../composables/useInvitationAcceptance'
 
 const emit = defineEmits<{ (e: 'highlightNewConnections'): void }>()
 
-const { showErrorMessage } = useMessages()
 const router = useRouter()
 const route = useRoute()
-const inviteTokensListStore = useInviteTokensListStore()
-const clientService = useClientService()
 const { $gettext } = useGettext()
 
+const { acceptInvitation, isOwnGeneratedToken } = useInvitationAcceptance()
+
 const token = ref<string>(undefined)
 const decodedToken = ref<string>(undefined)
 const provider = ref<string>(undefined)
@@ -80,18 +74,6 @@ const helperContent = computed(() => {
   }
 })
 
-/**
- * Check if the token is generated by the user.
- * This is to avoid accepting own generated tokens.
- * In other words, the user should not be able to accept their own invitations.
- * @param token
- *
- * @returns boolean
- */
-const isOwnGeneratedToken = (token: string) => {
-  return inviteTokensListStore.getTokensList().some((t) => t.token === token)
-}
-
 const isUsingOwnGeneratedTokenToolTip = computed(() =>
   isOwnGeneratedToken(unref(decodedToken)) ? $gettext('Self-invitations are not permitted') : ''
 )
@@ -100,24 +82,15 @@ const acceptInvitationButtonDisabled = computed(() => {
   return !unref(decodedToken) || !unref(provider) || isOwnGeneratedToken(unref(decodedToken))
 })
 
-const errorPopup = (error: Error) => {
-  console.error(error)
-  showErrorMessage({
-    title: $gettext('Error'),
-    desc: $gettext('An error occurred'),
-    errors: [error]
-  })
-}
 const acceptInvite = async () => {
   if (isOwnGeneratedToken(unref(decodedToken))) {
     return
   }
 
   try {
-    await clientService.httpAuthenticated.post('/sciencemesh/accept-invite', {
-      token: unref(decodedToken),
-      providerDomain: unref(provider)
-    })
+    // Use shared invitation acceptance logic
+    await acceptInvitation(unref(decodedToken), unref(provider))
+
     token.value = undefined
     provider.value = undefined
 
@@ -129,21 +102,33 @@ const acceptInvite = async () => {
 
     emit('highlightNewConnections')
   } catch (error) {
-    errorPopup(error)
+    // Error handling is already done in the shared logic, do not use showErrorMessage here
   }
 }
 
 const decodeInviteToken = (value: string) => {
   try {
-    const decoded = atob(value)
+    let decoded = value.trim()
+
+    // If value doesn't contain '@', assume it's base64 encoded
     if (!decoded.includes('@')) {
-      throw new Error()
+      decoded = atob(decoded)
     }
+
+    if (!decoded.includes('@')) {
+      throw new Error('Invalid token format')
+    }
+
     const [token, serverUrl] = decoded.split('@')
+    if (!token || !serverUrl) {
+      throw new Error('Invalid token format')
+    }
+
     provider.value = serverUrl
     decodedToken.value = token
     providerError.value = false
-  } catch (e) {
+  } catch (error) {
+    console.error('Failed to decode invite token:', error)
     provider.value = ''
     decodedToken.value = ''
     providerError.value = true
diff --git a/packages/web-app-ocm/src/views/InvitationAcceptanceModal.vue b/packages/web-app-ocm/src/views/InvitationAcceptanceModal.vue
new file mode 100644
index 00000000000..d30879b78c4
--- /dev/null
+++ b/packages/web-app-ocm/src/views/InvitationAcceptanceModal.vue
@@ -0,0 +1,101 @@
+<template>
+  <oc-modal
+    v-if="showModal"
+    :title="$gettext('Accept Invitation')"
+    :button-cancel-text="$gettext('Decline')"
+    :button-confirm-text="$gettext('Accept')"
+    :button-confirm-disabled="acceptButtonDisabled"
+    @cancel="declineInvitation"
+    @confirm="acceptInvitation"
+  >
+    <template #content>
+      <div class="invitation-acceptance-content">
+        <div v-if="loading" class="oc-text-center oc-p-m">
+          <app-loading-spinner />
+          <p class="oc-mt-s" v-text="$gettext('Processing invitation...')" />
+        </div>
+
+        <div v-else class="oc-p-m">
+          <div class="oc-flex oc-flex-middle oc-mb-m">
+            <oc-icon name="user-received" size="large" class="oc-mr-m" />
+            <div>
+              <h3 v-text="$gettext('You have received an invitation')" />
+              <p
+                class="oc-text-muted"
+                v-text="$gettext('Accept this invitation to establish a federated connection.')"
+              />
+            </div>
+          </div>
+
+          <div
+            class="invitation-details oc-p-m"
+            style="background: var(--oc-color-background-hover); border-radius: 8px"
+          >
+            <div class="oc-mb-s">
+              <strong v-text="$gettext('From Institution:')" />
+              <span class="oc-ml-s" v-text="provider" />
+            </div>
+            <div class="oc-text-small oc-text-muted">
+              <span v-text="$gettext('Token:')" />
+              <span class="oc-ml-s oc-font-mono" v-text="token" />
+            </div>
+          </div>
+        </div>
+      </div>
+    </template>
+  </oc-modal>
+</template>
+
+<script lang="ts" setup>
+import { computed } from 'vue'
+import { useInvitationAcceptance } from '../composables/useInvitationAcceptance'
+
+const emit = defineEmits<{
+  (e: 'highlightNewConnections'): void
+  (e: 'close'): void
+}>()
+
+const props = defineProps<{
+  showModal: boolean
+  token: string
+  provider: string
+}>()
+
+const {
+  loading,
+  acceptInvitation: acceptInvitationAPI,
+  validateParameters
+} = useInvitationAcceptance()
+
+const acceptButtonDisabled = computed(() => {
+  return loading.value || !props.token || !props.provider
+})
+
+const acceptInvitation = async () => {
+  try {
+    validateParameters(props.token, props.provider)
+
+    await acceptInvitationAPI(props.token, props.provider)
+
+    emit('highlightNewConnections')
+    emit('close')
+  } catch (err) {
+    console.error('Error accepting invitation:', err)
+    emit('close')
+  }
+}
+
+const declineInvitation = () => {
+  emit('close')
+}
+</script>
+
+<style lang="scss" scoped>
+.invitation-acceptance-content {
+  min-height: 200px;
+}
+
+.invitation-details {
+  border: 1px solid var(--oc-color-border);
+}
+</style>
diff --git a/packages/web-app-ocm/src/views/OutgoingInvitations.vue b/packages/web-app-ocm/src/views/OutgoingInvitations.vue
index f902c307f3c..c10f6c5ec68 100644
--- a/packages/web-app-ocm/src/views/OutgoingInvitations.vue
+++ b/packages/web-app-ocm/src/views/OutgoingInvitations.vue
@@ -62,26 +62,47 @@
           :highlighted="inviteTokensListStore.getLastCreatedToken()"
         >
           <template #token="rowData">
-            <div class="invite-code-wrapper oc-flex">
-              <div class="oc-text-truncate">
-                <span class="oc-text-truncate">{{ encodeInviteToken(rowData.item.token) }}</span>
+            <div class="invite-code-wrapper oc-flex oc-flex-middle">
+              <div class="oc-text-truncate oc-mr-s">
+                <span class="oc-text-truncate">{{ rowData.item.token }}</span>
+              </div>
+              <div class="copy-buttons oc-flex oc-flex-middle">
+                <oc-button
+                  id="oc-sciencemesh-copy-plain"
+                  v-oc-tooltip="$gettext('Copy plain token')"
+                  :aria-label="$gettext('Copy plain token')"
+                  appearance="raw"
+                  class="oc-mr-xs"
+                  @click="copyPlainToken(rowData)"
+                >
+                  <oc-icon name="file-copy" />
+                </oc-button>
+                <oc-button
+                  id="oc-sciencemesh-copy-base64"
+                  v-oc-tooltip="$gettext('Copy base64 token')"
+                  :aria-label="$gettext('Copy base64 token')"
+                  appearance="raw"
+                  class="oc-mr-xs"
+                  @click="copyToken(rowData)"
+                >
+                  <oc-icon name="code" />
+                </oc-button>
+                <oc-button
+                  id="oc-sciencemesh-copy-wayf"
+                  v-oc-tooltip="$gettext('Copy Invite link')"
+                  :aria-label="$gettext('Copy Invite link')"
+                  appearance="raw"
+                  @click="copyWayfLink(rowData)"
+                >
+                  <oc-icon name="link" />
+                </oc-button>
               </div>
-              <oc-button
-                id="oc-sciencemesh-copy-token"
-                v-oc-tooltip="$gettext('Copy invite token')"
-                :aria-label="$gettext('Copy invite token')"
-                appearance="raw"
-                class="oc-ml-s"
-                @click="copyToken(rowData)"
-              >
-                <oc-icon name="file-copy" />
-              </oc-button>
             </div>
           </template>
           <template #link="rowData">
             <a :href="rowData.item.link" v-text="$gettext('Link')" />
             <oc-button
-              id="oc-sciencemesh-copy-token"
+              id="oc-sciencemesh-copy-link"
               v-oc-tooltip="$gettext('Copy invitation link')"
               :aria-label="$gettext('Copy invitation link')"
               appearance="raw"
@@ -171,9 +192,18 @@ const helperContent = computed(() => {
   }
 })
 
+const getTokenAtProvider = (token: string) => {
+  const url = new URL(configStore.serverUrl)
+  return `${token}@${url.host}`
+}
+
 const encodeInviteToken = (token: string) => {
+  return btoa(getTokenAtProvider(token))
+}
+
+const generateWayfLink = (token: string) => {
   const url = new URL(configStore.serverUrl)
-  return btoa(`${token}@${url.host}`)
+  return `${url.origin}/open-cloud-mesh/wayf?token=${token}`
 }
 
 const generateToken = async () => {
@@ -194,10 +224,15 @@ const generateToken = async () => {
     )
 
     if (tokenInfo.token) {
+      const tokenAtProvider = getTokenAtProvider(tokenInfo.token)
+      const wayfLink = generateWayfLink(tokenInfo.token)
+
       inviteTokensListStore.addToken({
         id: tokenInfo.token,
         link: tokenInfo.invite_link,
         token: tokenInfo.token,
+        tokenAtProvider: tokenAtProvider,
+        wayfLink: wayfLink,
         ...(tokenInfo.expiration && {
           expiration: toDateTime(tokenInfo.expiration)
         }),
@@ -216,7 +251,7 @@ const generateToken = async () => {
 
       const quickToken = encodeInviteToken(tokenInfo.token)
       inviteTokensListStore.setLastCreatedToken(quickToken)
-      navigator.clipboard.writeText(quickToken)
+      await navigator.clipboard.writeText(quickToken)
     }
   } catch (error) {
     inviteTokensListStore.setLastCreatedToken('')
@@ -235,6 +270,8 @@ const listTokens = async () => {
     const tokenList = data.map((t) => ({
       id: t.token,
       token: t.token,
+      tokenAtProvider: getTokenAtProvider(t.token),
+      wayfLink: generateWayfLink(t.token),
       ...(t.expiration && {
         expiration: toDateTime(t.expiration)
       }),
@@ -245,7 +282,7 @@ const listTokens = async () => {
     }))
     inviteTokensListStore.setTokensList(tokenList)
   } catch (error) {
-    console.log(error)
+    console.error('Failed to list invite tokens:', error)
   } finally {
     loading.value = false
   }
@@ -254,15 +291,32 @@ const listTokens = async () => {
 const copyLink = (rowData: { item: { link: string; token: string } }) => {
   navigator.clipboard.writeText(rowData.item.link)
   showMessage({
-    title: $gettext('Invition link copied'),
+    title: $gettext('Invitation link copied'),
     desc: $gettext('Invitation link has been copied to your clipboard.')
   })
 }
+const copyPlainToken = (rowData: { item: { token: string } }) => {
+  const tokenAtProvider = getTokenAtProvider(rowData.item.token)
+  navigator.clipboard.writeText(tokenAtProvider)
+  showMessage({
+    title: $gettext('Plain token copied'),
+    desc: $gettext('Plain token has been copied to your clipboard.')
+  })
+}
+
 const copyToken = (rowData: { item: { link: string; token: string } }) => {
   navigator.clipboard.writeText(encodeInviteToken(rowData.item.token))
   showMessage({
-    title: $gettext('Invite token copied'),
-    desc: $gettext('Invite token has been copied to your clipboard.')
+    title: $gettext('Base64 token copied'),
+    desc: $gettext('Base64 token has been copied to your clipboard.')
+  })
+}
+
+const copyWayfLink = (rowData: { item: { wayfLink: string } }) => {
+  navigator.clipboard.writeText(rowData.item.wayfLink)
+  showMessage({
+    title: $gettext('Invite link copied'),
+    desc: $gettext('Invite link has been copied to your clipboard.')
   })
 }
 const errorPopup = (error: Error) => {
@@ -307,6 +361,16 @@ const formatDateRelative = (date: Date) => {
 .sciencemesh-app {
   .invite-code-wrapper {
     width: 200px;
+
+    .copy-buttons {
+      gap: 4px;
+
+      .oc-button {
+        padding: 4px;
+        min-width: 32px;
+        height: 32px;
+      }
+    }
   }
   #invite-tokens-empty {
     height: 100%;
diff --git a/packages/web-app-ocm/src/views/Wayf.vue b/packages/web-app-ocm/src/views/Wayf.vue
new file mode 100644
index 00000000000..8b4e0b89ad2
--- /dev/null
+++ b/packages/web-app-ocm/src/views/Wayf.vue
@@ -0,0 +1,564 @@
+<template>
+  <main id="wayf" class="oc-flex oc-height-1-1">
+    <div class="wayf-wrapper oc-width-expand oc-height-1-1">
+      <div class="wayf-content">
+        <!-- Header Section -->
+        <div class="wayf-header oc-flex oc-flex-middle oc-px-m oc-py-s">
+          <oc-icon name="cloud" size="large" class="oc-mr-s" />
+          <h1 class="oc-px-s" v-text="$gettext('Where Are You From?')" />
+          <oc-contextual-helper class="oc-pl-xs" v-bind="helperContent" />
+        </div>
+
+        <!-- No Token State -->
+        <no-content-message
+          v-if="!hasToken"
+          id="wayf-no-token"
+          icon="cloud"
+          class="oc-text-center oc-p-l"
+        >
+          <template #message>
+            <span v-text="$gettext('Token Required')" />
+          </template>
+          <template #callToAction>
+            <span
+              class="oc-text-muted"
+              v-text="$gettext('You need a token for this feature to work.')"
+            />
+          </template>
+        </no-content-message>
+
+        <!-- Loading State -->
+        <div v-else-if="loading" class="oc-text-center oc-p-l">
+          <app-loading-spinner />
+          <p class="oc-mt-s" v-text="$gettext('Loading providers...')" />
+        </div>
+
+        <!-- Error State -->
+        <no-content-message v-else-if="error" id="wayf-error" icon="alert-circle">
+          <template #message>
+            <span v-text="$gettext('Failed to load providers')" />
+          </template>
+          <template #callToAction>
+            <oc-button
+              appearance="filled"
+              variation="primary"
+              class="oc-px-m oc-py-m"
+              @click="loadFederations"
+            >
+              <span v-text="$gettext('Retry')" />
+            </oc-button>
+          </template>
+        </no-content-message>
+
+        <!-- Main Content -->
+        <div v-else class="wayf-main oc-flex oc-flex-column oc-height-1-1">
+          <!-- Search Section -->
+          <div class="wayf-search oc-px-m oc-pb-s">
+            <oc-text-input
+              v-model="query"
+              :label="$gettext('Search providers')"
+              type="search"
+              id="wayf-search"
+              name="search"
+              class="oc-mb-s"
+            >
+              <template #icon>
+                <oc-icon name="magnify" :size="20" />
+              </template>
+            </oc-text-input>
+          </div>
+
+          <!-- Empty State (no federations or no matches) -->
+          <div v-if="totalFilteredCount === 0" class="wayf-empty-state">
+            <no-content-message id="wayf-empty" class="oc-mx-m oc-my-m" icon="magnify">
+              <template #message>
+                <span v-text="$gettext('No providers match your search')" />
+              </template>
+              <template #callToAction>
+                <span
+                  class="oc-text-muted"
+                  v-text="$gettext('Try a different search or enter a domain manually below.')"
+                />
+              </template>
+            </no-content-message>
+          </div>
+
+          <!-- Federation Sections -->
+          <div v-else class="wayf-federations oc-flex-1">
+            <div
+              v-for="[federation, providers] in sortedFederationEntries"
+              :key="federation"
+              class="wayf-federation"
+            >
+              <div class="wayf-federation-header oc-flex oc-flex-middle oc-px-m oc-py-s">
+                <oc-icon name="shield-check" :size="16" class="oc-mr-s" />
+                <h2 class="oc-text-truncate" :title="federation">{{ federation }}</h2>
+                <span class="wayf-provider-count oc-ml-s oc-text-muted oc-text-small">
+                  {{ providers.length }}
+                  {{ providers.length === 1 ? $gettext('provider') : $gettext('providers') }}
+                </span>
+              </div>
+              <div class="wayf-providers">
+                <oc-button
+                  v-for="p in providers"
+                  :key="p.fqdn"
+                  appearance="raw"
+                  class="wayf-provider-button oc-width-1-1 oc-px-s oc-py-s"
+                  :disabled="loading"
+                  :aria-label="$gettext('Select provider %{name}', { name: p.name })"
+                  @click="navigateToProvider(p, token, providerDomain)"
+                >
+                  <div class="oc-flex oc-flex-middle oc-flex-center">
+                    <div class="oc-flex oc-flex-column oc-width-expand oc-text-center">
+                      <div class="wayf-provider-name oc-text-truncate">{{ p.name }}</div>
+                      <div class="wayf-provider-fqdn oc-text-muted oc-text-small">
+                        {{ p.fqdn }}
+                      </div>
+                    </div>
+                  </div>
+                </oc-button>
+              </div>
+            </div>
+          </div>
+
+          <!-- Manual Provider Section -->
+          <div class="wayf-manual oc-px-m oc-pt-m">
+            <div class="oc-flex oc-flex-middle oc-mb-s">
+              <oc-icon name="cloud" :size="20" class="oc-mr-s" />
+              <h3 v-text="$gettext('Manual Provider Entry')" />
+            </div>
+            <oc-text-input
+              v-model="manualProvider"
+              :label="$gettext('Enter provider domain manually')"
+              type="text"
+              id="wayf-manual"
+              name="manual"
+              class="oc-mb-s"
+              @keyup.enter="goToManualProvider"
+            >
+              <template #icon>
+                <oc-icon name="cloud" :size="20" />
+              </template>
+            </oc-text-input>
+            <oc-button
+              appearance="filled"
+              variation="primary"
+              class="oc-mt-s oc-px-m oc-py-m wayf-continue-button"
+              :disabled="!manualProvider.trim() || loading"
+              @click="goToManualProvider"
+            >
+              <span v-text="$gettext('Continue')" />
+            </oc-button>
+          </div>
+        </div>
+      </div>
+    </div>
+  </main>
+</template>
+
+<script lang="ts" setup>
+import { ref, computed, onMounted } from 'vue'
+import { useRoute } from 'vue-router'
+import { useGettext } from 'vue3-gettext'
+import { NoContentMessage, AppLoadingSpinner } from '@ownclouders/web-pkg'
+import { useWayf } from '../composables/useWayf'
+import type { WayfProvider } from '../types/wayf'
+
+const route = useRoute()
+const { $gettext } = useGettext()
+
+const token = computed(() => (route.query.token as string) || '')
+const hasToken = computed(() => token.value.trim().length > 0)
+
+// providerDomain is always domain, the domain where this WAYF page is hosted
+const providerDomain = computed(() => {
+  return window.location.hostname
+})
+
+const query = ref('')
+const manualProvider = ref('')
+
+const {
+  loading,
+  error,
+  federations,
+  navigateToProvider,
+  navigateToManualProvider,
+  loadFederations,
+  filterProviders
+} = useWayf()
+
+const helperContent = computed(() => {
+  return {
+    text: $gettext(
+      'Select your cloud provider to continue with the invitation process. You can search for providers or enter a domain manually.'
+    ),
+    title: $gettext('Where Are You From?')
+  }
+})
+
+const filteredFederations = computed<Record<string, WayfProvider[]>>(() => {
+  const result: Record<string, WayfProvider[]> = {}
+  const currentFederations = federations.value || {}
+  Object.entries(currentFederations).forEach(([name, providers]) => {
+    const filtered = filterProviders(providers as WayfProvider[], query.value)
+    if (filtered.length > 0) {
+      result[name] = filtered
+    }
+  })
+  return result
+})
+
+const totalFilteredCount = computed(() => {
+  return Object.values(filteredFederations.value).reduce((sum, arr) => sum + arr.length, 0)
+})
+
+const sortedFederationEntries = computed(() => {
+  return Object.entries(filteredFederations.value).sort(([a], [b]) => a.localeCompare(b))
+})
+
+const goToManualProvider = async () => {
+  await navigateToManualProvider(manualProvider.value, token.value, providerDomain.value)
+}
+
+onMounted(() => {
+  loadFederations()
+})
+</script>
+
+<style lang="scss" scoped>
+#wayf {
+  background-color: var(--oc-color-background-hover);
+  height: 100vh;
+  overflow: auto;
+  display: flex;
+  flex-direction: column;
+
+  /* Custom scrollbar styling */
+  &::-webkit-scrollbar {
+    width: 6px;
+  }
+
+  &::-webkit-scrollbar-track {
+    background: transparent;
+  }
+
+  &::-webkit-scrollbar-thumb {
+    background: var(--oc-color-border);
+    border-radius: 3px;
+
+    &:hover {
+      background: var(--oc-color-text-muted);
+    }
+  }
+}
+
+.wayf-wrapper {
+  width: 100%;
+  background-color: var(--oc-color-background-default);
+  border-radius: 0;
+  margin: 0;
+  display: flex;
+  flex-direction: column;
+}
+
+.wayf-content {
+  display: flex;
+  flex-direction: column;
+  flex: 1;
+  min-height: 0;
+}
+
+.wayf-header {
+  background-color: var(--oc-color-background-hover);
+  border-bottom: 1px solid var(--oc-color-border);
+  flex-shrink: 0;
+  min-height: 60px;
+
+  h1 {
+    color: var(--oc-color-text-default);
+    font-size: 1.5rem;
+    font-weight: 600;
+    margin: 0;
+  }
+}
+
+.wayf-main {
+  background-color: var(--oc-color-background-default);
+  min-height: 0;
+  display: grid;
+  grid-template-rows: auto 1fr auto;
+  flex: 1;
+}
+
+.wayf-search {
+  background-color: var(--oc-color-background-hover);
+  border-bottom: 1px solid var(--oc-color-border);
+  flex-shrink: 0;
+  overflow: hidden;
+  min-height: 80px;
+}
+
+.wayf-federations {
+  overflow-y: auto;
+  overflow-x: hidden;
+  min-height: 200px;
+  padding: var(--oc-space-small);
+  display: grid;
+  grid-template-columns: repeat(auto-fill, minmax(280px, 1fr));
+  grid-gap: var(--oc-space-small);
+  align-content: start;
+
+  /* Custom scrollbar styling */
+  &::-webkit-scrollbar {
+    width: 6px;
+  }
+
+  &::-webkit-scrollbar-track {
+    background: transparent;
+  }
+
+  &::-webkit-scrollbar-thumb {
+    background: var(--oc-color-border);
+    border-radius: 3px;
+
+    &:hover {
+      background: var(--oc-color-text-muted);
+    }
+  }
+}
+
+.wayf-federation {
+  border: 1px solid var(--oc-color-border);
+  border-radius: 10px;
+  overflow: hidden;
+  display: flex;
+  flex-direction: column;
+  max-height: 280px;
+  height: 280px;
+}
+
+.wayf-federation-header {
+  background-color: var(--oc-color-background-hover);
+  border-bottom: 1px solid var(--oc-color-border);
+  min-height: 42px;
+
+  h2 {
+    color: var(--oc-color-text-default);
+    font-size: 1.1rem;
+    font-weight: 600;
+    margin: 0;
+    min-width: 0;
+    flex: 1 1 auto;
+  }
+
+  .wayf-provider-count {
+    background-color: var(--oc-color-background-default);
+    padding: 2px 8px;
+    border-radius: 12px;
+    font-size: 0.75rem;
+    font-weight: 500;
+    margin-left: auto;
+    min-width: fit-content;
+    text-align: right;
+    white-space: nowrap;
+    flex-shrink: 0;
+  }
+}
+
+.wayf-providers {
+  background-color: var(--oc-color-background-default);
+  overflow-y: auto;
+  flex: 1;
+  min-height: 0;
+
+  /* Custom scrollbar styling */
+  &::-webkit-scrollbar {
+    width: 6px;
+  }
+
+  &::-webkit-scrollbar-track {
+    background: transparent;
+  }
+
+  &::-webkit-scrollbar-thumb {
+    background: var(--oc-color-border);
+    border-radius: 3px;
+
+    &:hover {
+      background: var(--oc-color-text-muted);
+    }
+  }
+}
+
+.wayf-provider-button {
+  border: none;
+  border-bottom: 1px solid var(--oc-color-border);
+  border-radius: 0;
+  text-align: left;
+  transition: background-color 0.15s ease;
+  font-size: 0.9rem;
+  padding-top: var(--oc-space-2xsmall);
+  padding-bottom: var(--oc-space-2xsmall);
+
+  &:hover:not(:disabled) {
+    background-color: var(--oc-color-background-hover);
+  }
+
+  &:last-child {
+    border-bottom: none;
+  }
+
+  &:disabled {
+    opacity: 0.6;
+    cursor: not-allowed;
+  }
+}
+
+.wayf-provider-icon {
+  display: none;
+}
+
+.wayf-provider-name {
+  font-weight: 600;
+  color: var(--oc-color-text-default);
+  margin-bottom: 2px;
+  font-size: 1rem;
+}
+
+.wayf-provider-fqdn {
+  color: var(--oc-color-text-muted);
+  font-family: monospace;
+  font-size: 0.8rem;
+}
+
+.wayf-manual {
+  background-color: var(--oc-color-background-hover);
+  border-top: 1px solid var(--oc-color-border);
+  box-shadow: 0 -2px 6px rgba(0, 0, 0, 0.04);
+  overflow-y: auto;
+  overflow-x: hidden;
+  min-height: 220px;
+  max-height: 350px;
+  display: flex;
+  flex-direction: column;
+
+  /* Custom scrollbar styling - matches main container */
+  &::-webkit-scrollbar {
+    width: 6px;
+  }
+
+  &::-webkit-scrollbar-track {
+    background: transparent;
+  }
+
+  &::-webkit-scrollbar-thumb {
+    background: var(--oc-color-border);
+    border-radius: 3px;
+
+    &:hover {
+      background: var(--oc-color-text-muted);
+    }
+  }
+
+  h3 {
+    color: var(--oc-color-text-default);
+    font-size: 1rem;
+    font-weight: 600;
+    margin: 0;
+  }
+}
+
+.wayf-continue-button {
+  min-width: 120px;
+  justify-self: flex-end;
+}
+
+.wayf-empty-state {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  min-height: 300px;
+  flex: 1;
+}
+
+.wayf-no-token {
+  background-color: var(--oc-color-background-default);
+  min-height: 400px;
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+
+  h2 {
+    color: var(--oc-color-text-default);
+    font-size: 1.5rem;
+    font-weight: 600;
+    margin: 0 0 var(--oc-space-small) 0;
+  }
+
+  p {
+    color: var(--oc-color-text-muted);
+    margin: 0;
+  }
+}
+
+@media (max-width: $oc-breakpoint-large-default) {
+  .wayf-federations {
+    grid-template-columns: 1fr 1fr;
+  }
+}
+
+@media (max-width: $oc-breakpoint-medium-default) {
+  .wayf-header {
+    h1 {
+      font-size: 1.25rem;
+    }
+  }
+
+  .wayf-federation-header {
+    h2 {
+      font-size: 1rem;
+    }
+  }
+
+  .wayf-federations {
+    grid-template-columns: 1fr;
+    min-height: 150px;
+  }
+
+  .wayf-main {
+    grid-template-rows: auto 1fr auto;
+  }
+
+  .wayf-federation {
+    max-height: 240px;
+    height: 240px;
+  }
+
+  .wayf-manual {
+    min-height: 220px;
+    max-height: 300px;
+  }
+}
+
+@media (max-height: 600px) {
+  .wayf-federations {
+    min-height: 120px;
+  }
+
+  .wayf-main {
+    grid-template-rows: auto 1fr auto;
+  }
+
+  .wayf-federation {
+    max-height: 200px;
+    height: 200px;
+  }
+
+  .wayf-manual {
+    min-height: 220px;
+    max-height: 250px;
+  }
+}
+</style>
diff --git a/packages/web-pkg/src/composables/piniaStores/inviteTokensList.ts b/packages/web-pkg/src/composables/piniaStores/inviteTokensList.ts
index 21f1e3199be..5023574e925 100644
--- a/packages/web-pkg/src/composables/piniaStores/inviteTokensList.ts
+++ b/packages/web-pkg/src/composables/piniaStores/inviteTokensList.ts
@@ -5,6 +5,8 @@ type Token = {
   id: string
   token: string
   link?: string
+  tokenAtProvider?: string
+  wayfLink?: string
   expiration?: Date
   expirationSeconds?: number
   description?: string