diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java
index 28d79053b5132..94ca6a97f4686 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java
@@ -119,17 +119,18 @@ public OidcTenantConfig apply(OidcTenantConfig tenantConfig) {
                             final String tenantId = context.get(OidcUtils.TENANT_ID_ATTRIBUTE);
 
                             if (tenantId != null && !isTenantSetByAnnotation(context, tenantId)) {
-                                TenantConfigContext tenantContext = tenantConfigBean.getDynamicTenantsConfig().get(tenantId);
+                                // WARN: The order (check dynamic before static) is important!
+                                var tenantContext = tenantConfigBean.getDynamicTenant(tenantId);
                                 if (tenantContext != null) {
                                     // Dynamic map may contain the static contexts initialized on demand,
-                                    if (tenantConfigBean.getStaticTenantsConfig().containsKey(tenantId)) {
+                                    if (tenantConfigBean.getStaticTenant(tenantId) != null) {
                                         context.put(CURRENT_STATIC_TENANT_ID, tenantId);
                                     }
                                     return tenantContext.getOidcTenantConfig();
                                 }
                             }
 
-                            TenantConfigContext tenant = getStaticTenantContext(context);
+                            var tenant = getStaticTenantContext(context);
                             if (tenant != null) {
                                 tenantConfig = tenant.oidcConfig;
                             }
@@ -156,12 +157,11 @@ private Uni<TenantConfigContext> initializeStaticTenantIfContextNotReady(TenantC
         if (tenantContext != null && !tenantContext.ready) {
 
             // check if the connection has already been created
-            TenantConfigContext readyTenantContext = tenantConfigBean.getDynamicTenantsConfig()
-                    .get(tenantContext.oidcConfig.tenantId.get());
+            var readyTenantContext = tenantConfigBean.getDynamicTenant(tenantContext.oidcConfig.tenantId.get());
             if (readyTenantContext == null) {
                 LOG.debugf("Tenant '%s' is not initialized yet, trying to create OIDC connection now",
                         tenantContext.oidcConfig.tenantId.get());
-                return tenantConfigBean.getTenantConfigContextFactory().apply(tenantContext.oidcConfig);
+                return tenantConfigBean.createTenantContext(tenantContext.oidcConfig, false);
             } else {
                 tenantContext = readyTenantContext;
             }
@@ -206,7 +206,7 @@ private boolean isTenantSetByAnnotation(RoutingContext context, String tenantId)
     }
 
     private TenantConfigContext getStaticTenantContext(String tenantId) {
-        TenantConfigContext configContext = tenantId != null ? tenantConfigBean.getStaticTenantsConfig().get(tenantId) : null;
+        TenantConfigContext configContext = tenantId != null ? tenantConfigBean.getStaticTenant(tenantId) : null;
         if (configContext == null) {
             if (tenantId != null && !tenantId.isEmpty()) {
                 LOG.debugf(
@@ -255,7 +255,12 @@ private Uni<OidcTenantConfig> getDynamicTenantConfig(RoutingContext context) {
                     //shouldn't happen, but guard against it anyway
                     oidcConfig = Uni.createFrom().nullItem();
                 } else {
-                    oidcConfig = oidcConfig.onItem().transform(cfg -> OidcUtils.resolveProviderConfig(cfg));
+                    oidcConfig = oidcConfig.onItem().transform(new Function<OidcTenantConfig, OidcTenantConfig>() {
+                        @Override
+                        public OidcTenantConfig apply(OidcTenantConfig cfg) {
+                            return OidcUtils.resolveProviderConfig(cfg);
+                        }
+                    });
                 }
                 context.put(CURRENT_DYNAMIC_TENANT_CONFIG, oidcConfig);
             }
@@ -270,18 +275,18 @@ private Uni<TenantConfigContext> getDynamicTenantContext(RoutingContext context)
             @Override
             public Uni<? extends TenantConfigContext> apply(OidcTenantConfig tenantConfig) {
                 if (tenantConfig != null) {
-                    String tenantId = tenantConfig.getTenantId()
+                    var tenantId = tenantConfig.getTenantId()
                             .orElseThrow(() -> new OIDCException("Tenant configuration must have tenant id"));
-                    TenantConfigContext tenantContext = tenantConfigBean.getDynamicTenantsConfig().get(tenantId);
+                    var tenantContext = tenantConfigBean.getDynamicTenant(tenantId);
                     if (tenantContext == null) {
-                        return tenantConfigBean.getTenantConfigContextFactory().apply(tenantConfig);
+                        return tenantConfigBean.createTenantContext(tenantConfig, true);
                     } else {
                         return Uni.createFrom().item(tenantContext);
                     }
                 } else {
-                    final String tenantId = context.get(OidcUtils.TENANT_ID_ATTRIBUTE);
+                    String tenantId = context.get(OidcUtils.TENANT_ID_ATTRIBUTE);
                     if (tenantId != null && !isTenantSetByAnnotation(context, tenantId)) {
-                        TenantConfigContext tenantContext = tenantConfigBean.getDynamicTenantsConfig().get(tenantId);
+                        var tenantContext = tenantConfigBean.getDynamicTenant(tenantId);
                         if (tenantContext != null) {
                             return Uni.createFrom().item(tenantContext);
                         }
@@ -324,21 +329,22 @@ private static TenantResolver[] prepareStaticTenantResolvers(TenantConfigBean te
         }
 
         // 2. path-matching tenant resolver
-        var pathMatchingTenantResolver = PathMatchingTenantResolver.of(tenantConfigBean.getStaticTenantsConfig(), rootPath,
+        var staticTenants = tenantConfigBean.getStaticTenantsConfig();
+        var pathMatchingTenantResolver = PathMatchingTenantResolver.of(staticTenants, rootPath,
                 tenantConfigBean.getDefaultTenant());
         if (pathMatchingTenantResolver != null) {
             staticTenantResolvers.add(pathMatchingTenantResolver);
         }
 
         // 3. default static tenant resolver
-        if (!tenantConfigBean.getStaticTenantsConfig().isEmpty()) {
+        if (!staticTenants.isEmpty()) {
             staticTenantResolvers.add(defaultStaticTenantResolver);
         }
 
         // 4. issuer-based tenant resolver
         if (resolveTenantsWithIssuer) {
             IssuerBasedTenantResolver.addIssuerBasedTenantResolver(staticTenantResolvers,
-                    tenantConfigBean.getStaticTenantsConfig(), tenantConfigBean.getDefaultTenant());
+                    staticTenants, tenantConfigBean.getDefaultTenant());
         }
 
         return staticTenantResolvers.toArray(new TenantResolver[0]);
@@ -351,7 +357,7 @@ public String resolve(RoutingContext context) {
             String[] pathSegments = context.request().path().split("/");
             if (pathSegments.length > 0) {
                 String lastPathSegment = pathSegments[pathSegments.length - 1];
-                if (tenantConfigBean.getStaticTenantsConfig().containsKey(lastPathSegment)) {
+                if (tenantConfigBean.getStaticTenant(lastPathSegment) != null) {
                     LOG.debugf(
                             "Tenant id '%s' is selected on the '%s' request path", lastPathSegment, context.normalizedPath());
                     return lastPathSegment;
@@ -390,14 +396,13 @@ public String resolve(RoutingContext context) {
             return null;
         }
 
-        private static ImmutablePathMatcher.ImmutablePathMatcherBuilder<String> addPath(String tenant, OidcTenantConfig config,
+        private static void addPath(String tenant, OidcTenantConfig config,
                 ImmutablePathMatcher.ImmutablePathMatcherBuilder<String> builder) {
             if (config != null && config.tenantPaths.isPresent()) {
                 for (String path : config.tenantPaths.get()) {
                     builder.addPath(path, tenant);
                 }
             }
-            return builder;
         }
     }
 
@@ -406,14 +411,11 @@ public OidcTenantConfig getResolvedConfig(String sessionTenantId) {
             return tenantConfigBean.getDefaultTenant().getOidcTenantConfig();
         }
 
-        if (tenantConfigBean.getStaticTenantsConfig().containsKey(sessionTenantId)) {
-            return tenantConfigBean.getStaticTenantsConfig().get(sessionTenantId).getOidcTenantConfig();
-        }
-
-        if (tenantConfigBean.getDynamicTenantsConfig().containsKey(sessionTenantId)) {
-            return tenantConfigBean.getDynamicTenantsConfig().get(sessionTenantId).getOidcTenantConfig();
+        var tenant = tenantConfigBean.getStaticTenant(sessionTenantId);
+        if (tenant == null) {
+            tenant = tenantConfigBean.getDynamicTenant(sessionTenantId);
         }
-        return null;
+        return tenant != null ? tenant.getOidcTenantConfig() : null;
     }
 
     public String getRootPath() {
@@ -449,7 +451,7 @@ public String resolve(RoutingContext context) {
                         if (tenantContext.getOidcMetadata().getIssuer().equals(iss)) {
                             OidcUtils.storeExtractedBearerToken(context, token);
 
-                            final String tenantId = tenantContext.oidcConfig.tenantId.get();
+                            final String tenantId = tenantContext.oidcConfig.tenantId.orElseThrow();
                             LOG.debugf("Resolved the '%s' OIDC tenant based on the matching issuer '%s'", tenantId, iss);
                             return tenantId;
                         }
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java
index 83398259ad309..ebc30e803d356 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java
@@ -70,7 +70,6 @@ public class OidcRecorder {
     private static final Logger LOG = Logger.getLogger(OidcRecorder.class);
     private static final String SECURITY_EVENTS_ENABLED_CONFIG_KEY = "quarkus.security.events.enabled";
 
-    private static final Map<String, TenantConfigContext> dynamicTenantsConfig = new ConcurrentHashMap<>();
     private static final Set<String> tenantsExpectingServerAvailableEvents = ConcurrentHashMap.newKeySet();
     private static volatile boolean userInfoInjectionPointDetected = false;
 
@@ -95,6 +94,7 @@ public TenantConfigBean get() {
         };
     }
 
+    @SuppressWarnings("resource")
     public void initTenantConfigBean() {
         try {
             // makes sure that config of static tenants is validated during app startup and create static tenant contexts
@@ -123,45 +123,23 @@ public TenantConfigBean setup(OidcConfig config, Vertx vertxValue, TlsConfigurat
                     createStaticTenantContext(vertxValue, tenant.getValue(), false, tenant.getKey(), defaultTlsConfiguration));
         }
 
-        return new TenantConfigBean(staticTenantsConfig, dynamicTenantsConfig, defaultTenantContext,
-                new Function<OidcTenantConfig, Uni<TenantConfigContext>>() {
+        return new TenantConfigBean(staticTenantsConfig, defaultTenantContext,
+                new TenantConfigBean.TenantContextFactory() {
                     @Override
-                    public Uni<TenantConfigContext> apply(OidcTenantConfig config) {
-                        return createDynamicTenantContext(vertxValue, config, config.getTenantId().get(),
-                                defaultTlsConfiguration);
+                    public Uni<TenantConfigContext> create(OidcTenantConfig oidcConfig, boolean dynamicTenant,
+                            String tenantId) {
+                        return createTenantContext(vertxValue, oidcConfig, !dynamicTenant, tenantId,
+                                defaultTlsConfiguration)
+                                .onFailure().transform(new Function<Throwable, Throwable>() {
+                                    @Override
+                                    public Throwable apply(Throwable t) {
+                                        return logTenantConfigContextFailure(t, tenantId);
+                                    }
+                                });
                     }
                 });
     }
 
-    private Uni<TenantConfigContext> createDynamicTenantContext(Vertx vertx,
-            OidcTenantConfig oidcConfig, String tenantId, TlsConfiguration defaultTlsConfiguration) {
-
-        if (oidcConfig.logout.backchannel.path.isPresent()) {
-            throw new ConfigurationException(
-                    "BackChannel Logout is currently not supported for dynamic tenants");
-        }
-        if (!dynamicTenantsConfig.containsKey(tenantId)) {
-            Uni<TenantConfigContext> uniContext = createTenantContext(vertx, oidcConfig, false, tenantId,
-                    defaultTlsConfiguration)
-                    .onFailure().transform(new Function<Throwable, Throwable>() {
-                        @Override
-                        public Throwable apply(Throwable t) {
-                            return logTenantConfigContextFailure(t, tenantId);
-                        }
-                    });
-            return uniContext.onItem().transform(
-                    new Function<TenantConfigContext, TenantConfigContext>() {
-                        @Override
-                        public TenantConfigContext apply(TenantConfigContext t) {
-                            dynamicTenantsConfig.putIfAbsent(tenantId, t);
-                            return t;
-                        }
-                    });
-        } else {
-            return Uni.createFrom().item(dynamicTenantsConfig.get(tenantId));
-        }
-    }
-
     private TenantConfigContext createStaticTenantContext(Vertx vertx,
             OidcTenantConfig oidcConfig, boolean checkNamedTenants, String tenantId,
             TlsConfiguration defaultTlsConfiguration) {
@@ -183,7 +161,7 @@ public TenantConfigContext apply(Throwable t) {
                             }
                             logTenantConfigContextFailure(t, tenantId);
                             if (t instanceof ConfigurationException
-                                    && !oidcConfig.authServerUrl.isPresent()
+                                    && oidcConfig.authServerUrl.isEmpty()
                                     && LaunchMode.DEVELOPMENT == LaunchMode.current()) {
                                 // Let it start if it is a DEV mode and auth-server-url has not been configured yet
                                 return new TenantConfigContext(null, oidcConfig, false);
@@ -211,7 +189,7 @@ private static Throwable logTenantConfigContextFailure(Throwable t, String tenan
     @SuppressWarnings("resource")
     private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConfig oidcTenantConfig,
             boolean checkNamedTenants, String tenantId, TlsConfiguration defaultTlsConfiguration) {
-        if (!oidcTenantConfig.tenantId.isPresent()) {
+        if (oidcTenantConfig.tenantId.isEmpty()) {
             oidcTenantConfig.tenantId = Optional.of(tenantId);
         }
 
@@ -222,7 +200,7 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
             return Uni.createFrom().item(new TenantConfigContext(new OidcProvider(null, null, null, null), oidcConfig));
         }
 
-        if (!oidcConfig.getAuthServerUrl().isPresent()) {
+        if (oidcConfig.getAuthServerUrl().isEmpty()) {
             if (oidcConfig.getPublicKey().isPresent() && oidcConfig.certificateChain.trustStoreFile.isPresent()) {
                 throw new ConfigurationException("Both public key and certificate chain verification modes are enabled");
             }
@@ -236,8 +214,8 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
         }
 
         try {
-            if (!oidcConfig.getAuthServerUrl().isPresent()) {
-                if (DEFAULT_TENANT_ID.equals(oidcConfig.tenantId.get())) {
+            if (oidcConfig.getAuthServerUrl().isEmpty()) {
+                if (DEFAULT_TENANT_ID.equals(oidcConfig.tenantId.orElseThrow())) {
                     ArcContainer container = Arc.container();
                     if (container != null
                             && (container.instance(TenantConfigResolver.class).isAvailable() || checkNamedTenants)) {
@@ -274,7 +252,7 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
 
         if (!oidcConfig.discoveryEnabled.orElse(true)) {
             if (!OidcUtils.isServiceApp(oidcConfig)) {
-                if (!oidcConfig.authorizationPath.isPresent() || !oidcConfig.tokenPath.isPresent()) {
+                if (oidcConfig.authorizationPath.isEmpty() || oidcConfig.tokenPath.isEmpty()) {
                     String authorizationPathProperty = getConfigPropertyForTenant(tenantId, "authorization-path");
                     String tokenPathProperty = getConfigPropertyForTenant(tenantId, "token-path");
                     throw new ConfigurationException(
@@ -285,17 +263,17 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
                 }
             }
             // JWK and introspection endpoints have to be set for both 'web-app' and 'service' applications
-            if (!oidcConfig.jwksPath.isPresent() && !oidcConfig.introspectionPath.isPresent()) {
+            if (oidcConfig.jwksPath.isEmpty() && oidcConfig.introspectionPath.isEmpty()) {
                 if (!oidcConfig.authentication.isIdTokenRequired().orElse(true)
                         && oidcConfig.authentication.isUserInfoRequired().orElse(false)) {
-                    LOG.debugf("tenant %s supports only UserInfo", oidcConfig.tenantId.get());
+                    LOG.debugf("tenant %s supports only UserInfo", oidcConfig.tenantId.orElseThrow());
                 } else {
                     throw new ConfigurationException(
                             "Either 'jwks-path' or 'introspection-path' properties must be set when the discovery is disabled.",
                             Set.of("quarkus.oidc.jwks-path", "quarkus.oidc.introspection-path"));
                 }
             }
-            if (oidcConfig.authentication.userInfoRequired.orElse(false) && !oidcConfig.userInfoPath.isPresent()) {
+            if (oidcConfig.authentication.userInfoRequired.orElse(false) && oidcConfig.userInfoPath.isEmpty()) {
                 String configProperty = getConfigPropertyForTenant(tenantId, "user-info-path");
                 throw new ConfigurationException(
                         "UserInfo is required but '" + configProperty + "' is not configured.",
@@ -310,7 +288,7 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
                                 + "' property can only be enabled for " + ApplicationType.WEB_APP
                                 + " application types");
             }
-            if (!oidcConfig.token.refreshTokenTimeSkew.isEmpty()) {
+            if (oidcConfig.token.refreshTokenTimeSkew.isPresent()) {
                 throw new ConfigurationException(
                         "The '" + getConfigPropertyForTenant(tenantId, "token.refresh-token-time-skew")
                                 + "' property can only be enabled for " + ApplicationType.WEB_APP
@@ -328,7 +306,7 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
                                 + " application types");
             }
         } else {
-            if (!oidcConfig.token.refreshTokenTimeSkew.isEmpty()) {
+            if (oidcConfig.token.refreshTokenTimeSkew.isPresent()) {
                 oidcConfig.token.setRefreshExpired(true);
             }
         }
@@ -388,9 +366,7 @@ private static String getConfigPropertyForTenant(String tenantId, String configS
     private static boolean enableUserInfo(OidcTenantConfig oidcConfig) {
         Optional<Boolean> userInfoRequired = oidcConfig.authentication.isUserInfoRequired();
         if (userInfoRequired.isPresent()) {
-            if (!userInfoRequired.get()) {
-                return false;
-            }
+            return userInfoRequired.get();
         } else {
             oidcConfig.authentication.setUserInfoRequired(true);
         }
@@ -405,7 +381,8 @@ private static TenantConfigContext createTenantContextFromPublicKey(OidcTenantCo
                 + " no connection to the OIDC server will be created");
 
         return new TenantConfigContext(
-                new OidcProvider(oidcConfig.publicKey.get(), oidcConfig, readTokenDecryptionKey(oidcConfig)), oidcConfig);
+                new OidcProvider(oidcConfig.publicKey.orElseThrow(), oidcConfig, readTokenDecryptionKey(oidcConfig)),
+                oidcConfig);
     }
 
     private static TenantConfigContext createTenantContextToVerifyCertChain(OidcTenantConfig oidcConfig) {
@@ -466,7 +443,7 @@ private static Key readTokenDecryptionKey(OidcTenantConfig oidcConfig) {
                             (keys.get(0).getAlgorithm() == null
                                     || keys.get(0).getAlgorithm().equals(KeyEncryptionAlgorithm.RSA_OAEP.getAlgorithm()))
                             && ("enc".equals(keys.get(0).getUse()) || keys.get(0).getUse() == null)) {
-                        key = PublicJsonWebKey.class.cast(keys.get(0)).getPrivateKey();
+                        key = ((PublicJsonWebKey) keys.get(0)).getPrivateKey();
                     }
                 }
                 if (key == null) {
@@ -476,7 +453,7 @@ private static Key readTokenDecryptionKey(OidcTenantConfig oidcConfig) {
             } catch (Exception ex) {
                 throw new ConfigurationException(
                         String.format("Token decryption key for tenant %s can not be read from %s",
-                                oidcConfig.tenantId.get(), oidcConfig.token.decryptionKeyLocation.get()),
+                                oidcConfig.tenantId.orElseThrow(), oidcConfig.token.decryptionKeyLocation.get()),
                         ex);
             }
         } else {
@@ -492,7 +469,7 @@ protected static Uni<JsonWebKeySet> getJsonWebSetUni(OidcProviderClient client,
                         .invoke(new Runnable() {
                             @Override
                             public void run() {
-                                fireOidcServerAvailableEvent(oidcConfig.authServerUrl.get(), tenantId);
+                                fireOidcServerAvailableEvent(oidcConfig.authServerUrl.orElseThrow(), tenantId);
                             }
                         });
             }
@@ -513,7 +490,7 @@ private static Uni<JsonWebKeySet> getJsonWebSetUniWhenDiscoveryDisabled(OidcProv
                 .transform(new Function<Throwable, Throwable>() {
                     @Override
                     public Throwable apply(Throwable t) {
-                        return toOidcException(t, oidcConfig.authServerUrl.get(),
+                        return toOidcException(t, oidcConfig.authServerUrl.orElseThrow(),
                                 oidcConfig.tenantId.orElse(DEFAULT_TENANT_ID));
                     }
                 })
@@ -534,7 +511,7 @@ protected static Uni<OidcProviderClient> createOidcClientUni(OidcTenantConfig oi
 
         Map<OidcEndpoint.Type, List<OidcRequestFilter>> oidcRequestFilters = OidcCommonUtils.getOidcRequestFilters();
 
-        Uni<OidcConfigurationMetadata> metadataUni = null;
+        Uni<OidcConfigurationMetadata> metadataUni;
         if (!oidcConfig.discoveryEnabled.orElse(true)) {
             metadataUni = Uni.createFrom().item(createLocalMetadata(oidcConfig, authServerUriString));
         } else {
@@ -573,7 +550,7 @@ public Uni<OidcProviderClient> apply(OidcConfigurationMetadata metadata, Throwab
                                     "OpenId Connect Provider configuration metadata is not configured and can not be discovered"));
                         }
                         if (oidcConfig.logout.path.isPresent()) {
-                            if (!oidcConfig.endSessionPath.isPresent() && metadata.getEndSessionUri() == null) {
+                            if (oidcConfig.endSessionPath.isEmpty() && metadata.getEndSessionUri() == null) {
                                 client.close();
                                 return Uni.createFrom().failure(new ConfigurationException(
                                         "The application supports RP-Initiated Logout but the OpenID Provider does not advertise the end_session_endpoint"));
@@ -692,6 +669,7 @@ private static final class TenantSpecificOidcIdentityProvider extends OidcIdenti
         private final String tenantId;
         private final BlockingSecurityExecutor blockingExecutor;
 
+        @SuppressWarnings("resource")
         private TenantSpecificOidcIdentityProvider(String tenantId) {
             super(Arc.container().instance(DefaultTenantConfigResolver.class).get(),
                     Arc.container().instance(BlockingSecurityExecutor.class).get());
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigBean.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigBean.java
index 535c17814c21e..bd6603f76e116 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigBean.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigBean.java
@@ -1,12 +1,16 @@
 package io.quarkus.oidc.runtime;
 
+import static java.util.Collections.unmodifiableMap;
+
 import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Function;
 
 import jakarta.enterprise.context.spi.CreationalContext;
 
 import io.quarkus.arc.BeanDestroyer;
 import io.quarkus.oidc.OidcTenantConfig;
+import io.quarkus.runtime.configuration.ConfigurationException;
 import io.smallrye.mutiny.Uni;
 
 public class TenantConfigBean {
@@ -14,33 +18,58 @@ public class TenantConfigBean {
     private final Map<String, TenantConfigContext> staticTenantsConfig;
     private final Map<String, TenantConfigContext> dynamicTenantsConfig;
     private final TenantConfigContext defaultTenant;
-    private final Function<OidcTenantConfig, Uni<TenantConfigContext>> tenantConfigContextFactory;
+    private final TenantContextFactory tenantContextFactory;
+
+    @FunctionalInterface
+    public interface TenantContextFactory {
+        Uni<TenantConfigContext> create(OidcTenantConfig oidcTenantConfig, boolean dynamicTenant, String tenantId);
+    }
 
     public TenantConfigBean(
             Map<String, TenantConfigContext> staticTenantsConfig,
-            Map<String, TenantConfigContext> dynamicTenantsConfig,
             TenantConfigContext defaultTenant,
-            Function<OidcTenantConfig, Uni<TenantConfigContext>> tenantConfigContextFactory) {
-        this.staticTenantsConfig = staticTenantsConfig;
-        this.dynamicTenantsConfig = dynamicTenantsConfig;
+            TenantContextFactory tenantContextFactory) {
+        this.staticTenantsConfig = new ConcurrentHashMap<>(staticTenantsConfig);
+        this.dynamicTenantsConfig = new ConcurrentHashMap<>();
         this.defaultTenant = defaultTenant;
-        this.tenantConfigContextFactory = tenantConfigContextFactory;
+        this.tenantContextFactory = tenantContextFactory;
     }
 
-    public Map<String, TenantConfigContext> getStaticTenantsConfig() {
-        return staticTenantsConfig;
+    public Uni<TenantConfigContext> createTenantContext(OidcTenantConfig oidcConfig, boolean dynamicTenant) {
+        if (oidcConfig.logout.backchannel.path.isPresent()) {
+            throw new ConfigurationException(
+                    "BackChannel Logout is currently not supported for dynamic tenants");
+        }
+        var tenantId = oidcConfig.getTenantId().orElseThrow();
+        if (!dynamicTenantsConfig.containsKey(tenantId)) {
+            Uni<TenantConfigContext> uniContext = tenantContextFactory.create(oidcConfig, dynamicTenant, tenantId);
+            return uniContext.onItem().transform(
+                    new Function<TenantConfigContext, TenantConfigContext>() {
+                        @Override
+                        public TenantConfigContext apply(TenantConfigContext t) {
+                            dynamicTenantsConfig.putIfAbsent(tenantId, t);
+                            return t;
+                        }
+                    });
+        } else {
+            return Uni.createFrom().item(dynamicTenantsConfig.get(tenantId));
+        }
     }
 
-    public TenantConfigContext getDefaultTenant() {
-        return defaultTenant;
+    public TenantConfigContext getStaticTenant(String tenantId) {
+        return staticTenantsConfig.get(tenantId);
+    }
+
+    public Map<String, TenantConfigContext> getStaticTenantsConfig() {
+        return unmodifiableMap(staticTenantsConfig);
     }
 
-    public Function<OidcTenantConfig, Uni<TenantConfigContext>> getTenantConfigContextFactory() {
-        return tenantConfigContextFactory;
+    public TenantConfigContext getDynamicTenant(String tenantId) {
+        return dynamicTenantsConfig.get(tenantId);
     }
 
-    public Map<String, TenantConfigContext> getDynamicTenantsConfig() {
-        return dynamicTenantsConfig;
+    public TenantConfigContext getDefaultTenant() {
+        return defaultTenant;
     }
 
     public static class Destroyer implements BeanDestroyer<TenantConfigBean> {
diff --git a/integration-tests/oidc-client-registration/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java b/integration-tests/oidc-client-registration/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java
index 23501f0d2ef23..81ace6de744cb 100644
--- a/integration-tests/oidc-client-registration/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java
+++ b/integration-tests/oidc-client-registration/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java
@@ -62,7 +62,7 @@ public String principalNameMulti2() {
     }
 
     private String getClientName() {
-        OidcTenantConfig oidcConfig = tenantConfigBean.getDynamicTenantsConfig().get(session.getTenantId())
+        OidcTenantConfig oidcConfig = tenantConfigBean.getDynamicTenant(session.getTenantId())
                 .getOidcTenantConfig();
         return oidcConfig.getClientName().get();
     }
diff --git a/integration-tests/oidc-code-flow/src/main/java/io/quarkus/it/keycloak/TenantRefresh.java b/integration-tests/oidc-code-flow/src/main/java/io/quarkus/it/keycloak/TenantRefresh.java
index c1c4646559d67..9b3773a7583a8 100644
--- a/integration-tests/oidc-code-flow/src/main/java/io/quarkus/it/keycloak/TenantRefresh.java
+++ b/integration-tests/oidc-code-flow/src/main/java/io/quarkus/it/keycloak/TenantRefresh.java
@@ -39,7 +39,7 @@ public String sessionExpired(@CookieParam("session_expired") String sessionExpir
             // Cookie format: jwt|<tenant id>
 
             String[] pair = sessionExpired.split("\\|");
-            OidcTenantConfig oidcConfig = tenantConfig.getStaticTenantsConfig().get(pair[1]).getOidcTenantConfig();
+            OidcTenantConfig oidcConfig = tenantConfig.getStaticTenant(pair[1]).getOidcTenantConfig();
             JsonWebToken jwt = new DefaultJWTParser().decrypt(pair[0], oidcConfig.credentials.secret.get());
 
             OidcUtils.removeCookie(context, oidcConfig, "session_expired");