diff --git a/Dockerfile b/Dockerfile
index 36a6726..8477756 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,20 @@
-FROM maven:3.8.6-jdk-11 as build
+FROM maven:3.8.5-openjdk-17 as build
 
 COPY . /build
 WORKDIR /build
 
+RUN microdnf update \
+ && microdnf install --nodocs wget unzip \
+ && microdnf clean all \
+ && rm -rf /var/cache/yum
+
 RUN unset MAVEN_CONFIG && \
     ./mvnw versions:set -DnewVersion=LATEST && \
     ./mvnw install && \
     ./mvnw clean compile package && \
-    wget -O keycloak-rest-provider.jar https://github.com/daniel-frak/keycloak-user-migration/releases/download/1.0.0/keycloak-rest-provider-1.0.0.jar && \
-    wget -O keycloak-metrics-spi.jar https://github.com/aerogear/keycloak-metrics-spi/releases/download/3.0.0/keycloak-metrics-spi-3.0.0.jar && \
-    wget -O keycloak-home-idp-discovery.jar https://github.com/tidepool-org/keycloak-home-idp-discovery/releases/download/v21.4.0/keycloak-home-idp-discovery.jar
+    wget -O keycloak-rest-provider.jar https://github.com/daniel-frak/keycloak-user-migration/releases/download/5.0.0/keycloak-rest-provider-5.0.0.jar && \
+    wget -O keycloak-metrics-spi.jar https://github.com/aerogear/keycloak-metrics-spi/releases/download/6.0.0/keycloak-metrics-spi-6.0.0.jar && \
+    wget -O keycloak-home-idp-discovery.jar https://github.com/tidepool-org/keycloak-home-idp-discovery/releases/download/v25.0.0-test/keycloak-home-idp-discovery.jar
 
 FROM alpine:latest as release
 
diff --git a/Makefile b/Makefile
index ae880cf..162d3f3 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-keycloak_version = 21.1.1
+keycloak_version = 25.0.6
 date = $(shell date -u +"%Y-%m-%dT%H-%M-%S")
 image_tag = $(keycloak_version)-$(date)
 
diff --git a/admin/pom.xml b/admin/pom.xml
index e20604d..2caa011 100644
--- a/admin/pom.xml
+++ b/admin/pom.xml
@@ -24,7 +24,7 @@
         <maven.compiler.target>11</maven.compiler.target>
 
         <!-- https://mvnrepository.com/artifact/org.keycloak/keycloak-parent -->
-        <keycloak.version>21.1.1</keycloak.version>
+        <keycloak.version>25.0.6</keycloak.version>
         <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-compiler-plugin -->
         <maven-compiler-plugin.version>3.8.1</maven-compiler-plugin.version>
     </properties>
diff --git a/admin/src/main/java/org/tidepool/keycloak/extensions/authenticator/RedirectToRegistrationPage.java b/admin/src/main/java/org/tidepool/keycloak/extensions/authenticator/RedirectToRegistrationPage.java
index 5be3295..cdcdadd 100755
--- a/admin/src/main/java/org/tidepool/keycloak/extensions/authenticator/RedirectToRegistrationPage.java
+++ b/admin/src/main/java/org/tidepool/keycloak/extensions/authenticator/RedirectToRegistrationPage.java
@@ -6,8 +6,8 @@
 import org.keycloak.services.Urls;
 import org.keycloak.sessions.AuthenticationSessionModel;
 
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriBuilder;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.UriBuilder;
 import java.net.URI;
 
 final class RedirectToRegistrationPage implements Authenticator {
diff --git a/admin/src/main/java/org/tidepool/keycloak/extensions/authenticator/RegistrationTermsFormAction.java b/admin/src/main/java/org/tidepool/keycloak/extensions/authenticator/RegistrationTermsFormAction.java
index a461507..ad15a18 100644
--- a/admin/src/main/java/org/tidepool/keycloak/extensions/authenticator/RegistrationTermsFormAction.java
+++ b/admin/src/main/java/org/tidepool/keycloak/extensions/authenticator/RegistrationTermsFormAction.java
@@ -3,7 +3,7 @@
 import java.util.ArrayList;
 import java.util.List;
 
-import javax.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.MultivaluedMap;
 
 import org.keycloak.authentication.FormAction;
 import org.keycloak.authentication.FormContext;
@@ -32,6 +32,13 @@ public void close() {
 
     @Override
     public void buildPage(FormContext context, LoginFormsProvider form) {
+        // TEMPORARY: Currently only for Clinician registration which includes TOS/PP
+        // agreement on clinician registration form. Remove conditional once TOS/PP agreement
+        // included on personal registration form.
+        if (RoleBean.hasClinicianRoleFromAuthenticationSession(context.getAuthenticationSession()) ||
+                RoleBean.hasClinicianRoleFromRealmUser(context.getRealm(), context.getUser())) {
+            form.setAttribute("termsAcceptanceRequired", true);
+        }
     }
 
     @Override
diff --git a/admin/src/main/java/org/tidepool/keycloak/extensions/login/TidepoolLoginFormsProvider.java b/admin/src/main/java/org/tidepool/keycloak/extensions/login/TidepoolLoginFormsProvider.java
index 7387207..7b79018 100644
--- a/admin/src/main/java/org/tidepool/keycloak/extensions/login/TidepoolLoginFormsProvider.java
+++ b/admin/src/main/java/org/tidepool/keycloak/extensions/login/TidepoolLoginFormsProvider.java
@@ -3,7 +3,7 @@
 import java.net.URI;
 import java.util.Locale;
 
-import javax.ws.rs.core.Response;
+import jakarta.ws.rs.core.Response;
 
 import org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider;
 import org.keycloak.models.KeycloakSession;
diff --git a/admin/src/main/java/org/tidepool/keycloak/extensions/model/RoleBean.java b/admin/src/main/java/org/tidepool/keycloak/extensions/model/RoleBean.java
index c1e781a..a7a6100 100644
--- a/admin/src/main/java/org/tidepool/keycloak/extensions/model/RoleBean.java
+++ b/admin/src/main/java/org/tidepool/keycloak/extensions/model/RoleBean.java
@@ -55,9 +55,7 @@ public boolean hasClinicianRole() {
 
     public static boolean hasClinicianRoleFromAuthenticationSession(AuthenticationSessionModel authenticationSession) {
         if (authenticationSession != null) {
-            if (ROLES_CLINICIAN_SET.contains(authenticationSession.getAuthNote(AUTH_NOTE_ROLE))) {
-                return true;
-            }
+            return ROLES_CLINICIAN_SET.contains(authenticationSession.getAuthNote(AUTH_NOTE_ROLE));
         }
         return false;
     }
diff --git a/admin/src/main/java/org/tidepool/keycloak/extensions/resource/AdminResource.java b/admin/src/main/java/org/tidepool/keycloak/extensions/resource/AdminResource.java
index 7323a72..7e7875b 100644
--- a/admin/src/main/java/org/tidepool/keycloak/extensions/resource/AdminResource.java
+++ b/admin/src/main/java/org/tidepool/keycloak/extensions/resource/AdminResource.java
@@ -13,22 +13,22 @@
 import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
 import org.keycloak.services.resources.admin.permissions.AdminPermissions;
 
-import javax.ws.rs.NotAuthorizedException;
-import javax.ws.rs.NotFoundException;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.NotAuthorizedException;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.core.HttpHeaders;
 
 public abstract class AdminResource {
 
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private KeycloakSession session;
+    final private KeycloakSession session;
 
     protected AdminPermissionEvaluator auth;
 
+    public AdminResource(KeycloakSession session) {
+        this.session = session;
+    }
+
     protected void setup() {
+        HttpHeaders headers = session.getContext().getRequestHeaders();
         String tokenString = AppAuthManager.extractAuthorizationHeaderToken(headers);
         if (tokenString == null) throw new NotAuthorizedException("Bearer");
         AccessToken token;
diff --git a/admin/src/main/java/org/tidepool/keycloak/extensions/resource/RegistrationsRealmResourceProvider.java b/admin/src/main/java/org/tidepool/keycloak/extensions/resource/RegistrationsRealmResourceProvider.java
index b4cd1f9..83b8203 100644
--- a/admin/src/main/java/org/tidepool/keycloak/extensions/resource/RegistrationsRealmResourceProvider.java
+++ b/admin/src/main/java/org/tidepool/keycloak/extensions/resource/RegistrationsRealmResourceProvider.java
@@ -2,12 +2,12 @@
 
 import java.net.URI;
 
-import javax.ws.rs.GET;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriBuilder;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.UriBuilder;
 
 import org.keycloak.authentication.AuthenticationProcessor;
 import org.keycloak.common.ClientConnection;
@@ -58,10 +58,10 @@ public RegistrationsRealmResourceProvider registrations(
     /**
      * Restart authentication with registration. Allows specification of role
      * (clinician or personal) to initiate registration.
-     * 
+     *
      * Mimics LoginActionsService.restartSession, but restarts with registration
      * flow.
-     * 
+     *
      * @param authSessionId
      * @param clientId
      * @param tabId
@@ -85,7 +85,7 @@ public Response restart(
         event.event(EventType.RESTART_AUTHENTICATION);
 
         SessionCodeChecks checks = new SessionCodeChecks(realm, context.getUri(), request,
-                clientConnection, session, event, authSessionId, null, null, clientId, tabId, null);
+                clientConnection, session, event, authSessionId, null, null, clientId, tabId, null, LoginActionsService.REGISTRATION_PATH);
 
         AuthenticationSessionModel authenticationSession = checks.initialVerifyAuthSession();
         if (authenticationSession == null) {
@@ -104,7 +104,9 @@ public Response restart(
 
         AuthenticationProcessor.resetFlow(authenticationSession, LoginActionsService.REGISTRATION_PATH);
 
-        URI redirectUri = getLastExecutionUrl(flowPath, null, authenticationSession.getClient().getClientId(), tabId);
+        String clientData = AuthenticationProcessor.getClientData(session, authenticationSession);
+
+        URI redirectUri = getLastExecutionUrl(flowPath, null, authenticationSession.getClient().getClientId(), tabId, clientData);
 
         if (role != null) {
             redirectUri = UriBuilder.fromUri(redirectUri).queryParam(RoleBean.PARAMETER_ROLE, role).build();
@@ -113,8 +115,8 @@ public Response restart(
         return Response.status(Response.Status.FOUND).location(redirectUri).build();
     }
 
-    private URI getLastExecutionUrl(String flowPath, String executionId, String clientId, String tabId) {
+    private URI getLastExecutionUrl(String flowPath, String executionId, String clientId, String tabId, String clientData) {
         return new AuthenticationFlowURLHelper(session, session.getContext().getRealm(), session.getContext().getUri())
-                .getLastExecutionUrl(flowPath, executionId, clientId, tabId);
+                .getLastExecutionUrl(flowPath, executionId, clientId, tabId, clientData);
     }
 }
diff --git a/admin/src/main/java/org/tidepool/keycloak/extensions/resource/TidepoolAdminResource.java b/admin/src/main/java/org/tidepool/keycloak/extensions/resource/TidepoolAdminResource.java
index f224700..77e63fa 100644
--- a/admin/src/main/java/org/tidepool/keycloak/extensions/resource/TidepoolAdminResource.java
+++ b/admin/src/main/java/org/tidepool/keycloak/extensions/resource/TidepoolAdminResource.java
@@ -5,16 +5,16 @@
 import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.BadRequestException;
-import javax.ws.rs.NotFoundException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.BadRequestException;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.stream.Collectors;
@@ -26,6 +26,7 @@ public class TidepoolAdminResource extends AdminResource {
     private final KeycloakSession session;
 
     public TidepoolAdminResource(KeycloakSession session) {
+        super(session);
         this.session = session;
     }
 
diff --git a/admin/src/main/java/org/tidepool/keycloak/extensions/resource/TidepoolAdminResourceProvider.java b/admin/src/main/java/org/tidepool/keycloak/extensions/resource/TidepoolAdminResourceProvider.java
index be1c948..c3d2fff 100644
--- a/admin/src/main/java/org/tidepool/keycloak/extensions/resource/TidepoolAdminResourceProvider.java
+++ b/admin/src/main/java/org/tidepool/keycloak/extensions/resource/TidepoolAdminResourceProvider.java
@@ -1,6 +1,5 @@
 package org.tidepool.keycloak.extensions.resource;
 
-import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.keycloak.models.*;
 import org.keycloak.services.resource.RealmResourceProvider;
 
@@ -15,7 +14,6 @@ public TidepoolAdminResourceProvider(KeycloakSession session) {
     @Override
     public Object getResource() {
         TidepoolAdminResource resource = new TidepoolAdminResource(session);
-        ResteasyProviderFactory.getInstance().injectProperties(resource);
         resource.setup();
         return resource;
     }
diff --git a/admin/src/main/java/org/tidepool/keycloak/extensions/roles/UserRolePromptRequiredAction.java b/admin/src/main/java/org/tidepool/keycloak/extensions/roles/UserRolePromptRequiredAction.java
index 200f9ca..a579be6 100644
--- a/admin/src/main/java/org/tidepool/keycloak/extensions/roles/UserRolePromptRequiredAction.java
+++ b/admin/src/main/java/org/tidepool/keycloak/extensions/roles/UserRolePromptRequiredAction.java
@@ -9,7 +9,7 @@
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.RoleModel;
 
-import javax.ws.rs.core.Response;
+import jakarta.ws.rs.core.Response;
 import java.util.*;
 
 @AutoService(RequiredActionFactory.class)
@@ -89,4 +89,4 @@ public String getDisplayText() {
     public void close() {
         // NOOP
     }
-}
\ No newline at end of file
+}
diff --git a/admin/src/main/java/org/tidepool/keycloak/extensions/terms/TidepoolTermsRequiredAction.java b/admin/src/main/java/org/tidepool/keycloak/extensions/terms/TidepoolTermsRequiredAction.java
index 00346f1..59301df 100644
--- a/admin/src/main/java/org/tidepool/keycloak/extensions/terms/TidepoolTermsRequiredAction.java
+++ b/admin/src/main/java/org/tidepool/keycloak/extensions/terms/TidepoolTermsRequiredAction.java
@@ -9,7 +9,7 @@
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.RoleModel;
 
-import javax.ws.rs.core.Response;
+import jakarta.ws.rs.core.Response;
 import java.util.*;
 import java.util.stream.Collectors;
 
@@ -23,6 +23,7 @@ public class TidepoolTermsRequiredAction implements RequiredActionProvider, Requ
 
     public static final Map<String, String> FORMS = Map.of(
             "patient","patient_terms.ftl",
+            "clinic", "clinician_terms.ftl",
             "clinician", "clinician_terms.ftl"
     );
 
@@ -114,4 +115,4 @@ public String getDisplayText() {
     public void close() {
         // NOOP
     }
-}
\ No newline at end of file
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index 86519a5..2e8724f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,14 +20,14 @@ services:
       - 6543:5432
 
   providers:
-    image: busybox
-    command: ["/bin/sh", "-c",  "cp /local/admin.jar /providers && wget -O /providers/keycloak-home-idp-discovery.jar https://github.com/toddkazakov/keycloak-home-idp-discovery/releases/download/0.3.0/keycloak-home-idp-discovery.jar"]
+    image: alpine:3.20.3
+    command: ["/bin/sh", "-c",  "apk add ca-certificates && update-ca-certificates && rm -f /providers/* && cp /local/admin.jar /providers && wget -O /providers/keycloak-home-idp-discovery.jar https://github.com/tidepool-org/keycloak-home-idp-discovery/releases/download/v25.0.0-test/keycloak-home-idp-discovery.jar"]
     volumes:
       - ./admin/target/admin-LATEST.jar:/local/admin.jar
       - providers:/providers
 
   keycloak:
-    image: quay.io/keycloak/keycloak:21.1.1
+    image: quay.io/keycloak/keycloak:25.0.6
     container_name: tp-keycloak
     environment:
       KC_DB: postgres
diff --git a/tidepool-theme/login/login-idp-link-confirm.ftl b/tidepool-theme/login/login-idp-link-confirm.ftl
index eb244b5..f621de7 100644
--- a/tidepool-theme/login/login-idp-link-confirm.ftl
+++ b/tidepool-theme/login/login-idp-link-confirm.ftl
@@ -19,7 +19,7 @@
                            id="username"
                            class="${properties.kcInputClass!}"
                            type="text" autocomplete="off"
-                           value="${brokerContext.modelUsername}"
+                           value="${brokerContext.email}"
                     />
                 </div>
             </div>
diff --git a/tidepool-theme/login/login-idp-link-email.ftl b/tidepool-theme/login/login-idp-link-email.ftl
index 815615f..5c7684a 100644
--- a/tidepool-theme/login/login-idp-link-email.ftl
+++ b/tidepool-theme/login/login-idp-link-email.ftl
@@ -5,14 +5,14 @@
     <#elseif section = "form">
             <div class="${properties.kcFormGroupClass!}">
                 <p id="instruction1" class="instruction">
-                    ${msg("emailLinkIdp1", idpDisplayName, brokerContext.username, realm.displayName)}
+                    ${msg("emailLinkIdp1", idpDisplayName, brokerContext.email, realm.displayName)}
                 </p>
                 <div class="attempted-username instruction">
                     <input disabled
                            id="username"
                            class="${properties.kcInputClass!}"
                            type="text" autocomplete="off"
-                           value="${brokerContext.username}"
+                           value="${brokerContext.email}"
                     />
                 </div>
                 <p id="instruction2" class="instruction">
@@ -23,4 +23,4 @@
                 </p>
             </div>
     </#if>
-</@layout.registrationLayout>
\ No newline at end of file
+</@layout.registrationLayout>
diff --git a/tidepool-theme/login/login-username.ftl b/tidepool-theme/login/login-username.ftl
index b729ef7..01b3d62 100644
--- a/tidepool-theme/login/login-username.ftl
+++ b/tidepool-theme/login/login-username.ftl
@@ -64,7 +64,7 @@
             </div>
         </#if>
     <#elseif section = "socialProviders" >
-        <#if realm.password && social.providers??>
+        <#if realm.password && social?? && social.providers?has_content>
             <div id="kc-social-providers" class="${properties.kcFormSocialAccountSectionClass!}">
                 <hr/>
                 <h4>${msg("identity-provider-login-label")}</h4>
diff --git a/tidepool-theme/login/login.ftl b/tidepool-theme/login/login.ftl
index afdc1f2..dd9e64e 100644
--- a/tidepool-theme/login/login.ftl
+++ b/tidepool-theme/login/login.ftl
@@ -1,105 +1,116 @@
 <#import "template.ftl" as layout>
-<@layout.registrationLayout displayMessage=!messagesPerField.existsError('username','password') displayInfo=true; section>
+<@layout.registrationLayout displayMessage=!messagesPerField.existsError('username','password') displayInfo=false; section>
     <#if section = "header">
         ${msg("letsGetStarted")}
     <#elseif section = "form">
-    <div id="kc-form">
-      <div id="kc-form-wrapper">
-        <#if realm.password>
-            <form id="kc-form-login" onsubmit="login.disabled = true; return true;" action="${url.loginAction}" method="post">
-                <#if !usernameHidden??>
+        <div id="kc-form">
+          <div id="kc-form-wrapper">
+            <#if realm.password>
+                <form id="kc-form-login" onsubmit="login.disabled = true; return true;" action="${url.loginAction}" method="post">
+                    <#if !usernameHidden??>
+                        <div class="${properties.kcFormGroupClass!}">
+                            <label for="username" class="${properties.kcLabelClass!}"><#if !realm.loginWithEmailAllowed>${msg("username")}<#elseif !realm.registrationEmailAsUsername>${msg("usernameOrEmail")}<#else>${msg("email")}</#if></label>
+
+                            <input tabindex="2" id="username" class="${properties.kcInputClass!}" name="username" value="${(login.username!'')}"  type="text" autofocus autocomplete="username"
+                                   aria-invalid="<#if messagesPerField.existsError('username','password')>true</#if>"
+                                   placeholder="<#if !realm.loginWithEmailAllowed>${msg("username")}<#elseif !realm.registrationEmailAsUsername>${msg("usernameOrEmail")}<#else>${msg("email")}</#if>"
+                            />
+
+                            <#if messagesPerField.existsError('username','password')>
+                                <div id="input-error" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
+                                        ${kcSanitize(messagesPerField.getFirstError('username','password'))?no_esc}
+                                </div>
+                            </#if>
+
+                        </div>
+                    </#if>
+
                     <div class="${properties.kcFormGroupClass!}">
-                        <label for="username" class="${properties.kcLabelClass!}"><#if !realm.loginWithEmailAllowed>${msg("username")}<#elseif !realm.registrationEmailAsUsername>${msg("usernameOrEmail")}<#else>${msg("email")}</#if></label>
+                        <label for="password" class="${properties.kcLabelClass!}">${msg("password")}</label>
 
-                        <input tabindex="1" id="username" class="${properties.kcInputClass!}" name="username" value="${(login.username!'')}"  type="text" autofocus autocomplete="off"
-                               aria-invalid="<#if messagesPerField.existsError('username','password')>true</#if>"
-                               placeholder="<#if !realm.loginWithEmailAllowed>${msg("username")}<#elseif !realm.registrationEmailAsUsername>${msg("usernameOrEmail")}<#else>${msg("email")}</#if>"
-                        />
+                        <div class="${properties.kcInputGroup!}">
+                            <input tabindex="3" id="password" class="${properties.kcInputClass!}" name="password" type="password" autocomplete="current-password"
+                                   aria-invalid="<#if messagesPerField.existsError('username','password')>true</#if>"
+                            />
+                            <button class="${properties.kcFormPasswordVisibilityButtonClass!}" type="button" aria-label="${msg("showPassword")}"
+                                    aria-controls="password" data-password-toggle tabindex="4"
+                                    data-icon-show="${properties.kcFormPasswordVisibilityIconShow!}" data-icon-hide="${properties.kcFormPasswordVisibilityIconHide!}"
+                                    data-label-show="${msg('showPassword')}" data-label-hide="${msg('hidePassword')}">
+                                <i class="${properties.kcFormPasswordVisibilityIconShow!}" aria-hidden="true"></i>
+                            </button>
+                        </div>
 
-                        <#if messagesPerField.existsError('username','password')>
+                       <#if usernameHidden?? && messagesPerField.existsError('username','password')>
                             <div id="input-error" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
                                     ${kcSanitize(messagesPerField.getFirstError('username','password'))?no_esc}
                             </div>
                         </#if>
 
                     </div>
-                </#if>
 
-                <div class="${properties.kcFormGroupClass!}">
-                    <label for="password" class="${properties.kcLabelClass!}">${msg("password")}</label>
-
-                    <input tabindex="2" id="password" class="${properties.kcInputClass!}" name="password" type="password" autocomplete="off"
-                           aria-invalid="<#if messagesPerField.existsError('username','password')>true</#if>"
-                           placeholder="${msg("password")}"
-                    />
-
-                    <#if usernameHidden?? && messagesPerField.existsError('username','password')>
-                        <div id="input-error" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
-                                ${kcSanitize(messagesPerField.getFirstError('username','password'))?no_esc}
-                        </div>
-                    </#if>
-
-                </div>
-
-                <div class="${properties.kcFormGroupClass!} ${properties.kcFormSettingClass!}">
-                    <div id="kc-form-options">
-                        <#if realm.rememberMe>
-                            <div class="checkbox">
-                                <label>
-                                    <#if login.rememberMe??>
-                                        <input tabindex="3" id="rememberMe" name="rememberMe" type="checkbox" checked> ${msg("rememberMe")}
-                                    <#else>
-                                        <input tabindex="3" id="rememberMe" name="rememberMe" type="checkbox"> ${msg("rememberMe")}
-                                    </#if>
-                                </label>
-                            </div>
-                        </#if>
-                        </div>
-                        <div class="${properties.kcFormOptionsWrapperClass!}">
-                            <#if realm.resetPasswordAllowed>
-                                <span><a tabindex="5" href="${url.loginResetCredentialsUrl}">${msg("doForgotPassword")}</a></span>
+                    <div class="${properties.kcFormGroupClass!} ${properties.kcFormSettingClass!}">
+                        <div id="kc-form-options">
+                            <#if realm.rememberMe && !usernameHidden??>
+                                <div class="checkbox">
+                                    <label>
+                                        <#if login.rememberMe??>
+                                            <input tabindex="5" id="rememberMe" name="rememberMe" type="checkbox" checked> ${msg("rememberMe")}
+                                        <#else>
+                                            <input tabindex="5" id="rememberMe" name="rememberMe" type="checkbox"> ${msg("rememberMe")}
+                                        </#if>
+                                    </label>
+                                </div>
                             </#if>
-                        </div>
+                            </div>
+                            <div class="${properties.kcFormOptionsWrapperClass!}">
+                                <#if realm.resetPasswordAllowed>
+                                    <span><a tabindex="6" href="${url.loginResetCredentialsUrl}">${msg("doForgotPassword")}</a></span>
+                                </#if>
+                            </div>
 
-                  </div>
+                      </div>
 
-                  <div id="kc-form-buttons" class="${properties.kcFormGroupClass!}">
-                      <input type="hidden" id="id-hidden-input" name="credentialId" <#if auth.selectedCredential?has_content>value="${auth.selectedCredential}"</#if>/>
-                      <#if realm.password && realm.registrationAllowed && !registrationDisabled??>
-                        <div id="kc-registration-container">
-                            <div id="kc-registration">
-                                <span><a tabindex="6" href="${url.registrationUrl}"><i class="fa fa-plus-circle"></i> ${msg("doRegister")}</a></span>
-                            </div>
-                        </div>
-                      </#if>
-                      <input tabindex="4" class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}" name="login" id="kc-login" type="submit" value="${msg("doLogIn")}"/>
-                  </div>
-            </form>
-        </#if>
+                      <div id="kc-form-buttons" class="${properties.kcFormGroupClass!}">
+                          <input type="hidden" id="id-hidden-input" name="credentialId" <#if auth.selectedCredential?has_content>value="${auth.selectedCredential}"</#if>/>
+                          <input tabindex="7" class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}" name="login" id="kc-login" type="submit" value="${msg("doLogIn")}"/>
+                      </div>
+                </form>
+            </#if>
+            </div>
         </div>
-
-        <#if realm.password && social.providers??>
+        <script type="module" src="${url.resourcesPath}/js/passwordVisibility.js"></script>
+    <#elseif section = "info" >
+        <#if realm.password && realm.registrationAllowed && !registrationDisabled??>
+            <div id="kc-registration-container">
+                <div id="kc-registration">
+                    <span>${msg("noAccount")} <a tabindex="8"
+                                                 href="${url.registrationUrl}">${msg("doRegister")}</a></span>
+                </div>
+            </div>
+        </#if>
+    <#elseif section = "socialProviders" >
+        <#if realm.password && social?? && social.providers?has_content>
             <div id="kc-social-providers" class="${properties.kcFormSocialAccountSectionClass!}">
                 <hr/>
-                <h4>${msg("identity-provider-login-label")}</h4>
+                <h2>${msg("identity-provider-login-label")}</h2>
 
                 <ul class="${properties.kcFormSocialAccountListClass!} <#if social.providers?size gt 3>${properties.kcFormSocialAccountListGridClass!}</#if>">
                     <#list social.providers as p>
-                        <a id="social-${p.alias}" class="${properties.kcFormSocialAccountListButtonClass!} <#if social.providers?size gt 3>${properties.kcFormSocialAccountGridItem!}</#if>"
-                                type="button" href="${p.loginUrl}">
-                            <#if p.iconClasses?has_content>
-                                <i class="${properties.kcCommonLogoIdP!} ${p.iconClasses!}" aria-hidden="true"></i>
-                                <span class="${properties.kcFormSocialAccountNameClass!} kc-social-icon-text">${p.displayName!}</span>
-                            <#else>
-                                <span class="${properties.kcFormSocialAccountNameClass!}">${p.displayName!}</span>
-                            </#if>
-                        </a>
+                        <li>
+                            <a id="social-${p.alias}" class="${properties.kcFormSocialAccountListButtonClass!} <#if social.providers?size gt 3>${properties.kcFormSocialAccountGridItem!}</#if>"
+                                    type="button" href="${p.loginUrl}">
+                                <#if p.iconClasses?has_content>
+                                    <i class="${properties.kcCommonLogoIdP!} ${p.iconClasses!}" aria-hidden="true"></i>
+                                    <span class="${properties.kcFormSocialAccountNameClass!} kc-social-icon-text">${p.displayName!}</span>
+                                <#else>
+                                    <span class="${properties.kcFormSocialAccountNameClass!}">${p.displayName!}</span>
+                                </#if>
+                            </a>
+                        </li>
                     </#list>
                 </ul>
             </div>
         </#if>
-
-    </div>
     <#elseif section = "footer" >
       <div class="footer-section footer-section-top">
         <div class="footer-link social-media large-format-only">
diff --git a/tidepool-theme/login/register-clinician.ftl b/tidepool-theme/login/register-clinician.ftl
old mode 100644
new mode 100755
index 96a6f21..d847acc
--- a/tidepool-theme/login/register-clinician.ftl
+++ b/tidepool-theme/login/register-clinician.ftl
@@ -1,121 +1,105 @@
 <#import "template.ftl" as layout>
-<@layout.registrationLayout displayMessage=!messagesPerField.existsError('firstName','lastName','email','username','password','password-confirm', 'terms') displayInfo=true; section>
+<#import "user-profile-commons.ftl" as userProfileCommons>
+<#import "register-commons.ftl" as registerCommons>
+<@layout.registrationLayout displayMessage=messagesPerField.exists('global') displayRequiredFields=false displayInfo=true; section>
     <#if section = "header">
         <div class="${properties.kcRegisterTitleClass!}">
             ${msg("registerTitleClinician")}
         </div>
     <#elseif section = "form">
         <form id="kc-register-form" class="${properties.kcFormClass!}" action="${url.registrationAction}" method="post">
-            <input type="hidden" id="firstName" name="firstName" value="NA">
-            <input type="hidden" id="lastName" name="lastName" value="NA">
 
-            <div class="${properties.kcFormGroupClass!}">
-                <div class="${properties.kcLabelWrapperClass!}">
-                    <label for="email" class="${properties.kcLabelClass!}">${msg("email")}</label>
-                </div>
-                <div class="${properties.kcInputWrapperClass!}">
-                    <input type="text" id="email" class="${properties.kcInputClass!}" name="email"
-                           value="${(register.formData.email!'')}" autocomplete="email"
-                           aria-invalid="<#if messagesPerField.existsError('email')>true</#if>"
-                    />
-
-                    <#if messagesPerField.existsError('email')>
-                        <div id="input-error-email" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
-                            ${kcSanitize(messagesPerField.get('email'))?no_esc}
-                        </div>
-                    </#if>
-                </div>
-            </div>
-
-            <#if !realm.registrationEmailAsUsername>
-                <div class="${properties.kcFormGroupClass!}">
-                    <div class="${properties.kcLabelWrapperClass!}">
-                        <label for="username" class="${properties.kcLabelClass!}">${msg("username")}</label>
-                    </div>
-                    <div class="${properties.kcInputWrapperClass!}">
-                        <input type="text" id="username" class="${properties.kcInputClass!}" name="username"
-                               value="${(register.formData.username!'')}" autocomplete="username"
-                               aria-invalid="<#if messagesPerField.existsError('username')>true</#if>"
-                        />
-
-                        <#if messagesPerField.existsError('username')>
-                            <div id="input-error-username" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
-                                ${kcSanitize(messagesPerField.get('username'))?no_esc}
+            <@userProfileCommons.userProfileFormFields; callback, attribute>
+                <#if callback = "afterField">
+                <#-- render password fields just under the username or email (if used as username) -->
+                    <#if passwordRequired?? && (attribute.name == 'username' || (attribute.name == 'email' && realm.registrationEmailAsUsername))>
+                        <div class="${properties.kcFormGroupClass!}">
+                            <div class="${properties.kcLabelWrapperClass!}">
+                                <label for="password" class="${properties.kcLabelClass!}">${msg("password")}</label>
                             </div>
-                        </#if>
-                    </div>
-                </div>
-            </#if>
+                            <div class="${properties.kcInputWrapperClass!}">
+                                <div class="${properties.kcInputGroup!}">
+                                    <input type="password" id="password" class="${properties.kcInputClass!}" name="password"
+                                           autocomplete="new-password"
+                                           aria-invalid="<#if messagesPerField.existsError('password','password-confirm')>true</#if>"
+                                    />
+                                    <button class="${properties.kcFormPasswordVisibilityButtonClass!}" type="button" aria-label="${msg('showPassword')}"
+                                            aria-controls="password"  data-password-toggle
+                                            data-icon-show="${properties.kcFormPasswordVisibilityIconShow!}" data-icon-hide="${properties.kcFormPasswordVisibilityIconHide!}"
+                                            data-label-show="${msg('showPassword')}" data-label-hide="${msg('hidePassword')}">
+                                        <i class="${properties.kcFormPasswordVisibilityIconShow!}" aria-hidden="true"></i>
+                                    </button>
+                                </div>
 
-            <#if passwordRequired??>
-                <div class="${properties.kcFormGroupClass!}">
-                    <div class="${properties.kcLabelWrapperClass!}">
-                        <label for="password" class="${properties.kcLabelClass!}">${msg("password")}</label>
-                    </div>
-                    <div class="${properties.kcInputWrapperClass!}">
-                        <input type="password" id="password" class="${properties.kcInputClass!}" name="password"
-                               autocomplete="new-password"
-                               aria-invalid="<#if messagesPerField.existsError('password','password-confirm')>true</#if>"
-                        />
-
-                        <#if messagesPerField.existsError('password')>
-                            <div id="input-error-password" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
-                                ${kcSanitize(messagesPerField.get('password'))?no_esc}
+                                <#if messagesPerField.existsError('password')>
+                                    <div id="input-error-password" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
+		                                ${kcSanitize(messagesPerField.get('password'))?no_esc}
+		                            </div>
+                                </#if>
                             </div>
-                        </#if>
-                    </div>
-                </div>
-
-                <div class="${properties.kcFormGroupClass!}">
-                    <div class="${properties.kcLabelWrapperClass!}">
-                        <label for="password-confirm"
-                               class="${properties.kcLabelClass!}">${msg("passwordConfirm")}</label>
-                    </div>
-                    <div class="${properties.kcInputWrapperClass!}">
-                        <input type="password" id="password-confirm" class="${properties.kcInputClass!}"
-                               name="password-confirm"
-                               aria-invalid="<#if messagesPerField.existsError('password-confirm')>true</#if>"
-                        />
+                        </div>
 
-                        <#if messagesPerField.existsError('password-confirm')>
-                            <div id="input-error-password-confirm" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
-                                ${kcSanitize(messagesPerField.get('password-confirm'))?no_esc}
+                        <div class="${properties.kcFormGroupClass!}">
+                            <div class="${properties.kcLabelWrapperClass!}">
+                                <label for="password-confirm"
+                                       class="${properties.kcLabelClass!}">${msg("passwordConfirm")}</label>
                             </div>
-                        </#if>
-                    </div>
-                </div>
-            </#if>
+                            <div class="${properties.kcInputWrapperClass!}">
+                                <div class="${properties.kcInputGroup!}">
+                                    <input type="password" id="password-confirm" class="${properties.kcInputClass!}"
+                                           name="password-confirm"
+                                           aria-invalid="<#if messagesPerField.existsError('password-confirm')>true</#if>"
+                                    />
+                                    <button class="${properties.kcFormPasswordVisibilityButtonClass!}" type="button" aria-label="${msg('showPassword')}"
+                                            aria-controls="password-confirm"  data-password-toggle
+                                            data-icon-show="${properties.kcFormPasswordVisibilityIconShow!}" data-icon-hide="${properties.kcFormPasswordVisibilityIconHide!}"
+                                            data-label-show="${msg('showPassword')}" data-label-hide="${msg('hidePassword')}">
+                                        <i class="${properties.kcFormPasswordVisibilityIconShow!}" aria-hidden="true"></i>
+                                    </button>
+                                </div>
 
-            <div class="${properties.kcFormGroupClass!}">
-                <div id="kc-terms-text">
-                    <div class="terms-checkbox">
-                        <div id="terms-wrapper" class="clinician-terms-wrapper">                                
-                            <input type="checkbox" id="terms" name="terms"/>
-                            <label for="terms">I accept the terms of the <a class="terms-link" href="https://tidepool.org/terms-of-use">Tidepool Applications Terms of Use</a> and <a class="terms-link" href="https://tidepool.org/privacy-policy">Privacy Policy</a></label>
+                                <#if messagesPerField.existsError('password-confirm')>
+                                    <div id="input-error-password-confirm" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
+		                                ${kcSanitize(messagesPerField.get('password-confirm'))?no_esc}
+		                            </div>
+                                </#if>
+                            </div>
                         </div>
-                        <#if messagesPerField.existsError('terms')>
-                            <span id="input-error-terms" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
-                                ${kcSanitize(messagesPerField.get('terms'))?no_esc}
-                            </span>
-                        </#if>
-                    </div>
-                </div>
-            </div>
+                    </#if>
+                </#if>
+            </@userProfileCommons.userProfileFormFields>
 
-            <#if recaptchaRequired??>
+            <@registerCommons.termsAcceptance/>
+
+            <#if recaptchaRequired?? && (recaptchaVisible!false)>
                 <div class="form-group">
                     <div class="${properties.kcInputWrapperClass!}">
-                        <div class="g-recaptcha" data-size="compact" data-sitekey="${recaptchaSiteKey}"></div>
+                        <div class="g-recaptcha" data-size="compact" data-sitekey="${recaptchaSiteKey}" data-action="${recaptchaAction}"></div>
                     </div>
                 </div>
             </#if>
 
             <div class="${properties.kcFormGroupClass!}">
-                <div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
-                    <input class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}" type="submit" value="${msg("doCreateAccount")}" id="kc-accept"/>
-                </div>
+                <#if recaptchaRequired?? && !(recaptchaVisible!false)>
+                    <script>
+                        function onSubmitRecaptcha(token) {
+                            document.getElementById("kc-register-form").submit();
+                        }
+                    </script>
+                    <div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
+                        <button class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!} g-recaptcha"
+                            data-sitekey="${recaptchaSiteKey}" data-callback='onSubmitRecaptcha' data-action='${recaptchaAction}' type="submit">
+                            ${msg("doRegister")}
+                        </button>
+                    </div>
+                <#else>
+                    <div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
+                        <input class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}" type="submit" value="${msg("doCreateAccount")}" id="kc-accept" />
+                    </div>
+                </#if>
             </div>
         </form>
+        <script type="module" src="${url.resourcesPath}/js/passwordVisibility.js"></script>
     <#elseif section = "info" >
         <div id="kc-registration">
             <span>${msg("alreadyHaveAnAccount")} <a tabindex="6" href="${url.loginRestartFlowUrl}">${msg("doLogIn")}</a></span>
@@ -124,4 +108,4 @@
             <span>${msg("needPersonalAccount")} ${msg("createAccountPrefix")} <a tabindex="7" href="${role.registrationUriForPatientRole}">${msg("createAccountPersonal")}</a> ${msg("createAccountSuffix")}</span>
         </div>
     </#if>
-</@layout.registrationLayout>
\ No newline at end of file
+</@layout.registrationLayout>
diff --git a/tidepool-theme/login/register-commons.ftl b/tidepool-theme/login/register-commons.ftl
new file mode 100644
index 0000000..855a129
--- /dev/null
+++ b/tidepool-theme/login/register-commons.ftl
@@ -0,0 +1,19 @@
+<#macro termsAcceptance>
+    <#if termsAcceptanceRequired??>
+        <div class="${properties.kcFormGroupClass!}">
+            <div id="kc-terms-text">
+                <div class="terms-checkbox">
+                    <div id="terms-wrapper" class="clinician-terms-wrapper">
+                        <input type="checkbox" id="terms" name="terms"/>
+                        <label for="terms">I accept the terms of the <a class="terms-link" href="https://tidepool.org/terms-of-use">Tidepool Applications Terms of Use</a> and <a class="terms-link" href="https://tidepool.org/privacy-policy">Privacy Policy</a></label>
+                    </div>
+                    <#if messagesPerField.existsError('terms')>
+                        <span id="input-error-terms" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
+                                ${kcSanitize(messagesPerField.get('terms'))?no_esc}
+                            </span>
+                    </#if>
+                </div>
+            </div>
+        </div>
+    </#if>
+</#macro>
diff --git a/tidepool-theme/login/register-personal.ftl b/tidepool-theme/login/register-personal.ftl
old mode 100644
new mode 100755
index 86f4b80..b5a1571
--- a/tidepool-theme/login/register-personal.ftl
+++ b/tidepool-theme/login/register-personal.ftl
@@ -1,105 +1,102 @@
 <#import "template.ftl" as layout>
-<@layout.registrationLayout displayMessage=!messagesPerField.existsError('firstName','lastName','email','username','password','password-confirm') displayInfo=true; section>
+<#import "user-profile-commons.ftl" as userProfileCommons>
+<@layout.registrationLayout displayMessage=messagesPerField.exists('global') displayRequiredFields=false displayInfo=true; section>
     <#if section = "header">
         <div class="${properties.kcRegisterTitleClass!}">
             ${msg("registerTitlePersonal")}
         </div>
     <#elseif section = "form">
         <form id="kc-register-form" class="${properties.kcFormClass!}" action="${url.registrationAction}" method="post">
-            <input type="hidden" id="firstName" name="firstName" value="NA">
-            <input type="hidden" id="lastName" name="lastName" value="NA">
 
-            <div class="${properties.kcFormGroupClass!}">
-                <div class="${properties.kcLabelWrapperClass!}">
-                    <label for="email" class="${properties.kcLabelClass!}">${msg("email")}</label>
-                </div>
-                <div class="${properties.kcInputWrapperClass!}">
-                    <input type="text" id="email" class="${properties.kcInputClass!}" name="email"
-                           value="${(register.formData.email!'')}" autocomplete="email"
-                           aria-invalid="<#if messagesPerField.existsError('email')>true</#if>"
-                    />
-
-                    <#if messagesPerField.existsError('email')>
-                        <div id="input-error-email" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
-                            ${kcSanitize(messagesPerField.get('email'))?no_esc}
-                        </div>
-                    </#if>
-                </div>
-            </div>
-
-            <#if !realm.registrationEmailAsUsername>
-                <div class="${properties.kcFormGroupClass!}">
-                    <div class="${properties.kcLabelWrapperClass!}">
-                        <label for="username" class="${properties.kcLabelClass!}">${msg("username")}</label>
-                    </div>
-                    <div class="${properties.kcInputWrapperClass!}">
-                        <input type="text" id="username" class="${properties.kcInputClass!}" name="username"
-                               value="${(register.formData.username!'')}" autocomplete="username"
-                               aria-invalid="<#if messagesPerField.existsError('username')>true</#if>"
-                        />
-
-                        <#if messagesPerField.existsError('username')>
-                            <div id="input-error-username" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
-                                ${kcSanitize(messagesPerField.get('username'))?no_esc}
+            <@userProfileCommons.userProfileFormFields; callback, attribute>
+                <#if callback = "afterField">
+                <#-- render password fields just under the username or email (if used as username) -->
+                    <#if passwordRequired?? && (attribute.name == 'username' || (attribute.name == 'email' && realm.registrationEmailAsUsername))>
+                        <div class="${properties.kcFormGroupClass!}">
+                            <div class="${properties.kcLabelWrapperClass!}">
+                                <label for="password" class="${properties.kcLabelClass!}">${msg("password")}</label>
                             </div>
-                        </#if>
-                    </div>
-                </div>
-            </#if>
+                            <div class="${properties.kcInputWrapperClass!}">
+                                <div class="${properties.kcInputGroup!}">
+                                    <input type="password" id="password" class="${properties.kcInputClass!}" name="password"
+                                           autocomplete="new-password"
+                                           aria-invalid="<#if messagesPerField.existsError('password','password-confirm')>true</#if>"
+                                    />
+                                    <button class="${properties.kcFormPasswordVisibilityButtonClass!}" type="button" aria-label="${msg('showPassword')}"
+                                            aria-controls="password"  data-password-toggle
+                                            data-icon-show="${properties.kcFormPasswordVisibilityIconShow!}" data-icon-hide="${properties.kcFormPasswordVisibilityIconHide!}"
+                                            data-label-show="${msg('showPassword')}" data-label-hide="${msg('hidePassword')}">
+                                        <i class="${properties.kcFormPasswordVisibilityIconShow!}" aria-hidden="true"></i>
+                                    </button>
+                                </div>
 
-            <#if passwordRequired??>
-                <div class="${properties.kcFormGroupClass!}">
-                    <div class="${properties.kcLabelWrapperClass!}">
-                        <label for="password" class="${properties.kcLabelClass!}">${msg("password")}</label>
-                    </div>
-                    <div class="${properties.kcInputWrapperClass!}">
-                        <input type="password" id="password" class="${properties.kcInputClass!}" name="password"
-                               autocomplete="new-password"
-                               aria-invalid="<#if messagesPerField.existsError('password','password-confirm')>true</#if>"
-                        />
-
-                        <#if messagesPerField.existsError('password')>
-                            <div id="input-error-password" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
-                                ${kcSanitize(messagesPerField.get('password'))?no_esc}
+                                <#if messagesPerField.existsError('password')>
+                                    <div id="input-error-password" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
+		                                ${kcSanitize(messagesPerField.get('password'))?no_esc}
+		                            </div>
+                                </#if>
                             </div>
-                        </#if>
-                    </div>
-                </div>
+                        </div>
 
-                <div class="${properties.kcFormGroupClass!}">
-                    <div class="${properties.kcLabelWrapperClass!}">
-                        <label for="password-confirm"
-                               class="${properties.kcLabelClass!}">${msg("passwordConfirm")}</label>
-                    </div>
-                    <div class="${properties.kcInputWrapperClass!}">
-                        <input type="password" id="password-confirm" class="${properties.kcInputClass!}"
-                               name="password-confirm"
-                               aria-invalid="<#if messagesPerField.existsError('password-confirm')>true</#if>"
-                        />
+                        <div class="${properties.kcFormGroupClass!}">
+                            <div class="${properties.kcLabelWrapperClass!}">
+                                <label for="password-confirm"
+                                       class="${properties.kcLabelClass!}">${msg("passwordConfirm")}</label>
+                            </div>
+                            <div class="${properties.kcInputWrapperClass!}">
+                                <div class="${properties.kcInputGroup!}">
+                                    <input type="password" id="password-confirm" class="${properties.kcInputClass!}"
+                                           name="password-confirm"
+                                           aria-invalid="<#if messagesPerField.existsError('password-confirm')>true</#if>"
+                                    />
+                                    <button class="${properties.kcFormPasswordVisibilityButtonClass!}" type="button" aria-label="${msg('showPassword')}"
+                                            aria-controls="password-confirm"  data-password-toggle
+                                            data-icon-show="${properties.kcFormPasswordVisibilityIconShow!}" data-icon-hide="${properties.kcFormPasswordVisibilityIconHide!}"
+                                            data-label-show="${msg('showPassword')}" data-label-hide="${msg('hidePassword')}">
+                                        <i class="${properties.kcFormPasswordVisibilityIconShow!}" aria-hidden="true"></i>
+                                    </button>
+                                </div>
 
-                        <#if messagesPerField.existsError('password-confirm')>
-                            <div id="input-error-password-confirm" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
-                                ${kcSanitize(messagesPerField.get('password-confirm'))?no_esc}
+                                <#if messagesPerField.existsError('password-confirm')>
+                                    <div id="input-error-password-confirm" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
+		                                ${kcSanitize(messagesPerField.get('password-confirm'))?no_esc}
+		                            </div>
+                                </#if>
                             </div>
-                        </#if>
-                    </div>
-                </div>
-            </#if>
+                        </div>
+                    </#if>
+                </#if>
+            </@userProfileCommons.userProfileFormFields>
 
-            <#if recaptchaRequired??>
+            <#if recaptchaRequired?? && (recaptchaVisible!false)>
                 <div class="form-group">
                     <div class="${properties.kcInputWrapperClass!}">
-                        <div class="g-recaptcha" data-size="compact" data-sitekey="${recaptchaSiteKey}"></div>
+                        <div class="g-recaptcha" data-size="compact" data-sitekey="${recaptchaSiteKey}" data-action="${recaptchaAction}"></div>
                     </div>
                 </div>
             </#if>
 
             <div class="${properties.kcFormGroupClass!}">
-                <div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
-                    <input class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}" type="submit" value="${msg("doCreateAccount")}"/>
-                </div>
+                <#if recaptchaRequired?? && !(recaptchaVisible!false)>
+                    <script>
+                        function onSubmitRecaptcha(token) {
+                            document.getElementById("kc-register-form").submit();
+                        }
+                    </script>
+                    <div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
+                        <button class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!} g-recaptcha"
+                            data-sitekey="${recaptchaSiteKey}" data-callback='onSubmitRecaptcha' data-action='${recaptchaAction}' type="submit">
+                            ${msg("doRegister")}
+                        </button>
+                    </div>
+                <#else>
+                    <div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
+                        <input class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonBlockClass!} ${properties.kcButtonLargeClass!}" type="submit" value="${msg("doCreateAccount")}"/>
+                    </div>
+                </#if>
             </div>
         </form>
+        <script type="module" src="${url.resourcesPath}/js/passwordVisibility.js"></script>
     <#elseif section = "info" >
         <div id="kc-registration">
             <span>${msg("alreadyHaveAnAccount")} <a tabindex="6" href="${url.loginRestartFlowUrl}">${msg("doLogIn")}</a></span>
@@ -108,4 +105,4 @@
             <span>${msg("needClinicianAccount")} ${msg("createAccountPrefix")} <a tabindex="7" href="${role.registrationUriForClinicianRole}">${msg("createAccountClinician")}</a> ${msg("createAccountSuffix")}</span>
         </div>
     </#if>
-</@layout.registrationLayout>
\ No newline at end of file
+</@layout.registrationLayout>
diff --git a/tidepool-theme/login/resources/css/styles.css b/tidepool-theme/login/resources/css/styles.css
index 2892bd5..71af580 100644
--- a/tidepool-theme/login/resources/css/styles.css
+++ b/tidepool-theme/login/resources/css/styles.css
@@ -247,6 +247,11 @@ a.tp-btn-primary:hover, .tp-btn-primary:hover:enabled {
   margin: 0;
 }
 
+.login-pf-page .login-pf-header {
+  padding-left: 20px;
+  padding-right: 20px;
+}
+
 .login-pf-page .card-pf .logo {
   margin-top: 40px;
   margin-bottom: 40px;
@@ -276,7 +281,7 @@ a.tp-btn-primary:hover, .tp-btn-primary:hover:enabled {
 }
 
 .login-pf-page #kc-form-wrapper {
-  max-width: 500px;
+  max-width: 800px;
   margin-left: auto;
   margin-right: auto;
 }
@@ -316,10 +321,11 @@ a.tp-btn-primary:hover, .tp-btn-primary:hover:enabled {
   }
 }
 
-@media(max-width: 512px) {
+@media(max-width: 580px) {
   .login-pf-page #kc-form, .login-pf-page #kc-register-form, .login-pf-page #tp-role-prompt {
     margin-right: auto;
     margin-left: auto;
+    width: 100%;
   }
 }
 
@@ -389,6 +395,14 @@ a.tp-btn-primary:hover, .tp-btn-primary:hover:enabled {
   text-decoration: none;
 }
 
+/* Password visibility toggle */
+.tp-password-visibility:after {
+  border-color: #979797;
+}
+
+.tp-password-visibility:after:hover {
+  border-color: #6078ff;
+}
 
 /* Forgot password */
 .login-pf-page .tp-form-options-wrapper {
@@ -402,6 +416,7 @@ a.tp-btn-primary:hover, .tp-btn-primary:hover:enabled {
 .login-pf-page #kc-form-buttons {
   display: flex;
   align-items: center;
+  margin-top: 0;
 }
 
 .login-pf-page #kc-form-buttons input[type="submit"], .login-pf-page #kc-form-buttons button[type="submit"] {
@@ -417,7 +432,6 @@ a.tp-btn-primary:hover, .tp-btn-primary:hover:enabled {
 
 #kc-register-form input[type=submit] {
   width: 100%;
-  margin-top: 20px;
 }
 
 .tp-register-title {
diff --git a/tidepool-theme/login/template.ftl b/tidepool-theme/login/template.ftl
index 7cabe1e..f4bbda4 100644
--- a/tidepool-theme/login/template.ftl
+++ b/tidepool-theme/login/template.ftl
@@ -1,6 +1,6 @@
 <#macro registrationLayout bodyClass="" displayInfo=false displayMessage=true displayRequiredFields=false>
 <!DOCTYPE html>
-<html class="${properties.kcHtmlClass!}">
+<html class="${properties.kcHtmlClass!}"<#if realm.internationalizationEnabled> lang="${locale.currentLanguageTag}"</#if>>
 
 <head>
     <meta charset="utf-8">
@@ -29,11 +29,26 @@
             <script src="${url.resourcesPath}/${script}" type="text/javascript"></script>
         </#list>
     </#if>
+    <script type="importmap">
+        {
+            "imports": {
+                "rfc4648": "${url.resourcesCommonPath}/node_modules/rfc4648/lib/rfc4648.js"
+            }
+        }
+    </script>
+    <script src="${url.resourcesPath}/js/menu-button-links.js" type="module"></script>
     <#if scripts??>
         <#list scripts as script>
             <script src="${script}" type="text/javascript"></script>
         </#list>
     </#if>
+    <script type="module">
+        import { checkCookiesAndSetTimer } from "${url.resourcesPath}/js/authChecker.js";
+
+        checkCookiesAndSetTimer(
+          "${url.ssoLoginInOtherTabsUrl?no_esc}"
+        );
+    </script>
     <#if properties.zendeskKey?has_content>
       <!-- Start of tidepoolsupport Zendesk Widget script -->
       <script id="ze-snippet" src="https://static.zdassets.com/ekr/snippet.js?key=${properties.zendeskKey}" type="text/javascript"></script>
@@ -52,13 +67,15 @@
             <#if realm.internationalizationEnabled  && locale.supported?size gt 1>
                 <div class="${properties.kcLocaleMainClass!}" id="kc-locale">
                     <div id="kc-locale-wrapper" class="${properties.kcLocaleWrapperClass!}">
-                        <div id="kc-locale-dropdown" class="${properties.kcLocaleDropDownClass!}">
-                            <a href="#" id="kc-current-locale-link">${locale.current}</a>
-                            <ul class="${properties.kcLocaleListClass!}">
+                        <div id="kc-locale-dropdown" class="menu-button-links ${properties.kcLocaleDropDownClass!}">
+                            <button tabindex="1" id="kc-current-locale-link" aria-label="${msg("languages")}" aria-haspopup="true" aria-expanded="false" aria-controls="language-switch1">${locale.current}</button>
+                            <ul role="menu" tabindex="-1" aria-labelledby="kc-current-locale-link" aria-activedescendant="" id="language-switch1" class="${properties.kcLocaleListClass!}">
+                                <#assign i = 1>
                                 <#list locale.supported as l>
-                                    <li class="${properties.kcLocaleListItemClass!}">
-                                        <a class="${properties.kcLocaleItemClass!}" href="${l.url}">${l.label}</a>
+                                    <li class="${properties.kcLocaleListItemClass!}" role="none">
+                                        <a role="menuitem" id="language-${i}" class="${properties.kcLocaleItemClass!}" href="${l.url}">${l.label}</a>
                                     </li>
+                                    <#assign i++>
                                 </#list>
                             </ul>
                         </div>
diff --git a/tidepool-theme/login/theme.properties b/tidepool-theme/login/theme.properties
index e075c6b..ae38099 100644
--- a/tidepool-theme/login/theme.properties
+++ b/tidepool-theme/login/theme.properties
@@ -23,3 +23,4 @@ kcLabelWrapperClass=tp-label-wrapper
 kcInputWrapperClass=tp-input-wrapper
 kcFormButtonsClass=tp-form-buttons
 kcFormClass=tp-form
+kcFormPasswordVisibilityButtonClass=pf-c-button pf-m-control tp-password-visibility
diff --git a/tidepool-theme/login/user-profile-commons.ftl b/tidepool-theme/login/user-profile-commons.ftl
new file mode 100644
index 0000000..8864c9a
--- /dev/null
+++ b/tidepool-theme/login/user-profile-commons.ftl
@@ -0,0 +1,205 @@
+<#macro userProfileFormFields>
+	<#assign currentGroup="">
+
+	<#list profile.attributes as attribute>
+
+		<#assign group = (attribute.group)!"">
+		<#if group != currentGroup>
+			<#assign currentGroup=group>
+			<#if currentGroup != "">
+				<div class="${properties.kcFormGroupClass!}"
+				<#list group.html5DataAnnotations as key, value>
+					data-${key}="${value}"
+				</#list>
+				>
+
+					<#assign groupDisplayHeader=group.displayHeader!"">
+					<#if groupDisplayHeader != "">
+						<#assign groupHeaderText=advancedMsg(groupDisplayHeader)!group>
+					<#else>
+						<#assign groupHeaderText=group.name!"">
+					</#if>
+					<div class="${properties.kcContentWrapperClass!}">
+						<label id="header-${attribute.group.name}" class="${kcFormGroupHeader!}">${groupHeaderText}</label>
+					</div>
+
+					<#assign groupDisplayDescription=group.displayDescription!"">
+					<#if groupDisplayDescription != "">
+						<#assign groupDescriptionText=advancedMsg(groupDisplayDescription)!"">
+						<div class="${properties.kcLabelWrapperClass!}">
+							<label id="description-${group.name}" class="${properties.kcLabelClass!}">${groupDescriptionText}</label>
+						</div>
+					</#if>
+				</div>
+			</#if>
+		</#if>
+
+		<#nested "beforeField" attribute>
+		<div class="${properties.kcFormGroupClass!}">
+			<div class="${properties.kcLabelWrapperClass!}">
+				<label for="${attribute.name}" class="${properties.kcLabelClass!}">${advancedMsg(attribute.displayName!'')}</label>
+				<#if !attribute.required>(optional)</#if>
+			</div>
+			<div class="${properties.kcInputWrapperClass!}">
+				<#if attribute.annotations.inputHelperTextBefore??>
+					<div class="${properties.kcInputHelperTextBeforeClass!}" id="form-help-text-before-${attribute.name}" aria-live="polite">${kcSanitize(advancedMsg(attribute.annotations.inputHelperTextBefore))?no_esc}</div>
+				</#if>
+				<@inputFieldByType attribute=attribute/>
+				<#if messagesPerField.existsError('${attribute.name}')>
+					<div id="input-error-${attribute.name}" class="${properties.kcInputErrorMessageClass!}" aria-live="polite">
+						${kcSanitize(messagesPerField.get('${attribute.name}'))?no_esc}
+					</div>
+				</#if>
+				<#if attribute.annotations.inputHelperTextAfter??>
+					<div class="${properties.kcInputHelperTextAfterClass!}" id="form-help-text-after-${attribute.name}" aria-live="polite">${kcSanitize(advancedMsg(attribute.annotations.inputHelperTextAfter))?no_esc}</div>
+				</#if>
+			</div>
+		</div>
+		<#nested "afterField" attribute>
+	</#list>
+
+	<#list profile.html5DataAnnotations?keys as key>
+		<script type="module" src="${url.resourcesPath}/js/${key}.js"></script>
+	</#list>
+</#macro>
+
+<#macro inputFieldByType attribute>
+	<#switch attribute.annotations.inputType!''>
+	<#case 'textarea'>
+		<@textareaTag attribute=attribute/>
+		<#break>
+	<#case 'select'>
+	<#case 'multiselect'>
+		<@selectTag attribute=attribute/>
+		<#break>
+	<#case 'select-radiobuttons'>
+	<#case 'multiselect-checkboxes'>
+		<@inputTagSelects attribute=attribute/>
+		<#break>
+	<#default>
+		<#if attribute.multivalued && attribute.values?has_content>
+			<#list attribute.values as value>
+				<@inputTag attribute=attribute value=value!''/>
+			</#list>
+		<#else>
+			<@inputTag attribute=attribute value=attribute.value!''/>
+		</#if>
+	</#switch>
+</#macro>
+
+<#macro inputTag attribute value>
+	<input type="<@inputTagType attribute=attribute/>" id="${attribute.name}" name="${attribute.name}" value="${(value!'')}" class="${properties.kcInputClass!}"
+		aria-invalid="<#if messagesPerField.existsError('${attribute.name}')>true</#if>"
+		<#if attribute.readOnly>disabled</#if>
+		<#if attribute.autocomplete??>autocomplete="${attribute.autocomplete}"</#if>
+		<#if attribute.annotations.inputTypePlaceholder??>placeholder="${advancedMsg(attribute.annotations.inputTypePlaceholder)}"</#if>
+		<#if attribute.annotations.inputTypePattern??>pattern="${attribute.annotations.inputTypePattern}"</#if>
+		<#if attribute.annotations.inputTypeSize??>size="${attribute.annotations.inputTypeSize}"</#if>
+		<#if attribute.annotations.inputTypeMaxlength??>maxlength="${attribute.annotations.inputTypeMaxlength}"</#if>
+		<#if attribute.annotations.inputTypeMinlength??>minlength="${attribute.annotations.inputTypeMinlength}"</#if>
+		<#if attribute.annotations.inputTypeMax??>max="${attribute.annotations.inputTypeMax}"</#if>
+		<#if attribute.annotations.inputTypeMin??>min="${attribute.annotations.inputTypeMin}"</#if>
+		<#if attribute.annotations.inputTypeStep??>step="${attribute.annotations.inputTypeStep}"</#if>
+		<#if attribute.annotations.inputTypeStep??>step="${attribute.annotations.inputTypeStep}"</#if>
+		<#list attribute.html5DataAnnotations as key, value>
+    		data-${key}="${value}"
+		</#list>
+	/>
+</#macro>
+
+<#macro inputTagType attribute>
+	<#compress>
+	<#if attribute.annotations.inputType??>
+		<#if attribute.annotations.inputType?starts_with("html5-")>
+			${attribute.annotations.inputType[6..]}
+		<#else>
+			${attribute.annotations.inputType}
+		</#if>
+	<#else>
+	text
+	</#if>
+	</#compress>
+</#macro>
+
+<#macro textareaTag attribute>
+	<textarea id="${attribute.name}" name="${attribute.name}" class="${properties.kcInputClass!}"
+		aria-invalid="<#if messagesPerField.existsError('${attribute.name}')>true</#if>"
+		<#if attribute.readOnly>disabled</#if>
+		<#if attribute.annotations.inputTypeCols??>cols="${attribute.annotations.inputTypeCols}"</#if>
+		<#if attribute.annotations.inputTypeRows??>rows="${attribute.annotations.inputTypeRows}"</#if>
+		<#if attribute.annotations.inputTypeMaxlength??>maxlength="${attribute.annotations.inputTypeMaxlength}"</#if>
+	>${(attribute.value!'')}</textarea>
+</#macro>
+
+<#macro selectTag attribute>
+	<select id="${attribute.name}" name="${attribute.name}" class="${properties.kcInputClass!}"
+		aria-invalid="<#if messagesPerField.existsError('${attribute.name}')>true</#if>"
+		<#if attribute.readOnly>disabled</#if>
+		<#if attribute.annotations.inputType=='multiselect'>multiple</#if>
+		<#if attribute.annotations.inputTypeSize??>size="${attribute.annotations.inputTypeSize}"</#if>
+	>
+	<#if attribute.annotations.inputType=='select'>
+		<option value=""></option>
+	</#if>
+
+	<#if attribute.annotations.inputOptionsFromValidation?? && attribute.validators[attribute.annotations.inputOptionsFromValidation]?? && attribute.validators[attribute.annotations.inputOptionsFromValidation].options??>
+		<#assign options=attribute.validators[attribute.annotations.inputOptionsFromValidation].options>
+	<#elseif attribute.validators.options?? && attribute.validators.options.options??>
+		<#assign options=attribute.validators.options.options>
+	<#else>
+		<#assign options=[]>
+	</#if>
+
+	<#list options as option>
+		<option value="${option}" <#if attribute.values?seq_contains(option)>selected</#if>><@selectOptionLabelText attribute=attribute option=option/></option>
+	</#list>
+
+	</select>
+</#macro>
+
+<#macro inputTagSelects attribute>
+	<#if attribute.annotations.inputType=='select-radiobuttons'>
+		<#assign inputType='radio'>
+		<#assign classDiv=properties.kcInputClassRadio!>
+		<#assign classInput=properties.kcInputClassRadioInput!>
+		<#assign classLabel=properties.kcInputClassRadioLabel!>
+	<#else>
+		<#assign inputType='checkbox'>
+		<#assign classDiv=properties.kcInputClassCheckbox!>
+		<#assign classInput=properties.kcInputClassCheckboxInput!>
+		<#assign classLabel=properties.kcInputClassCheckboxLabel!>
+	</#if>
+
+	<#if attribute.annotations.inputOptionsFromValidation?? && attribute.validators[attribute.annotations.inputOptionsFromValidation]?? && attribute.validators[attribute.annotations.inputOptionsFromValidation].options??>
+		<#assign options=attribute.validators[attribute.annotations.inputOptionsFromValidation].options>
+	<#elseif attribute.validators.options?? && attribute.validators.options.options??>
+		<#assign options=attribute.validators.options.options>
+	<#else>
+		<#assign options=[]>
+	</#if>
+
+	<#list options as option>
+		<div class="${classDiv}">
+			<input type="${inputType}" id="${attribute.name}-${option}" name="${attribute.name}" value="${option}" class="${classInput}"
+				aria-invalid="<#if messagesPerField.existsError('${attribute.name}')>true</#if>"
+				<#if attribute.readOnly>disabled</#if>
+				<#if attribute.values?seq_contains(option)>checked</#if>
+			/>
+			<label for="${attribute.name}-${option}" class="${classLabel}<#if attribute.readOnly> ${properties.kcInputClassRadioCheckboxLabelDisabled!}</#if>"><@selectOptionLabelText attribute=attribute option=option/></label>
+		</div>
+	</#list>
+</#macro>
+
+<#macro selectOptionLabelText attribute option>
+	<#compress>
+	<#if attribute.annotations.inputOptionLabels??>
+		${advancedMsg(attribute.annotations.inputOptionLabels[option]!option)}
+	<#else>
+		<#if attribute.annotations.inputOptionLabelsI18nPrefix??>
+			${msg(attribute.annotations.inputOptionLabelsI18nPrefix + '.' + option)}
+		<#else>
+			${option}
+		</#if>
+	</#if>
+	</#compress>
+</#macro>