[management] Legacy to embedded IdP migration tool (#5586)

management/server/idp/embedded.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/netbirdio/netbird/idp/dex"
 	"github.com/netbirdio/netbird/management/server/telemetry"
+	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
 )
 
 const (
@@ -48,6 +49,8 @@ type EmbeddedIdPConfig struct {
 	// Existing local users are preserved and will be able to login again if re-enabled.
 	// Cannot be enabled if no external identity provider connectors are configured.
 	LocalAuthDisabled bool
+	// StaticConnectors are additional connectors to seed during initialization
+	StaticConnectors []dex.Connector
 }
 
 // EmbeddedStorageConfig holds storage configuration for the embedded IdP.
@@ -157,6 +160,7 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 				RedirectURIs: cliRedirectURIs,
 			},
 		},
+		StaticConnectors: c.StaticConnectors,
 	}
 
 	// Add owner user if provided
@@ -193,6 +197,9 @@ type OAuthConfigProvider interface {
 	// Management server has embedded Dex and can validate tokens via localhost,
 	// avoiding external network calls and DNS resolution issues during startup.
 	GetLocalKeysLocation() string
+	// GetKeyFetcher returns a KeyFetcher that reads keys directly from the IDP storage,
+	// or nil if direct key fetching is not supported (falls back to HTTP).
+	GetKeyFetcher() nbjwt.KeyFetcher
 	GetClientIDs() []string
 	GetUserIDClaim() string
 	GetTokenEndpoint() string
@@ -593,6 +600,11 @@ func (m *EmbeddedIdPManager) GetCLIRedirectURLs() []string {
 	return m.config.CLIRedirectURIs
 }
 
+// GetKeyFetcher returns a KeyFetcher that reads keys directly from Dex storage.
+func (m *EmbeddedIdPManager) GetKeyFetcher() nbjwt.KeyFetcher {
+	return m.provider.GetJWKS
+}
+
 // GetKeysLocation returns the JWKS endpoint URL for token validation.
 func (m *EmbeddedIdPManager) GetKeysLocation() string {
 	return m.provider.GetKeysLocation()