Merge remote-tracking branch 'origin/main' into dns-skip-failover-on-ede

# Conflicts: # client/internal/dns/upstream.go
Add ServeDNS test for non-retryable EDE short-circuit and OPT stripping
2026-05-08 09:49:54 +00:00 · 2026-05-07 12:16:04 +02:00 · 2026-05-06 10:50:29 +02:00 · 2026-05-06 10:48:10 +02:00 · 2026-05-06 10:31:03 +02:00 · 2026-05-06 10:24:36 +02:00
29 changed files with 353 additions and 808 deletions
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA,ede,additionals
          skip: go.mod,go.sum,**/proxy/web/**
  golangci:
    strategy:
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -8,7 +8,7 @@ There are many ways that you can contribute:
 - Sharing use cases in slack or Reddit
 - Bug fix or feature enhancement

-If you haven't already, join our slack workspace [here](https://docs.netbird.io/slack-url), we would love to discuss topics that need community contribution and enhancements to existing features.
+If you haven't already, join our slack workspace [here](https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A), we would love to discuss topics that need community contribution and enhancements to existing features.

 ## Contents

--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -30,6 +30,27 @@ import (

 var currentMTU uint16 = iface.DefaultMTU

+// nonRetryableEDECodes lists EDE info codes (RFC 8914) for which a SERVFAIL
+// from one upstream means another upstream would return the same answer:
+// DNSSEC validation outcomes and policy-based blocks. Transient errors
+// (network, cached, not ready) are not included.
+var nonRetryableEDECodes = map[uint16]struct{}{
+	dns.ExtendedErrorCodeUnsupportedDNSKEYAlgorithm: {},
+	dns.ExtendedErrorCodeUnsupportedDSDigestType:    {},
+	dns.ExtendedErrorCodeDNSSECIndeterminate:        {},
+	dns.ExtendedErrorCodeDNSBogus:                   {},
+	dns.ExtendedErrorCodeSignatureExpired:           {},
+	dns.ExtendedErrorCodeSignatureNotYetValid:       {},
+	dns.ExtendedErrorCodeDNSKEYMissing:              {},
+	dns.ExtendedErrorCodeRRSIGsMissing:              {},
+	dns.ExtendedErrorCodeNoZoneKeyBitSet:            {},
+	dns.ExtendedErrorCodeNSECMissing:                {},
+	dns.ExtendedErrorCodeBlocked:                    {},
+	dns.ExtendedErrorCodeCensored:                   {},
+	dns.ExtendedErrorCodeFiltered:                   {},
+	dns.ExtendedErrorCodeProhibited:                 {},
+}
+
 // privateClientIface is the subset of the WireGuard interface needed by GetClientPrivate.
 type privateClientIface interface {
 	Name() string
@@ -250,6 +271,18 @@ func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, w dns.Re
 	var t time.Duration
 	var err error

+	// Advertise EDNS0 so the upstream may include Extended DNS Errors
+	// (RFC 8914) in failure responses; we use those to short-circuit
+	// failover for definitive answers like DNSSEC validation failures.
+	// Operate on a copy so the inbound request is unchanged: a client that
+	// did not advertise EDNS0 must not see an OPT in the response.
+	hadEdns := r.IsEdns0() != nil
+	reqUp := r
+	if !hadEdns {
+		reqUp = r.Copy()
+		reqUp.SetEdns0(upstreamUDPSize(), false)
+	}
+
 	var startTime time.Time
 	var upstreamProto *upstreamProtocolResult
 	func() {
@@ -257,7 +290,7 @@ func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, w dns.Re
 		defer cancel()
 		ctx, upstreamProto = contextWithupstreamProtocolResult(ctx)
 		startTime = time.Now()
-		rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
+		rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), reqUp)
 	}()

 	if err != nil {
@@ -269,13 +302,49 @@ func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, w dns.Re
 	}

 	if rm.Rcode == dns.RcodeServerFailure || rm.Rcode == dns.RcodeRefused {
+		if code, ok := nonRetryableEDE(rm); ok {
+			resutil.SetMeta(w, "ede", edeName(code))
+			if !hadEdns {
+				stripOPT(rm)
+			}
+			u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, upstreamProto, logger)
+			return nil
+		}
 		return &upstreamFailure{upstream: upstream, reason: dns.RcodeToString[rm.Rcode]}
 	}

+	if !hadEdns {
+		stripOPT(rm)
+	}
 	u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, upstreamProto, logger)
 	return nil
 }

+// upstreamUDPSize returns the EDNS0 UDP buffer size we advertise to upstreams,
+// derived from the tunnel MTU and bounded against underflow.
+func upstreamUDPSize() uint16 {
+	if currentMTU > ipUDPHeaderSize {
+		return currentMTU - ipUDPHeaderSize
+	}
+	return dns.MinMsgSize
+}
+
+// stripOPT removes any OPT pseudo-RRs from the response's Extra section so
+// the response complies with RFC 6891 when the client did not advertise EDNS0.
+func stripOPT(rm *dns.Msg) {
+	if len(rm.Extra) == 0 {
+		return
+	}
+	out := rm.Extra[:0]
+	for _, rr := range rm.Extra {
+		if _, ok := rr.(*dns.OPT); ok {
+			continue
+		}
+		out = append(out, rr)
+	}
+	rm.Extra = out
+}
+
 func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.AddrPort, startTime time.Time) *upstreamFailure {
 	if !errors.Is(err, context.DeadlineExceeded) && !isTimeout(err) {
 		return &upstreamFailure{upstream: upstream, reason: err.Error()}
@@ -337,6 +406,34 @@ func formatFailures(failures []upstreamFailure) string {
 	return strings.Join(parts, ", ")
 }

+// nonRetryableEDE returns the first non-retryable EDE code carried in the
+// response, if any.
+func nonRetryableEDE(rm *dns.Msg) (uint16, bool) {
+	opt := rm.IsEdns0()
+	if opt == nil {
+		return 0, false
+	}
+	for _, o := range opt.Option {
+		ede, ok := o.(*dns.EDNS0_EDE)
+		if !ok {
+			continue
+		}
+		if _, ok := nonRetryableEDECodes[ede.InfoCode]; ok {
+			return ede.InfoCode, true
+		}
+	}
+	return 0, false
+}
+
+// edeName returns a human-readable name for an EDE code, falling back to
+// the numeric code when unknown.
+func edeName(code uint16) string {
+	if name, ok := dns.ExtendedErrorCodeToString[code]; ok {
+		return name
+	}
+	return fmt.Sprintf("EDE %d", code)
+}
+
 // ProbeAvailability tests all upstream servers simultaneously and
 // disables the resolver if none work
 func (u *upstreamResolverBase) ProbeAvailability(ctx context.Context) {
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -770,3 +770,132 @@ func TestExchangeWithFallback_TCPTruncatesToClientSize(t *testing.T) {
 	assert.Less(t, len(rm2.Answer), 20, "small EDNS0 client should get fewer records")
 	assert.True(t, rm2.Truncated, "response should be truncated for small buffer client")
 }
+
+func msgWithEDE(rcode int, codes ...uint16) *dns.Msg {
+	m := new(dns.Msg)
+	m.Response = true
+	m.Rcode = rcode
+	if len(codes) == 0 {
+		return m
+	}
+	opt := &dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}}
+	opt.SetUDPSize(dns.MinMsgSize)
+	for _, c := range codes {
+		opt.Option = append(opt.Option, &dns.EDNS0_EDE{InfoCode: c})
+	}
+	m.Extra = append(m.Extra, opt)
+	return m
+}
+
+func TestNonRetryableEDE(t *testing.T) {
+	tests := []struct {
+		name     string
+		msg      *dns.Msg
+		wantOK   bool
+		wantCode uint16
+	}{
+		{name: "no edns0", msg: msgWithEDE(dns.RcodeServerFailure)},
+		{
+			name: "opt without ede",
+			msg: func() *dns.Msg {
+				m := msgWithEDE(dns.RcodeServerFailure)
+				opt := &dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}}
+				opt.Option = append(opt.Option, &dns.EDNS0_NSID{Code: dns.EDNS0NSID})
+				m.Extra = []dns.RR{opt}
+				return m
+			}(),
+		},
+		{name: "ede dnsbogus", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeDNSBogus), wantOK: true, wantCode: dns.ExtendedErrorCodeDNSBogus},
+		{name: "ede signature expired", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeSignatureExpired), wantOK: true, wantCode: dns.ExtendedErrorCodeSignatureExpired},
+		{name: "ede blocked", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeBlocked), wantOK: true, wantCode: dns.ExtendedErrorCodeBlocked},
+		{name: "ede prohibited", msg: msgWithEDE(dns.RcodeRefused, dns.ExtendedErrorCodeProhibited), wantOK: true, wantCode: dns.ExtendedErrorCodeProhibited},
+		{name: "ede cached error retryable", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeCachedError)},
+		{name: "ede network error retryable", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeNetworkError)},
+		{name: "ede not ready retryable", msg: msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeNotReady)},
+		{
+			name:     "first non-retryable wins",
+			msg:      msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeNetworkError, dns.ExtendedErrorCodeDNSBogus),
+			wantOK:   true,
+			wantCode: dns.ExtendedErrorCodeDNSBogus,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			code, ok := nonRetryableEDE(tc.msg)
+			assert.Equal(t, tc.wantOK, ok, "ok should match")
+			if tc.wantOK {
+				assert.Equal(t, tc.wantCode, code, "code should match")
+			}
+		})
+	}
+}
+
+func TestEDEName(t *testing.T) {
+	assert.Equal(t, "DNSSEC Bogus", edeName(dns.ExtendedErrorCodeDNSBogus))
+	assert.Equal(t, "Signature Expired", edeName(dns.ExtendedErrorCodeSignatureExpired))
+	assert.Equal(t, "EDE 9999", edeName(9999), "unknown code falls back to numeric")
+}
+
+func TestStripOPT(t *testing.T) {
+	rm := &dns.Msg{
+		Extra: []dns.RR{
+			&dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}},
+			&dns.A{Hdr: dns.RR_Header{Name: "x.", Rrtype: dns.TypeA}, A: net.IPv4(1, 2, 3, 4)},
+		},
+	}
+	stripOPT(rm)
+	assert.Len(t, rm.Extra, 1, "OPT should be removed, A kept")
+	_, isOPT := rm.Extra[0].(*dns.OPT)
+	assert.False(t, isOPT, "remaining record must not be OPT")
+}
+
+func TestUpstreamResolver_NonRetryableEDEShortCircuits(t *testing.T) {
+	upstream1 := netip.MustParseAddrPort("192.0.2.1:53")
+	upstream2 := netip.MustParseAddrPort("192.0.2.2:53")
+
+	servfailWithEDE := msgWithEDE(dns.RcodeServerFailure, dns.ExtendedErrorCodeDNSBogus)
+	successResp := buildMockResponse(dns.RcodeSuccess, "192.0.2.100")
+
+	var queried []string
+	tracking := &trackingMockClient{
+		inner: &mockUpstreamResolverPerServer{
+			responses: map[string]mockUpstreamResponse{
+				upstream1.String(): {msg: servfailWithEDE},
+				upstream2.String(): {msg: successResp},
+			},
+			rtt: time.Millisecond,
+		},
+		queriedUpstreams: &queried,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	resolver := &upstreamResolverBase{
+		ctx:             ctx,
+		upstreamClient:  tracking,
+		upstreamServers: []netip.AddrPort{upstream1, upstream2},
+		upstreamTimeout: UpstreamTimeout,
+	}
+
+	var written *dns.Msg
+	w := &test.MockResponseWriter{
+		WriteMsgFunc: func(m *dns.Msg) error {
+			written = m
+			return nil
+		},
+	}
+
+	// Client query without EDNS0 must not see an OPT in the response.
+	q := new(dns.Msg).SetQuestion("example.com.", dns.TypeA)
+	resolver.ServeDNS(w, q)
+
+	require.NotNil(t, written, "response must be written")
+	assert.Equal(t, dns.RcodeServerFailure, written.Rcode, "SERVFAIL must propagate")
+	assert.Len(t, queried, 1, "only first upstream should be queried")
+	assert.Equal(t, upstream1.String(), queried[0])
+	for _, rr := range written.Extra {
+		_, isOPT := rr.(*dns.OPT)
+		assert.False(t, isOPT, "synthetic OPT must not leak to a non-EDNS0 client")
+	}
+}
--- a/combined/cmd/config.go
+++ b/combined/cmd/config.go
@@ -133,18 +133,13 @@ type ManagementConfig struct {

 // AuthConfig contains authentication/identity provider settings
 type AuthConfig struct {
-	Issuer                          string            `yaml:"issuer"`
-	LocalAuthDisabled               bool              `yaml:"localAuthDisabled"`
-	SignKeyRefreshEnabled           bool              `yaml:"signKeyRefreshEnabled"`
-	MfaSessionMaxLifetime           string            `yaml:"mfaSessionMaxLifetime"`
-	MfaSessionIdleTimeout           string            `yaml:"mfaSessionIdleTimeout"`
-	MfaSessionRememberMe            bool              `yaml:"mfaSessionRememberMe"`
-	SessionCookieEncryptionKey      string            `yaml:"sessionCookieEncryptionKey"`
-	Storage                         AuthStorageConfig `yaml:"storage"`
-	DashboardRedirectURIs           []string          `yaml:"dashboardRedirectURIs"`
-	CLIRedirectURIs                 []string          `yaml:"cliRedirectURIs"`
-	Owner                           *AuthOwnerConfig  `yaml:"owner,omitempty"`
-	DashboardPostLogoutRedirectURIs []string          `yaml:"dashboardPostLogoutRedirectURIs"`
+	Issuer                string            `yaml:"issuer"`
+	LocalAuthDisabled     bool              `yaml:"localAuthDisabled"`
+	SignKeyRefreshEnabled bool              `yaml:"signKeyRefreshEnabled"`
+	Storage               AuthStorageConfig `yaml:"storage"`
+	DashboardRedirectURIs []string          `yaml:"dashboardRedirectURIs"`
+	CLIRedirectURIs       []string          `yaml:"cliRedirectURIs"`
+	Owner                 *AuthOwnerConfig  `yaml:"owner,omitempty"`
 }

 // AuthStorageConfig contains auth storage settings
@@ -586,14 +581,10 @@ func (c *CombinedConfig) buildEmbeddedIdPConfig(mgmt ManagementConfig) (*idp.Emb
 	}

 	cfg := &idp.EmbeddedIdPConfig{
-		Enabled:                    true,
-		Issuer:                     mgmt.Auth.Issuer,
-		LocalAuthDisabled:          mgmt.Auth.LocalAuthDisabled,
-		SignKeyRefreshEnabled:      mgmt.Auth.SignKeyRefreshEnabled,
-		MfaSessionMaxLifetime:      mgmt.Auth.MfaSessionMaxLifetime,
-		MfaSessionIdleTimeout:      mgmt.Auth.MfaSessionIdleTimeout,
-		MfaSessionRememberMe:       mgmt.Auth.MfaSessionRememberMe,
-		SessionCookieEncryptionKey: mgmt.Auth.SessionCookieEncryptionKey,
+		Enabled:               true,
+		Issuer:                mgmt.Auth.Issuer,
+		LocalAuthDisabled:     mgmt.Auth.LocalAuthDisabled,
+		SignKeyRefreshEnabled: mgmt.Auth.SignKeyRefreshEnabled,
 		Storage: idp.EmbeddedStorageConfig{
 			Type: authStorageType,
 			Config: idp.EmbeddedStorageTypeConfig{
@@ -601,9 +592,8 @@ func (c *CombinedConfig) buildEmbeddedIdPConfig(mgmt ManagementConfig) (*idp.Emb
 				DSN:  authStorageDSN,
 			},
 		},
-		DashboardRedirectURIs:           mgmt.Auth.DashboardRedirectURIs,
-		CLIRedirectURIs:                 mgmt.Auth.CLIRedirectURIs,
-		DashboardPostLogoutRedirectURIs: mgmt.Auth.DashboardPostLogoutRedirectURIs,
+		DashboardRedirectURIs: mgmt.Auth.DashboardRedirectURIs,
+		CLIRedirectURIs:       mgmt.Auth.CLIRedirectURIs,
 	}

 	if mgmt.Auth.Owner != nil && mgmt.Auth.Owner.Email != "" {
--- a/combined/config.yaml.example
+++ b/combined/config.yaml.example
@@ -86,13 +86,6 @@ server:
    issuer: "https://example.com/oauth2"
    localAuthDisabled: false
    signKeyRefreshEnabled: false
-    # MFA session settings (applies when TOTP is enabled for an account)
-    # mfaSessionMaxLifetime: "24h"  # Max duration for an MFA session from creation
-    # mfaSessionIdleTimeout: "1h"   # MFA session expires after this idle period
-    # mfaSessionRememberMe: false   # Pre-check "remember me" on login so the MFA session persists across tabs/restarts
-    # Optional AES key for encrypting embedded IdP session cookies. Can also be set via NB_IDP_SESSION_COOKIE_ENCRYPTION_KEY.
-    # Must be 16/24/32 raw bytes or base64-encoded to one of those lengths (for example: openssl rand -hex 16).
-    # sessionCookieEncryptionKey: ""
    # OAuth2 redirect URIs for dashboard
    dashboardRedirectURIs:
      - "https://app.example.com/nb-auth"
@@ -100,9 +93,6 @@ server:
    # OAuth2 redirect URIs for CLI
    cliRedirectURIs:
      - "http://localhost:53000/"
-    # OAuth2 post-logout redirect URIs for dashboard (RP-initiated logout)
-    # dashboardPostLogoutRedirectURIs:
-    #   - "https://app.example.com/"
    # Optional initial admin user
    # owner:
    #   email: "admin@example.com"
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/onsi/gomega v1.27.6
 	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.9.4
-	github.com/spf13/cobra v1.10.2
+	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.9
 	github.com/vishvananda/netlink v1.3.1
 	golang.org/x/crypto v0.50.0
@@ -41,11 +41,11 @@ require (
 	github.com/cilium/ebpf v0.15.0
 	github.com/coder/websocket v1.8.14
 	github.com/coreos/go-iptables v0.7.0
-	github.com/coreos/go-oidc/v3 v3.18.0
+	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/creack/pty v1.1.24
 	github.com/crowdsecurity/crowdsec v1.7.7
 	github.com/crowdsecurity/go-cs-bouncer v0.0.21
-	github.com/dexidp/dex v2.13.0+incompatible
+	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
 	github.com/dexidp/dex/api/v2 v2.4.0
 	github.com/ebitengine/purego v0.8.4
 	github.com/eko/gocache/lib/v4 v4.2.0
@@ -53,9 +53,9 @@ require (
 	github.com/eko/gocache/store/redis/v4 v4.2.2
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gliderlabs/ssh v0.3.8
-	github.com/go-jose/go-jose/v4 v4.1.4
+	github.com/go-jose/go-jose/v4 v4.1.3
 	github.com/godbus/dbus/v5 v5.1.0
-	github.com/golang-jwt/jwt/v5 v5.3.1
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.7.0
 	github.com/google/gopacket v1.1.19
@@ -72,7 +72,7 @@ require (
 	github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81
 	github.com/mdlayher/socket v0.5.1
 	github.com/mdp/qrterminal/v3 v3.2.1
-	github.com/miekg/dns v1.1.59
+	github.com/miekg/dns v1.1.72
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
@@ -113,7 +113,7 @@ require (
 	go.opentelemetry.io/otel/exporters/prometheus v0.64.0
 	go.opentelemetry.io/otel/metric v1.43.0
 	go.opentelemetry.io/otel/sdk/metric v1.43.0
-	go.uber.org/mock v0.6.0
+	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
@@ -141,7 +141,7 @@ require (
 	filippo.io/edwards25519 v1.1.1 // indirect
 	github.com/AppsFlyer/go-sundheit v0.6.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/Azure/go-ntlmssp v0.1.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
@@ -168,7 +168,6 @@ require (
 	github.com/aws/smithy-go v1.23.0 // indirect
 	github.com/beevik/etree v1.6.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
@@ -184,7 +183,6 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fredbi/uri v1.1.1 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.1 // indirect
 	github.com/fyne-io/gl-js v0.2.0 // indirect
 	github.com/fyne-io/glfw-js v0.3.0 // indirect
 	github.com/fyne-io/image v0.1.1 // indirect
@@ -192,7 +190,7 @@ require (
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 // indirect
 	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a // indirect
-	github.com/go-ldap/ldap/v3 v3.4.13 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.12 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -208,15 +206,11 @@ require (
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/go-text/render v0.2.0 // indirect
 	github.com/go-text/typesetting v0.2.1 // indirect
-	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
-	github.com/go-webauthn/webauthn v0.16.4 // indirect
-	github.com/go-webauthn/x v0.2.3 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/go-tpm v0.9.8 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
 	github.com/googleapis/gax-go/v2 v2.21.0 // indirect
@@ -224,13 +218,7 @@ require (
 	github.com/hack-pad/go-indexeddb v0.3.2 // indirect
 	github.com/hack-pad/safejs v0.1.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
-	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
-	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/huin/goupnp v1.2.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -250,13 +238,13 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/koron/go-ssdp v0.0.4 // indirect
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/lib/pq v1.12.3 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
 	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
-	github.com/mattn/go-sqlite3 v1.14.42 // indirect
+	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mdelapenya/tlscert v0.2.0 // indirect
 	github.com/mdlayher/genetlink v1.3.2 // indirect
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
@@ -277,10 +265,8 @@ require (
 	github.com/nxadm/tail v1.4.11 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
-	github.com/openbao/openbao/api/v2 v2.5.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pion/dtls/v2 v2.2.10 // indirect
 	github.com/pion/dtls/v3 v3.0.9 // indirect
 	github.com/pion/mdns/v2 v2.0.7 // indirect
@@ -289,13 +275,11 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/pquerna/otp v1.5.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.67.5 // indirect
 	github.com/prometheus/otlptranslator v1.0.0 // indirect
 	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/russellhaering/goxmldsig v1.6.0 // indirect
-	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/rymdport/portal v0.4.2 // indirect
 	github.com/shirou/gopsutil/v4 v4.25.8 // indirect
 	github.com/shoenig/go-m1cpu v0.2.1 // indirect
@@ -304,13 +288,11 @@ require (
 	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
 	github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/tinylib/msgp v1.6.3 // indirect
 	github.com/tklauser/go-sysconf v0.3.15 // indirect
 	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/wlynxg/anet v0.0.5 // indirect
-	github.com/x448/float16 v0.8.4 // indirect
 	github.com/yuin/goldmark v1.7.8 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.mongodb.org/mongo-driver v1.17.9 // indirect
@@ -337,12 +319,10 @@ replace github.com/getlantern/systray => github.com/netbirdio/systray v0.0.0-202

 replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0

-replace github.com/cloudflare/circl => codeberg.org/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6
+replace github.com/cloudflare/circl => github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6

 replace github.com/pion/ice/v4 => github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51

-replace github.com/dexidp/dex => github.com/netbirdio/dex v0.244.1-0.20260415145816-a0c6b40ff9f2
-
-replace github.com/dexidp/dex/api/v2 => github.com/netbirdio/dex/api/v2 v2.0.0-20260415145816-a0c6b40ff9f2
+replace github.com/dexidp/dex => github.com/netbirdio/dex v0.244.0

 replace github.com/mailru/easyjson => github.com/netbirdio/easyjson v0.9.0
--- a/go.sum
+++ b/go.sum
@@ -5,8 +5,6 @@ cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3R
 cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
-codeberg.org/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6 h1:b8xUw3004wk+3ipBhu0VU4RtUJsegMIiqjxSK4++lzA=
-codeberg.org/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
 cunicu.li/go-rosenpass v0.4.0 h1:LtPtBgFWY/9emfgC4glKLEqS0MJTylzV6+ChRhiZERw=
 cunicu.li/go-rosenpass v0.4.0/go.mod h1:MPbjH9nxV4l3vEagKVdFNwHOketqgS5/To1VYJplf/M=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
@@ -25,8 +23,8 @@ github.com/AppsFlyer/go-sundheit v0.6.0 h1:d2hBvCjBSb2lUsEWGfPigr4MCOt04sxB+Rppl
 github.com/AppsFlyer/go-sundheit v0.6.0/go.mod h1:LDdBHD6tQBtmHsdW+i1GwdTt6Wqc0qazf5ZEJVTbTME=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=
-github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
@@ -93,8 +91,6 @@ github.com/beevik/etree v1.6.0/go.mod h1:bh4zJxiIr62SOf9pRzN7UUYaEDa9HEKafK25+sL
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
-github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
-github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
@@ -121,8 +117,8 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
 github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
-github.com/coreos/go-oidc/v3 v3.18.0 h1:V9orjXynvu5wiC9SemFTWnG4F45v403aIcjWo0d41+A=
-github.com/coreos/go-oidc/v3 v3.18.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
+github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
+github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
 github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
@@ -134,10 +130,14 @@ github.com/crowdsecurity/go-cs-bouncer v0.0.21 h1:arPz0VtdVSaz+auOSfHythzkZVLyy1
 github.com/crowdsecurity/go-cs-bouncer v0.0.21/go.mod h1:4JiH0XXA4KKnnWThItUpe5+heJHWzsLOSA2IWJqUDBA=
 github.com/crowdsecurity/go-cs-lib v0.0.25 h1:Ov6VPW9yV+OPsbAIQk1iTkEWhwkpaG0v3lrBzeqjzj4=
 github.com/crowdsecurity/go-cs-lib v0.0.25/go.mod h1:X0GMJY2CxdA1S09SpuqIKaWQsvRGxXmecUp9cP599dE=
+github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6 h1:/DS5cDX3FJdl+XaN2D7XAwFpuanTxnp52DBLZAaJKx0=
+github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dexidp/dex/api/v2 v2.4.0 h1:gNba7n6BKVp8X4Jp24cxYn5rIIGhM6kDOXcZoL6tr9A=
+github.com/dexidp/dex/api/v2 v2.4.0/go.mod h1:/p550ADvFFh7K95VmhUD+jgm15VdaNnab9td8DHOpyI=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
@@ -156,8 +156,6 @@ github.com/eko/gocache/store/go_cache/v4 v4.2.2 h1:tAI9nl6TLoJyKG1ujF0CS0n/IgTEM
 github.com/eko/gocache/store/go_cache/v4 v4.2.2/go.mod h1:T9zkHokzr8K9EiC7RfMbDg6HSwaV6rv3UdcNu13SGcA=
 github.com/eko/gocache/store/redis/v4 v4.2.2 h1:Thw31fzGuH3WzJywsdbMivOmP550D6JS7GDHhvCJPA0=
 github.com/eko/gocache/store/redis/v4 v4.2.2/go.mod h1:LaTxLKx9TG/YUEybQvPMij++D7PBTIJ4+pzvk0ykz0w=
-github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
-github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
 github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -173,8 +171,6 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ=
-github.com/fxamacker/cbor/v2 v2.9.1/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/fyne-io/gl-js v0.2.0 h1:+EXMLVEa18EfkXBVKhifYB6OGs3HwKO3lUElA0LlAjs=
 github.com/fyne-io/gl-js v0.2.0/go.mod h1:ZcepK8vmOYLu96JoxbCKJy2ybr+g1pTnaBDdl7c3ajI=
 github.com/fyne-io/glfw-js v0.3.0 h1:d8k2+Y7l+zy2pc7wlGRyPfTgZoqDf3AI4G+2zOWhWUk=
@@ -193,10 +189,10 @@ github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 h1:5BVwOaUSBTlVZowGO6VZGw
 github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71/go.mod h1:9YTyiznxEY1fVinfM7RvRcjRHbw2xLBJ3AAGIT0I4Nw=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a h1:vxnBhFDDT+xzxf1jTJKMKZw3H0swfWk9RpWbBbDK5+0=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
-github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
-github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
-github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -233,20 +229,12 @@ github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI6
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
-github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
-github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/go-text/render v0.2.0 h1:LBYoTmp5jYiJ4NPqDc2pz17MLmA3wHw1dZSVGcOdeAc=
 github.com/go-text/render v0.2.0/go.mod h1:CkiqfukRGKJA5vZZISkjSYrcdtgKQWRa2HIzvwNN5SU=
 github.com/go-text/typesetting v0.2.1 h1:x0jMOGyO3d1qFAPI0j4GSsh7M0Q3Ypjzr4+CEVg82V8=
 github.com/go-text/typesetting v0.2.1/go.mod h1:mTOxEwasOFpAMBjEQDhdWRckoLLeI/+qrQeBCTGEt6M=
 github.com/go-text/typesetting-utils v0.0.0-20241103174707-87a29e9e6066 h1:qCuYC+94v2xrb1PoS4NIDe7DGYtLnU2wWiQe9a1B1c0=
 github.com/go-text/typesetting-utils v0.0.0-20241103174707-87a29e9e6066/go.mod h1:DDxDdQEnB70R8owOx3LVpEFvpMK9eeH1o2r0yZhFI9o=
-github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
-github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/go-webauthn/webauthn v0.16.4 h1:R9jqR/cYZa7hRquFF7Za/8qoH/K/TIs1/Q/4CyGN+1Q=
-github.com/go-webauthn/webauthn v0.16.4/go.mod h1:SU2ljAgToTV/YLPI0C05QS4qn+e04WpB5g1RMfcZfS4=
-github.com/go-webauthn/x v0.2.3 h1:8oArS+Rc1SWFLXhE17KZNx258Z4kUSyaDgsSncCO5RA=
-github.com/go-webauthn/x v0.2.3/go.mod h1:tM04GF3V6VYq79AZMl7vbj4q6pz9r7L2criWRzbWhPk=
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
 github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
@@ -255,8 +243,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
-github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -288,10 +276,6 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
-github.com/google/go-tpm v0.9.8 h1:slArAR9Ft+1ybZu0lBwpSmpwhRXaa85hWtMinMyRAWo=
-github.com/google/go-tpm v0.9.8/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
-github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba h1:qJEJcuLzH5KDR0gKc0zcktin6KSAwL7+jWKBYceddTc=
-github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
@@ -324,29 +308,15 @@ github.com/hack-pad/safejs v0.1.0/go.mod h1:HdS+bKF1NrE72VoXZeWzxFOVQVUSqZJAG0xN
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
-github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
-github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=
-github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 h1:U+kC2dOhMFQctRfhK0gRctKAPTloZdMU5ZJxaesJ/VM=
-github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
-github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
-github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9dbT+Fw=
-github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
-github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
@@ -417,8 +387,8 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw=
-github.com/lib/pq v1.12.3 h1:tTWxr2YLKwIvK90ZXEw8GP7UFHtcbTtty8zsI+YjrfQ=
-github.com/lib/pq v1.12.3/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
 github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/libdns/route53 v1.5.0 h1:2SKdpPFl/qgWsXQvsLNJJAoX7rSxlk7zgoL4jnWdXVA=
@@ -436,13 +406,9 @@ github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8S
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
-github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
-github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.42 h1:MigqEP4ZmHw3aIdIT7T+9TLa90Z6smwcthx+Azv4Cgo=
-github.com/mattn/go-sqlite3 v1.14.42/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
+github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
+github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mdelapenya/tlscert v0.2.0 h1:7H81W6Z/4weDvZBNOfQte5GpIMo0lGYEeWbkGp5LJHI=
 github.com/mdelapenya/tlscert v0.2.0/go.mod h1:O4njj3ELLnJjGdkN7M/vIVCpZ+Cf0L6muqOG4tLSl8o=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
@@ -455,8 +421,8 @@ github.com/mdp/qrterminal/v3 v3.2.1 h1:6+yQjiiOsSuXT5n9/m60E54vdgFsw0zhADHhHLrFe
 github.com/mdp/qrterminal/v3 v3.2.1/go.mod h1:jOTmXvnBsMy5xqLniO0R++Jmjs2sTm9dFSuQ5kpz/SU=
 github.com/mholt/acmez/v2 v2.0.1 h1:3/3N0u1pLjMK4sNEAFSI+bcvzbPhRpY383sy1kLHJ6k=
 github.com/mholt/acmez/v2 v2.0.1/go.mod h1:fX4c9r5jYwMyMsC+7tkYRxHibkOTgta5DIFGoe67e1U=
-github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
-github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
@@ -485,10 +451,8 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/netbirdio/dex v0.244.1-0.20260415145816-a0c6b40ff9f2 h1:AP7OM/JnTogod3rVcLsMuilSG94kWQCr3z6R4rfVXnc=
-github.com/netbirdio/dex v0.244.1-0.20260415145816-a0c6b40ff9f2/go.mod h1:+trSlzHNmdJGvz0oLEyyiuaPstUeD7YO6B3Fx9nyziY=
-github.com/netbirdio/dex/api/v2 v2.0.0-20260415145816-a0c6b40ff9f2 h1:HEEGJPsVw7/p7SEL3HWP4vaInxHo8OJSEaOkHpUAk+M=
-github.com/netbirdio/dex/api/v2 v2.0.0-20260415145816-a0c6b40ff9f2/go.mod h1:awuTyT29CYALpEyET0S307EgNlPWrc7fFKRAyhsO45M=
+github.com/netbirdio/dex v0.244.0 h1:1GOvi8wnXYassnKGildzNqRHq0RbcfEUw7LKYpKIN7U=
+github.com/netbirdio/dex v0.244.0/go.mod h1:STGInJhPcAflrHmDO7vyit2kSq03PdL+8zQPoGALtcU=
 github.com/netbirdio/easyjson v0.9.0 h1:6Nw2lghSVuy8RSkAYDhDv1thBVEmfVbKZnV7T7Z6Aus=
 github.com/netbirdio/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
@@ -525,8 +489,6 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
 github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
-github.com/openbao/openbao/api/v2 v2.5.1 h1:Br79D6L20SbAa5P7xqENxmvv8LyI4HoKosPy7klhn4o=
-github.com/openbao/openbao/api/v2 v2.5.1/go.mod h1:Dh5un77tqGgMbmlVEqjqN+8/dMyUohnkaQVg/wXW0Ig=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -539,8 +501,6 @@ github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203 h1:E7Kmf11E4K7B5hDti2K2NqPb1nlYlGYsu02S1JNd/Bs=
 github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
-github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
-github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s=
 github.com/pion/dtls/v2 v2.2.10 h1:u2Axk+FyIR1VFTPurktB+1zoEPGIW3bmyj3LEFrXjAA=
 github.com/pion/dtls/v2 v2.2.10/go.mod h1:d9SYc9fch0CqK90mRk1dC7AkzzpwJj6u2GU3u+9pqFE=
@@ -582,8 +542,6 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
-github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
@@ -607,8 +565,6 @@ github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/russellhaering/goxmldsig v1.6.0 h1:8fdWXEPh2k/NZNQBPFNoVfS3JmzS4ZprY/sAOpKQLks=
 github.com/russellhaering/goxmldsig v1.6.0/go.mod h1:TrnaquDcYxWXfJrOjeMBTX4mLBeYAqaHEyUeWPxZlBM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
-github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/rymdport/portal v0.4.2 h1:7jKRSemwlTyVHHrTGgQg7gmNPJs88xkbKcIL3NlcmSU=
 github.com/rymdport/portal v0.4.2/go.mod h1:kFF4jslnJ8pD5uCi17brj/ODlfIidOxlgUDTO5ncnC4=
 github.com/shirou/gopsutil/v3 v3.24.4 h1:dEHgzZXt4LMNm+oYELpzl9YCqV65Yr/6SfrvgRBtXeU=
@@ -631,8 +587,8 @@ github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8 h1:TG/diQgUe0pntT/2D
 github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8/go.mod h1:P5HUIBuIWKbyjl083/loAegFkfbFNx5i2qEP4CNbm7E=
 github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
 github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
-github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
 github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
@@ -672,8 +628,6 @@ github.com/ti-mo/conntrack v0.5.1 h1:opEwkFICnDbQc0BUXl73PHBK0h23jEIFVjXsqvF4GY0
 github.com/ti-mo/conntrack v0.5.1/go.mod h1:T6NCbkMdVU4qEIgwL0njA6lw/iCAbzchlnwm1Sa314o=
 github.com/ti-mo/netfilter v0.5.2 h1:CTjOwFuNNeZ9QPdRXt1MZFLFUf84cKtiQutNauHWd40=
 github.com/ti-mo/netfilter v0.5.2/go.mod h1:Btx3AtFiOVdHReTDmP9AE+hlkOcvIy403u7BXXbWZKo=
-github.com/tinylib/msgp v1.6.3 h1:bCSxiTz386UTgyT1i0MSCvdbWjVW+8sG3PjkGsZQt4s=
-github.com/tinylib/msgp v1.6.3/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
 github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
 github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
@@ -692,8 +646,6 @@ github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAh
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
 github.com/wlynxg/anet v0.0.5 h1:J3VJGi1gvo0JwZ/P1/Yc/8p63SoW98B5dHkYDmpgvvU=
 github.com/wlynxg/anet v0.0.5/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA=
-github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
-github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
@@ -738,15 +690,14 @@ go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lI
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
-go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
-go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 goauthentik.io/api/v3 v3.2023051.3 h1:NebAhD/TeTWNo/9X3/Uj+rM5fG1HaiLOlKTNLQv9Qq4=
 goauthentik.io/api/v3 v3.2023051.3/go.mod h1:nYECml4jGbp/541hj8GcylKQG1gVBsKppHy4+7G8u4U=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
--- a/idp/dex/config.go
+++ b/idp/dex/config.go
@@ -51,70 +51,6 @@ type YAMLConfig struct {
 	// StaticPasswords cause the server use this list of passwords rather than
 	// querying the storage.
 	StaticPasswords []Password `yaml:"staticPasswords" json:"staticPasswords"`
-
-	// Sessions holds authentication session configuration.
-	// Requires DEX_SESSIONS_ENABLED=true feature flag.
-	Sessions *Sessions `yaml:"sessions" json:"sessions"`
-
-	// MFA holds multi-factor authentication configuration.
-	MFA MFAConfig `yaml:"mfa" json:"mfa"`
-}
-
-type Sessions struct {
-	// CookieName is the name of the session cookie. Defaults to "dex_session".
-	CookieName string `yaml:"cookieName" json:"cookieName"`
-	// AbsoluteLifetime is the maximum session lifetime from creation. Defaults to "24h".
-	AbsoluteLifetime string `yaml:"absoluteLifetime" json:"absoluteLifetime"`
-	// ValidIfNotUsedFor is the idle timeout. Defaults to "1h".
-	ValidIfNotUsedFor string `yaml:"validIfNotUsedFor" json:"validIfNotUsedFor"`
-	// RememberMeCheckedByDefault controls the default state of the "remember me" checkbox.
-	RememberMeCheckedByDefault *bool `yaml:"rememberMeCheckedByDefault" json:"rememberMeCheckedByDefault"`
-	// CookieEncryptionKey is the AES key for encrypting session cookies.
-	// Must be 16, 24, or 32 bytes for AES-128, AES-192, or AES-256.
-	// If empty, cookies are not encrypted.
-	CookieEncryptionKey string `yaml:"cookieEncryptionKey" json:"cookieEncryptionKey"`
-	// SSOSharedWithDefault is the default SSO sharing policy for clients without explicit ssoSharedWith.
-	// "all" = share with all clients, "none" = share with no one (default: "none").
-	SSOSharedWithDefault string `yaml:"ssoSharedWithDefault" json:"ssoSharedWithDefault"`
-}
-
-type MFAConfig struct {
-	Authenticators []MFAAuthenticator `yaml:"authenticators" json:"authenticators"`
-}
-
-type MFAAuthenticator struct {
-	ID     string                 `yaml:"id" json:"id"`
-	Type   string                 `yaml:"type" json:"type"`
-	Config map[string]interface{} `yaml:"config" json:"config"`
-
-	ConnectorTypes []string `yaml:"connectorTypes" json:"connectorTypes"`
-}
-
-type TOTPConfig struct {
-	Issuer string `yaml:"issuer" json:"issuer"`
-}
-
-// WebAuthnConfig holds configuration for a WebAuthn authenticator.
-type WebAuthnConfig struct {
-	// RPDisplayName is the human-readable relying party name shown in the browser
-	// dialog during key registration and authentication (e.g., "My Company SSO").
-	RPDisplayName string `yaml:"rpDisplayName" json:"rpDisplayName"`
-	// RPID is the relying party identifier — must match the domain in the browser
-	// address bar. If empty, derived from the issuer URL hostname.
-	// Example: "auth.example.com"
-	RPID string `yaml:"rpID" json:"rpID"`
-	// RPOrigins is the list of allowed origins for WebAuthn ceremonies.
-	// If empty, derived from the issuer URL (scheme + host).
-	// Example: ["https://auth.example.com"]
-	RPOrigins []string `yaml:"rpOrigins" json:"rpOrigins"`
-	// AttestationPreference controls what attestation data the authenticator should provide:
-	//   "none"     — don't request attestation (simpler, more private)
-	//   "indirect" — authenticator may anonymize attestation (default)
-	//   "direct"   — request full attestation (for enterprise key model verification)
-	AttestationPreference string `yaml:"attestationPreference" json:"attestationPreference"`
-	// Timeout is the duration allowed for the browser WebAuthn ceremony
-	// (registration or login). Defaults to "60s".
-	Timeout string `yaml:"timeout" json:"timeout"`
 }

 // Web is the config format for the HTTP server.
@@ -180,6 +116,7 @@ type Storage struct {
 	Config map[string]interface{} `yaml:"config" json:"config"`
 }

+// Password represents a static user configuration
 type Password storage.Password

 func (p *Password) UnmarshalYAML(node *yaml.Node) error {
@@ -492,98 +429,9 @@ func (c *YAMLConfig) Validate() error {
 	if !c.EnablePasswordDB && len(c.StaticPasswords) != 0 {
 		return fmt.Errorf("cannot specify static passwords without enabling password db")
 	}
-
 	return nil
 }

-func buildTotpConfig(auth MFAAuthenticator) (*server.TOTPProvider, error) {
-	data, err := json.Marshal(auth.Config)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal TOTP config id: %s - %w", auth.ID, err)
-	}
-
-	var cfg TOTPConfig
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return nil, fmt.Errorf("failed to parse TOTP config id: %s - %w", auth.ID, err)
-	}
-
-	return server.NewTOTPProvider(cfg.Issuer, auth.ConnectorTypes), nil
-}
-
-func buildWebAuthnConfig(auth MFAAuthenticator, issuerURL string) (*server.WebAuthnProvider, error) {
-	data, err := json.Marshal(auth.Config)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal WebAuthn config id: %s - %w", auth.ID, err)
-	}
-
-	var cfg WebAuthnConfig
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return nil, fmt.Errorf("failed to parse WebAuthn config id: %s - %w", auth.ID, err)
-	}
-
-	provider, err := server.NewWebAuthnProvider(cfg.RPDisplayName, cfg.RPID, cfg.RPOrigins,
-		cfg.AttestationPreference, cfg.Timeout, issuerURL, auth.ConnectorTypes)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create WebAuthn provider id: %s - err: %w", auth.ID, err)
-	}
-
-	return provider, nil
-}
-
-func buildMFAProviders(authenticators []MFAAuthenticator, issuerURL string, logger *slog.Logger) map[string]server.MFAProvider {
-	if len(authenticators) == 0 {
-		return nil
-	}
-
-	providers := make(map[string]server.MFAProvider, len(authenticators))
-	for _, auth := range authenticators {
-		switch auth.Type {
-		case "TOTP":
-			provider, err := buildTotpConfig(auth)
-			if err != nil {
-				logger.Error("failed to parse TOTP config", "id", auth.ID, "err", err)
-				continue
-			}
-			providers[auth.ID] = provider
-			logger.Info("MFA authenticator configured", "id", auth.ID, "type", auth.Type)
-		case "WebAuthn":
-			provider, err := buildWebAuthnConfig(auth, issuerURL)
-			if err != nil {
-				logger.Error("failed to parse WebAuthn config", "id", auth.ID, "err", err)
-				continue
-			}
-			providers[auth.ID] = provider
-			logger.Info("MFA authenticator configured", "id", auth.ID, "type", auth.Type)
-		default:
-			logger.Error("unknown MFA authenticator type, skipping", "id", auth.ID, "type", auth.Type)
-		}
-	}
-	return providers
-}
-
-func buildSessionsConfig(sessions *Sessions) *server.SessionConfig {
-	if sessions == nil {
-		return nil
-	}
-
-	if sessions.RememberMeCheckedByDefault == nil {
-		defaultRememberMeCheckedByDefault := false
-		sessions.RememberMeCheckedByDefault = &defaultRememberMeCheckedByDefault
-	}
-
-	absoluteLifetime, _ := parseDuration(sessions.AbsoluteLifetime)
-	validIfNotUsedFor, _ := parseDuration(sessions.ValidIfNotUsedFor)
-
-	return &server.SessionConfig{
-		CookieEncryptionKey:        []byte(sessions.CookieEncryptionKey),
-		CookieName:                 sessions.CookieName,
-		AbsoluteLifetime:           absoluteLifetime,
-		ValidIfNotUsedFor:          validIfNotUsedFor,
-		RememberMeCheckedByDefault: *sessions.RememberMeCheckedByDefault,
-		SSOSharedWithDefault:       sessions.SSOSharedWithDefault,
-	}
-}
-
 // ToServerConfig converts YAMLConfig to dex server.Config
 func (c *YAMLConfig) ToServerConfig(stor storage.Storage, logger *slog.Logger) server.Config {
 	cfg := server.Config{
@@ -600,8 +448,6 @@ func (c *YAMLConfig) ToServerConfig(stor storage.Storage, logger *slog.Logger) s
 			Dir:     c.Frontend.Dir,
 			Extra:   c.Frontend.Extra,
 		},
-		SessionConfig: buildSessionsConfig(c.Sessions),
-		MFAProviders:  buildMFAProviders(c.MFA.Authenticators, c.Issuer, logger),
 	}

 	// Use embedded NetBird-styled templates if no custom dir specified
@@ -614,6 +460,11 @@ func (c *YAMLConfig) ToServerConfig(stor storage.Storage, logger *slog.Logger) s
 	}

 	// Apply expiry settings
+	if c.Expiry.SigningKeys != "" {
+		if d, err := parseDuration(c.Expiry.SigningKeys); err == nil {
+			cfg.RotateKeysAfter = d
+		}
+	}
 	if c.Expiry.IDTokens != "" {
 		if d, err := parseDuration(c.Expiry.IDTokens); err == nil {
 			cfg.IDTokensValidFor = d
--- a/idp/dex/provider.go
+++ b/idp/dex/provider.go
@@ -18,7 +18,6 @@ import (

 	dexapi "github.com/dexidp/dex/api/v2"
 	"github.com/dexidp/dex/server"
-	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/sql"
 	jose "github.com/go-jose/go-jose/v4"
@@ -71,7 +70,7 @@ func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
 	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))

 	// Ensure data directory exists
-	if err := os.MkdirAll(config.DataDir, 0o700); err != nil {
+	if err := os.MkdirAll(config.DataDir, 0700); err != nil {
 		return nil, fmt.Errorf("failed to create data directory: %w", err)
 	}

@@ -102,15 +101,6 @@ func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
 		return nil, fmt.Errorf("failed to create refresh token policy: %w", err)
 	}

-	localSignerConfig := signer.LocalConfig{
-		KeysRotationPeriod: "6h",
-	}
-
-	localSigner, err := localSignerConfig.Open(ctx, stor, 24*time.Hour, time.Now, logger)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create local signer: %w", err)
-	}
-
 	// Build Dex server config - use Dex's types directly
 	dexConfig := server.Config{
 		Issuer:                     issuer,
@@ -120,12 +110,12 @@ func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
 		ContinueOnConnectorFailure: true,
 		Logger:                     logger,
 		PrometheusRegistry:         prometheus.NewRegistry(),
+		RotateKeysAfter:            6 * time.Hour,
 		IDTokensValidFor:           24 * time.Hour,
 		RefreshTokenPolicy:         refreshPolicy,
 		Web: server.WebConfig{
 			Issuer: "NetBird",
 		},
-		Signer: localSigner,
 	}

 	dexSrv, err := server.NewServer(ctx, dexConfig)
@@ -177,14 +167,6 @@ func NewProviderFromYAML(ctx context.Context, yamlConfig *YAMLConfig) (*Provider
 		return nil, fmt.Errorf("failed to create refresh token policy: %w", err)
 	}

-	localSigner, err := getSigner(ctx, stor, yamlConfig, logger)
-	if err != nil {
-		stor.Close()
-		return nil, fmt.Errorf("failed to create local signer: %w", err)
-	}
-
-	dexConfig.Signer = localSigner
-
 	dexSrv, err := server.NewServer(ctx, dexConfig)
 	if err != nil {
 		stor.Close()
@@ -200,32 +182,6 @@ func NewProviderFromYAML(ctx context.Context, yamlConfig *YAMLConfig) (*Provider
 	}, nil
 }

-func getSigner(ctx context.Context, stor storage.Storage, yamlConfig *YAMLConfig, logger *slog.Logger) (signer.Signer, error) {
-	// Parse expiry durations
-	idTokensValidFor := 24 * time.Hour // default
-	if yamlConfig.Expiry.IDTokens != "" {
-		var err error
-		idTokensValidFor, err = parseDuration(yamlConfig.Expiry.IDTokens)
-		if err != nil {
-			return nil, fmt.Errorf("invalid config value %q for id token expiry: %v", yamlConfig.Expiry.IDTokens, err)
-		}
-	}
-
-	localSignerConfig := &signer.LocalConfig{
-		KeysRotationPeriod: "720h", // 30 Days
-	}
-
-	if yamlConfig.Expiry.SigningKeys != "" {
-		if _, err := parseDuration(yamlConfig.Expiry.SigningKeys); err != nil {
-			return nil, fmt.Errorf("invalid config value %q for signing key expiry: %v", yamlConfig.Expiry.SigningKeys, err)
-		}
-
-		localSignerConfig.KeysRotationPeriod = yamlConfig.Expiry.SigningKeys
-	}
-
-	return localSignerConfig.Open(ctx, stor, idTokensValidFor, time.Now, logger)
-}
-
 // initializeStorage sets up connectors, passwords, and clients in storage
 func initializeStorage(ctx context.Context, stor storage.Storage, cfg *YAMLConfig) error {
 	if cfg.EnablePasswordDB {
@@ -285,8 +241,6 @@ func ensureStaticClients(ctx context.Context, stor storage.Storage, clients []st
 			old.RedirectURIs = client.RedirectURIs
 			old.Name = client.Name
 			old.Public = client.Public
-			old.PostLogoutRedirectURIs = client.PostLogoutRedirectURIs
-			old.MFAChain = client.MFAChain
 			return old, nil
 		}); err != nil {
 			return fmt.Errorf("failed to update client %s: %w", client.ID, err)
@@ -299,6 +253,9 @@ func ensureStaticClients(ctx context.Context, stor storage.Storage, clients []st
 func buildDexConfig(yamlConfig *YAMLConfig, stor storage.Storage, logger *slog.Logger) server.Config {
 	cfg := yamlConfig.ToServerConfig(stor, logger)
 	cfg.PrometheusRegistry = prometheus.NewRegistry()
+	if cfg.RotateKeysAfter == 0 {
+		cfg.RotateKeysAfter = 24 * 30 * time.Hour
+	}
 	if cfg.IDTokensValidFor == 0 {
 		cfg.IDTokensValidFor = 24 * time.Hour
 	}
@@ -493,34 +450,10 @@ func (p *Provider) Storage() storage.Storage {
 	return p.storage
 }

-// SetClientsMFAChain updates the MFAChain field on the dashboard and CLI OAuth2 clients.
-// Pass a non-empty slice (e.g. []string{"default-totp"}) to enable MFA, or nil to disable it.
-func (p *Provider) SetClientsMFAChain(ctx context.Context, clientIDs []string, mfaChain []string) error {
-	for _, clientID := range clientIDs {
-		if err := p.storage.UpdateClient(ctx, clientID, func(old storage.Client) (storage.Client, error) {
-			old.MFAChain = mfaChain
-			return old, nil
-		}); err != nil {
-			return fmt.Errorf("failed to update MFA chain on client %s: %w", clientID, err)
-		}
-	}
-	return nil
-}
-
 // Handler returns the Dex server as an http.Handler for embedding in another server.
 // The handler expects requests with path prefix "/oauth2/".
 func (p *Provider) Handler() http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Dex's /logout endpoint requires id_token_hint for RP-initiated logout with
-		// post_logout_redirect_uri. If the dashboard calls logout without one, avoid
-		// rendering Dex's non-actionable Bad Request page and send the user home.
-		if strings.HasSuffix(r.URL.Path, "/logout") && r.FormValue("id_token_hint") == "" {
-			http.Redirect(w, r, "/", http.StatusSeeOther)
-			return
-		}
-
-		p.dexServer.ServeHTTP(w, r)
-	})
+	return p.dexServer
 }

 // CreateUser creates a new user with the given email, username, and password.
--- a/idp/dex/provider_test.go
+++ b/idp/dex/provider_test.go
@@ -4,8 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"log/slog"
-	"net/http"
-	"net/http/httptest"
 	"os"
 	"path/filepath"
 	"testing"
@@ -146,30 +144,6 @@ func TestEncodeDexUserID_MatchesDexFormat(t *testing.T) {
 	assert.Equal(t, knownEncodedID, reEncoded)
 }

-func TestHandlerRedirectsLogoutWithoutIDTokenHint(t *testing.T) {
-	ctx := context.Background()
-
-	tmpDir, err := os.MkdirTemp("", "dex-logout-handler-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	provider, err := NewProvider(ctx, &Config{
-		Issuer:  "http://localhost:5556/oauth2",
-		Port:    5556,
-		DataDir: tmpDir,
-	})
-	require.NoError(t, err)
-	defer func() { _ = provider.Stop(ctx) }()
-
-	req := httptest.NewRequest(http.MethodGet, "/oauth2/logout?post_logout_redirect_uri=https://example.com", nil)
-	rec := httptest.NewRecorder()
-
-	provider.Handler().ServeHTTP(rec, req)
-
-	require.Equal(t, http.StatusSeeOther, rec.Code)
-	require.Equal(t, "/", rec.Header().Get("Location"))
-}
-
 func TestCreateUserInTempDB(t *testing.T) {
 	ctx := context.Background()

--- a/idp/dex/web/templates/home.html
+++ b/idp/dex/web/templates/home.html
@@ -1,12 +0,0 @@
-{{ template "header.html" . }}
-
-<script>globalThis.location.replace("/");</script>
-<noscript>
-    <div class="nb-card">
-        <h1 class="nb-heading">Redirecting…</h1>
-        <p class="nb-subheading">You are being redirected to the NetBird dashboard.</p>
-        <a href="/" class="nb-btn" style="display:block;text-align:center;text-decoration:none">Go to Dashboard</a>
-    </div>
-</noscript>
-
-{{ template "footer.html" . }}
--- a/idp/dex/web/templates/logout.html
+++ b/idp/dex/web/templates/logout.html
@@ -1,14 +0,0 @@
-{{ template "header.html" . }}
-
-<div class="nb-card">
-    <h1 class="nb-heading">Logged Out</h1>
-    <p class="nb-subheading">You have been successfully logged out.</p>
-
-    {{ if .BackURL }}
-    <div class="nb-back-link">
-        <a href="{{ .BackURL }}" class="nb-link">&larr; Back to Application</a>
-    </div>
-    {{ end }}
-</div>
-
-{{ template "footer.html" . }}
--- a/idp/dex/web/templates/password.html
+++ b/idp/dex/web/templates/password.html
@@ -18,7 +18,6 @@
                id="login"
                name="login"
                class="nb-input"
-                autocomplete="username"
                placeholder="Enter your {{ .UsernamePrompt | lower }}"
                {{ if .Username }}value="{{ .Username }}"{{ else }}autofocus{{ end }}
                required
@@ -32,7 +31,6 @@
                id="password"
                name="password"
                class="nb-input"
-                autocomplete="current-password"
                placeholder="Enter your password"
                {{ if .Invalid }}autofocus{{ end }}
                required
--- a/idp/dex/web/templates/totp_verify.html
+++ b/idp/dex/web/templates/totp_verify.html
@@ -1,44 +0,0 @@
-{{ template "header.html" . }}
-
-<div class="nb-card">
-    <h1 class="nb-heading">Two-factor authentication</h1>
-    {{ if not (eq .QRCode "") }}
-    <p class="nb-subheading">Scan the QR code below using your authenticator app, then enter the code.</p>
-    <div style="text-align: center; margin: 1em 0;">
-        <img src="data:image/png;base64,{{ .QRCode }}" alt="QR code" width="200" height="200"/>
-    </div>
-    {{ else }}
-    <p class="nb-subheading">Enter the code from your authenticator app.</p>
-    {{ end }}
-
-    <form method="post" action="{{ .PostURL }}">
-        {{ if .Invalid }}
-        <div class="nb-error">
-            Invalid code. Please try again.
-        </div>
-        {{ end }}
-
-        <div class="nb-form-group">
-            <label class="nb-label" for="totp">One-time code</label>
-            <input
-                type="text"
-                id="totp"
-                name="totp"
-                class="nb-input"
-                inputmode="numeric"
-                pattern="[0-9]*"
-                maxlength="6"
-                autocomplete="one-time-code"
-                placeholder="000000"
-                autofocus
-                required
-            >
-        </div>
-
-        <button type="submit" id="submit-login" class="nb-btn">
-            Verify
-        </button>
-    </form>
-</div>
-
-{{ template "footer.html" . }}
--- a/idp/dex/web/templates/webauthn_verify.html
+++ b/idp/dex/web/templates/webauthn_verify.html
@@ -1,12 +0,0 @@
-{{ template "header.html" . }}
-
-<script>globalThis.location.replace("/");</script>
-<noscript>
-    <div class="nb-card">
-        <h1 class="nb-heading">Redirecting…</h1>
-        <p class="nb-subheading">You are being redirected to the NetBird dashboard.</p>
-        <a href="/" class="nb-btn" style="display:block;text-align:center;text-decoration:none">Go to Dashboard</a>
-    </div>
-</noscript>
-
-{{ template "footer.html" . }}
--- a/management/internals/controllers/network_map/controller/controller.go
+++ b/management/internals/controllers/network_map/controller/controller.go
@@ -221,13 +221,9 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 	return nil
 }

-func (c *Controller) bufferSendUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error {
+func (c *Controller) bufferSendUpdateAccountPeers(ctx context.Context, accountID string) error {
 	log.WithContext(ctx).Tracef("buffer sending update peers for account %s from %s", accountID, util.GetCallerName())

-	if c.accountManagerMetrics != nil {
-		c.accountManagerMetrics.CountUpdateAccountPeersTriggered(string(reason.Resource), string(reason.Operation))
-	}
-
 	bufUpd, _ := c.sendAccountUpdateLocks.LoadOrStore(accountID, &bufferUpdate{})
 	b := bufUpd.(*bufferUpdate)

@@ -574,7 +570,7 @@ func isPeerInPolicySourceGroups(account *types.Account, peerID string, policy *t
 }

 func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerIDs []string) error {
-	err := c.bufferSendUpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationUpdate})
+	err := c.bufferSendUpdateAccountPeers(ctx, accountID)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to buffer update account peers for peer update in account %s: %v", accountID, err)
 	}
@@ -584,7 +580,7 @@ func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerI

 func (c *Controller) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error {
 	log.WithContext(ctx).Debugf("OnPeersAdded call to add peers: %v", peerIDs)
-	return c.bufferSendUpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationCreate})
+	return c.bufferSendUpdateAccountPeers(ctx, accountID)
 }

 func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerIDs []string) error {
@@ -620,7 +616,7 @@ func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerI
 		c.peersUpdateManager.CloseChannel(ctx, peerID)
 	}

-	return c.bufferSendUpdateAccountPeers(ctx, accountID, types.UpdateReason{Resource: types.UpdateResourcePeer, Operation: types.UpdateOperationDelete})
+	return c.bufferSendUpdateAccountPeers(ctx, accountID)
 }

 // GetNetworkMap returns Network map for a given peer (omits original peer from the Peers result)
--- a/management/internals/server/modules.go
+++ b/management/internals/server/modules.go
@@ -26,7 +26,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/networks"
 	"github.com/netbirdio/netbird/management/server/networks/resources"
 	"github.com/netbirdio/netbird/management/server/networks/routers"
-	"github.com/netbirdio/netbird/management/server/types"

 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
@@ -114,47 +113,30 @@ func (s *BaseServer) AccountManager() account.Manager {
 	})
 }

-func isMFAEnabledForAccount(accounts []*types.Account) bool {
-	if len(accounts) != 1 {
-		return false
-	}
-
-	settings := accounts[0].Settings
-	return settings != nil && settings.LocalMfaEnabled
-}
-
 func (s *BaseServer) IdpManager() idp.Manager {
 	return Create(s, func() idp.Manager {
+		var idpManager idp.Manager
+		var err error
+
 		// Use embedded IdP service if embedded Dex is configured and enabled.
 		// Legacy IdpManager won't be used anymore even if configured.
 		embeddedEnabled := s.Config.EmbeddedIdP != nil && s.Config.EmbeddedIdP.Enabled
 		if embeddedEnabled {
-			embeddedMgr, err := idp.NewEmbeddedIdPManager(context.Background(), s.Config.EmbeddedIdP, s.Metrics())
+			idpManager, err = idp.NewEmbeddedIdPManager(context.Background(), s.Config.EmbeddedIdP, s.Metrics())
 			if err != nil {
 				log.Fatalf("failed to create embedded IDP service: %v", err)
 			}
-
-			if val := isMFAEnabledForAccount(s.Store().GetAllAccounts(context.Background())); val {
-				if err := embeddedMgr.SetMFAEnabled(context.Background(), val); err != nil {
-					log.Errorf("failed to set MFA enabled on embedded IDP: %v", err)
-				}
-			}
-
-			return embeddedMgr
+			return idpManager
 		}

 		// Fall back to external IdP service
 		if s.Config.IdpManagerConfig != nil {
-			idpManager, err := idp.NewManager(context.Background(), *s.Config.IdpManagerConfig, s.Metrics())
+			idpManager, err = idp.NewManager(context.Background(), *s.Config.IdpManagerConfig, s.Metrics())
 			if err != nil {
 				log.Fatalf("failed to create IDP service: %v", err)
 			}
-
-			return idpManager
 		}
-
-
-		return nil
+		return idpManager
 	})
 }

--- a/management/server/account.go
+++ b/management/server/account.go
@@ -386,9 +386,6 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 	if err = am.handleInactivityExpirationSettings(ctx, oldSettings, newSettings, userID, accountID); err != nil {
 		return nil, err
 	}
-	if err = am.handleLocalMfaSettings(ctx, oldSettings, newSettings, userID, accountID); err != nil {
-		return nil, err
-	}
 	if oldSettings.DNSDomain != newSettings.DNSDomain {
 		eventMeta := map[string]any{
 			"old_dns_domain": oldSettings.DNSDomain,
@@ -605,29 +602,6 @@ func (am *DefaultAccountManager) handleInactivityExpirationSettings(ctx context.
 	return nil
 }

-func (am *DefaultAccountManager) handleLocalMfaSettings(ctx context.Context, oldSettings, newSettings *types.Settings, userID, accountID string) error {
-	if oldSettings.LocalMfaEnabled == newSettings.LocalMfaEnabled {
-		return nil
-	}
-
-	embeddedIdp, ok := am.idpManager.(*idp.EmbeddedIdPManager)
-	if !ok {
-		return nil
-	}
-
-	if err := embeddedIdp.SetMFAEnabled(ctx, newSettings.LocalMfaEnabled); err != nil {
-		return fmt.Errorf("failed to toggle MFA: %w", err)
-	}
-
-	if newSettings.LocalMfaEnabled {
-		am.StoreEvent(ctx, userID, accountID, accountID, activity.AccountLocalMfaEnabled, nil)
-	} else {
-		am.StoreEvent(ctx, userID, accountID, accountID, activity.AccountLocalMfaDisabled, nil)
-	}
-
-	return nil
-}
-
 func (am *DefaultAccountManager) peerLoginExpirationJob(ctx context.Context, accountID string) func() (time.Duration, bool) {
 	return func() (time.Duration, bool) {
 		//nolint
--- a/management/server/activity/codes.go
+++ b/management/server/activity/codes.go
@@ -236,11 +236,6 @@ const (
 	// AccountIPv6Disabled indicates that a user disabled IPv6 overlay for the account
 	AccountIPv6Disabled Activity = 122

-	// AccountLocalMfaEnabled indicates that a user enabled TOTP MFA for local users
-	AccountLocalMfaEnabled Activity = 123
-	// AccountLocalMfaDisabled indicates that a user disabled TOTP MFA for local users
-	AccountLocalMfaDisabled Activity = 124
-
 	AccountDeleted Activity = 99999
 )

@@ -391,9 +386,6 @@ var activityMap = map[Activity]Code{
 	AccountPeerExposeEnabled:  {"Account peer expose enabled", "account.setting.peer.expose.enable"},
 	AccountPeerExposeDisabled: {"Account peer expose disabled", "account.setting.peer.expose.disable"},

-	AccountLocalMfaEnabled:  {"Account local MFA enabled", "account.setting.local.mfa.enable"},
-	AccountLocalMfaDisabled: {"Account local MFA disabled", "account.setting.local.mfa.disable"},
-
 	DomainAdded:     {"Domain added", "domain.add"},
 	DomainDeleted:   {"Domain deleted", "domain.delete"},
 	DomainValidated: {"Domain validated", "domain.validate"},
--- a/management/server/http/handlers/accounts/accounts_handler.go
+++ b/management/server/http/handlers/accounts/accounts_handler.go
@@ -277,9 +277,6 @@ func (h *handler) updateAccountRequestSettings(req api.PutApiAccountsAccountIdJS
 	if req.Settings.AutoUpdateAlways != nil {
 		returnSettings.AutoUpdateAlways = *req.Settings.AutoUpdateAlways
 	}
-	if req.Settings.LocalMfaEnabled != nil {
-		returnSettings.LocalMfaEnabled = *req.Settings.LocalMfaEnabled
-	}
 	if req.Settings.Ipv6EnabledGroups != nil {
 		returnSettings.IPv6EnabledGroups = *req.Settings.Ipv6EnabledGroups
 	}
@@ -415,7 +412,6 @@ func toAccountResponse(accountID string, settings *types.Settings, meta *types.A
 		Ipv6EnabledGroups:               &settings.IPv6EnabledGroups,
 		EmbeddedIdpEnabled:              &settings.EmbeddedIdpEnabled,
 		LocalAuthDisabled:               &settings.LocalAuthDisabled,
-		LocalMfaEnabled:                 &settings.LocalMfaEnabled,
 	}

 	if settings.NetworkRange.IsValid() {
--- a/management/server/http/handlers/accounts/accounts_handler_test.go
+++ b/management/server/http/handlers/accounts/accounts_handler_test.go
@@ -131,7 +131,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
 				LocalAuthDisabled:               br(false),
-				LocalMfaEnabled:                 br(false),
 			},
 			expectedArray: true,
 			expectedID:    accountID,
@@ -158,7 +157,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
 				LocalAuthDisabled:               br(false),
-				LocalMfaEnabled:                 br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -185,7 +183,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				AutoUpdateVersion:               sr("latest"),
 				EmbeddedIdpEnabled:              br(false),
 				LocalAuthDisabled:               br(false),
-				LocalMfaEnabled:                 br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -212,7 +209,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
 				LocalAuthDisabled:               br(false),
-				LocalMfaEnabled:                 br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -239,7 +235,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
 				LocalAuthDisabled:               br(false),
-				LocalMfaEnabled:                 br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -266,7 +261,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
 				LocalAuthDisabled:               br(false),
-				LocalMfaEnabled:                 br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
--- a/management/server/idp/embedded.go
+++ b/management/server/idp/embedded.go
@@ -2,11 +2,9 @@ package idp

 import (
 	"context"
-	"encoding/base64"
 	"errors"
 	"fmt"
 	"net/http"
-	"os"
 	"strings"

 	"github.com/dexidp/dex/storage"
@@ -19,13 +17,12 @@ import (
 )

 const (
-	staticClientDashboard         = "netbird-dashboard"
-	staticClientCLI               = "netbird-cli"
-	defaultCLIRedirectURL1        = "http://localhost:53000/"
-	defaultCLIRedirectURL2        = "http://localhost:54000/"
-	defaultScopes                 = "openid profile email groups"
-	defaultUserIDClaim            = "sub"
-	sessionCookieEncryptionKeyEnv = "NB_IDP_SESSION_COOKIE_ENCRYPTION_KEY"
+	staticClientDashboard  = "netbird-dashboard"
+	staticClientCLI        = "netbird-cli"
+	defaultCLIRedirectURL1 = "http://localhost:53000/"
+	defaultCLIRedirectURL2 = "http://localhost:54000/"
+	defaultScopes          = "openid profile email groups"
+	defaultUserIDClaim     = "sub"
 )

 // EmbeddedIdPConfig contains configuration for the embedded Dex OIDC identity provider
@@ -52,26 +49,6 @@ type EmbeddedIdPConfig struct {
 	// Existing local users are preserved and will be able to login again if re-enabled.
 	// Cannot be enabled if no external identity provider connectors are configured.
 	LocalAuthDisabled bool
-	// MfaSessionMaxLifetime is the maximum MFA session duration from creation (e.g. "24h").
-	// Defaults to "24h" if empty.
-	MfaSessionMaxLifetime string
-	// MfaSessionIdleTimeout is the idle timeout after which the MFA session expires (e.g. "1h").
-	// Defaults to "1h" if empty.
-	MfaSessionIdleTimeout string
-	// MfaSessionRememberMe controls the default state of the "remember me" checkbox on the
-	// login screen. When true, the session cookie persists across browser tabs/restarts so
-	// MFA is not re-prompted until the session expires. Defaults to false.
-	MfaSessionRememberMe bool
-	// SessionCookieEncryptionKey is the optional AES key used to encrypt embedded IdP session cookies.
-	// It can also be set with NB_IDP_SESSION_COOKIE_ENCRYPTION_KEY. The value must be 16, 24, or 32
-	// bytes when provided as a raw string, or base64-encoded to one of those lengths.
-	SessionCookieEncryptionKey string
-	// Dashboard Post logout redirect URIs, these are required to tell
-	// Dex what to allow when an RP-Initiated logout is started by the frontend
-	// at least one of these must match the dashboard base URL or the dashboard
-	// DASHBOARD_POST_LOGOUT_URL environment variable
-	// WARNING: Dex only uses exact match, not wildcards
-	DashboardPostLogoutRedirectURIs []string
 	// StaticConnectors are additional connectors to seed during initialization
 	StaticConnectors []dex.Connector
 }
@@ -149,11 +126,6 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 	// todo: resolve import cycle
 	dashboardRedirectURIs = append(dashboardRedirectURIs, baseURL+"/api/reverse-proxy/callback")

-	dashboardPostLogoutRedirectURIs := c.DashboardPostLogoutRedirectURIs
-	// It is safe to assume that most installations will share the location of the
-	// MGMT api and the dashboard, adding baseURL means less configuration for the instance admin
-	dashboardPostLogoutRedirectURIs = append(dashboardPostLogoutRedirectURIs, baseURL)
-
 	cfg := &dex.YAMLConfig{
 		Issuer: c.Issuer,
 		Storage: dex.Storage{
@@ -176,11 +148,10 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 		EnablePasswordDB: true,
 		StaticClients: []storage.Client{
 			{
-				ID:                     staticClientDashboard,
-				Name:                   "NetBird Dashboard",
-				Public:                 true,
-				RedirectURIs:           dashboardRedirectURIs,
-				PostLogoutRedirectURIs: sanitizePostLogoutRedirectURIs(dashboardPostLogoutRedirectURIs),
+				ID:           staticClientDashboard,
+				Name:         "NetBird Dashboard",
+				Public:       true,
+				RedirectURIs: dashboardRedirectURIs,
 			},
 			{
 				ID:           staticClientCLI,
@@ -192,12 +163,6 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 		StaticConnectors: c.StaticConnectors,
 	}

-	// Always initialize MFA providers and sessions so TOTP can be toggled at runtime.
-	// MFAChain on clients is NOT set here — it's synced from the DB setting on startup.
-	if err := configureMFA(cfg, c.MfaSessionMaxLifetime, c.MfaSessionIdleTimeout, c.MfaSessionRememberMe, c.SessionCookieEncryptionKey); err != nil {
-		return nil, err
-	}
-
 	// Add owner user if provided
 	if c.Owner != nil && c.Owner.Email != "" && c.Owner.Hash != "" {
 		username := c.Owner.Username
@@ -217,100 +182,6 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 	return cfg, nil
 }

-// Due to how the frontend generates the logout, sometimes it appends a trailing slash
-// and because Dex only allows exact matches, we need to make sure we always have both
-// versions of each provided uri
-func sanitizePostLogoutRedirectURIs(uris []string) []string {
-	result := make([]string, 0)
-	for _, uri := range uris {
-		if strings.HasSuffix(uri, "/") {
-			result = append(result, uri)
-			result = append(result, strings.TrimSuffix(uri, "/"))
-		} else {
-			result = append(result, uri)
-			result = append(result, uri+"/")
-		}
-	}
-
-	return result
-}
-
-func configureMFA(cfg *dex.YAMLConfig, sessionMaxLifetime, sessionIdleTimeout string, rememberMe bool, sessionCookieEncryptionKey string) error {
-	cfg.MFA.Authenticators = []dex.MFAAuthenticator{{
-		ID: "default-totp",
-		// Has to be caps otherwise it will fail
-		Type: "TOTP",
-		Config: map[string]interface{}{
-			"issuer": "NetBird",
-		},
-		ConnectorTypes: []string{"local"},
-	}}
-
-	if sessionMaxLifetime == "" {
-		sessionMaxLifetime = "24h"
-	}
-	if sessionIdleTimeout == "" {
-		sessionIdleTimeout = "1h"
-	}
-
-	cookieEncryptionKey, err := resolveSessionCookieEncryptionKey(sessionCookieEncryptionKey)
-	if err != nil {
-		return err
-	}
-
-	cfg.Sessions = &dex.Sessions{
-		CookieName:                 "netbird-session",
-		AbsoluteLifetime:           sessionMaxLifetime,
-		ValidIfNotUsedFor:          sessionIdleTimeout,
-		RememberMeCheckedByDefault: &rememberMe,
-		SSOSharedWithDefault:       "all",
-		CookieEncryptionKey:        cookieEncryptionKey,
-	}
-	// Absolutely required, otherwise the dex server will omit the MFA configuration entirely
-	os.Setenv("DEX_SESSIONS_ENABLED", "true")
-
-	// Note: MFAChain on clients is NOT set here.
-	// It is toggled at runtime via SetMFAEnabled() based on the account settings DB value.
-	return nil
-}
-
-func resolveSessionCookieEncryptionKey(configuredKey string) (string, error) {
-	key := strings.TrimSpace(configuredKey)
-	if key == "" {
-		key = strings.TrimSpace(os.Getenv(sessionCookieEncryptionKeyEnv))
-	}
-	if key == "" {
-		return "", nil
-	}
-
-	if validSessionCookieEncryptionKeyLength(len([]byte(key))) {
-		return key, nil
-	}
-
-	for _, encoding := range []*base64.Encoding{
-		base64.StdEncoding,
-		base64.RawStdEncoding,
-		base64.URLEncoding,
-		base64.RawURLEncoding,
-	} {
-		decoded, err := encoding.DecodeString(key)
-		if err == nil && validSessionCookieEncryptionKeyLength(len(decoded)) {
-			return string(decoded), nil
-		}
-	}
-
-	return "", fmt.Errorf("invalid embedded IdP session cookie encryption key: %s (or sessionCookieEncryptionKey) must be 16, 24, or 32 bytes as a raw string or base64-encoded to one of those lengths; got %d raw bytes", sessionCookieEncryptionKeyEnv, len([]byte(key)))
-}
-
-func validSessionCookieEncryptionKeyLength(length int) bool {
-	switch length {
-	case 16, 24, 32:
-		return true
-	default:
-		return false
-	}
-}
-
 // Compile-time check that EmbeddedIdPManager implements Manager interface
 var _ Manager = (*EmbeddedIdPManager)(nil)

@@ -344,7 +215,6 @@ type EmbeddedIdPManager struct {
 	provider   *dex.Provider
 	appMetrics telemetry.AppMetrics
 	config     EmbeddedIdPConfig
-	mfaEnabled bool
 }

 // NewEmbeddedIdPManager creates a new instance of EmbeddedIdPManager from a configuration.
@@ -771,27 +641,6 @@ func (m *EmbeddedIdPManager) IsLocalAuthDisabled() bool {
 	return m.config.LocalAuthDisabled
 }

-// SetMFAEnabled enables or disables TOTP MFA for local users by updating the MFAChain on OAuth2 clients.
-func (m *EmbeddedIdPManager) SetMFAEnabled(ctx context.Context, enabled bool) error {
-	var mfaChain []string
-	if enabled {
-		mfaChain = []string{"default-totp"}
-	}
-	if err := m.provider.SetClientsMFAChain(ctx, []string{
-		staticClientCLI,
-		staticClientDashboard,
-	}, mfaChain); err != nil {
-		return fmt.Errorf("failed to set MFA enabled=%v: %w", enabled, err)
-	}
-	m.mfaEnabled = enabled
-	return nil
-}
-
-// IsMFAEnabled returns whether TOTP MFA is currently enabled for local users.
-func (m *EmbeddedIdPManager) IsMFAEnabled() bool {
-	return m.mfaEnabled
-}
-
 // HasNonLocalConnectors checks if there are any identity provider connectors other than local.
 func (m *EmbeddedIdPManager) HasNonLocalConnectors(ctx context.Context) (bool, error) {
 	return m.provider.HasNonLocalConnectors(ctx)
--- a/management/server/idp/embedded_test.go
+++ b/management/server/idp/embedded_test.go
@@ -2,7 +2,6 @@ package idp

 import (
 	"context"
-	"encoding/base64"
 	"os"
 	"path/filepath"
 	"testing"
@@ -314,72 +313,6 @@ func TestEmbeddedIdPManager_UpdateUserPassword(t *testing.T) {
 	})
 }

-func TestEmbeddedIdPConfig_ToYAMLConfig_SessionCookieEncryptionKey(t *testing.T) {
-	t.Setenv(sessionCookieEncryptionKeyEnv, "")
-
-	rawKey := "0123456789abcdef0123456789abcdef"
-	config := &EmbeddedIdPConfig{
-		Enabled:                    true,
-		Issuer:                     "http://localhost:5556/dex",
-		SessionCookieEncryptionKey: base64.StdEncoding.EncodeToString([]byte(rawKey)),
-		Storage: EmbeddedStorageConfig{
-			Type: "sqlite3",
-			Config: EmbeddedStorageTypeConfig{
-				File: filepath.Join(t.TempDir(), "dex.db"),
-			},
-		},
-	}
-
-	yamlConfig, err := config.ToYAMLConfig()
-	require.NoError(t, err)
-	require.NotNil(t, yamlConfig.Sessions)
-	assert.Equal(t, rawKey, yamlConfig.Sessions.CookieEncryptionKey)
-}
-
-func TestResolveSessionCookieEncryptionKey(t *testing.T) {
-	rawKey := "0123456789abcdef0123456789abcdef"
-
-	t.Run("uses raw configured key", func(t *testing.T) {
-		t.Setenv(sessionCookieEncryptionKeyEnv, "")
-
-		key, err := resolveSessionCookieEncryptionKey(rawKey)
-		require.NoError(t, err)
-		assert.Equal(t, rawKey, key)
-	})
-
-	t.Run("uses base64 configured key", func(t *testing.T) {
-		t.Setenv(sessionCookieEncryptionKeyEnv, "")
-
-		key, err := resolveSessionCookieEncryptionKey(base64.StdEncoding.EncodeToString([]byte(rawKey)))
-		require.NoError(t, err)
-		assert.Equal(t, rawKey, key)
-	})
-
-	t.Run("falls back to env var", func(t *testing.T) {
-		t.Setenv(sessionCookieEncryptionKeyEnv, rawKey)
-
-		key, err := resolveSessionCookieEncryptionKey("")
-		require.NoError(t, err)
-		assert.Equal(t, rawKey, key)
-	})
-
-	t.Run("empty key disables encryption", func(t *testing.T) {
-		t.Setenv(sessionCookieEncryptionKeyEnv, "")
-
-		key, err := resolveSessionCookieEncryptionKey("")
-		require.NoError(t, err)
-		assert.Empty(t, key)
-	})
-
-	t.Run("rejects invalid key length", func(t *testing.T) {
-		t.Setenv(sessionCookieEncryptionKeyEnv, "")
-
-		_, err := resolveSessionCookieEncryptionKey("32")
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), sessionCookieEncryptionKeyEnv)
-	})
-}
-
 func TestEmbeddedIdPManager_GetLocalKeysLocation(t *testing.T) {
 	ctx := context.Background()

--- a/management/server/store/sql_store.go
+++ b/management/server/store/sql_store.go
@@ -236,6 +236,7 @@ func (s *SqlStore) GetPeerJobs(ctx context.Context, accountID, peerID string) ([
 		Where(accountAndPeerIDQueryCondition, accountID, peerID).
 		Order("created_at DESC").
 		Find(&jobs).Error
+
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to fetch jobs from store: %s", err)
 		return nil, err
@@ -462,6 +463,7 @@ func (s *SqlStore) SavePeer(ctx context.Context, accountID string, peer *nbpeer.

 		return nil
 	})
+
 	if err != nil {
 		return err
 	}
@@ -1512,7 +1514,6 @@ func (s *SqlStore) getAccount(ctx context.Context, accountID string) (*types.Acc
 			settings_jwt_groups_enabled, settings_jwt_groups_claim_name, settings_jwt_allow_groups,
 			settings_routing_peer_dns_resolution_enabled, settings_dns_domain, settings_network_range,
 			settings_network_range_v6, settings_ipv6_enabled_groups, settings_lazy_connection_enabled,
-			settings_local_mfa_enabled,
 			-- Embedded ExtraSettings
 			settings_extra_peer_approval_enabled, settings_extra_user_approval_required,
 			settings_extra_integrated_validator, settings_extra_integrated_validator_groups
@@ -1534,7 +1535,6 @@ func (s *SqlStore) getAccount(ctx context.Context, accountID string) (*types.Acc
 		sNetworkRangeV6                  sql.NullString
 		sIPv6EnabledGroups               sql.NullString
 		sLazyConnectionEnabled           sql.NullBool
-		sLocalMFAEnabled                 sql.NullBool
 		sExtraPeerApprovalEnabled        sql.NullBool
 		sExtraUserApprovalRequired       sql.NullBool
 		sExtraIntegratedValidator        sql.NullString
@@ -1557,7 +1557,6 @@ func (s *SqlStore) getAccount(ctx context.Context, accountID string) (*types.Acc
 		&sJWTGroupsEnabled, &sJWTGroupsClaimName, &sJWTAllowGroups,
 		&sRoutingPeerDNSResolutionEnabled, &sDNSDomain, &sNetworkRange,
 		&sNetworkRangeV6, &sIPv6EnabledGroups, &sLazyConnectionEnabled,
-		&sLocalMFAEnabled,
 		&sExtraPeerApprovalEnabled, &sExtraUserApprovalRequired,
 		&sExtraIntegratedValidator, &sExtraIntegratedValidatorGroups,
 	)
@@ -1620,9 +1619,6 @@ func (s *SqlStore) getAccount(ctx context.Context, accountID string) (*types.Acc
 	if sLazyConnectionEnabled.Valid {
 		account.Settings.LazyConnectionEnabled = sLazyConnectionEnabled.Bool
 	}
-	if sLocalMFAEnabled.Valid {
-		account.Settings.LocalMfaEnabled = sLocalMFAEnabled.Bool
-	}
 	if sJWTAllowGroups.Valid {
 		_ = json.Unmarshal([]byte(sJWTAllowGroups.String), &account.Settings.JWTAllowGroups)
 	}
@@ -3065,6 +3061,7 @@ func (s *SqlStore) AddPeerToAllGroup(ctx context.Context, accountID string, peer
 		GroupID:   groupID,
 		PeerID:    peerID,
 	}).Error
+
 	if err != nil {
 		return status.Errorf(status.Internal, "error adding peer to group 'All': %v", err)
 	}
@@ -3084,6 +3081,7 @@ func (s *SqlStore) AddPeerToGroup(ctx context.Context, accountID, peerID, groupI
 		Columns:   []clause.Column{{Name: "group_id"}, {Name: "peer_id"}},
 		DoNothing: true,
 	}).Create(peer).Error
+
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to add peer %s to group %s for account %s: %v", peerID, groupID, accountID, err)
 		return status.Errorf(status.Internal, "failed to add peer to group")
@@ -3096,6 +3094,7 @@ func (s *SqlStore) AddPeerToGroup(ctx context.Context, accountID, peerID, groupI
 func (s *SqlStore) RemovePeerFromGroup(ctx context.Context, peerID string, groupID string) error {
 	err := s.db.
 		Delete(&types.GroupPeer{}, "group_id = ? AND peer_id = ?", groupID, peerID).Error
+
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to remove peer %s from group %s: %v", peerID, groupID, err)
 		return status.Errorf(status.Internal, "failed to remove peer from group")
@@ -3108,6 +3107,7 @@ func (s *SqlStore) RemovePeerFromGroup(ctx context.Context, peerID string, group
 func (s *SqlStore) RemovePeerFromAllGroups(ctx context.Context, peerID string) error {
 	err := s.db.
 		Delete(&types.GroupPeer{}, "peer_id = ?", peerID).Error
+
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to remove peer %s from all groups: %v", peerID, err)
 		return status.Errorf(status.Internal, "failed to remove peer from all groups")
@@ -4964,6 +4964,7 @@ func (s *SqlStore) UpdateService(ctx context.Context, service *rpservice.Service

 		return nil
 	})
+
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to update service to store: %v", err)
 		return status.Errorf(status.Internal, "failed to update service to store")
@@ -5619,6 +5620,7 @@ func (s *SqlStore) getClusterUnanimousCapability(ctx context.Context, clusterAdd
 		Where("cluster_address = ? AND status = ? AND last_seen > ?",
 			clusterAddr, "connected", time.Now().Add(-proxyActiveThreshold)).
 		Scan(&result).Error
+
 	if err != nil {
 		log.WithContext(ctx).Errorf("query cluster capability %s for %s: %v", column, clusterAddr, err)
 		return nil
@@ -5660,6 +5662,7 @@ func (s *SqlStore) getClusterCapability(ctx context.Context, clusterAddr, column
 		Where("cluster_address = ? AND status = ? AND last_seen > ?",
 			clusterAddr, "connected", time.Now().Add(-proxyActiveThreshold)).
 		Scan(&result).Error
+
 	if err != nil {
 		log.WithContext(ctx).Errorf("query cluster capability %s for %s: %v", column, clusterAddr, err)
 		return nil
--- a/management/server/types/settings.go
+++ b/management/server/types/settings.go
@@ -80,10 +80,6 @@ type Settings struct {
 	// LocalAuthDisabled indicates if local (email/password) authentication is disabled.
 	// This is a runtime-only field, not stored in the database.
 	LocalAuthDisabled bool `gorm:"-"`
-
-	// LocalMfaEnabled indicates if TOTP MFA is enabled for local users.
-	// Only applicable when the embedded IDP is enabled.
-	LocalMfaEnabled bool
 }

 // Copy copies the Settings struct
@@ -112,7 +108,6 @@ func (s *Settings) Copy() *Settings {
 		IPv6EnabledGroups:               slices.Clone(s.IPv6EnabledGroups),
 		EmbeddedIdpEnabled:              s.EmbeddedIdpEnabled,
 		LocalAuthDisabled:               s.LocalAuthDisabled,
-		LocalMfaEnabled:                 s.LocalMfaEnabled,
 	}
 	if s.Extra != nil {
 		settings.Extra = s.Extra.Copy()
--- a/shared/management/http/api/openapi.yml
+++ b/shared/management/http/api/openapi.yml
@@ -381,10 +381,6 @@ components:
          type: boolean
          readOnly: true
          example: false
-        local_mfa_enabled:
-          description: Enables or disables TOTP multi-factor authentication for local users. Only applicable when the embedded identity provider is enabled.
-          type: boolean
-          example: false
        ipv6_enabled_groups:
          description: List of group IDs whose peers receive IPv6 overlay addresses. Peers not in any of these groups will not be allocated an IPv6 address. New accounts default to the All group.
          type: array
--- a/shared/management/http/api/types.gen.go
+++ b/shared/management/http/api/types.gen.go
@@ -1486,9 +1486,6 @@ type AccountSettings struct {
 	// LocalAuthDisabled Indicates whether local (email/password) authentication is disabled. When true, users can only authenticate via external identity providers. This is a read-only field.
 	LocalAuthDisabled *bool `json:"local_auth_disabled,omitempty"`

-	// LocalMfaEnabled Enables or disables TOTP multi-factor authentication for local users. Only applicable when the embedded identity provider is enabled.
-	LocalMfaEnabled *bool `json:"local_mfa_enabled,omitempty"`
-
 	// NetworkRange Allows to define a custom network range for the account in CIDR format
 	NetworkRange *string `json:"network_range,omitempty"`

--- a/util/capture/text.go
+++ b/util/capture/text.go
@@ -12,6 +12,7 @@ import (

 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
+	"github.com/miekg/dns"
 )

 // TextWriter writes human-readable one-line-per-packet summaries.
@@ -594,19 +595,45 @@ func formatDNSResponse(d *layers.DNS, rd string, plen int) string {
 	anCount := d.ANCount
 	nsCount := d.NSCount
 	arCount := d.ARCount
+	ede := formatEDE(d)

 	if d.ResponseCode != layers.DNSResponseCodeNoErr {
-		return fmt.Sprintf("%04x %d/%d/%d %s (%d)", d.ID, anCount, nsCount, arCount, d.ResponseCode, plen)
+		return fmt.Sprintf("%04x %d/%d/%d %s%s (%d)", d.ID, anCount, nsCount, arCount, d.ResponseCode, ede, plen)
 	}

 	if anCount > 0 && len(d.Answers) > 0 {
 		rr := d.Answers[0]
 		if rdata := shortRData(&rr); rdata != "" {
-			return fmt.Sprintf("%04x %d/%d/%d %s %s (%d)", d.ID, anCount, nsCount, arCount, rr.Type, rdata, plen)
+			return fmt.Sprintf("%04x %d/%d/%d %s %s%s (%d)", d.ID, anCount, nsCount, arCount, rr.Type, rdata, ede, plen)
 		}
 	}

-	return fmt.Sprintf("%04x %d/%d/%d (%d)", d.ID, anCount, nsCount, arCount, plen)
+	return fmt.Sprintf("%04x %d/%d/%d%s (%d)", d.ID, anCount, nsCount, arCount, ede, plen)
+}
+
+// dnsOPTCodeEDE is the EDNS0 option code for Extended DNS Errors (RFC 8914).
+const dnsOPTCodeEDE layers.DNSOptionCode = layers.DNSOptionCode(dns.EDNS0EDE)
+
+// formatEDE returns " EDE=Name" for the first Extended DNS Error option
+// found in the response, or empty string if none is present.
+func formatEDE(d *layers.DNS) string {
+	for _, rr := range d.Additionals {
+		if rr.Type != layers.DNSTypeOPT {
+			continue
+		}
+		for _, opt := range rr.OPT {
+			if opt.Code != dnsOPTCodeEDE || len(opt.Data) < 2 {
+				continue
+			}
+			info := binary.BigEndian.Uint16(opt.Data[:2])
+			name, ok := dns.ExtendedErrorCodeToString[info]
+			if !ok {
+				name = fmt.Sprintf("%d", info)
+			}
+			return " EDE=" + name
+		}
+	}
+	return ""
 }

 func shortRData(rr *layers.DNSResourceRecord) string {
Author	SHA1	Message	Date
Viktor Liu	c1862dba6c	Merge remote-tracking branch 'origin/main' into dns-skip-failover-on-ede # Conflicts: # client/internal/dns/upstream.go	2026-05-07 12:16:04 +02:00
Viktor Liu	b7742b15ec	Add ServeDNS test for non-retryable EDE short-circuit and OPT stripping	2026-05-06 10:50:29 +02:00
Viktor Liu	daa256b556	Bump miekg/dns to v1.1.72; show EDE on NOERROR; codespell whitelist 'additionals'	2026-05-06 10:48:10 +02:00
Viktor Liu	bea54ef6aa	Strip OPT from response when client lacked EDNS0; add tests; show EDE in capture	2026-05-06 10:31:03 +02:00
Viktor Liu	e394818b9f	Switch nonRetryableEDE to a map lookup	2026-05-06 10:24:36 +02:00
Viktor Liu	34c3c1a6f0	Whitelist 'ede' in codespell	2026-05-06 10:21:13 +02:00
Viktor Liu	f21965cdd8	Skip upstream failover when SERVFAIL carries a definitive EDE	2026-05-06 10:17:41 +02:00