[management] Legacy to embedded IdP migration tool (#5586)

.github/workflows/check-license-dependencies.yml

@@ -31,7 +31,7 @@ jobs:
           while IFS= read -r dir; do
             echo "=== Checking $dir ==="
             # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" | grep -v "tools/idp-migrate/" || true)
             if [ -n "$RESULTS" ]; then
               echo "❌ Found problematic dependencies:"
               echo "$RESULTS"
@@ -88,7 +88,7 @@ jobs:
               IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
 
               # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
 
               if [ -n "$BSD_IMPORTER" ]; then
                 echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"

.goreleaser.yaml

@@ -154,6 +154,26 @@ builds:
       - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
     mod_timestamp: "{{ .CommitTimestamp }}"
 
+  - id: netbird-idp-migrate
+    dir: tools/idp-migrate
+    env:
+      - CGO_ENABLED=1
+      - >-
+        {{- if eq .Runtime.Goos "linux" }}
+          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
+          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
+        {{- end }}
+    binary: netbird-idp-migrate
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
 universal_binaries:
   - id: netbird
 
@@ -166,6 +186,10 @@ archives:
       - netbird-wasm
     name_template: "{{ .ProjectName }}_{{ .Version }}"
     format: binary
+  - id: netbird-idp-migrate
+    builds:
+      - netbird-idp-migrate
+    name_template: "netbird-idp-migrate_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
 
 nfpms:
   - maintainer: Netbird <dev@netbird.io>

go.mod

@@ -49,6 +49,7 @@ require (
 	github.com/eko/gocache/store/redis/v4 v4.2.2
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gliderlabs/ssh v0.3.8
+	github.com/go-jose/go-jose/v4 v4.1.3
 	github.com/godbus/dbus/v5 v5.1.0
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/mock v1.6.0
@@ -181,7 +182,6 @@ require (
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 // indirect
 	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a // indirect
-	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.12 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect

idp/dex/config.go

@@ -170,20 +170,66 @@ type Connector struct {
 }
 
 // ToStorageConnector converts a Connector to storage.Connector type.
+// It maps custom connector types (e.g., "zitadel", "entra") to Dex-native types
+// and augments the config with OIDC defaults when needed.
 func (c *Connector) ToStorageConnector() (storage.Connector, error) {
-	data, err := json.Marshal(c.Config)
+	dexType, augmentedConfig := mapConnectorToDex(c.Type, c.Config)
+
+	data, err := json.Marshal(augmentedConfig)
 	if err != nil {
 		return storage.Connector{}, fmt.Errorf("failed to marshal connector config: %v", err)
 	}
 
 	return storage.Connector{
 		ID:     c.ID,
-		Type:   c.Type,
+		Type:   dexType,
 		Name:   c.Name,
 		Config: data,
 	}, nil
 }
 
+// mapConnectorToDex maps custom connector types to Dex-native types and applies
+// OIDC defaults. This ensures static connectors from config files or env vars
+// are stored with types that Dex can open.
+func mapConnectorToDex(connType string, config map[string]interface{}) (string, map[string]interface{}) {
+	switch connType {
+	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
+		return "oidc", applyOIDCDefaults(connType, config)
+	default:
+		return connType, config
+	}
+}
+
+// applyOIDCDefaults clones the config map, sets common OIDC defaults,
+// and applies provider-specific overrides.
+func applyOIDCDefaults(connType string, config map[string]interface{}) map[string]interface{} {
+	augmented := make(map[string]interface{}, len(config)+4)
+	for k, v := range config {
+		augmented[k] = v
+	}
+	setDefault(augmented, "scopes", []string{"openid", "profile", "email"})
+	setDefault(augmented, "insecureEnableGroups", true)
+	setDefault(augmented, "insecureSkipEmailVerified", true)
+
+	switch connType {
+	case "zitadel":
+		setDefault(augmented, "getUserInfo", true)
+	case "entra":
+		setDefault(augmented, "claimMapping", map[string]string{"email": "preferred_username"})
+	case "okta", "pocketid":
+		augmented["scopes"] = []string{"openid", "profile", "email", "groups"}
+	}
+
+	return augmented
+}
+
+// setDefault sets a key in the map only if it doesn't already exist.
+func setDefault(m map[string]interface{}, key string, value interface{}) {
+	if _, ok := m[key]; !ok {
+		m[key] = value
+	}
+}
+
 // StorageConfig is a configuration that can create a storage.
 type StorageConfig interface {
 	Open(logger *slog.Logger) (storage.Storage, error)

idp/dex/provider.go

@@ -4,6 +4,7 @@ package dex
 import (
 	"context"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -19,10 +20,13 @@ import (
 	"github.com/dexidp/dex/server"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/sql"
+	jose "github.com/go-jose/go-jose/v4"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
 	"golang.org/x/crypto/bcrypt"
 	"google.golang.org/grpc"
+
+	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
 )
 
 // Config matches what management/internals/server/server.go expects
@@ -666,3 +670,46 @@ func (p *Provider) GetAuthorizationEndpoint() string {
 	}
 	return issuer + "/auth"
 }
+
+// GetJWKS reads signing keys directly from Dex storage and returns them as Jwks.
+// This avoids HTTP round-trips when the embedded IDP is co-located with the management server.
+// The key retrieval mirrors Dex's own handlePublicKeys/ValidationKeys logic:
+// SigningKeyPub first, then all VerificationKeys, serialized via go-jose.
+func (p *Provider) GetJWKS(ctx context.Context) (*nbjwt.Jwks, error) {
+	keys, err := p.storage.GetKeys(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get keys from storage: %w", err)
+	}
+
+	if keys.SigningKeyPub == nil {
+		return nil, fmt.Errorf("no public keys found in storage")
+	}
+
+	// Build the key set exactly as Dex's localSigner.ValidationKeys does:
+	// signing key first, then all verification (rotated) keys.
+	joseKeys := make([]jose.JSONWebKey, 0, len(keys.VerificationKeys)+1)
+	joseKeys = append(joseKeys, *keys.SigningKeyPub)
+	for _, vk := range keys.VerificationKeys {
+		if vk.PublicKey != nil {
+			joseKeys = append(joseKeys, *vk.PublicKey)
+		}
+	}
+
+	// Serialize through go-jose (same as Dex's handlePublicKeys handler)
+	// then deserialize into our Jwks type, so the JSON field mapping is identical
+	// to what the /keys HTTP endpoint would return.
+	joseSet := jose.JSONWebKeySet{Keys: joseKeys}
+	data, err := json.Marshal(joseSet)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal JWKS: %w", err)
+	}
+
+	jwks := &nbjwt.Jwks{}
+	if err := json.Unmarshal(data, jwks); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal JWKS: %w", err)
+	}
+
+	jwks.ExpiresInTime = keys.NextRotation
+
+	return jwks, nil
+}

idp/dex/provider_test.go

@@ -2,11 +2,14 @@ package dex
 
 import (
 	"context"
+	"encoding/json"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"testing"
 
+	"github.com/dexidp/dex/storage"
+	sqllib "github.com/dexidp/dex/storage/sql"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -197,6 +200,295 @@ enablePasswordDB: true
 	t.Logf("User lookup successful: rawID=%s, connectorID=%s", rawID, connID)
 }
 
+// openTestStorage creates a SQLite storage in the given directory for testing.
+func openTestStorage(t *testing.T, tmpDir string) storage.Storage {
+	t.Helper()
+	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	stor, err := (&sqllib.SQLite3{File: filepath.Join(tmpDir, "dex.db")}).Open(logger)
+	require.NoError(t, err)
+	return stor
+}
+
+func TestStaticConnectors_CreatedFromYAML(t *testing.T) {
+	ctx := context.Background()
+
+	tmpDir, err := os.MkdirTemp("", "dex-static-conn-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	yamlContent := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + filepath.Join(tmpDir, "dex.db") + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+connectors:
+- type: oidc
+  id: my-oidc
+  name: My OIDC Provider
+  config:
+    issuer: https://accounts.example.com
+    clientID: test-client-id
+    clientSecret: test-client-secret
+    redirectURI: http://localhost:5556/dex/callback
+`
+	configPath := filepath.Join(tmpDir, "config.yaml")
+	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
+	require.NoError(t, err)
+
+	yamlConfig, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	// Open storage and run initializeStorage directly (avoids Dex server
+	// trying to dial the OIDC issuer)
+	stor := openTestStorage(t, tmpDir)
+	defer stor.Close()
+
+	err = initializeStorage(ctx, stor, yamlConfig)
+	require.NoError(t, err)
+
+	// Verify connector was created in storage
+	conn, err := stor.GetConnector(ctx, "my-oidc")
+	require.NoError(t, err)
+	assert.Equal(t, "my-oidc", conn.ID)
+	assert.Equal(t, "My OIDC Provider", conn.Name)
+	assert.Equal(t, "oidc", conn.Type)
+
+	// Verify config fields were serialized correctly
+	var configMap map[string]interface{}
+	err = json.Unmarshal(conn.Config, &configMap)
+	require.NoError(t, err)
+	assert.Equal(t, "https://accounts.example.com", configMap["issuer"])
+	assert.Equal(t, "test-client-id", configMap["clientID"])
+}
+
+func TestStaticConnectors_UpdatedOnRestart(t *testing.T) {
+	ctx := context.Background()
+
+	tmpDir, err := os.MkdirTemp("", "dex-static-conn-update-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	dbFile := filepath.Join(tmpDir, "dex.db")
+
+	// First: load config with initial connector
+	yamlContent1 := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + dbFile + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+connectors:
+- type: oidc
+  id: my-oidc
+  name: Original Name
+  config:
+    issuer: https://accounts.example.com
+    clientID: original-client-id
+    clientSecret: original-secret
+`
+	configPath := filepath.Join(tmpDir, "config.yaml")
+	err = os.WriteFile(configPath, []byte(yamlContent1), 0644)
+	require.NoError(t, err)
+
+	yamlConfig1, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	stor := openTestStorage(t, tmpDir)
+	err = initializeStorage(ctx, stor, yamlConfig1)
+	require.NoError(t, err)
+
+	// Verify initial state
+	conn, err := stor.GetConnector(ctx, "my-oidc")
+	require.NoError(t, err)
+	assert.Equal(t, "Original Name", conn.Name)
+
+	var configMap1 map[string]interface{}
+	err = json.Unmarshal(conn.Config, &configMap1)
+	require.NoError(t, err)
+	assert.Equal(t, "original-client-id", configMap1["clientID"])
+
+	// Close storage to simulate restart
+	stor.Close()
+
+	// Second: load updated config against the same DB
+	yamlContent2 := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + dbFile + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+connectors:
+- type: oidc
+  id: my-oidc
+  name: Updated Name
+  config:
+    issuer: https://accounts.example.com
+    clientID: updated-client-id
+    clientSecret: updated-secret
+`
+	err = os.WriteFile(configPath, []byte(yamlContent2), 0644)
+	require.NoError(t, err)
+
+	yamlConfig2, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	stor2 := openTestStorage(t, tmpDir)
+	defer stor2.Close()
+
+	err = initializeStorage(ctx, stor2, yamlConfig2)
+	require.NoError(t, err)
+
+	// Verify connector was updated, not duplicated
+	allConnectors, err := stor2.ListConnectors(ctx)
+	require.NoError(t, err)
+
+	nonLocalCount := 0
+	for _, c := range allConnectors {
+		if c.ID != "local" {
+			nonLocalCount++
+		}
+	}
+	assert.Equal(t, 1, nonLocalCount, "connector should be updated, not duplicated")
+
+	conn2, err := stor2.GetConnector(ctx, "my-oidc")
+	require.NoError(t, err)
+	assert.Equal(t, "Updated Name", conn2.Name)
+
+	var configMap2 map[string]interface{}
+	err = json.Unmarshal(conn2.Config, &configMap2)
+	require.NoError(t, err)
+	assert.Equal(t, "updated-client-id", configMap2["clientID"])
+}
+
+func TestStaticConnectors_MultipleConnectors(t *testing.T) {
+	ctx := context.Background()
+
+	tmpDir, err := os.MkdirTemp("", "dex-static-conn-multi-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	yamlContent := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + filepath.Join(tmpDir, "dex.db") + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+connectors:
+- type: oidc
+  id: my-oidc
+  name: My OIDC Provider
+  config:
+    issuer: https://accounts.example.com
+    clientID: oidc-client-id
+    clientSecret: oidc-secret
+- type: google
+  id: my-google
+  name: Google Login
+  config:
+    clientID: google-client-id
+    clientSecret: google-secret
+`
+	configPath := filepath.Join(tmpDir, "config.yaml")
+	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
+	require.NoError(t, err)
+
+	yamlConfig, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	stor := openTestStorage(t, tmpDir)
+	defer stor.Close()
+
+	err = initializeStorage(ctx, stor, yamlConfig)
+	require.NoError(t, err)
+
+	allConnectors, err := stor.ListConnectors(ctx)
+	require.NoError(t, err)
+
+	// Build a map for easier assertion
+	connByID := make(map[string]storage.Connector)
+	for _, c := range allConnectors {
+		connByID[c.ID] = c
+	}
+
+	// Verify both static connectors exist
+	oidcConn, ok := connByID["my-oidc"]
+	require.True(t, ok, "oidc connector should exist")
+	assert.Equal(t, "My OIDC Provider", oidcConn.Name)
+	assert.Equal(t, "oidc", oidcConn.Type)
+
+	var oidcConfig map[string]interface{}
+	err = json.Unmarshal(oidcConn.Config, &oidcConfig)
+	require.NoError(t, err)
+	assert.Equal(t, "oidc-client-id", oidcConfig["clientID"])
+
+	googleConn, ok := connByID["my-google"]
+	require.True(t, ok, "google connector should exist")
+	assert.Equal(t, "Google Login", googleConn.Name)
+	assert.Equal(t, "google", googleConn.Type)
+
+	var googleConfig map[string]interface{}
+	err = json.Unmarshal(googleConn.Config, &googleConfig)
+	require.NoError(t, err)
+	assert.Equal(t, "google-client-id", googleConfig["clientID"])
+
+	// Verify local connector still exists alongside them (enablePasswordDB: true)
+	localConn, ok := connByID["local"]
+	require.True(t, ok, "local connector should exist")
+	assert.Equal(t, "local", localConn.Type)
+}
+
+func TestStaticConnectors_EmptyList(t *testing.T) {
+	ctx := context.Background()
+
+	tmpDir, err := os.MkdirTemp("", "dex-static-conn-empty-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	yamlContent := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + filepath.Join(tmpDir, "dex.db") + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+`
+	configPath := filepath.Join(tmpDir, "config.yaml")
+	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
+	require.NoError(t, err)
+
+	yamlConfig, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	provider, err := NewProviderFromYAML(ctx, yamlConfig)
+	require.NoError(t, err)
+	defer func() { _ = provider.Stop(ctx) }()
+
+	// No static connectors configured, so ListConnectors should return empty
+	connectors, err := provider.ListConnectors(ctx)
+	require.NoError(t, err)
+	assert.Empty(t, connectors)
+
+	// But local connector should still exist
+	localConn, err := provider.Storage().GetConnector(ctx, "local")
+	require.NoError(t, err)
+	assert.Equal(t, "local", localConn.ID)
+}
+
 func TestNewProvider_ContinueOnConnectorFailure(t *testing.T) {
 	ctx := context.Background()
 

management/internals/server/controllers.go

@@ -20,6 +20,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/job"
+	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
 )
 
 func (s *BaseServer) PeersUpdateManager() network_map.PeersUpdateManager {
@@ -71,6 +72,7 @@ func (s *BaseServer) AuthManager() auth.Manager {
 	signingKeyRefreshEnabled := s.Config.HttpConfig.IdpSignKeyRefreshEnabled
 	issuer := s.Config.HttpConfig.AuthIssuer
 	userIDClaim := s.Config.HttpConfig.AuthUserIDClaim
+	var keyFetcher nbjwt.KeyFetcher
 
 	// Use embedded IdP configuration if available
 	if oauthProvider := s.OAuthConfigProvider(); oauthProvider != nil {
@@ -78,8 +80,11 @@ func (s *BaseServer) AuthManager() auth.Manager {
 		if len(audiences) > 0 {
 			audience = audiences[0] // Use the first client ID as the primary audience
 		}
-		// Use localhost keys location for internal validation (management has embedded Dex)
+		keyFetcher = oauthProvider.GetKeyFetcher()
-		keysLocation = oauthProvider.GetLocalKeysLocation()
+		// Fall back to default keys location if direct key fetching is not available
+		if keyFetcher == nil {
+			keysLocation = oauthProvider.GetLocalKeysLocation()
+		}
 		signingKeyRefreshEnabled = true
 		issuer = oauthProvider.GetIssuer()
 		userIDClaim = oauthProvider.GetUserIDClaim()
@@ -92,7 +97,8 @@ func (s *BaseServer) AuthManager() auth.Manager {
 			keysLocation,
 			userIDClaim,
 			audiences,
-			signingKeyRefreshEnabled)
+			signingKeyRefreshEnabled,
+			keyFetcher)
 	})
 }
 

management/internals/server/modules.go

@@ -117,9 +117,11 @@ func (s *BaseServer) IdpManager() idp.Manager {
 	return Create(s, func() idp.Manager {
 		var idpManager idp.Manager
 		var err error
+
 		// Use embedded IdP service if embedded Dex is configured and enabled.
 		// Legacy IdpManager won't be used anymore even if configured.
-		if s.Config.EmbeddedIdP != nil && s.Config.EmbeddedIdP.Enabled {
+		embeddedEnabled := s.Config.EmbeddedIdP != nil && s.Config.EmbeddedIdP.Enabled
+		if embeddedEnabled {
 			idpManager, err = idp.NewEmbeddedIdPManager(context.Background(), s.Config.EmbeddedIdP, s.Metrics())
 			if err != nil {
 				log.Fatalf("failed to create embedded IDP service: %v", err)

management/server/activity/store/sql_store_idp_migration.go

@@ -0,0 +1,61 @@
+package store
+
+// This file contains migration-only methods on Store.
+// They satisfy the migration.MigrationEventStore interface via duck typing.
+// Delete this file when migration tooling is no longer needed.
+
+import (
+	"context"
+	"fmt"
+
+	"gorm.io/gorm"
+
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/idp/migration"
+)
+
+// CheckSchema verifies that all tables and columns required by the migration exist in the event database.
+func (store *Store) CheckSchema(checks []migration.SchemaCheck) []migration.SchemaError {
+	migrator := store.db.Migrator()
+	var errs []migration.SchemaError
+
+	for _, check := range checks {
+		if !migrator.HasTable(check.Table) {
+			errs = append(errs, migration.SchemaError{Table: check.Table})
+			continue
+		}
+		for _, col := range check.Columns {
+			if !migrator.HasColumn(check.Table, col) {
+				errs = append(errs, migration.SchemaError{Table: check.Table, Column: col})
+			}
+		}
+	}
+
+	return errs
+}
+
+// UpdateUserID updates all references to oldUserID in events and deleted_users tables.
+func (store *Store) UpdateUserID(ctx context.Context, oldUserID, newUserID string) error {
+	return store.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
+		if err := tx.Model(&activity.Event{}).
+			Where("initiator_id = ?", oldUserID).
+			Update("initiator_id", newUserID).Error; err != nil {
+			return fmt.Errorf("update events.initiator_id: %w", err)
+		}
+
+		if err := tx.Model(&activity.Event{}).
+			Where("target_id = ?", oldUserID).
+			Update("target_id", newUserID).Error; err != nil {
+			return fmt.Errorf("update events.target_id: %w", err)
+		}
+
+		// Raw exec: GORM can't update a PK via Model().Update()
+		if err := tx.Exec(
+			"UPDATE deleted_users SET id = ? WHERE id = ?", newUserID, oldUserID,
+		).Error; err != nil {
+			return fmt.Errorf("update deleted_users.id: %w", err)
+		}
+
+		return nil
+	})
+}

management/server/activity/store/sql_store_idp_migration_test.go

@@ -0,0 +1,161 @@
+package store
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/util/crypt"
+)
+
+func TestUpdateUserID(t *testing.T) {
+	ctx := context.Background()
+
+	newStore := func(t *testing.T) *Store {
+		t.Helper()
+		key, _ := crypt.GenerateKey()
+		s, err := NewSqlStore(ctx, t.TempDir(), key)
+		if err != nil {
+			t.Fatal(err)
+		}
+		t.Cleanup(func() { s.Close(ctx) }) //nolint
+		return s
+	}
+
+	t.Run("updates initiator_id in events", func(t *testing.T) {
+		store := newStore(t)
+		accountID := "account_1"
+
+		_, err := store.Save(ctx, &activity.Event{
+			Timestamp:   time.Now().UTC(),
+			Activity:    activity.PeerAddedByUser,
+			InitiatorID: "old-user",
+			TargetID:    "some-peer",
+			AccountID:   accountID,
+		})
+		assert.NoError(t, err)
+
+		err = store.UpdateUserID(ctx, "old-user", "new-user")
+		assert.NoError(t, err)
+
+		result, err := store.Get(ctx, accountID, 0, 10, false)
+		assert.NoError(t, err)
+		assert.Len(t, result, 1)
+		assert.Equal(t, "new-user", result[0].InitiatorID)
+	})
+
+	t.Run("updates target_id in events", func(t *testing.T) {
+		store := newStore(t)
+		accountID := "account_1"
+
+		_, err := store.Save(ctx, &activity.Event{
+			Timestamp:   time.Now().UTC(),
+			Activity:    activity.PeerAddedByUser,
+			InitiatorID: "some-admin",
+			TargetID:    "old-user",
+			AccountID:   accountID,
+		})
+		assert.NoError(t, err)
+
+		err = store.UpdateUserID(ctx, "old-user", "new-user")
+		assert.NoError(t, err)
+
+		result, err := store.Get(ctx, accountID, 0, 10, false)
+		assert.NoError(t, err)
+		assert.Len(t, result, 1)
+		assert.Equal(t, "new-user", result[0].TargetID)
+	})
+
+	t.Run("updates deleted_users id", func(t *testing.T) {
+		store := newStore(t)
+		accountID := "account_1"
+
+		// Save an event with email/name meta to create a deleted_users row for "old-user"
+		_, err := store.Save(ctx, &activity.Event{
+			Timestamp:   time.Now().UTC(),
+			Activity:    activity.PeerAddedByUser,
+			InitiatorID: "admin",
+			TargetID:    "old-user",
+			AccountID:   accountID,
+			Meta: map[string]any{
+				"email": "user@example.com",
+				"name":  "Test User",
+			},
+		})
+		assert.NoError(t, err)
+
+		err = store.UpdateUserID(ctx, "old-user", "new-user")
+		assert.NoError(t, err)
+
+		// Save another event referencing new-user with email/name meta.
+		// This should upsert (not conflict) because the PK was already migrated.
+		_, err = store.Save(ctx, &activity.Event{
+			Timestamp:   time.Now().UTC(),
+			Activity:    activity.PeerAddedByUser,
+			InitiatorID: "admin",
+			TargetID:    "new-user",
+			AccountID:   accountID,
+			Meta: map[string]any{
+				"email": "user@example.com",
+				"name":  "Test User",
+			},
+		})
+		assert.NoError(t, err)
+
+		// The deleted user info should be retrievable via Get (joined on target_id)
+		result, err := store.Get(ctx, accountID, 0, 10, false)
+		assert.NoError(t, err)
+		assert.Len(t, result, 2)
+		for _, ev := range result {
+			assert.Equal(t, "new-user", ev.TargetID)
+		}
+	})
+
+	t.Run("no-op when old user ID does not exist", func(t *testing.T) {
+		store := newStore(t)
+
+		err := store.UpdateUserID(ctx, "nonexistent-user", "new-user")
+		assert.NoError(t, err)
+	})
+
+	t.Run("only updates matching user leaves others unchanged", func(t *testing.T) {
+		store := newStore(t)
+		accountID := "account_1"
+
+		_, err := store.Save(ctx, &activity.Event{
+			Timestamp:   time.Now().UTC(),
+			Activity:    activity.PeerAddedByUser,
+			InitiatorID: "user-a",
+			TargetID:    "peer-1",
+			AccountID:   accountID,
+		})
+		assert.NoError(t, err)
+
+		_, err = store.Save(ctx, &activity.Event{
+			Timestamp:   time.Now().UTC(),
+			Activity:    activity.PeerAddedByUser,
+			InitiatorID: "user-b",
+			TargetID:    "peer-2",
+			AccountID:   accountID,
+		})
+		assert.NoError(t, err)
+
+		err = store.UpdateUserID(ctx, "user-a", "user-a-new")
+		assert.NoError(t, err)
+
+		result, err := store.Get(ctx, accountID, 0, 10, false)
+		assert.NoError(t, err)
+		assert.Len(t, result, 2)
+
+		for _, ev := range result {
+			if ev.TargetID == "peer-1" {
+				assert.Equal(t, "user-a-new", ev.InitiatorID)
+			} else {
+				assert.Equal(t, "user-b", ev.InitiatorID)
+			}
+		}
+	})
+}

management/server/auth/manager.go

@@ -33,15 +33,20 @@ type manager struct {
 	extractor *nbjwt.ClaimsExtractor
 }
 
-func NewManager(store store.Store, issuer, audience, keysLocation, userIdClaim string, allAudiences []string, idpRefreshKeys bool) Manager {
+func NewManager(store store.Store, issuer, audience, keysLocation, userIdClaim string, allAudiences []string, idpRefreshKeys bool, keyFetcher nbjwt.KeyFetcher) Manager {
-	// @note if invalid/missing parameters are sent the validator will instantiate
+	var jwtValidator *nbjwt.Validator
-	// but it will fail when validating and parsing the token
+	if keyFetcher != nil {
-	jwtValidator := nbjwt.NewValidator(
+		jwtValidator = nbjwt.NewValidatorWithKeyFetcher(issuer, allAudiences, keyFetcher)
-		issuer,
+	} else {
-		allAudiences,
+		// @note if invalid/missing parameters are sent the validator will instantiate
-		keysLocation,
+		// but it will fail when validating and parsing the token
-		idpRefreshKeys,
+		jwtValidator = nbjwt.NewValidator(
-	)
+			issuer,
+			allAudiences,
+			keysLocation,
+			idpRefreshKeys,
+		)
+	}
 
 	claimsExtractor := nbjwt.NewClaimsExtractor(
 		nbjwt.WithAudience(audience),

management/server/auth/manager_test.go

@@ -52,7 +52,7 @@ func TestAuthManager_GetAccountInfoFromPAT(t *testing.T) {
 		t.Fatalf("Error when saving account: %s", err)
 	}
 
-	manager := auth.NewManager(store, "", "", "", "", []string{}, false)
+	manager := auth.NewManager(store, "", "", "", "", []string{}, false, nil)
 
 	user, pat, _, _, err := manager.GetPATInfo(context.Background(), token)
 	if err != nil {
@@ -92,7 +92,7 @@ func TestAuthManager_MarkPATUsed(t *testing.T) {
 		t.Fatalf("Error when saving account: %s", err)
 	}
 
-	manager := auth.NewManager(store, "", "", "", "", []string{}, false)
+	manager := auth.NewManager(store, "", "", "", "", []string{}, false, nil)
 
 	err = manager.MarkPATUsed(context.Background(), "tokenId")
 	if err != nil {
@@ -142,7 +142,7 @@ func TestAuthManager_EnsureUserAccessByJWTGroups(t *testing.T) {
 	// these tests only assert groups are parsed from token as per account settings
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{"idp-groups": []interface{}{"group1", "group2"}})
 
-	manager := auth.NewManager(store, "", "", "", "", []string{}, false)
+	manager := auth.NewManager(store, "", "", "", "", []string{}, false, nil)
 
 	t.Run("JWT groups disabled", func(t *testing.T) {
 		userAuth, err := manager.EnsureUserAccessByJWTGroups(context.Background(), userAuth, token)
@@ -225,7 +225,7 @@ func TestAuthManager_ValidateAndParseToken(t *testing.T) {
 	keyId := "test-key"
 
 	// note, we can use a nil store because ValidateAndParseToken does not use it in it's flow
-	manager := auth.NewManager(nil, issuer, audience, server.URL, userIdClaim, []string{audience}, false)
+	manager := auth.NewManager(nil, issuer, audience, server.URL, userIdClaim, []string{audience}, false, nil)
 
 	customClaim := func(name string) string {
 		return fmt.Sprintf("%s/%s", audience, name)

management/server/http/testing/testing_tools/channel/channel.go

@@ -119,7 +119,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	am.SetServiceManager(serviceManager)
 
 	// @note this is required so that PAT's validate from store, but JWT's are mocked
-	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false)
+	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false, nil)
 	authManagerMock := &serverauth.MockManager{
 		ValidateAndParseTokenFunc:       mockValidateAndParseToken,
 		EnsureUserAccessByJWTGroupsFunc: authManager.EnsureUserAccessByJWTGroups,
@@ -248,7 +248,7 @@ func BuildApiBlackBoxWithDBStateAndPeerChannel(t testing_tools.TB, sqlFile strin
 	am.SetServiceManager(serviceManager)
 
 	// @note this is required so that PAT's validate from store, but JWT's are mocked
-	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false)
+	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false, nil)
 	authManagerMock := &serverauth.MockManager{
 		ValidateAndParseTokenFunc:       mockValidateAndParseToken,
 		EnsureUserAccessByJWTGroupsFunc: authManager.EnsureUserAccessByJWTGroups,

management/server/idp/embedded.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/netbirdio/netbird/idp/dex"
 	"github.com/netbirdio/netbird/management/server/telemetry"
+	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
 )
 
 const (
@@ -48,6 +49,8 @@ type EmbeddedIdPConfig struct {
 	// Existing local users are preserved and will be able to login again if re-enabled.
 	// Cannot be enabled if no external identity provider connectors are configured.
 	LocalAuthDisabled bool
+	// StaticConnectors are additional connectors to seed during initialization
+	StaticConnectors []dex.Connector
 }
 
 // EmbeddedStorageConfig holds storage configuration for the embedded IdP.
@@ -157,6 +160,7 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 				RedirectURIs: cliRedirectURIs,
 			},
 		},
+		StaticConnectors: c.StaticConnectors,
 	}
 
 	// Add owner user if provided
@@ -193,6 +197,9 @@ type OAuthConfigProvider interface {
 	// Management server has embedded Dex and can validate tokens via localhost,
 	// avoiding external network calls and DNS resolution issues during startup.
 	GetLocalKeysLocation() string
+	// GetKeyFetcher returns a KeyFetcher that reads keys directly from the IDP storage,
+	// or nil if direct key fetching is not supported (falls back to HTTP).
+	GetKeyFetcher() nbjwt.KeyFetcher
 	GetClientIDs() []string
 	GetUserIDClaim() string
 	GetTokenEndpoint() string
@@ -593,6 +600,11 @@ func (m *EmbeddedIdPManager) GetCLIRedirectURLs() []string {
 	return m.config.CLIRedirectURIs
 }
 
+// GetKeyFetcher returns a KeyFetcher that reads keys directly from Dex storage.
+func (m *EmbeddedIdPManager) GetKeyFetcher() nbjwt.KeyFetcher {
+	return m.provider.GetJWKS
+}
+
 // GetKeysLocation returns the JWKS endpoint URL for token validation.
 func (m *EmbeddedIdPManager) GetKeysLocation() string {
 	return m.provider.GetKeysLocation()

management/server/idp/migration/migration.go

@@ -0,0 +1,235 @@
+// Package migration provides utility functions for migrating from the external IdP solution in pre v0.62.0
+// to the new embedded IdP manager (Dex based), which is the default in v0.62.0 and later.
+// It includes functions to seed connectors and migrate existing users to use these connectors.
+package migration
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/idp/dex"
+	"github.com/netbirdio/netbird/management/server/idp"
+	"github.com/netbirdio/netbird/management/server/types"
+)
+
+// Server is the dependency interface that migration functions use to access
+// the main data store and the activity event store.
+type Server interface {
+	Store() Store
+	EventStore() EventStore // may return nil
+}
+
+const idpSeedInfoKey = "IDP_SEED_INFO"
+const dryRunEnvKey = "NB_IDP_MIGRATION_DRY_RUN"
+
+func isDryRun() bool {
+	return os.Getenv(dryRunEnvKey) == "true"
+}
+
+var ErrNoSeedInfo = errors.New("no seed info found in environment")
+
+// SeedConnectorFromEnv reads the IDP_SEED_INFO env var, base64-decodes it,
+// and JSON-unmarshals it into a dex.Connector. Returns nil if not set.
+func SeedConnectorFromEnv() (*dex.Connector, error) {
+	val, ok := os.LookupEnv(idpSeedInfoKey)
+	if !ok || val == "" {
+		return nil, ErrNoSeedInfo
+	}
+
+	decoded, err := base64.StdEncoding.DecodeString(val)
+	if err != nil {
+		return nil, fmt.Errorf("base64 decode: %w", err)
+	}
+
+	var conn dex.Connector
+	if err := json.Unmarshal(decoded, &conn); err != nil {
+		return nil, fmt.Errorf("json unmarshal: %w", err)
+	}
+
+	return &conn, nil
+}
+
+// MigrateUsersToStaticConnectors re-keys every user ID in the main store (and
+// the activity store, if present) so that it encodes the given connector ID,
+// skipping users that have already been migrated. Set NB_IDP_MIGRATION_DRY_RUN=true
+// to log what would happen without writing any changes.
+func MigrateUsersToStaticConnectors(s Server, conn *dex.Connector) error {
+	ctx := context.Background()
+
+	if isDryRun() {
+		log.Info("[DRY RUN] migration dry-run mode enabled, no changes will be written")
+	}
+
+	users, err := s.Store().ListUsers(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to list users: %w", err)
+	}
+
+	// Reconciliation pass: fix activity store for users already migrated in main DB
+	// but whose activity references may still use old IDs (from a previous partial failure).
+	if s.EventStore() != nil && !isDryRun() {
+		if err := reconcileActivityStore(ctx, s.EventStore(), users); err != nil {
+			return err
+		}
+	}
+
+	var migratedCount, skippedCount int
+
+	for _, user := range users {
+		_, _, decErr := dex.DecodeDexUserID(user.Id)
+		if decErr == nil {
+			skippedCount++
+			continue
+		}
+
+		newUserID := dex.EncodeDexUserID(user.Id, conn.ID)
+
+		if isDryRun() {
+			log.Infof("[DRY RUN] would migrate user %s -> %s (account: %s)", user.Id, newUserID, user.AccountID)
+			migratedCount++
+			continue
+		}
+
+		if err := migrateUser(ctx, s, user.Id, user.AccountID, newUserID); err != nil {
+			return err
+		}
+
+		migratedCount++
+	}
+
+	if isDryRun() {
+		log.Infof("[DRY RUN] migration summary: %d users would be migrated, %d already migrated", migratedCount, skippedCount)
+	} else {
+		log.Infof("migration complete: %d users migrated, %d already migrated", migratedCount, skippedCount)
+	}
+
+	return nil
+}
+
+// reconcileActivityStore updates activity store references for users already migrated
+// in the main DB whose activity entries may still use old IDs from a previous partial failure.
+func reconcileActivityStore(ctx context.Context, eventStore EventStore, users []*types.User) error {
+	for _, user := range users {
+		originalID, _, err := dex.DecodeDexUserID(user.Id)
+		if err != nil {
+			// skip users that aren't migrated, they will be handled in the main migration loop
+			continue
+		}
+		if err := eventStore.UpdateUserID(ctx, originalID, user.Id); err != nil {
+			return fmt.Errorf("reconcile activity store for user %s: %w", user.Id, err)
+		}
+	}
+	return nil
+}
+
+// migrateUser updates a single user's ID in both the main store and the activity store.
+func migrateUser(ctx context.Context, s Server, oldID, accountID, newID string) error {
+	if err := s.Store().UpdateUserID(ctx, accountID, oldID, newID); err != nil {
+		return fmt.Errorf("failed to update user ID for user %s: %w", oldID, err)
+	}
+
+	if s.EventStore() == nil {
+		return nil
+	}
+
+	if err := s.EventStore().UpdateUserID(ctx, oldID, newID); err != nil {
+		return fmt.Errorf("failed to update activity store user ID for user %s: %w", oldID, err)
+	}
+
+	return nil
+}
+
+// PopulateUserInfo fetches user email and name from the external IDP and updates
+// the store for users that are missing this information.
+func PopulateUserInfo(s Server, idpManager idp.Manager, dryRun bool) error {
+	ctx := context.Background()
+
+	users, err := s.Store().ListUsers(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to list users: %w", err)
+	}
+
+	// Build a map of IDP user ID -> UserData from the external IDP
+	allAccounts, err := idpManager.GetAllAccounts(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to fetch accounts from IDP: %w", err)
+	}
+
+	idpUsers := make(map[string]*idp.UserData)
+	for _, accountUsers := range allAccounts {
+		for _, userData := range accountUsers {
+			idpUsers[userData.ID] = userData
+		}
+	}
+
+	log.Infof("fetched %d users from IDP", len(idpUsers))
+
+	var updatedCount, skippedCount, notFoundCount int
+
+	for _, user := range users {
+		if user.IsServiceUser {
+			skippedCount++
+			continue
+		}
+
+		if user.Email != "" && user.Name != "" {
+			skippedCount++
+			continue
+		}
+
+		// The user ID in the store may be the original IDP ID or a Dex-encoded ID.
+		// Try to decode the Dex format first to get the original IDP ID.
+		lookupID := user.Id
+		if originalID, _, decErr := dex.DecodeDexUserID(user.Id); decErr == nil {
+			lookupID = originalID
+		}
+
+		idpUser, found := idpUsers[lookupID]
+		if !found {
+			notFoundCount++
+			log.Debugf("user %s (lookup: %s) not found in IDP, skipping", user.Id, lookupID)
+			continue
+		}
+
+		email := user.Email
+		name := user.Name
+		if email == "" && idpUser.Email != "" {
+			email = idpUser.Email
+		}
+		if name == "" && idpUser.Name != "" {
+			name = idpUser.Name
+		}
+
+		if email == user.Email && name == user.Name {
+			skippedCount++
+			continue
+		}
+
+		if dryRun {
+			log.Infof("[DRY RUN] would update user %s: email=%q, name=%q", user.Id, email, name)
+			updatedCount++
+			continue
+		}
+
+		if err := s.Store().UpdateUserInfo(ctx, user.Id, email, name); err != nil {
+			return fmt.Errorf("failed to update user info for %s: %w", user.Id, err)
+		}
+
+		log.Infof("updated user %s: email=%q, name=%q", user.Id, email, name)
+		updatedCount++
+	}
+
+	if dryRun {
+		log.Infof("[DRY RUN] user info summary: %d would be updated, %d skipped, %d not found in IDP", updatedCount, skippedCount, notFoundCount)
+	} else {
+		log.Infof("user info population complete: %d updated, %d skipped, %d not found in IDP", updatedCount, skippedCount, notFoundCount)
+	}
+
+	return nil
+}

management/server/idp/migration/migration_test.go

@@ -0,0 +1,828 @@
+package migration
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/idp/dex"
+	"github.com/netbirdio/netbird/management/server/idp"
+	"github.com/netbirdio/netbird/management/server/types"
+)
+
+// testStore is a hand-written mock for MigrationStore.
+type testStore struct {
+	listUsersFunc      func(ctx context.Context) ([]*types.User, error)
+	updateUserIDFunc   func(ctx context.Context, accountID, oldUserID, newUserID string) error
+	updateUserInfoFunc func(ctx context.Context, userID, email, name string) error
+	checkSchemaFunc    func(checks []SchemaCheck) []SchemaError
+	updateCalls        []updateUserIDCall
+	updateInfoCalls    []updateUserInfoCall
+}
+
+type updateUserIDCall struct {
+	AccountID string
+	OldUserID string
+	NewUserID string
+}
+
+type updateUserInfoCall struct {
+	UserID string
+	Email  string
+	Name   string
+}
+
+func (s *testStore) ListUsers(ctx context.Context) ([]*types.User, error) {
+	return s.listUsersFunc(ctx)
+}
+
+func (s *testStore) UpdateUserID(ctx context.Context, accountID, oldUserID, newUserID string) error {
+	s.updateCalls = append(s.updateCalls, updateUserIDCall{accountID, oldUserID, newUserID})
+	return s.updateUserIDFunc(ctx, accountID, oldUserID, newUserID)
+}
+
+func (s *testStore) UpdateUserInfo(ctx context.Context, userID, email, name string) error {
+	s.updateInfoCalls = append(s.updateInfoCalls, updateUserInfoCall{userID, email, name})
+	if s.updateUserInfoFunc != nil {
+		return s.updateUserInfoFunc(ctx, userID, email, name)
+	}
+	return nil
+}
+
+func (s *testStore) CheckSchema(checks []SchemaCheck) []SchemaError {
+	if s.checkSchemaFunc != nil {
+		return s.checkSchemaFunc(checks)
+	}
+	return nil
+}
+
+type testServer struct {
+	store      Store
+	eventStore EventStore
+}
+
+func (s *testServer) Store() Store           { return s.store }
+func (s *testServer) EventStore() EventStore { return s.eventStore }
+
+func TestSeedConnectorFromEnv(t *testing.T) {
+	t.Run("returns ErrNoSeedInfo when env var is not set", func(t *testing.T) {
+		os.Unsetenv(idpSeedInfoKey)
+
+		conn, err := SeedConnectorFromEnv()
+		assert.ErrorIs(t, err, ErrNoSeedInfo)
+		assert.Nil(t, conn)
+	})
+
+	t.Run("returns ErrNoSeedInfo when env var is empty", func(t *testing.T) {
+		t.Setenv(idpSeedInfoKey, "")
+
+		conn, err := SeedConnectorFromEnv()
+		assert.ErrorIs(t, err, ErrNoSeedInfo)
+		assert.Nil(t, conn)
+	})
+
+	t.Run("returns error on invalid base64", func(t *testing.T) {
+		t.Setenv(idpSeedInfoKey, "not-valid-base64!!!")
+
+		conn, err := SeedConnectorFromEnv()
+		assert.NotErrorIs(t, err, ErrNoSeedInfo)
+		assert.Error(t, err)
+		assert.Nil(t, conn)
+		assert.Contains(t, err.Error(), "base64 decode")
+	})
+
+	t.Run("returns error on invalid JSON", func(t *testing.T) {
+		encoded := base64.StdEncoding.EncodeToString([]byte("not json"))
+		t.Setenv(idpSeedInfoKey, encoded)
+
+		conn, err := SeedConnectorFromEnv()
+		assert.NotErrorIs(t, err, ErrNoSeedInfo)
+		assert.Error(t, err)
+		assert.Nil(t, conn)
+		assert.Contains(t, err.Error(), "json unmarshal")
+	})
+
+	t.Run("successfully decodes valid connector", func(t *testing.T) {
+		expected := dex.Connector{
+			Type: "oidc",
+			Name: "Test Provider",
+			ID:   "test-provider",
+			Config: map[string]any{
+				"issuer":       "https://example.com",
+				"clientID":     "my-client-id",
+				"clientSecret": "my-secret",
+			},
+		}
+
+		data, err := json.Marshal(expected)
+		require.NoError(t, err)
+
+		encoded := base64.StdEncoding.EncodeToString(data)
+		t.Setenv(idpSeedInfoKey, encoded)
+
+		conn, err := SeedConnectorFromEnv()
+		assert.NoError(t, err)
+		require.NotNil(t, conn)
+		assert.Equal(t, expected.Type, conn.Type)
+		assert.Equal(t, expected.Name, conn.Name)
+		assert.Equal(t, expected.ID, conn.ID)
+		assert.Equal(t, expected.Config["issuer"], conn.Config["issuer"])
+	})
+}
+
+func TestMigrateUsersToStaticConnectors(t *testing.T) {
+	connector := &dex.Connector{
+		Type: "oidc",
+		Name: "Test Provider",
+		ID:   "test-connector",
+	}
+
+	t.Run("succeeds with no users", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc:    func(ctx context.Context) ([]*types.User, error) { return nil, nil },
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error { return nil },
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.NoError(t, err)
+	})
+
+	t.Run("returns error when ListUsers fails", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return nil, fmt.Errorf("db error")
+			},
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error { return nil },
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to list users")
+	})
+
+	t.Run("migrates single user with correct encoded ID", func(t *testing.T) {
+		user := &types.User{Id: "user-1", AccountID: "account-1"}
+		expectedNewID := dex.EncodeDexUserID("user-1", "test-connector")
+
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{user}, nil
+			},
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
+				return nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.NoError(t, err)
+		require.Len(t, ms.updateCalls, 1)
+		assert.Equal(t, "account-1", ms.updateCalls[0].AccountID)
+		assert.Equal(t, "user-1", ms.updateCalls[0].OldUserID)
+		assert.Equal(t, expectedNewID, ms.updateCalls[0].NewUserID)
+	})
+
+	t.Run("migrates multiple users", func(t *testing.T) {
+		users := []*types.User{
+			{Id: "user-1", AccountID: "account-1"},
+			{Id: "user-2", AccountID: "account-1"},
+			{Id: "user-3", AccountID: "account-2"},
+		}
+
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return users, nil
+			},
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
+				return nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.NoError(t, err)
+		assert.Len(t, ms.updateCalls, 3)
+	})
+
+	t.Run("returns error when UpdateUserID fails", func(t *testing.T) {
+		users := []*types.User{
+			{Id: "user-1", AccountID: "account-1"},
+			{Id: "user-2", AccountID: "account-1"},
+		}
+
+		callCount := 0
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return users, nil
+			},
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
+				callCount++
+				if callCount == 2 {
+					return fmt.Errorf("update failed")
+				}
+				return nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to update user ID for user user-2")
+	})
+
+	t.Run("stops on first UpdateUserID error", func(t *testing.T) {
+		users := []*types.User{
+			{Id: "user-1", AccountID: "account-1"},
+			{Id: "user-2", AccountID: "account-1"},
+		}
+
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return users, nil
+			},
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
+				return fmt.Errorf("update failed")
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.Error(t, err)
+		assert.Len(t, ms.updateCalls, 1) // stopped after first error
+	})
+
+	t.Run("skips already migrated users", func(t *testing.T) {
+		alreadyMigratedID := dex.EncodeDexUserID("user-1", "test-connector")
+		users := []*types.User{
+			{Id: alreadyMigratedID, AccountID: "account-1"},
+		}
+
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return users, nil
+			},
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
+				return nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.NoError(t, err)
+		assert.Len(t, ms.updateCalls, 0)
+	})
+
+	t.Run("migrates only non-migrated users in mixed state", func(t *testing.T) {
+		alreadyMigratedID := dex.EncodeDexUserID("user-1", "test-connector")
+		users := []*types.User{
+			{Id: alreadyMigratedID, AccountID: "account-1"},
+			{Id: "user-2", AccountID: "account-1"},
+			{Id: "user-3", AccountID: "account-2"},
+		}
+
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return users, nil
+			},
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
+				return nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.NoError(t, err)
+		// Only user-2 and user-3 should be migrated
+		assert.Len(t, ms.updateCalls, 2)
+		assert.Equal(t, "user-2", ms.updateCalls[0].OldUserID)
+		assert.Equal(t, "user-3", ms.updateCalls[1].OldUserID)
+	})
+
+	t.Run("dry run does not call UpdateUserID", func(t *testing.T) {
+		t.Setenv(dryRunEnvKey, "true")
+
+		users := []*types.User{
+			{Id: "user-1", AccountID: "account-1"},
+			{Id: "user-2", AccountID: "account-1"},
+		}
+
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return users, nil
+			},
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
+				t.Fatal("UpdateUserID should not be called in dry-run mode")
+				return nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.NoError(t, err)
+		assert.Len(t, ms.updateCalls, 0)
+	})
+
+	t.Run("dry run skips already migrated users", func(t *testing.T) {
+		t.Setenv(dryRunEnvKey, "true")
+
+		alreadyMigratedID := dex.EncodeDexUserID("user-1", "test-connector")
+		users := []*types.User{
+			{Id: alreadyMigratedID, AccountID: "account-1"},
+			{Id: "user-2", AccountID: "account-1"},
+		}
+
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return users, nil
+			},
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
+				t.Fatal("UpdateUserID should not be called in dry-run mode")
+				return nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.NoError(t, err)
+	})
+
+	t.Run("dry run disabled by default", func(t *testing.T) {
+		user := &types.User{Id: "user-1", AccountID: "account-1"}
+
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{user}, nil
+			},
+			updateUserIDFunc: func(ctx context.Context, accountID, oldUserID, newUserID string) error {
+				return nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := MigrateUsersToStaticConnectors(srv, connector)
+		assert.NoError(t, err)
+		assert.Len(t, ms.updateCalls, 1) // proves it's not in dry-run
+	})
+}
+
+func TestPopulateUserInfo(t *testing.T) {
+	noopUpdateID := func(ctx context.Context, accountID, oldUserID, newUserID string) error { return nil }
+
+	t.Run("succeeds with no users", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc:    func(ctx context.Context) ([]*types.User, error) { return nil, nil },
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.NoError(t, err)
+		assert.Empty(t, ms.updateInfoCalls)
+	})
+
+	t.Run("returns error when ListUsers fails", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return nil, fmt.Errorf("db error")
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to list users")
+	})
+
+	t.Run("returns error when GetAllAccounts fails", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{{Id: "user-1", AccountID: "acc-1"}}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return nil, fmt.Errorf("idp error")
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to fetch accounts from IDP")
+	})
+
+	t.Run("updates user with missing email and name", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {
+						{ID: "user-1", Email: "user1@example.com", Name: "User One"},
+					},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.NoError(t, err)
+		require.Len(t, ms.updateInfoCalls, 1)
+		assert.Equal(t, "user-1", ms.updateInfoCalls[0].UserID)
+		assert.Equal(t, "user1@example.com", ms.updateInfoCalls[0].Email)
+		assert.Equal(t, "User One", ms.updateInfoCalls[0].Name)
+	})
+
+	t.Run("updates only missing email when name exists", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "user-1", AccountID: "acc-1", Email: "", Name: "Existing Name"},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {{ID: "user-1", Email: "user1@example.com", Name: "IDP Name"}},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.NoError(t, err)
+		require.Len(t, ms.updateInfoCalls, 1)
+		assert.Equal(t, "user1@example.com", ms.updateInfoCalls[0].Email)
+		assert.Equal(t, "Existing Name", ms.updateInfoCalls[0].Name)
+	})
+
+	t.Run("updates only missing name when email exists", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "user-1", AccountID: "acc-1", Email: "existing@example.com", Name: ""},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {{ID: "user-1", Email: "idp@example.com", Name: "IDP Name"}},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.NoError(t, err)
+		require.Len(t, ms.updateInfoCalls, 1)
+		assert.Equal(t, "existing@example.com", ms.updateInfoCalls[0].Email)
+		assert.Equal(t, "IDP Name", ms.updateInfoCalls[0].Name)
+	})
+
+	t.Run("skips users that already have both email and name", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "user-1", AccountID: "acc-1", Email: "user1@example.com", Name: "User One"},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {{ID: "user-1", Email: "different@example.com", Name: "Different Name"}},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.NoError(t, err)
+		assert.Empty(t, ms.updateInfoCalls)
+	})
+
+	t.Run("skips service users", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "svc-1", AccountID: "acc-1", Email: "", Name: "", IsServiceUser: true},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {{ID: "svc-1", Email: "svc@example.com", Name: "Service"}},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.NoError(t, err)
+		assert.Empty(t, ms.updateInfoCalls)
+	})
+
+	t.Run("skips users not found in IDP", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {{ID: "different-user", Email: "other@example.com", Name: "Other"}},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.NoError(t, err)
+		assert.Empty(t, ms.updateInfoCalls)
+	})
+
+	t.Run("looks up dex-encoded user IDs by original ID", func(t *testing.T) {
+		dexEncodedID := dex.EncodeDexUserID("original-idp-id", "my-connector")
+
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: dexEncodedID, AccountID: "acc-1", Email: "", Name: ""},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {{ID: "original-idp-id", Email: "user@example.com", Name: "User"}},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.NoError(t, err)
+		require.Len(t, ms.updateInfoCalls, 1)
+		assert.Equal(t, dexEncodedID, ms.updateInfoCalls[0].UserID)
+		assert.Equal(t, "user@example.com", ms.updateInfoCalls[0].Email)
+		assert.Equal(t, "User", ms.updateInfoCalls[0].Name)
+	})
+
+	t.Run("handles multiple users across multiple accounts", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
+					{Id: "user-2", AccountID: "acc-1", Email: "already@set.com", Name: "Already Set"},
+					{Id: "user-3", AccountID: "acc-2", Email: "", Name: ""},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {
+						{ID: "user-1", Email: "u1@example.com", Name: "User 1"},
+						{ID: "user-2", Email: "u2@example.com", Name: "User 2"},
+					},
+					"acc-2": {
+						{ID: "user-3", Email: "u3@example.com", Name: "User 3"},
+					},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.NoError(t, err)
+		require.Len(t, ms.updateInfoCalls, 2)
+		assert.Equal(t, "user-1", ms.updateInfoCalls[0].UserID)
+		assert.Equal(t, "u1@example.com", ms.updateInfoCalls[0].Email)
+		assert.Equal(t, "user-3", ms.updateInfoCalls[1].UserID)
+		assert.Equal(t, "u3@example.com", ms.updateInfoCalls[1].Email)
+	})
+
+	t.Run("returns error when UpdateUserInfo fails", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+			updateUserInfoFunc: func(ctx context.Context, userID, email, name string) error {
+				return fmt.Errorf("db write error")
+			},
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {{ID: "user-1", Email: "u1@example.com", Name: "User 1"}},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to update user info for user-1")
+	})
+
+	t.Run("stops on first UpdateUserInfo error", func(t *testing.T) {
+		callCount := 0
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
+					{Id: "user-2", AccountID: "acc-1", Email: "", Name: ""},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+			updateUserInfoFunc: func(ctx context.Context, userID, email, name string) error {
+				callCount++
+				return fmt.Errorf("db write error")
+			},
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {
+						{ID: "user-1", Email: "u1@example.com", Name: "U1"},
+						{ID: "user-2", Email: "u2@example.com", Name: "U2"},
+					},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.Error(t, err)
+		assert.Equal(t, 1, callCount)
+	})
+
+	t.Run("dry run does not call UpdateUserInfo", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
+					{Id: "user-2", AccountID: "acc-1", Email: "", Name: ""},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+			updateUserInfoFunc: func(ctx context.Context, userID, email, name string) error {
+				t.Fatal("UpdateUserInfo should not be called in dry-run mode")
+				return nil
+			},
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {
+						{ID: "user-1", Email: "u1@example.com", Name: "U1"},
+						{ID: "user-2", Email: "u2@example.com", Name: "U2"},
+					},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, true)
+		assert.NoError(t, err)
+		assert.Empty(t, ms.updateInfoCalls)
+	})
+
+	t.Run("skips user when IDP has empty email and name too", func(t *testing.T) {
+		ms := &testStore{
+			listUsersFunc: func(ctx context.Context) ([]*types.User, error) {
+				return []*types.User{
+					{Id: "user-1", AccountID: "acc-1", Email: "", Name: ""},
+				}, nil
+			},
+			updateUserIDFunc: noopUpdateID,
+		}
+		mockIDP := &idp.MockIDP{
+			GetAllAccountsFunc: func(ctx context.Context) (map[string][]*idp.UserData, error) {
+				return map[string][]*idp.UserData{
+					"acc-1": {{ID: "user-1", Email: "", Name: ""}},
+				}, nil
+			},
+		}
+
+		srv := &testServer{store: ms}
+		err := PopulateUserInfo(srv, mockIDP, false)
+		assert.NoError(t, err)
+		assert.Empty(t, ms.updateInfoCalls)
+	})
+}
+
+func TestSchemaError_String(t *testing.T) {
+	t.Run("missing table", func(t *testing.T) {
+		e := SchemaError{Table: "jobs"}
+		assert.Equal(t, `table "jobs" is missing`, e.String())
+	})
+
+	t.Run("missing column", func(t *testing.T) {
+		e := SchemaError{Table: "users", Column: "email"}
+		assert.Equal(t, `column "email" on table "users" is missing`, e.String())
+	})
+}
+
+func TestRequiredSchema(t *testing.T) {
+	// Verify RequiredSchema covers all the tables touched by UpdateUserID and UpdateUserInfo.
+	expectedTables := []string{
+		"users",
+		"personal_access_tokens",
+		"peers",
+		"accounts",
+		"user_invites",
+		"proxy_access_tokens",
+		"jobs",
+	}
+
+	schemaTableNames := make([]string, len(RequiredSchema))
+	for i, s := range RequiredSchema {
+		schemaTableNames[i] = s.Table
+	}
+
+	for _, expected := range expectedTables {
+		assert.Contains(t, schemaTableNames, expected, "RequiredSchema should include table %q", expected)
+	}
+}
+
+func TestCheckSchema_MockStore(t *testing.T) {
+	t.Run("returns nil when all schema exists", func(t *testing.T) {
+		ms := &testStore{
+			checkSchemaFunc: func(checks []SchemaCheck) []SchemaError {
+				return nil
+			},
+		}
+		errs := ms.CheckSchema(RequiredSchema)
+		assert.Empty(t, errs)
+	})
+
+	t.Run("returns errors for missing tables", func(t *testing.T) {
+		ms := &testStore{
+			checkSchemaFunc: func(checks []SchemaCheck) []SchemaError {
+				return []SchemaError{
+					{Table: "jobs"},
+					{Table: "proxy_access_tokens"},
+				}
+			},
+		}
+		errs := ms.CheckSchema(RequiredSchema)
+		require.Len(t, errs, 2)
+		assert.Equal(t, "jobs", errs[0].Table)
+		assert.Equal(t, "", errs[0].Column)
+		assert.Equal(t, "proxy_access_tokens", errs[1].Table)
+	})
+
+	t.Run("returns errors for missing columns", func(t *testing.T) {
+		ms := &testStore{
+			checkSchemaFunc: func(checks []SchemaCheck) []SchemaError {
+				return []SchemaError{
+					{Table: "users", Column: "email"},
+					{Table: "users", Column: "name"},
+				}
+			},
+		}
+		errs := ms.CheckSchema(RequiredSchema)
+		require.Len(t, errs, 2)
+		assert.Equal(t, "users", errs[0].Table)
+		assert.Equal(t, "email", errs[0].Column)
+	})
+}

management/server/idp/migration/store.go

@@ -0,0 +1,82 @@
+package migration
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/netbirdio/netbird/management/server/types"
+)
+
+// SchemaCheck represents a table and the columns required on it.
+type SchemaCheck struct {
+	Table   string
+	Columns []string
+}
+
+// RequiredSchema lists all tables and columns that the migration tool needs.
+// If any are missing, the user must upgrade their management server first so
+// that the automatic GORM migrations create them.
+var RequiredSchema = []SchemaCheck{
+	{Table: "users", Columns: []string{"id", "email", "name", "account_id"}},
+	{Table: "personal_access_tokens", Columns: []string{"user_id", "created_by"}},
+	{Table: "peers", Columns: []string{"user_id"}},
+	{Table: "accounts", Columns: []string{"created_by"}},
+	{Table: "user_invites", Columns: []string{"created_by"}},
+	{Table: "proxy_access_tokens", Columns: []string{"created_by"}},
+	{Table: "jobs", Columns: []string{"triggered_by"}},
+}
+
+// SchemaError describes a single missing table or column.
+type SchemaError struct {
+	Table  string
+	Column string // empty when the whole table is missing
+}
+
+func (e SchemaError) String() string {
+	if e.Column == "" {
+		return fmt.Sprintf("table %q is missing", e.Table)
+	}
+	return fmt.Sprintf("column %q on table %q is missing", e.Column, e.Table)
+}
+
+// Store defines the data store operations required for IdP user migration.
+// This interface is separate from the main store.Store interface because these methods
+// are only used during one-time migration and should be removed once migration tooling
+// is no longer needed.
+//
+// The SQL store implementations (SqlStore) already have these methods on their concrete
+// types, so they satisfy this interface via Go's structural typing with zero code changes.
+type Store interface {
+	// ListUsers returns all users across all accounts.
+	ListUsers(ctx context.Context) ([]*types.User, error)
+
+	// UpdateUserID atomically updates a user's ID and all foreign key references
+	// across the database (peers, groups, policies, PATs, etc.).
+	UpdateUserID(ctx context.Context, accountID, oldUserID, newUserID string) error
+
+	// UpdateUserInfo updates a user's email and name in the store.
+	UpdateUserInfo(ctx context.Context, userID, email, name string) error
+
+	// CheckSchema verifies that all tables and columns required by the migration
+	// exist in the database. Returns a list of problems; an empty slice means OK.
+	CheckSchema(checks []SchemaCheck) []SchemaError
+}
+
+// RequiredEventSchema lists all tables and columns that the migration tool needs
+// in the activity/event store.
+var RequiredEventSchema = []SchemaCheck{
+	{Table: "events", Columns: []string{"initiator_id", "target_id"}},
+	{Table: "deleted_users", Columns: []string{"id"}},
+}
+
+// EventStore defines the activity event store operations required for migration.
+// Like Store, this is a temporary interface for migration tooling only.
+type EventStore interface {
+	// CheckSchema verifies that all tables and columns required by the migration
+	// exist in the event database. Returns a list of problems; an empty slice means OK.
+	CheckSchema(checks []SchemaCheck) []SchemaError
+
+	// UpdateUserID updates all event references (initiator_id, target_id) and
+	// deleted_users records to use the new user ID format.
+	UpdateUserID(ctx context.Context, oldUserID, newUserID string) error
+}

management/server/store/sql_store_idp_migration.go

@@ -0,0 +1,177 @@
+package store
+
+// This file contains migration-only methods on SqlStore.
+// They satisfy the migration.Store interface via duck typing.
+// Delete this file when migration tooling is no longer needed.
+
+import (
+	"context"
+	"fmt"
+
+	log "github.com/sirupsen/logrus"
+	"gorm.io/gorm"
+
+	"github.com/netbirdio/netbird/management/server/idp/migration"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/status"
+)
+
+func (s *SqlStore) CheckSchema(checks []migration.SchemaCheck) []migration.SchemaError {
+	migrator := s.db.Migrator()
+	var errs []migration.SchemaError
+
+	for _, check := range checks {
+		if !migrator.HasTable(check.Table) {
+			errs = append(errs, migration.SchemaError{Table: check.Table})
+			continue
+		}
+		for _, col := range check.Columns {
+			if !migrator.HasColumn(check.Table, col) {
+				errs = append(errs, migration.SchemaError{Table: check.Table, Column: col})
+			}
+		}
+	}
+
+	return errs
+}
+
+func (s *SqlStore) ListUsers(ctx context.Context) ([]*types.User, error) {
+	tx := s.db
+	var users []*types.User
+	result := tx.Find(&users)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("error when listing users from the store: %s", result.Error)
+		return nil, status.Errorf(status.Internal, "issue listing users from store")
+	}
+
+	for _, user := range users {
+		if err := user.DecryptSensitiveData(s.fieldEncrypt); err != nil {
+			return nil, fmt.Errorf("decrypt user: %w", err)
+		}
+	}
+
+	return users, nil
+}
+
+// txDeferFKConstraints defers foreign key constraint checks for the duration of the transaction.
+// MySQL is already handled by s.transaction (SET FOREIGN_KEY_CHECKS = 0).
+func (s *SqlStore) txDeferFKConstraints(tx *gorm.DB) error {
+	if s.storeEngine == types.SqliteStoreEngine {
+		return tx.Exec("PRAGMA defer_foreign_keys = ON").Error
+	}
+
+	if s.storeEngine != types.PostgresStoreEngine {
+		return nil
+	}
+
+	// GORM creates FK constraints as NOT DEFERRABLE by default, so
+	// SET CONSTRAINTS ALL DEFERRED is a no-op unless we ALTER them first.
+	err := tx.Exec(`
+			DO $$ DECLARE r RECORD;
+			BEGIN
+				FOR r IN SELECT conname, conrelid::regclass AS tbl
+				         FROM pg_constraint WHERE contype = 'f' AND NOT condeferrable
+				LOOP
+					EXECUTE format('ALTER TABLE %s ALTER CONSTRAINT %I DEFERRABLE INITIALLY IMMEDIATE', r.tbl, r.conname);
+				END LOOP;
+			END $$
+		`).Error
+	if err != nil {
+		return fmt.Errorf("make FK constraints deferrable: %w", err)
+	}
+	return tx.Exec("SET CONSTRAINTS ALL DEFERRED").Error
+}
+
+// txRestoreFKConstraints reverts FK constraints back to NOT DEFERRABLE after the
+// deferred updates are done but before the transaction commits.
+func (s *SqlStore) txRestoreFKConstraints(tx *gorm.DB) error {
+	if s.storeEngine != types.PostgresStoreEngine {
+		return nil
+	}
+
+	return tx.Exec(`
+		DO $$ DECLARE r RECORD;
+		BEGIN
+			FOR r IN SELECT conname, conrelid::regclass AS tbl
+			         FROM pg_constraint WHERE contype = 'f' AND condeferrable
+			LOOP
+				EXECUTE format('ALTER TABLE %s ALTER CONSTRAINT %I NOT DEFERRABLE', r.tbl, r.conname);
+			END LOOP;
+		END $$
+	`).Error
+}
+
+func (s *SqlStore) UpdateUserInfo(ctx context.Context, userID, email, name string) error {
+	user := &types.User{Email: email, Name: name}
+	if err := user.EncryptSensitiveData(s.fieldEncrypt); err != nil {
+		return fmt.Errorf("encrypt user info: %w", err)
+	}
+
+	result := s.db.Model(&types.User{}).Where("id = ?", userID).Updates(map[string]any{
+		"email": user.Email,
+		"name":  user.Name,
+	})
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("error updating user info for %s: %s", userID, result.Error)
+		return status.Errorf(status.Internal, "failed to update user info")
+	}
+
+	return nil
+}
+
+func (s *SqlStore) UpdateUserID(ctx context.Context, accountID, oldUserID, newUserID string) error {
+	type fkUpdate struct {
+		model  any
+		column string
+		where  string
+	}
+
+	updates := []fkUpdate{
+		{&types.PersonalAccessToken{}, "user_id", "user_id = ?"},
+		{&types.PersonalAccessToken{}, "created_by", "created_by = ?"},
+		{&nbpeer.Peer{}, "user_id", "user_id = ?"},
+		{&types.UserInviteRecord{}, "created_by", "created_by = ?"},
+		{&types.Account{}, "created_by", "created_by = ?"},
+		{&types.ProxyAccessToken{}, "created_by", "created_by = ?"},
+		{&types.Job{}, "triggered_by", "triggered_by = ?"},
+	}
+
+	log.Info("Updating user ID in the store")
+	err := s.transaction(func(tx *gorm.DB) error {
+		if err := s.txDeferFKConstraints(tx); err != nil {
+			return err
+		}
+
+		for _, u := range updates {
+			if err := tx.Model(u.model).Where(u.where, oldUserID).Update(u.column, newUserID).Error; err != nil {
+				return fmt.Errorf("update %s: %w", u.column, err)
+			}
+		}
+
+		if err := tx.Model(&types.User{}).Where(accountAndIDQueryCondition, accountID, oldUserID).Update("id", newUserID).Error; err != nil {
+			return fmt.Errorf("update users: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to update user ID in the store: %s", err)
+		return status.Errorf(status.Internal, "failed to update user ID in store")
+	}
+
+	log.Info("Restoring FK constraints")
+	err = s.transaction(func(tx *gorm.DB) error {
+		if err := s.txRestoreFKConstraints(tx); err != nil {
+			return fmt.Errorf("restore FK constraints: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to restore FK constraints after user ID update: %s", err)
+		return status.Errorf(status.Internal, "failed to restore FK constraints after user ID update")
+	}
+
+	return nil
+}

shared/auth/jwt/validator.go

@@ -25,7 +25,7 @@ import (
 // Jwks is a collection of JSONWebKey obtained from Config.HttpServerConfig.AuthKeysLocation
 type Jwks struct {
 	Keys          []JSONWebKey `json:"keys"`
-	expiresInTime time.Time
+	ExpiresInTime time.Time    `json:"-"`
 }
 
 // The supported elliptic curves types
@@ -53,12 +53,17 @@ type JSONWebKey struct {
 	X5c []string `json:"x5c"`
 }
 
+// KeyFetcher is a function that retrieves JWKS keys directly (e.g., from Dex storage)
+// bypassing HTTP. When set on a Validator, it is used instead of the HTTP-based getPemKeys.
+type KeyFetcher func(ctx context.Context) (*Jwks, error)
+
 type Validator struct {
 	lock                     sync.Mutex
 	issuer                   string
 	audienceList             []string
 	keysLocation             string
 	idpSignkeyRefreshEnabled bool
+	keyFetcher               KeyFetcher
 	keys                     *Jwks
 	lastForcedRefresh        time.Time
 }
@@ -85,10 +90,39 @@ func NewValidator(issuer string, audienceList []string, keysLocation string, idp
 	}
 }
 
+// NewValidatorWithKeyFetcher creates a Validator that fetches keys directly using the
+// provided KeyFetcher (e.g., from Dex storage) instead of via HTTP.
+func NewValidatorWithKeyFetcher(issuer string, audienceList []string, keyFetcher KeyFetcher) *Validator {
+	ctx := context.Background()
+	keys, err := keyFetcher(ctx)
+	if err != nil {
+		log.Warnf("could not get keys from key fetcher: %s, it will try again on the next http request", err)
+	}
+	if keys == nil {
+		keys = &Jwks{}
+	}
+
+	return &Validator{
+		keys:                     keys,
+		issuer:                   issuer,
+		audienceList:             audienceList,
+		idpSignkeyRefreshEnabled: true,
+		keyFetcher:               keyFetcher,
+	}
+}
+
 // forcedRefreshCooldown is the minimum time between forced key refreshes
 // to prevent abuse from invalid tokens with fake kid values
 const forcedRefreshCooldown = 30 * time.Second
 
+// fetchKeys retrieves keys using the keyFetcher if available, otherwise falls back to HTTP.
+func (v *Validator) fetchKeys(ctx context.Context) (*Jwks, error) {
+	if v.keyFetcher != nil {
+		return v.keyFetcher(ctx)
+	}
+	return getPemKeys(v.keysLocation)
+}
+
 func (v *Validator) getKeyFunc(ctx context.Context) jwt.Keyfunc {
 	return func(token *jwt.Token) (interface{}, error) {
 		// If keys are rotated, verify the keys prior to token validation
@@ -131,13 +165,13 @@ func (v *Validator) refreshKeys(ctx context.Context) {
 	v.lock.Lock()
 	defer v.lock.Unlock()
 
-	refreshedKeys, err := getPemKeys(v.keysLocation)
+	refreshedKeys, err := v.fetchKeys(ctx)
 	if err != nil {
 		log.WithContext(ctx).Debugf("cannot get JSONWebKey: %v, falling back to old keys", err)
 		return
 	}
 
-	log.WithContext(ctx).Debugf("keys refreshed, new UTC expiration time: %s", refreshedKeys.expiresInTime.UTC())
+	log.WithContext(ctx).Debugf("keys refreshed, new UTC expiration time: %s", refreshedKeys.ExpiresInTime.UTC())
 	v.keys = refreshedKeys
 }
 
@@ -155,13 +189,13 @@ func (v *Validator) forceRefreshKeys(ctx context.Context) bool {
 
 	log.WithContext(ctx).Debugf("key not found in cache, forcing JWKS refresh")
 
-	refreshedKeys, err := getPemKeys(v.keysLocation)
+	refreshedKeys, err := v.fetchKeys(ctx)
 	if err != nil {
 		log.WithContext(ctx).Debugf("cannot get JSONWebKey: %v, falling back to old keys", err)
 		return false
 	}
 
-	log.WithContext(ctx).Debugf("keys refreshed, new UTC expiration time: %s", refreshedKeys.expiresInTime.UTC())
+	log.WithContext(ctx).Debugf("keys refreshed, new UTC expiration time: %s", refreshedKeys.ExpiresInTime.UTC())
 	v.keys = refreshedKeys
 	v.lastForcedRefresh = time.Now()
 	return true
@@ -203,7 +237,7 @@ func (v *Validator) ValidateAndParse(ctx context.Context, token string) (*jwt.To
 
 // stillValid returns true if the JSONWebKey still valid and have enough time to be used
 func (jwks *Jwks) stillValid() bool {
-	return !jwks.expiresInTime.IsZero() && time.Now().Add(5*time.Second).Before(jwks.expiresInTime)
+	return !jwks.ExpiresInTime.IsZero() && time.Now().Add(5*time.Second).Before(jwks.ExpiresInTime)
 }
 
 func getPemKeys(keysLocation string) (*Jwks, error) {
@@ -227,7 +261,7 @@ func getPemKeys(keysLocation string) (*Jwks, error) {
 
 	cacheControlHeader := resp.Header.Get("Cache-Control")
 	expiresIn := getMaxAgeFromCacheHeader(cacheControlHeader)
-	jwks.expiresInTime = time.Now().Add(time.Duration(expiresIn) * time.Second)
+	jwks.ExpiresInTime = time.Now().Add(time.Duration(expiresIn) * time.Second)
 
 	return jwks, nil
 }

tools/idp-migrate/DEVELOPMENT.md

@@ -0,0 +1,209 @@
+# IdP Migration Tool — Developer Guide
+
+## Overview
+
+This tool migrates NetBird deployments from an external IdP (Auth0, Zitadel, Okta, etc.) to the embedded Dex IdP introduced in v0.62.0. It does two things:
+
+1. **DB migration** — Re-encodes every user ID from `{original_id}` to Dex's protobuf-encoded format `base64(proto{original_id, connector_id})`.
+2. **Config generation** — Transforms `management.json`: removes `IdpManagerConfig`, `PKCEAuthorizationFlow`, and `DeviceAuthorizationFlow`; strips `HttpConfig` to only `CertFile`/`CertKey`; adds `EmbeddedIdP` with the static connector configuration.
+
+## Code Layout
+
+```
+tools/idp-migrate/
+├── config.go            # migrationConfig struct, CLI flags, env vars, validation
+├── main.go              # CLI entry point, migration phases, config generation
+├── main_test.go         # 8 test functions (18 subtests) covering config, connector, URL builder, config generation
+└── DEVELOPMENT.md       # this file
+
+management/server/idp/migration/
+├── migration.go         # Server interface, MigrateUsersToStaticConnectors(), PopulateUserInfo(), migrateUser(), reconcileActivityStore()
+├── migration_test.go    # 6 top-level tests (with subtests) using hand-written mocks
+└── store.go             # Store, EventStore interfaces, SchemaCheck, RequiredSchema, SchemaError types
+
+management/server/store/
+└── sql_store_idp_migration.go   # CheckSchema(), ListUsers(), UpdateUserInfo(), UpdateUserID(), txDeferFKConstraints() on SqlStore
+
+management/server/activity/store/
+├── sql_store_idp_migration.go      # UpdateUserID() on activity Store
+└── sql_store_idp_migration_test.go # 5 subtests for activity UpdateUserID
+
+```
+
+## Release / Distribution
+
+The tool is included in `.goreleaser.yaml` as the `netbird-idp-migrate` build target. Each NetBird release produces pre-built archives for Linux (amd64, arm64, arm) that are uploaded to GitHub Releases. The archive naming convention is:
+
+```
+netbird-idp-migrate_<version>_linux_<arch>.tar.gz
+```
+
+The build requires `CGO_ENABLED=1` because it links the SQLite driver used by `SqlStore`. The cross-compilation setup (CC env for arm64/arm) mirrors the `netbird-mgmt` build.
+
+## CLI Flags
+
+| Flag | Type | Default | Description |
+|------|------|---------|-------------|
+| `--config` | string | *(required)* | Path to management.json |
+| `--datadir` | string | *(required)* | Data directory (containing store.db / events.db) |
+| `--idp-seed-info` | string | *(required)* | Base64-encoded connector JSON |
+| `--domain` | string | `""` | Sets both dashboard and API domain (convenience shorthand) |
+| `--dashboard-domain` | string | *(required)* | Dashboard domain (for redirect URIs) |
+| `--api-domain` | string | *(required)* | API domain (for Dex issuer and callback URLs) |
+| `--dry-run` | bool | `false` | Preview changes without writing |
+| `--force` | bool | `false` | Skip interactive confirmation prompt |
+| `--skip-config` | bool | `false` | Skip config generation (DB-only migration) |
+| `--skip-populate-user-info` | bool | `false` | Skip populating user info (user ID migration only) |
+| `--log-level` | string | `"info"` | Log level (debug, info, warn, error) |
+
+## Environment Variables
+
+All flags can be overridden via environment variables. Env vars take precedence over flags.
+
+| Env Var | Overrides |
+|---------|-----------|
+| `NETBIRD_DOMAIN` | Sets both `--dashboard-domain` and `--api-domain` |
+| `NETBIRD_API_URL` | `--api-domain` |
+| `NETBIRD_DASHBOARD_URL` | `--dashboard-domain` |
+| `NETBIRD_CONFIG_PATH` | `--config` |
+| `NETBIRD_DATA_DIR` | `--datadir` |
+| `NETBIRD_IDP_SEED_INFO` | `--idp-seed-info` |
+| `NETBIRD_DRY_RUN` | `--dry-run` (set to `"true"`) |
+| `NETBIRD_FORCE` | `--force` (set to `"true"`) |
+| `NETBIRD_SKIP_CONFIG` | `--skip-config` (set to `"true"`) |
+| `NETBIRD_SKIP_POPULATE_USER_INFO` | `--skip-populate-user-info` (set to `"true"`) |
+| `NETBIRD_LOG_LEVEL` | `--log-level` |
+
+Resolution order: CLI flags are parsed first, then `--domain` sets both URLs, then `NETBIRD_DOMAIN` overrides both, then `NETBIRD_API_URL` / `NETBIRD_DASHBOARD_URL` override individually. After all resolution, `validateConfig()` ensures all required fields are set.
+
+## Migration Flow
+
+### Phase 0: Schema Validation
+
+`validateSchema()` opens the store and calls `CheckSchema(RequiredSchema)` to verify that all tables and columns required by the migration exist in the database. If anything is missing, the tool exits with a descriptive error instructing the operator to start the management server (v0.66.4+) at least once so that automatic GORM migrations create the required schema.
+
+### Phase 1: Populate User Info
+
+Unless `--skip-populate-user-info` is set, `populateUserInfoFromIDP()` runs before connector resolution:
+
+1. Creates an IDP manager from the existing `IdpManagerConfig` in management.json.
+2. Calls `idpManager.GetAllAccounts()` to fetch email and name for all users from the external IDP.
+3. Calls `migration.PopulateUserInfo()` which iterates over all store users, skipping service users and users that already have both email and name populated. For Dex-encoded user IDs, it decodes back to the original IDP ID for lookup.
+4. Updates the store with any missing email/name values.
+
+This ensures user contact info is preserved before the ID migration makes the original IDP IDs inaccessible.
+
+### Phase 2: Connector Decoding
+
+`decodeConnectorConfig()` base64-decodes and JSON-unmarshals the connector JSON provided via `--idp-seed-info` (or `NETBIRD_IDP_SEED_INFO`). It validates that the connector ID is non-empty. There is no auto-detection or fallback — the operator must provide the full connector configuration.
+
+### Phase 3: DB Migration
+
+`migrateDB()` orchestrates the database migration:
+
+1. `openStores()` opens the main store (`SqlStore`) and activity store (non-fatal if missing).
+2. Type-asserts both to `migration.Store` / `migration.EventStore`.
+3. `previewUsers()` scans all users — counts pending vs already-migrated (using `DecodeDexUserID`).
+4. `confirmPrompt()` asks for interactive confirmation (unless `--force` or `--dry-run`).
+5. Calls `migration.MigrateUsersToStaticConnectors(srv, conn)`:
+   - **Reconciliation pass**: fixes activity store references for users already migrated in the main DB but whose events still reference old IDs (from a previous partial failure).
+   - **Main loop**: for each non-migrated user, calls `migrateUser()` which atomically updates the user ID in both the main store and activity store.
+   - **Dry-run**: logs what would happen, skips all writes.
+
+`SqlStore.UpdateUserID()` atomically updates the user's primary key and all foreign key references (peers, PATs, groups, policies, jobs, etc.) in a single transaction.
+
+### Phase 4: Config Generation
+
+Unless `--skip-config` is set, `generateConfig()` runs:
+
+1. **Read** — loads existing `management.json` as raw JSON to preserve unknown fields.
+
+2. **Strip** — removes keys that are no longer needed:
+   - `IdpManagerConfig`
+   - `PKCEAuthorizationFlow`
+   - `DeviceAuthorizationFlow`
+   - All `HttpConfig` fields except `CertFile` and `CertKey`
+
+3. **Add EmbeddedIdP** — inserts a minimal section with:
+   - `Enabled: true`
+   - `Issuer` built from `--api-domain` + `/oauth2`
+   - `DashboardRedirectURIs` built from `--dashboard-domain` + `/nb-auth` and `/nb-silent-auth`
+   - `StaticConnectors` containing the decoded connector, with `redirectURI` overridden to `--api-domain` + `/oauth2/callback`
+
+4. **Write** — backs up original as `management.json.bak`, writes new config. In dry-run mode, prints to stdout instead.
+
+## Interface Decoupling
+
+Migration methods (`ListUsers`, `UpdateUserID`) are **not** on the core `store.Store` or `activity.Store` interfaces. Instead, they're defined in `migration/store.go`:
+
+```go
+type Store interface {
+    ListUsers(ctx context.Context) ([]*types.User, error)
+    UpdateUserID(ctx context.Context, accountID, oldUserID, newUserID string) error
+    UpdateUserInfo(ctx context.Context, userID, email, name string) error
+    CheckSchema(checks []SchemaCheck) []SchemaError
+}
+
+type EventStore interface {
+    UpdateUserID(ctx context.Context, oldUserID, newUserID string) error
+}
+```
+
+A `Server` interface wraps both stores for dependency injection:
+
+```go
+type Server interface {
+    Store() Store
+    EventStore() EventStore // may return nil
+}
+```
+
+The concrete `SqlStore` types already have these methods (in their respective `sql_store_idp_migration.go` files), so they satisfy the interfaces via Go's structural typing — zero changes needed on the core store interfaces. At runtime, the standalone tool type-asserts:
+
+```go
+migStore, ok := mainStore.(migration.Store)
+```
+
+This keeps migration concerns completely separate from the core store contract.
+
+## Dex User ID Encoding
+
+`EncodeDexUserID(userID, connectorID)` produces a manually-encoded protobuf with two string fields, then base64-encodes the result (raw, no padding). `DecodeDexUserID` reverses this. The migration loop uses `DecodeDexUserID` to detect already-migrated users (decode succeeds → skip).
+
+See `idp/dex/provider.go` for the implementation.
+
+## Standalone Tool
+
+The standalone tool (`tools/idp-migrate/main.go`) is the primary migration entry point. It opens stores directly, runs schema validation, populates user info from the external IDP, migrates user IDs, and generates the new config — then exits. Configuration is handled entirely through `config.go` which parses CLI flags and environment variables.
+
+## Running Tests
+
+```bash
+# Migration library
+go test -v ./management/server/idp/migration/...
+
+# Standalone tool
+go test -v ./tools/idp-migrate/...
+
+# Activity store migration tests
+go test -v -run TestUpdateUserID ./management/server/activity/store/...
+
+# Build locally
+go build ./tools/idp-migrate/
+```
+
+## Clean Removal
+
+When migration tooling is no longer needed, delete:
+
+1. `tools/idp-migrate/` — entire directory
+2. `management/server/idp/migration/` — entire directory
+3. `management/server/store/sql_store_idp_migration.go` — migration methods on main SqlStore
+4. `management/server/activity/store/sql_store_idp_migration.go` — migration method on activity Store
+5. `management/server/activity/store/sql_store_idp_migration_test.go` — tests for the above
+6. In `.goreleaser.yaml`:
+   - Remove the `netbird-idp-migrate` build entry
+   - Remove the `netbird-idp-migrate` archive entry
+7. Run `go mod tidy`
+
+No core interfaces or mocks need editing — that's the point of the decoupling.

tools/idp-migrate/LICENSE

@@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

tools/idp-migrate/config.go

@@ -0,0 +1,174 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"strconv"
+
+	"github.com/netbirdio/netbird/util"
+)
+
+type migrationConfig struct {
+	// Data
+	dashboardURL string
+	apiURL       string
+	configPath   string
+	dataDir      string
+	idpSeedInfo  string
+
+	// Options
+	dryRun               bool
+	force                bool
+	skipConfig           bool
+	skipPopulateUserInfo bool
+
+	// Logging
+	logLevel string
+}
+
+func config() (*migrationConfig, error) {
+	cfg, err := configFromArgs(os.Args[1:])
+	if err != nil {
+		return nil, err
+	}
+
+	if err := util.InitLog(cfg.logLevel, util.LogConsole); err != nil {
+		return nil, fmt.Errorf("init logger: %w", err)
+	}
+
+	return cfg, nil
+}
+
+func configFromArgs(args []string) (*migrationConfig, error) {
+	var cfg migrationConfig
+	var domain string
+
+	fs := flag.NewFlagSet("netbird-idp-migrate", flag.ContinueOnError)
+	fs.StringVar(&domain, "domain", "", "domain for both dashboard and API")
+	fs.StringVar(&cfg.dashboardURL, "dashboard-url", "", "dashboard URL")
+	fs.StringVar(&cfg.apiURL, "api-url", "", "API URL")
+	fs.StringVar(&cfg.configPath, "config", "", "path to management.json (required)")
+	fs.StringVar(&cfg.dataDir, "datadir", "", "override data directory from config")
+	fs.StringVar(&cfg.idpSeedInfo, "idp-seed-info", "", "base64-encoded connector JSON (overrides auto-detection)")
+	fs.BoolVar(&cfg.dryRun, "dry-run", false, "preview changes without writing")
+	fs.BoolVar(&cfg.force, "force", false, "skip confirmation prompt")
+	fs.BoolVar(&cfg.skipConfig, "skip-config", false, "skip config generation (DB migration only)")
+	fs.BoolVar(&cfg.skipPopulateUserInfo, "skip-populate-user-info", false, "skip populating user info (user id migration only)")
+	fs.StringVar(&cfg.logLevel, "log-level", "info", "log level (debug, info, warn, error)")
+
+	if err := fs.Parse(args); err != nil {
+		return nil, err
+	}
+
+	applyOverrides(&cfg, domain)
+
+	if err := validateConfig(&cfg); err != nil {
+		return nil, err
+	}
+
+	return &cfg, nil
+}
+
+// applyOverrides resolves domain configuration from broad to narrow sources.
+// The most granular value always wins:
+//
+//	--domain flag (broadest, only fills blanks)
+//	NETBIRD_DOMAIN env (overrides flags, sets both)
+//	--api-domain / --dashboard-domain flags (more specific than --domain)
+//	NETBIRD_API_URL / NETBIRD_DASHBOARD_URL env (most specific, always wins)
+//
+// Other env vars unconditionally override their corresponding flags.
+func applyOverrides(cfg *migrationConfig, domain string) {
+	// --domain is a convenience shorthand: only fills in values not already
+	// set by the more specific --api-domain / --dashboard-domain flags.
+	if domain != "" {
+		if cfg.apiURL == "" {
+			cfg.apiURL = domain
+		}
+		if cfg.dashboardURL == "" {
+			cfg.dashboardURL = domain
+		}
+	}
+
+	// Env vars override flags. Broad env var first, then narrow ones on top,
+	// so the most granular value always wins.
+	if val, ok := os.LookupEnv("NETBIRD_DOMAIN"); ok {
+		cfg.dashboardURL = val
+		cfg.apiURL = val
+	}
+
+	if val, ok := os.LookupEnv("NETBIRD_API_URL"); ok {
+		cfg.apiURL = val
+	}
+
+	if val, ok := os.LookupEnv("NETBIRD_DASHBOARD_URL"); ok {
+		cfg.dashboardURL = val
+	}
+
+	if val, ok := os.LookupEnv("NETBIRD_CONFIG_PATH"); ok {
+		cfg.configPath = val
+	}
+
+	if val, ok := os.LookupEnv("NETBIRD_DATA_DIR"); ok {
+		cfg.dataDir = val
+	}
+
+	if val, ok := os.LookupEnv("NETBIRD_IDP_SEED_INFO"); ok {
+		cfg.idpSeedInfo = val
+	}
+
+	// Enforce dry run if any value is provided
+	if sval, ok := os.LookupEnv("NETBIRD_DRY_RUN"); ok {
+		if val, err := strconv.ParseBool(sval); err == nil {
+			cfg.dryRun = val
+		}
+	}
+
+	cfg.dryRun = parseBool("NETBIRD_DRY_RUN", cfg.dryRun)
+	cfg.force = parseBool("NETBIRD_FORCE", cfg.force)
+	cfg.skipConfig = parseBool("NETBIRD_SKIP_CONFIG", cfg.skipConfig)
+	cfg.skipPopulateUserInfo = parseBool("NETBIRD_SKIP_POPULATE_USER_INFO", cfg.skipPopulateUserInfo)
+
+	if val, ok := os.LookupEnv("NETBIRD_LOG_LEVEL"); ok {
+		cfg.logLevel = val
+	}
+}
+
+func parseBool(varName string, defaultVal bool) bool {
+	stringValue, ok := os.LookupEnv(varName)
+	if !ok {
+		return defaultVal
+	}
+
+	boolValue, err := strconv.ParseBool(stringValue)
+	if err != nil {
+		return defaultVal
+	}
+
+	return boolValue
+}
+
+func validateConfig(cfg *migrationConfig) error {
+	if cfg.configPath == "" {
+		return fmt.Errorf("--config is required")
+	}
+
+	if cfg.dataDir == "" {
+		return fmt.Errorf("--datadir is required")
+	}
+
+	if cfg.idpSeedInfo == "" {
+		return fmt.Errorf("--idp-seed-info is required")
+	}
+
+	if cfg.apiURL == "" {
+		return fmt.Errorf("--api-domain is required")
+	}
+
+	if cfg.dashboardURL == "" {
+		return fmt.Errorf("--dashboard-domain is required")
+	}
+
+	return nil
+}

tools/idp-migrate/main.go

@@ -0,0 +1,449 @@
+// Package main provides a standalone CLI tool to migrate user IDs from an
+// external IdP format to the embedded Dex IdP format used by NetBird >= v0.62.0.
+//
+// This tool reads management.json to auto-detect the current external IdP
+// configuration (issuer, clientID, clientSecret, type) and re-encodes all user
+// IDs in the database to the Dex protobuf-encoded format. It works independently
+// of migrate.sh and the combined server, allowing operators to migrate their
+// database before switching to the combined server.
+//
+// Usage:
+//
+//	netbird-idp-migrate --config /etc/netbird/management.json [--dry-run] [--force]
+package main
+
+import (
+	"bufio"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"maps"
+	"net/url"
+	"os"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/idp/dex"
+	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
+	activitystore "github.com/netbirdio/netbird/management/server/activity/store"
+	"github.com/netbirdio/netbird/management/server/idp"
+	"github.com/netbirdio/netbird/management/server/idp/migration"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/util/crypt"
+)
+
+// migrationServer implements migration.Server by wrapping the migration-specific interfaces.
+type migrationServer struct {
+	store      migration.Store
+	eventStore migration.EventStore
+}
+
+func (s *migrationServer) Store() migration.Store           { return s.store }
+func (s *migrationServer) EventStore() migration.EventStore { return s.eventStore }
+
+func main() {
+	cfg, err := config()
+	if err != nil {
+		log.Fatalf("config error: %v", err)
+	}
+
+	if err := run(cfg); err != nil {
+		log.Fatalf("migration failed: %v", err)
+	}
+
+	if !cfg.dryRun {
+		printPostMigrationInstructions(cfg)
+	}
+}
+
+func run(cfg *migrationConfig) error {
+	mgmtConfig := &nbconfig.Config{}
+	if _, err := util.ReadJsonWithEnvSub(cfg.configPath, mgmtConfig); err != nil {
+		return err
+	}
+
+	// Validate the database schema before attempting any operations.
+	if err := validateSchema(mgmtConfig, cfg.dataDir); err != nil {
+		return err
+	}
+
+	if !cfg.skipPopulateUserInfo {
+		err := populateUserInfoFromIDP(cfg, mgmtConfig)
+		if err != nil {
+			return fmt.Errorf("populate user info: %w", err)
+		}
+	}
+
+	connectorConfig, err := decodeConnectorConfig(cfg.idpSeedInfo)
+	if err != nil {
+		return fmt.Errorf("resolve connector: %w", err)
+	}
+
+	log.Infof(
+		"resolved connector: type=%s, id=%s, name=%s",
+		connectorConfig.Type,
+		connectorConfig.ID,
+		connectorConfig.Name,
+	)
+
+	if err := migrateDB(cfg, mgmtConfig, connectorConfig); err != nil {
+		return err
+	}
+
+	if cfg.skipConfig {
+		log.Info("skipping config generation (--skip-config)")
+		return nil
+	}
+
+	return generateConfig(cfg, connectorConfig)
+}
+
+// validateSchema opens the store and checks that all required tables and columns
+// exist. If anything is missing, it returns a descriptive error telling the user
+// to upgrade their management server.
+func validateSchema(mgmtConfig *nbconfig.Config, dataDir string) error {
+	ctx := context.Background()
+	migStore, migEventStore, cleanup, err := openStores(ctx, mgmtConfig, dataDir)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	errs := migStore.CheckSchema(migration.RequiredSchema)
+	if len(errs) > 0 {
+		return fmt.Errorf("%s", formatSchemaErrors(errs))
+	}
+
+	if migEventStore != nil {
+		eventErrs := migEventStore.CheckSchema(migration.RequiredEventSchema)
+		if len(eventErrs) > 0 {
+			return fmt.Errorf("activity store schema check failed (upgrade management server first):\n%s", formatSchemaErrors(eventErrs))
+		}
+	}
+
+	log.Info("database schema check passed")
+	return nil
+}
+
+// formatSchemaErrors returns a user-friendly message listing all missing schema
+// elements and instructing the operator to upgrade.
+func formatSchemaErrors(errs []migration.SchemaError) string {
+	var b strings.Builder
+	b.WriteString("database schema is incomplete — the following tables/columns are missing:\n")
+	for _, e := range errs {
+		fmt.Fprintf(&b, "  - %s\n", e.String())
+	}
+	b.WriteString("\nPlease start the NetBird management server (v0.66.4+) at least once so that automatic database migrations create the required schema, then re-run this tool.\n")
+	return b.String()
+}
+
+// populateUserInfoFromIDP creates an IDP manager from the config, fetches all
+// user data (email, name) from the external IDP, and updates the store for users
+// that are missing this information.
+func populateUserInfoFromIDP(cfg *migrationConfig, mgmtConfig *nbconfig.Config) error {
+	ctx := context.Background()
+
+	if mgmtConfig.IdpManagerConfig == nil {
+		return fmt.Errorf("IdpManagerConfig is not set in management.json; cannot fetch user info from IDP")
+	}
+
+	idpManager, err := idp.NewManager(ctx, *mgmtConfig.IdpManagerConfig, nil)
+	if err != nil {
+		return fmt.Errorf("create IDP manager: %w", err)
+	}
+	if idpManager == nil {
+		return fmt.Errorf("IDP manager type is 'none' or empty; cannot fetch user info")
+	}
+
+	log.Infof("created IDP manager (type: %s)", mgmtConfig.IdpManagerConfig.ManagerType)
+
+	migStore, _, cleanup, err := openStores(ctx, mgmtConfig, cfg.dataDir)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	srv := &migrationServer{store: migStore}
+	return migration.PopulateUserInfo(srv, idpManager, cfg.dryRun)
+}
+
+// openStores opens the main and activity stores, returning migration-specific interfaces.
+// The caller must call the returned cleanup function to close the stores.
+func openStores(ctx context.Context, cfg *nbconfig.Config, dataDir string) (migration.Store, migration.EventStore, func(), error) {
+	engine := cfg.StoreConfig.Engine
+	if engine == "" {
+		engine = types.SqliteStoreEngine
+	}
+
+	mainStore, err := store.NewStore(ctx, engine, dataDir, nil, true)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("open main store: %w", err)
+	}
+
+	if cfg.DataStoreEncryptionKey != "" {
+		fieldEncrypt, err := crypt.NewFieldEncrypt(cfg.DataStoreEncryptionKey)
+		if err != nil {
+			_ = mainStore.Close(ctx)
+			return nil, nil, nil, fmt.Errorf("init field encryption: %w", err)
+		}
+		mainStore.SetFieldEncrypt(fieldEncrypt)
+	}
+
+	migStore, ok := mainStore.(migration.Store)
+	if !ok {
+		_ = mainStore.Close(ctx)
+		return nil, nil, nil, fmt.Errorf("store does not support migration operations (ListUsers/UpdateUserID)")
+	}
+
+	cleanup := func() { _ = mainStore.Close(ctx) }
+
+	var migEventStore migration.EventStore
+	actStore, err := activitystore.NewSqlStore(ctx, dataDir, cfg.DataStoreEncryptionKey)
+	if err != nil {
+		log.Warnf("could not open activity store (events.db may not exist): %v", err)
+	} else {
+		migEventStore = actStore
+		prevCleanup := cleanup
+		cleanup = func() { _ = actStore.Close(ctx); prevCleanup() }
+	}
+
+	return migStore, migEventStore, cleanup, nil
+}
+
+// migrateDB opens the stores, previews pending users, and runs the DB migration.
+func migrateDB(cfg *migrationConfig, mgmtConfig *nbconfig.Config, connectorConfig *dex.Connector) error {
+	ctx := context.Background()
+
+	migStore, migEventStore, cleanup, err := openStores(ctx, mgmtConfig, cfg.dataDir)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	pending, err := previewUsers(ctx, migStore)
+	if err != nil {
+		return err
+	}
+
+	if cfg.dryRun {
+		if err := os.Setenv("NB_IDP_MIGRATION_DRY_RUN", "true"); err != nil {
+			return fmt.Errorf("set dry-run env: %w", err)
+		}
+		defer os.Unsetenv("NB_IDP_MIGRATION_DRY_RUN") //nolint:errcheck
+	}
+
+	if !cfg.dryRun && !cfg.force {
+		if !confirmPrompt(pending) {
+			log.Info("migration cancelled by user")
+			return nil
+		}
+	}
+
+	srv := &migrationServer{store: migStore, eventStore: migEventStore}
+	if err := migration.MigrateUsersToStaticConnectors(srv, connectorConfig); err != nil {
+		return fmt.Errorf("migrate users: %w", err)
+	}
+
+	if !cfg.dryRun {
+		log.Info("DB migration completed successfully")
+	}
+	return nil
+}
+
+// previewUsers counts pending vs already-migrated users and logs a summary.
+// Returns the number of users still needing migration.
+func previewUsers(ctx context.Context, migStore migration.Store) (int, error) {
+	users, err := migStore.ListUsers(ctx)
+	if err != nil {
+		return 0, fmt.Errorf("list users: %w", err)
+	}
+
+	var pending, alreadyMigrated int
+	for _, u := range users {
+		if _, _, decErr := dex.DecodeDexUserID(u.Id); decErr == nil {
+			alreadyMigrated++
+		} else {
+			pending++
+		}
+	}
+
+	log.Infof("found %d total users: %d pending migration, %d already migrated", len(users), pending, alreadyMigrated)
+	return pending, nil
+}
+
+// confirmPrompt asks the user for interactive confirmation. Returns true if they accept.
+func confirmPrompt(pending int) bool {
+	log.Infof("About to migrate %d users. This cannot be easily undone. Continue? [y/N] ", pending)
+	reader := bufio.NewReader(os.Stdin)
+	answer, _ := reader.ReadString('\n')
+	answer = strings.TrimSpace(strings.ToLower(answer))
+	return answer == "y" || answer == "yes"
+}
+
+// decodeConnectorConfig base64-decodes and JSON-unmarshals a connector.
+func decodeConnectorConfig(encoded string) (*dex.Connector, error) {
+	decoded, err := base64.StdEncoding.DecodeString(encoded)
+	if err != nil {
+		return nil, fmt.Errorf("base64 decode: %w", err)
+	}
+
+	var conn dex.Connector
+	if err := json.Unmarshal(decoded, &conn); err != nil {
+		return nil, fmt.Errorf("json unmarshal: %w", err)
+	}
+
+	if conn.ID == "" {
+		return nil, fmt.Errorf("connector ID is empty")
+	}
+
+	return &conn, nil
+}
+
+// generateConfig reads the existing management.json as raw JSON, removes
+// IdpManagerConfig, adds EmbeddedIdP, updates HttpConfig fields, and writes
+// the result. In dry-run mode, it prints the new config to stdout instead.
+func generateConfig(cfg *migrationConfig, connectorConfig *dex.Connector) error {
+	// Read existing config as raw JSON to preserve all fields
+	raw, err := os.ReadFile(cfg.configPath)
+	if err != nil {
+		return fmt.Errorf("read config file: %w", err)
+	}
+
+	var configMap map[string]any
+	if err := json.Unmarshal(raw, &configMap); err != nil {
+		return fmt.Errorf("parse config JSON: %w", err)
+	}
+
+	// Remove unused information
+	delete(configMap, "IdpManagerConfig")
+	delete(configMap, "PKCEAuthorizationFlow")
+	delete(configMap, "DeviceAuthorizationFlow")
+
+	httpConfig, ok := configMap["HttpConfig"].(map[string]any)
+	if httpConfig != nil && ok {
+		certFilePath := httpConfig["CertFile"]
+		certKeyPath := httpConfig["CertKey"]
+
+		delete(configMap, "HttpConfig")
+
+		configMap["HttpConfig"] = map[string]any{
+			"CertFile": certFilePath,
+			"CertKey":  certKeyPath,
+		}
+	}
+
+	// Ensure the connector's redirectURI points to the management server (Dex callback),
+	// not the external IdP. The auto-detection may have used the IdP issuer URL.
+	connConfig := make(map[string]any, len(connectorConfig.Config))
+	maps.Copy(connConfig, connectorConfig.Config)
+
+	redirectURI, err := buildURL(cfg.apiURL, "/oauth2/callback")
+	if err != nil {
+		return fmt.Errorf("build redirect URI: %w", err)
+	}
+	connConfig["redirectURI"] = redirectURI
+
+	issuer, err := buildURL(cfg.apiURL, "/oauth2")
+	if err != nil {
+		return fmt.Errorf("build issuer URL: %w", err)
+	}
+
+	dashboardRedirectURL, err := buildURL(cfg.dashboardURL, "/nb-auth")
+	if err != nil {
+		return fmt.Errorf("build dashboard redirect URL: %w", err)
+	}
+
+	dashboardSilentRedirectURL, err := buildURL(cfg.dashboardURL, "/nb-silent-auth")
+	if err != nil {
+		return fmt.Errorf("build dashboard silent redirect URL: %w", err)
+	}
+
+	// Add minimal EmbeddedIdP section
+	configMap["EmbeddedIdP"] = map[string]any{
+		"Enabled": true,
+		"Issuer":  issuer,
+		"DashboardRedirectURIs": []string{
+			dashboardRedirectURL,
+			dashboardSilentRedirectURL,
+		},
+		"StaticConnectors": []any{
+			map[string]any{
+				"type":   connectorConfig.Type,
+				"name":   connectorConfig.Name,
+				"id":     connectorConfig.ID,
+				"config": connConfig,
+			},
+		},
+	}
+
+	newJSON, err := json.MarshalIndent(configMap, "", "  ")
+	if err != nil {
+		return fmt.Errorf("marshal new config: %w", err)
+	}
+
+	if cfg.dryRun {
+		log.Info("[DRY RUN] new management.json would be:")
+		log.Infoln(string(newJSON))
+		return nil
+	}
+
+	// Backup original
+	backupPath := cfg.configPath + ".bak"
+	if err := os.WriteFile(backupPath, raw, 0o600); err != nil {
+		return fmt.Errorf("write backup: %w", err)
+	}
+	log.Infof("backed up original config to %s", backupPath)
+
+	// Write new config
+	if err := os.WriteFile(cfg.configPath, newJSON, 0o600); err != nil {
+		return fmt.Errorf("write new config: %w", err)
+	}
+	log.Infof("wrote new config to %s", cfg.configPath)
+
+	return nil
+}
+
+func buildURL(uri, path string) (string, error) {
+	// Case for domain without scheme, e.g. "example.com" or "example.com:8080"
+	if !strings.HasPrefix(uri, "http://") && !strings.HasPrefix(uri, "https://") {
+		uri = "https://" + uri
+	}
+
+	val, err := url.JoinPath(uri, path)
+	if err != nil {
+		return "", err
+	}
+
+	return val, nil
+}
+
+func printPostMigrationInstructions(cfg *migrationConfig) {
+	authAuthority, err := buildURL(cfg.apiURL, "/oauth2")
+	if err != nil {
+		authAuthority = "https://<your-domain>/oauth2"
+	}
+
+	log.Info("Congratulations! You have successfully migrated your NetBird management server to the embedded Dex IdP.")
+	log.Info("Next steps:")
+	log.Info("1. Make sure the following environment variables are set for your dashboard server:")
+	log.Infof(`
+AUTH_AUDIENCE=netbird-dashboard
+AUTH_CLIENT_ID=netbird-dashboard
+AUTH_AUTHORITY=%s
+AUTH_SUPPORTED_SCOPES=openid profile email groups
+AUTH_REDIRECT_URI=/nb-auth
+AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
+	`,
+		authAuthority,
+	)
+	log.Info("2. Make sure you restart the dashboard & management servers to pick up the new config and environment variables.")
+	log.Info("eg. docker compose up -d --force-recreate management dashboard")
+	log.Info("3. Optional: If you have a reverse proxy configured, make sure the path `/oauth2/*` points to the management api server.")
+}
+
+// Compile-time check that migrationServer implements migration.Server.
+var _ migration.Server = (*migrationServer)(nil)

tools/idp-migrate/main_test.go

@@ -0,0 +1,487 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/idp/dex"
+	"github.com/netbirdio/netbird/management/server/idp/migration"
+)
+
+// TestMigrationServerInterface is a compile-time check that migrationServer
+// implements the migration.Server interface.
+func TestMigrationServerInterface(t *testing.T) {
+	var _ migration.Server = (*migrationServer)(nil)
+}
+
+func TestDecodeConnectorConfig(t *testing.T) {
+	conn := dex.Connector{
+		Type: "oidc",
+		Name: "test",
+		ID:   "test-id",
+		Config: map[string]any{
+			"issuer":       "https://example.com",
+			"clientID":     "cid",
+			"clientSecret": "csecret",
+		},
+	}
+
+	data, err := json.Marshal(conn)
+	require.NoError(t, err)
+	encoded := base64.StdEncoding.EncodeToString(data)
+
+	result, err := decodeConnectorConfig(encoded)
+	require.NoError(t, err)
+	assert.Equal(t, "test-id", result.ID)
+	assert.Equal(t, "oidc", result.Type)
+	assert.Equal(t, "https://example.com", result.Config["issuer"])
+}
+
+func TestDecodeConnectorConfig_InvalidBase64(t *testing.T) {
+	_, err := decodeConnectorConfig("not-valid-base64!!!")
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "base64 decode")
+}
+
+func TestDecodeConnectorConfig_InvalidJSON(t *testing.T) {
+	encoded := base64.StdEncoding.EncodeToString([]byte("not json"))
+	_, err := decodeConnectorConfig(encoded)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "json unmarshal")
+}
+
+func TestDecodeConnectorConfig_EmptyConnectorID(t *testing.T) {
+	conn := dex.Connector{
+		Type: "oidc",
+		Name: "no-id",
+		ID:   "",
+	}
+	data, err := json.Marshal(conn)
+	require.NoError(t, err)
+
+	encoded := base64.StdEncoding.EncodeToString(data)
+	_, err = decodeConnectorConfig(encoded)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "connector ID is empty")
+}
+
+func TestValidateConfig(t *testing.T) {
+	valid := &migrationConfig{
+		configPath:   "/etc/netbird/management.json",
+		dataDir:      "/var/lib/netbird",
+		idpSeedInfo:  "some-base64",
+		apiURL:       "https://api.example.com",
+		dashboardURL: "https://dash.example.com",
+	}
+
+	t.Run("valid config", func(t *testing.T) {
+		require.NoError(t, validateConfig(valid))
+	})
+
+	t.Run("missing configPath", func(t *testing.T) {
+		cfg := *valid
+		cfg.configPath = ""
+		err := validateConfig(&cfg)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "--config")
+	})
+
+	t.Run("missing dataDir", func(t *testing.T) {
+		cfg := *valid
+		cfg.dataDir = ""
+		err := validateConfig(&cfg)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "--datadir")
+	})
+
+	t.Run("missing idpSeedInfo", func(t *testing.T) {
+		cfg := *valid
+		cfg.idpSeedInfo = ""
+		err := validateConfig(&cfg)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "--idp-seed-info")
+	})
+
+	t.Run("missing apiUrl", func(t *testing.T) {
+		cfg := *valid
+		cfg.apiURL = ""
+		err := validateConfig(&cfg)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "--api-domain")
+	})
+
+	t.Run("missing dashboardUrl", func(t *testing.T) {
+		cfg := *valid
+		cfg.dashboardURL = ""
+		err := validateConfig(&cfg)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "--dashboard-domain")
+	})
+}
+
+func TestConfigFromArgs_EnvVarsApplied(t *testing.T) {
+	t.Run("env vars fill in for missing flags", func(t *testing.T) {
+		t.Setenv("NETBIRD_CONFIG_PATH", "/env/management.json")
+		t.Setenv("NETBIRD_DATA_DIR", "/env/data")
+		t.Setenv("NETBIRD_IDP_SEED_INFO", "env-seed")
+		t.Setenv("NETBIRD_API_URL", "https://api.env.com")
+		t.Setenv("NETBIRD_DASHBOARD_URL", "https://dash.env.com")
+
+		cfg, err := configFromArgs([]string{})
+		require.NoError(t, err)
+
+		assert.Equal(t, "/env/management.json", cfg.configPath)
+		assert.Equal(t, "/env/data", cfg.dataDir)
+		assert.Equal(t, "env-seed", cfg.idpSeedInfo)
+		assert.Equal(t, "https://api.env.com", cfg.apiURL)
+		assert.Equal(t, "https://dash.env.com", cfg.dashboardURL)
+	})
+
+	t.Run("flags work without env vars", func(t *testing.T) {
+		cfg, err := configFromArgs([]string{
+			"--config", "/flag/management.json",
+			"--datadir", "/flag/data",
+			"--idp-seed-info", "flag-seed",
+			"--api-url", "https://api.flag.com",
+			"--dashboard-url", "https://dash.flag.com",
+		})
+		require.NoError(t, err)
+
+		assert.Equal(t, "/flag/management.json", cfg.configPath)
+		assert.Equal(t, "/flag/data", cfg.dataDir)
+		assert.Equal(t, "flag-seed", cfg.idpSeedInfo)
+		assert.Equal(t, "https://api.flag.com", cfg.apiURL)
+		assert.Equal(t, "https://dash.flag.com", cfg.dashboardURL)
+	})
+
+	t.Run("env vars override flags", func(t *testing.T) {
+		t.Setenv("NETBIRD_CONFIG_PATH", "/env/management.json")
+		t.Setenv("NETBIRD_API_URL", "https://api.env.com")
+
+		cfg, err := configFromArgs([]string{
+			"--config", "/flag/management.json",
+			"--datadir", "/flag/data",
+			"--idp-seed-info", "flag-seed",
+			"--api-url", "https://api.flag.com",
+			"--dashboard-url", "https://dash.flag.com",
+		})
+		require.NoError(t, err)
+
+		assert.Equal(t, "/env/management.json", cfg.configPath, "env should override flag")
+		assert.Equal(t, "https://api.env.com", cfg.apiURL, "env should override flag")
+		assert.Equal(t, "https://dash.flag.com", cfg.dashboardURL, "flag preserved when no env override")
+	})
+
+	t.Run("--domain flag with specific env var override", func(t *testing.T) {
+		t.Setenv("NETBIRD_API_URL", "https://api.env.com")
+
+		cfg, err := configFromArgs([]string{
+			"--domain", "both.flag.com",
+			"--config", "/path",
+			"--datadir", "/data",
+			"--idp-seed-info", "seed",
+		})
+		require.NoError(t, err)
+
+		assert.Equal(t, "https://api.env.com", cfg.apiURL, "specific env beats --domain")
+		assert.Equal(t, "both.flag.com", cfg.dashboardURL, "--domain fills dashboard")
+	})
+}
+
+func TestApplyOverrides_MostGranularWins(t *testing.T) {
+	t.Run("specific flags beat --domain", func(t *testing.T) {
+		cfg := &migrationConfig{
+			apiURL:       "api.specific.com",
+			dashboardURL: "dash.specific.com",
+		}
+		applyOverrides(cfg, "broad.com")
+
+		assert.Equal(t, "api.specific.com", cfg.apiURL)
+		assert.Equal(t, "dash.specific.com", cfg.dashboardURL)
+	})
+
+	t.Run("--domain fills blanks when specific flags missing", func(t *testing.T) {
+		cfg := &migrationConfig{}
+		applyOverrides(cfg, "broad.com")
+
+		assert.Equal(t, "broad.com", cfg.apiURL)
+		assert.Equal(t, "broad.com", cfg.dashboardURL)
+	})
+
+	t.Run("--domain fills only the missing specific flag", func(t *testing.T) {
+		cfg := &migrationConfig{
+			apiURL: "api.specific.com",
+		}
+		applyOverrides(cfg, "broad.com")
+
+		assert.Equal(t, "api.specific.com", cfg.apiURL)
+		assert.Equal(t, "broad.com", cfg.dashboardURL)
+	})
+
+	t.Run("NETBIRD_DOMAIN overrides flags", func(t *testing.T) {
+		cfg := &migrationConfig{
+			apiURL:       "api.flag.com",
+			dashboardURL: "dash.flag.com",
+		}
+		t.Setenv("NETBIRD_DOMAIN", "env-broad.com")
+
+		applyOverrides(cfg, "")
+
+		assert.Equal(t, "env-broad.com", cfg.apiURL)
+		assert.Equal(t, "env-broad.com", cfg.dashboardURL)
+	})
+
+	t.Run("specific env vars beat NETBIRD_DOMAIN", func(t *testing.T) {
+		cfg := &migrationConfig{}
+		t.Setenv("NETBIRD_DOMAIN", "env-broad.com")
+		t.Setenv("NETBIRD_API_URL", "api.env-specific.com")
+		t.Setenv("NETBIRD_DASHBOARD_URL", "dash.env-specific.com")
+
+		applyOverrides(cfg, "")
+
+		assert.Equal(t, "api.env-specific.com", cfg.apiURL)
+		assert.Equal(t, "dash.env-specific.com", cfg.dashboardURL)
+	})
+
+	t.Run("one specific env var overrides only its field", func(t *testing.T) {
+		cfg := &migrationConfig{}
+		t.Setenv("NETBIRD_DOMAIN", "env-broad.com")
+		t.Setenv("NETBIRD_API_URL", "api.env-specific.com")
+
+		applyOverrides(cfg, "")
+
+		assert.Equal(t, "api.env-specific.com", cfg.apiURL)
+		assert.Equal(t, "env-broad.com", cfg.dashboardURL)
+	})
+
+	t.Run("specific env vars beat all flags combined", func(t *testing.T) {
+		cfg := &migrationConfig{
+			apiURL:       "api.flag.com",
+			dashboardURL: "dash.flag.com",
+		}
+		t.Setenv("NETBIRD_API_URL", "api.env.com")
+		t.Setenv("NETBIRD_DASHBOARD_URL", "dash.env.com")
+
+		applyOverrides(cfg, "domain-flag.com")
+
+		assert.Equal(t, "api.env.com", cfg.apiURL)
+		assert.Equal(t, "dash.env.com", cfg.dashboardURL)
+	})
+
+	t.Run("env vars override all non-domain flags", func(t *testing.T) {
+		cfg := &migrationConfig{
+			configPath:           "/flag/path",
+			dataDir:              "/flag/data",
+			idpSeedInfo:          "flag-seed",
+			dryRun:               false,
+			force:                false,
+			skipConfig:           false,
+			skipPopulateUserInfo: false,
+			logLevel:             "info",
+		}
+		t.Setenv("NETBIRD_CONFIG_PATH", "/env/path")
+		t.Setenv("NETBIRD_DATA_DIR", "/env/data")
+		t.Setenv("NETBIRD_IDP_SEED_INFO", "env-seed")
+		t.Setenv("NETBIRD_DRY_RUN", "true")
+		t.Setenv("NETBIRD_FORCE", "true")
+		t.Setenv("NETBIRD_SKIP_CONFIG", "true")
+		t.Setenv("NETBIRD_SKIP_POPULATE_USER_INFO", "true")
+		t.Setenv("NETBIRD_LOG_LEVEL", "debug")
+
+		applyOverrides(cfg, "")
+
+		assert.Equal(t, "/env/path", cfg.configPath)
+		assert.Equal(t, "/env/data", cfg.dataDir)
+		assert.Equal(t, "env-seed", cfg.idpSeedInfo)
+		assert.True(t, cfg.dryRun)
+		assert.True(t, cfg.force)
+		assert.True(t, cfg.skipConfig)
+		assert.True(t, cfg.skipPopulateUserInfo)
+		assert.Equal(t, "debug", cfg.logLevel)
+	})
+
+	t.Run("boolean env vars properly parse false values", func(t *testing.T) {
+		cfg := &migrationConfig{}
+		t.Setenv("NETBIRD_DRY_RUN", "false")
+		t.Setenv("NETBIRD_FORCE", "yes")
+		t.Setenv("NETBIRD_SKIP_CONFIG", "0")
+
+		applyOverrides(cfg, "")
+
+		assert.False(t, cfg.dryRun)
+		assert.False(t, cfg.force)
+		assert.False(t, cfg.skipConfig)
+	})
+
+	t.Run("unset env vars do not override flags", func(t *testing.T) {
+		cfg := &migrationConfig{
+			configPath:  "/flag/path",
+			dataDir:     "/flag/data",
+			idpSeedInfo: "flag-seed",
+			dryRun:      true,
+			logLevel:    "warn",
+		}
+
+		applyOverrides(cfg, "")
+
+		assert.Equal(t, "/flag/path", cfg.configPath)
+		assert.Equal(t, "/flag/data", cfg.dataDir)
+		assert.Equal(t, "flag-seed", cfg.idpSeedInfo)
+		assert.True(t, cfg.dryRun)
+		assert.Equal(t, "warn", cfg.logLevel)
+	})
+}
+
+func TestBuildUrl(t *testing.T) {
+	tests := []struct {
+		name     string
+		uri      string
+		path     string
+		expected string
+	}{
+		{"with https scheme", "https://example.com", "/oauth2", "https://example.com/oauth2"},
+		{"with http scheme", "http://example.com", "/oauth2/callback", "http://example.com/oauth2/callback"},
+		{"bare domain", "example.com", "/oauth2", "https://example.com/oauth2"},
+		{"domain with port", "example.com:8080", "/nb-auth", "https://example.com:8080/nb-auth"},
+		{"trailing slash on uri", "https://example.com/", "/oauth2", "https://example.com/oauth2"},
+		{"nested path", "https://example.com", "/oauth2/callback", "https://example.com/oauth2/callback"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			url, err := buildURL(tt.uri, tt.path)
+			assert.NoError(t, err)
+			assert.Equal(t, tt.expected, url)
+		})
+	}
+}
+
+func TestGenerateConfig(t *testing.T) {
+	t.Run("generates valid config", func(t *testing.T) {
+		dir := t.TempDir()
+		configPath := filepath.Join(dir, "management.json")
+
+		originalConfig := `{
+  "Datadir": "/var/lib/netbird",
+  "HttpConfig": {
+    "LetsEncryptDomain": "mgmt.example.com",
+    "CertFile": "/etc/ssl/cert.pem",
+    "CertKey": "/etc/ssl/key.pem",
+    "AuthIssuer": "https://zitadel.example.com/oauth2",
+    "AuthKeysLocation": "https://zitadel.example.com/oauth2/keys",
+    "OIDCConfigEndpoint": "https://zitadel.example.com/.well-known/openid-configuration",
+    "AuthClientID": "old-client-id",
+    "AuthUserIDClaim": "preferred_username"
+  },
+  "IdpManagerConfig": {
+    "ManagerType": "zitadel",
+    "ClientConfig": {
+      "Issuer": "https://zitadel.example.com",
+      "ClientID": "zit-id",
+      "ClientSecret": "zit-secret"
+    }
+  }
+}`
+		require.NoError(t, os.WriteFile(configPath, []byte(originalConfig), 0o600))
+
+		cfg := &migrationConfig{
+			configPath:   configPath,
+			dashboardURL: "https://mgmt.example.com",
+			apiURL:       "https://mgmt.example.com",
+		}
+		conn := &dex.Connector{
+			Type: "zitadel",
+			Name: "zitadel",
+			ID:   "zitadel",
+			Config: map[string]any{
+				"issuer":       "https://zitadel.example.com",
+				"clientID":     "zit-id",
+				"clientSecret": "zit-secret",
+			},
+		}
+
+		err := generateConfig(cfg, conn)
+		require.NoError(t, err)
+
+		// Check backup was created
+		backupPath := configPath + ".bak"
+		backupData, err := os.ReadFile(backupPath)
+		require.NoError(t, err)
+		assert.Equal(t, originalConfig, string(backupData))
+
+		// Read and parse the new config
+		newData, err := os.ReadFile(configPath)
+		require.NoError(t, err)
+
+		var result map[string]any
+		require.NoError(t, json.Unmarshal(newData, &result))
+
+		// IdpManagerConfig should be removed
+		_, hasOldIdp := result["IdpManagerConfig"]
+		assert.False(t, hasOldIdp, "IdpManagerConfig should be removed")
+
+		_, hasPKCE := result["PKCEAuthorizationFlow"]
+		assert.False(t, hasPKCE, "PKCEAuthorizationFlow should be removed")
+
+		// EmbeddedIdP should be present with minimal fields
+		embeddedIDP, ok := result["EmbeddedIdP"].(map[string]any)
+		require.True(t, ok, "EmbeddedIdP should be present")
+		assert.Equal(t, true, embeddedIDP["Enabled"])
+		assert.Equal(t, "https://mgmt.example.com/oauth2", embeddedIDP["Issuer"])
+		assert.Nil(t, embeddedIDP["LocalAuthDisabled"], "LocalAuthDisabled should not be set")
+		assert.Nil(t, embeddedIDP["SignKeyRefreshEnabled"], "SignKeyRefreshEnabled should not be set")
+		assert.Nil(t, embeddedIDP["CLIRedirectURIs"], "CLIRedirectURIs should not be set")
+
+		// Static connector's redirectURI should use the management domain
+		connectors := embeddedIDP["StaticConnectors"].([]any)
+		require.Len(t, connectors, 1)
+		firstConn := connectors[0].(map[string]any)
+		connCfg := firstConn["config"].(map[string]any)
+		assert.Equal(t, "https://mgmt.example.com/oauth2/callback", connCfg["redirectURI"],
+			"redirectURI should be overridden to use the management domain")
+
+		// HttpConfig should only have CertFile and CertKey
+		httpConfig, ok := result["HttpConfig"].(map[string]any)
+		require.True(t, ok, "HttpConfig should be present")
+		assert.Equal(t, "/etc/ssl/cert.pem", httpConfig["CertFile"])
+		assert.Equal(t, "/etc/ssl/key.pem", httpConfig["CertKey"])
+		assert.Nil(t, httpConfig["AuthIssuer"], "AuthIssuer should be stripped")
+
+		// Datadir should be preserved
+		assert.Equal(t, "/var/lib/netbird", result["Datadir"])
+	})
+
+	t.Run("dry run does not write files", func(t *testing.T) {
+		dir := t.TempDir()
+		configPath := filepath.Join(dir, "management.json")
+
+		originalConfig := `{"HttpConfig": {"CertFile": "", "CertKey": ""}}`
+		require.NoError(t, os.WriteFile(configPath, []byte(originalConfig), 0o600))
+
+		cfg := &migrationConfig{
+			configPath:   configPath,
+			dashboardURL: "https://mgmt.example.com",
+			apiURL:       "https://mgmt.example.com",
+			dryRun:       true,
+		}
+		conn := &dex.Connector{Type: "oidc", Name: "test", ID: "test"}
+
+		err := generateConfig(cfg, conn)
+		require.NoError(t, err)
+
+		// Original should be unchanged
+		data, err := os.ReadFile(configPath)
+		require.NoError(t, err)
+		assert.Equal(t, originalConfig, string(data))
+
+		// No backup should exist
+		_, err = os.Stat(configPath + ".bak")
+		assert.True(t, os.IsNotExist(err))
+	})
+}