Validate OIDC issuer when creating or updating (#5074 )

Feature/resolve local jwks keys (#5073 )
[management] fix the issue with duplicated peers with the same key (#5053 )
2026-04-17 15:56:39 +00:00 · 2026-01-09 09:45:43 -05:00 · 2026-01-09 09:41:27 -05:00 · 2026-01-09 11:49:26 +01:00 · 2026-01-09 09:13:04 +01:00 · 2026-01-09 02:53:37 +08:00
209 changed files with 10797 additions and 1936 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,15 +1,15 @@
-FROM golang:1.23-bullseye
+FROM golang:1.25-bookworm

 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
    && apt-get -y install --no-install-recommends\
-        gettext-base=0.21-4 \ 
-        iptables=1.8.7-1 \
-        libgl1-mesa-dev=20.3.5-1 \
-        xorg-dev=1:7.7+22 \
-        libayatana-appindicator3-dev=0.5.5-2+deb11u2 \
+        gettext-base=0.21-12 \
+        iptables=1.8.9-2 \
+        libgl1-mesa-dev=22.3.6-1+deb12u1 \
+        xorg-dev=1:7.7+23 \
+        libayatana-appindicator3-dev=0.5.92-1 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* \
-    && go install -v golang.org/x/tools/gopls@v0.18.1
+    && go install -v golang.org/x/tools/gopls@latest


 WORKDIR /app
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -25,7 +25,7 @@ jobs:
          release: "14.2"
          prepare: |
            pkg install -y curl pkgconf xorg
-            GO_TARBALL="go1.24.10.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -vLO "$GO_URL"
            tar -C /usr/local -vxzf "$GO_TARBALL"            
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -200,7 +200,7 @@ jobs:
            -e GOCACHE=${CONTAINER_GOCACHE} \
            -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
            -e CONTAINER=${CONTAINER} \
-            golang:1.24-alpine \
+            golang:1.25-alpine \
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
@@ -259,7 +259,7 @@ jobs:
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          go test ${{ matrix.raceFlag }} \
            -exec 'sudo' \
-            -timeout 10m ./relay/... ./shared/relay/...
+            -timeout 10m -p 1 ./relay/... ./shared/relay/...

  test_signal:
    name: "Signal / Unit"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -52,7 +52,10 @@ jobs:
        if: matrix.os == 'ubuntu-latest'
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: latest
-          args: --timeout=12m --out-format colored-line-number
+          skip-cache: true
+          skip-save-cache: true
+          cache-invalidation-interval: 0
+          args: --timeout=12m
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -63,7 +63,7 @@ jobs:
            pkg install -y git curl portlint go

            # Install Go for building
-            GO_TARBALL="go1.24.10.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -LO "$GO_URL"
            tar -C /usr/local -xzf "$GO_TARBALL"
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -243,6 +243,7 @@ jobs:
        working-directory: infrastructure_files/artifacts
        run: |
          sleep 30
+          docker compose logs
          docker compose exec management ls -l /var/lib/netbird/ | grep -i GeoLite2-City_[0-9]*.mmdb
          docker compose exec management ls -l /var/lib/netbird/ | grep -i geonames_[0-9]*.db

--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -14,6 +14,9 @@ jobs:
  js_lint:
    name: "JS / Lint"
    runs-on: ubuntu-latest
+    env:
+      GOOS: js
+      GOARCH: wasm
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
@@ -24,16 +27,14 @@ jobs:
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: latest
          install-mode: binary
          skip-cache: true
-          skip-pkg-cache: true
-          skip-build-cache: true
-      - name: Run golangci-lint for WASM
-        run: |
-          GOOS=js GOARCH=wasm golangci-lint run --timeout=12m --out-format colored-line-number ./client/...
+          skip-save-cache: true
+          cache-invalidation-interval: 0
+          working-directory: ./client
        continue-on-error: true

  js_build:
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@ infrastructure_files/setup-*.env
 .DS_Store
 vendor/
 /netbird
+client/netbird-electron/
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,139 +1,124 @@
-run:
-  # Timeout for analysis, e.g. 30s, 5m.
-  # Default: 1m
-  timeout: 6m
-
-# This file contains only configs which differ from defaults.
-# All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml
-linters-settings:
-  errcheck:
-    # Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
-    # Such cases aren't reported by default.
-    # Default: false
-    check-type-assertions: false
-
-  gosec:
-    includes:
-      - G101 # Look for hard coded credentials
-      #- G102 # Bind to all interfaces
-      - G103 # Audit the use of unsafe block
-      - G104 # Audit errors not checked
-      - G106 # Audit the use of ssh.InsecureIgnoreHostKey
-      #- G107 # Url provided to HTTP request as taint input
-      - G108 # Profiling endpoint automatically exposed on /debug/pprof
-      - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32
-      - G110 # Potential DoS vulnerability via decompression bomb
-      - G111 # Potential directory traversal
-      #- G112 # Potential slowloris attack
-      - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
-      #- G114 # Use of net/http serve function that has no support for setting timeouts
-      - G201 # SQL query construction using format string
-      - G202 # SQL query construction using string concatenation
-      - G203 # Use of unescaped data in HTML templates
-      #- G204 # Audit use of command execution
-      - G301 # Poor file permissions used when creating a directory
-      - G302 # Poor file permissions used with chmod
-      - G303 # Creating tempfile using a predictable path
-      - G304 # File path provided as taint input
-      - G305 # File traversal when extracting zip/tar archive
-      - G306 # Poor file permissions used when writing to a new file
-      - G307 # Poor file permissions used when creating a file with os.Create
-      #- G401 # Detect the usage of DES, RC4, MD5 or SHA1
-      #- G402 # Look for bad TLS connection settings
-      - G403 # Ensure minimum RSA key length of 2048 bits
-      #- G404 # Insecure random number source (rand)
-      #- G501 # Import blocklist: crypto/md5
-      - G502 # Import blocklist: crypto/des
-      - G503 # Import blocklist: crypto/rc4
-      - G504 # Import blocklist: net/http/cgi
-      #- G505 # Import blocklist: crypto/sha1
-      - G601 # Implicit memory aliasing of items from a range statement
-      - G602 # Slice access out of bounds
-
-  gocritic:
-    disabled-checks:
-      - commentFormatting
-      - captLocal
-      - deprecatedComment
-
-  govet:
-    # Enable all analyzers.
-    # Default: false
-    enable-all: false
-    enable:
-      - nilness
-
-  revive:
-    rules:
-      - name: exported
-        severity: warning
-        disabled: false
-        arguments:
-          - "checkPrivateReceivers"
-          - "sayRepetitiveInsteadOfStutters"
-  tenv:
-    # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures.
-    # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked.
-    # Default: false
-    all: true
-
+version: "2"
 linters:
-  disable-all: true
+  default: none
  enable:
-    ## enabled by default
-    - errcheck # checking for unchecked errors, these unchecked errors can be critical bugs in some cases
-    - gosimple # specializes in simplifying a code
-    - govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string
-    - ineffassign # detects when assignments to existing variables are not used
-    - staticcheck # is a go vet on steroids, applying a ton of static analysis checks
-    - tenv # Tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17.
-    - typecheck # like the front-end of a Go compiler, parses and type-checks Go code
-    - unused # checks for unused constants, variables, functions and types
-    ## disable by default but the have interesting results so lets add them
-    - bodyclose # checks whether HTTP response body is closed successfully
-    - dupword # dupword checks for duplicate words in the source code
-    - durationcheck # durationcheck checks for two durations multiplied together
-    - forbidigo # forbidigo forbids identifiers
-    - gocritic # provides diagnostics that check for bugs, performance and style issues
-    - gosec # inspects source code for security problems
-    - mirror # mirror reports wrong mirror patterns of bytes/strings usage
-    - misspell # misspess finds commonly misspelled English words in comments
-    - nilerr # finds the code that returns nil even if it checks that the error is not nil
-    - nilnil # checks that there is no simultaneous return of nil error and an invalid value
-    - predeclared # predeclared finds code that shadows one of Go's predeclared identifiers
-    - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
-    - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
-    # - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
-    - wastedassign # wastedassign finds wasted assignment statements
+    - bodyclose
+    - dupword
+    - durationcheck
+    - errcheck
+    - forbidigo
+    - gocritic
+    - gosec
+    - govet
+    - ineffassign
+    - mirror
+    - misspell
+    - nilerr
+    - nilnil
+    - predeclared
+    - revive
+    - sqlclosecheck
+    - staticcheck
+    - unused
+    - wastedassign
+  settings:
+    errcheck:
+      check-type-assertions: false
+    gocritic:
+      disabled-checks:
+        - commentFormatting
+        - captLocal
+        - deprecatedComment
+    gosec:
+      includes:
+        - G101
+        - G103
+        - G104
+        - G106
+        - G108
+        - G109
+        - G110
+        - G111
+        - G201
+        - G202
+        - G203
+        - G301
+        - G302
+        - G303
+        - G304
+        - G305
+        - G306
+        - G307
+        - G403
+        - G502
+        - G503
+        - G504
+        - G601
+        - G602
+    govet:
+      enable:
+        - nilness
+      enable-all: false
+    revive:
+      rules:
+        - name: exported
+          arguments:
+            - checkPrivateReceivers
+            - sayRepetitiveInsteadOfStutters
+          severity: warning
+          disabled: false
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - forbidigo
+        path: management/cmd/root\.go
+      - linters:
+          - forbidigo
+        path: signal/cmd/root\.go
+      - linters:
+          - unused
+        path: sharedsock/filter\.go
+      - linters:
+          - unused
+        path: client/firewall/iptables/rule\.go
+      - linters:
+          - gosec
+          - mirror
+        path: test\.go
+      - linters:
+          - nilnil
+        path: mock\.go
+      - linters:
+          - staticcheck
+        text: grpc.DialContext is deprecated
+      - linters:
+          - staticcheck
+        text: grpc.WithBlock is deprecated
+      - linters:
+          - staticcheck
+        text: "QF1001"
+      - linters:
+          - staticcheck
+        text: "QF1008"
+      - linters:
+          - staticcheck
+        text: "QF1012"
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  # Maximum count of issues with the same text.
-  # Set to 0 to disable.
-  # Default: 3
  max-same-issues: 5
-
-  exclude-rules:
-    # allow fmt
-    - path: management/cmd/root\.go
-      linters: forbidigo
-    - path: signal/cmd/root\.go
-      linters: forbidigo
-    - path: sharedsock/filter\.go
-      linters:
-      - unused
-    - path: client/firewall/iptables/rule\.go
-      linters:
-      - unused
-    - path: test\.go
-      linters:
-      - mirror
-      - gosec
-    - path: mock\.go
-      linters:
-      - nilnil
-    # Exclude specific deprecation warnings for grpc methods
-    - linters:
-       - staticcheck
-      text: "grpc.DialContext is deprecated"
-    - linters:
-        - staticcheck
-      text: "grpc.WithBlock is deprecated"
+formatters:
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -713,8 +713,10 @@ checksum:
  extra_files:
    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
    - glob: ./release_files/install.sh
+    - glob: ./infrastructure_files/getting-started.sh

 release:
  extra_files:
    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
    - glob: ./release_files/install.sh
+    - glob: ./infrastructure_files/getting-started.sh
--- a/README.md
+++ b/README.md
@@ -85,7 +85,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird

 **Infrastructure requirements:**
 - A Linux VM with at least **1CPU** and **2GB** of memory.
- The VM should be publicly accessible on TCP ports **80** and **443** and UDP ports: **3478**, **49152-65535**.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
 - **Public domain** name pointing to the VM.

 **Software requirements:**
@@ -98,7 +98,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 **Steps**
 - Download and run the installation script:
 ```bash
-export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
+export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
 - Once finished, you can manage the resources via `docker-compose`

--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -136,6 +136,7 @@ func setLogLevel(cmd *cobra.Command, args []string) error {
 	client := proto.NewDaemonServiceClient(conn)
 	level := server.ParseLogLevel(args[0])
 	if level == proto.LogLevel_UNKNOWN {
+		//nolint
 		return fmt.Errorf("unknown log level: %s. Available levels are: panic, fatal, error, warn, info, debug, trace\n", args[0])
 	}

--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -81,6 +81,7 @@ var loginCmd = &cobra.Command{
 func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey string, activeProf *profilemanager.Profile, username string, pm *profilemanager.ProfileManager) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
@@ -206,6 +207,7 @@ func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManage
 func switchProfile(ctx context.Context, profileName string, username string) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
--- a/client/cmd/pprof.go
+++ b/client/cmd/pprof.go
@@ -1,5 +1,4 @@
 //go:build pprof
-// +build pprof

 package cmd

--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -390,6 +390,7 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {

 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
 	if err != nil {
+		//nolint
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
--- a/client/cmd/ssh.go
+++ b/client/cmd/ssh.go
@@ -634,7 +634,11 @@ func parseAndStartLocalForward(ctx context.Context, c *sshclient.Client, forward
 		return err
 	}

-	cmd.Printf("Local port forwarding: %s -> %s\n", localAddr, remoteAddr)
+	if err := validateDestinationPort(remoteAddr); err != nil {
+		return fmt.Errorf("invalid remote address: %w", err)
+	}
+
+	log.Debugf("Local port forwarding: %s -> %s", localAddr, remoteAddr)

 	go func() {
 		if err := c.LocalPortForward(ctx, localAddr, remoteAddr); err != nil && !errors.Is(err, context.Canceled) {
@@ -652,7 +656,11 @@ func parseAndStartRemoteForward(ctx context.Context, c *sshclient.Client, forwar
 		return err
 	}

-	cmd.Printf("Remote port forwarding: %s -> %s\n", remoteAddr, localAddr)
+	if err := validateDestinationPort(localAddr); err != nil {
+		return fmt.Errorf("invalid local address: %w", err)
+	}
+
+	log.Debugf("Remote port forwarding: %s -> %s", remoteAddr, localAddr)

 	go func() {
 		if err := c.RemotePortForward(ctx, remoteAddr, localAddr); err != nil && !errors.Is(err, context.Canceled) {
@@ -663,6 +671,35 @@ func parseAndStartRemoteForward(ctx context.Context, c *sshclient.Client, forwar
 	return nil
 }

+// validateDestinationPort checks that the destination address has a valid port.
+// Port 0 is only valid for bind addresses (where the OS picks an available port),
+// not for destination addresses where we need to connect.
+func validateDestinationPort(addr string) error {
+	if strings.HasPrefix(addr, "/") || strings.HasPrefix(addr, "./") {
+		return nil
+	}
+
+	_, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		return fmt.Errorf("parse address %s: %w", addr, err)
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return fmt.Errorf("invalid port %s: %w", portStr, err)
+	}
+
+	if port == 0 {
+		return fmt.Errorf("port 0 is not valid for destination address")
+	}
+
+	if port < 0 || port > 65535 {
+		return fmt.Errorf("port %d out of range (1-65535)", port)
+	}
+
+	return nil
+}
+
 // parsePortForwardSpec parses port forward specifications like "8080:localhost:80" or "[::1]:8080:localhost:80".
 // Also supports Unix sockets like "8080:/tmp/socket" or "127.0.0.1:8080:/tmp/socket".
 func parsePortForwardSpec(spec string) (string, string, error) {
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -124,6 +124,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -89,9 +89,6 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	t.Cleanup(cleanUp)

 	eventStore := &activity.InMemoryEventStore{}
-	if err != nil {
-		return nil, nil
-	}

 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
@@ -127,7 +124,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -216,6 +216,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager

 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -386,11 +386,8 @@ func (m *aclManager) updateState() {

 // filterRuleSpecs returns the specs of a filtering rule
 func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
-	matchByIP := true
 	// don't use IP matching if IP is 0.0.0.0
-	if ip.IsUnspecified() {
-		matchByIP = false
-	}
+	matchByIP := !ip.IsUnspecified()

 	if matchByIP {
 		if ipsetName != "" {
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -161,7 +161,7 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 			t.Logf("  [%d] %s", i, rule)
 		}

-		var denyRuleIndex, acceptRuleIndex int = -1, -1
+		var denyRuleIndex, acceptRuleIndex = -1, -1
 		for i, rule := range rules {
 			if strings.Contains(rule, "DROP") {
 				t.Logf("Found DROP rule at index %d: %s", i, rule)
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -198,7 +198,7 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 	t.Logf("Found %d rules in nftables chain", len(rules))

 	// Find the accept and deny rules and verify deny comes before accept
-	var acceptRuleIndex, denyRuleIndex int = -1, -1
+	var acceptRuleIndex, denyRuleIndex = -1, -1
 	for i, rule := range rules {
 		hasAcceptHTTPSet := false
 		hasDenyHTTPSet := false
@@ -208,11 +208,13 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 		for _, e := range rule.Exprs {
 			// Check for set lookup
 			if lookup, ok := e.(*expr.Lookup); ok {
-				if lookup.SetName == "accept-http" {
+				switch lookup.SetName {
+				case "accept-http":
 					hasAcceptHTTPSet = true
-				} else if lookup.SetName == "deny-http" {
+				case "deny-http":
 					hasDenyHTTPSet = true
 				}
+
 			}
 			// Check for port 80
 			if cmp, ok := e.(*expr.Cmp); ok {
@@ -222,9 +224,10 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 			}
 			// Check for verdict
 			if verdict, ok := e.(*expr.Verdict); ok {
-				if verdict.Kind == expr.VerdictAccept {
+				switch verdict.Kind {
+				case expr.VerdictAccept:
 					action = "ACCEPT"
-				} else if verdict.Kind == expr.VerdictDrop {
+				case expr.VerdictDrop:
 					action = "DROP"
 				}
 			}
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -29,7 +29,7 @@ import (
 )

 const (
-	layerTypeAll = 0
+	layerTypeAll = 255

 	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
 	ipTCPHeaderMinSize = 40
@@ -262,10 +262,7 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 }

 func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, error) {
-	wgPrefix, err := netip.ParsePrefix(iface.Address().Network.String())
-	if err != nil {
-		return nil, fmt.Errorf("parse wireguard network: %w", err)
-	}
+	wgPrefix := iface.Address().Network
 	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)

 	rule, err := m.addRouteFiltering(
@@ -439,19 +436,7 @@ func (m *Manager) AddPeerFiltering(
 	r.sPort = sPort
 	r.dPort = dPort

-	switch proto {
-	case firewall.ProtocolTCP:
-		r.protoLayer = layers.LayerTypeTCP
-	case firewall.ProtocolUDP:
-		r.protoLayer = layers.LayerTypeUDP
-	case firewall.ProtocolICMP:
-		r.protoLayer = layers.LayerTypeICMPv4
-		if r.ipLayer == layers.LayerTypeIPv6 {
-			r.protoLayer = layers.LayerTypeICMPv6
-		}
-	case firewall.ProtocolALL:
-		r.protoLayer = layerTypeAll
-	}
+	r.protoLayer = protoToLayer(proto, r.ipLayer)

 	m.mutex.Lock()
 	var targetMap map[netip.Addr]RuleSet
@@ -496,16 +481,17 @@ func (m *Manager) addRouteFiltering(
 	}

 	ruleID := uuid.New().String()
+
 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:      ruleID,
-		mgmtId:  id,
-		sources: sources,
-		dstSet:  destination.Set,
-		proto:   proto,
-		srcPort: sPort,
-		dstPort: dPort,
-		action:  action,
+		id:         ruleID,
+		mgmtId:     id,
+		sources:    sources,
+		dstSet:     destination.Set,
+		protoLayer: protoToLayer(proto, layers.LayerTypeIPv4),
+		srcPort:    sPort,
+		dstPort:    dPort,
+		action:     action,
 	}
 	if destination.IsPrefix() {
 		rule.destinations = []netip.Prefix{destination.Prefix}
@@ -795,7 +781,7 @@ func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeade
 	pseudoSum += uint32(d.ip4.Protocol)
 	pseudoSum += uint32(tcpLength)

-	var sum uint32 = pseudoSum
+	var sum = pseudoSum
 	for i := 0; i < tcpLength-1; i += 2 {
 		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
 	}
@@ -945,7 +931,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
 	ruleID, blocked := m.peerACLsBlock(srcIP, d, packetData)
 	if blocked {
-		_, pnum := getProtocolFromPacket(d)
+		pnum := getProtocolFromPacket(d)
 		srcPort, dstPort := getPortsFromPacket(d)

 		m.logger.Trace6("Dropping local packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
@@ -1010,20 +996,22 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 		return false
 	}

-	proto, pnum := getProtocolFromPacket(d)
+	protoLayer := d.decoded[1]
 	srcPort, dstPort := getPortsFromPacket(d)

-	ruleID, pass := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort)
+	ruleID, pass := m.routeACLsPass(srcIP, dstIP, protoLayer, srcPort, dstPort)
 	if !pass {
+		proto := getProtocolFromPacket(d)
+
 		m.logger.Trace6("Dropping routed packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
-			ruleID, pnum, srcIP, srcPort, dstIP, dstPort)
+			ruleID, proto, srcIP, srcPort, dstIP, dstPort)

 		m.flowLogger.StoreEvent(nftypes.EventFields{
 			FlowID:     uuid.New(),
 			Type:       nftypes.TypeDrop,
 			RuleID:     ruleID,
 			Direction:  nftypes.Ingress,
-			Protocol:   pnum,
+			Protocol:   proto,
 			SourceIP:   srcIP,
 			DestIP:     dstIP,
 			SourcePort: srcPort,
@@ -1052,16 +1040,33 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	return true
 }

-func getProtocolFromPacket(d *decoder) (firewall.Protocol, nftypes.Protocol) {
+func protoToLayer(proto firewall.Protocol, ipLayer gopacket.LayerType) gopacket.LayerType {
+	switch proto {
+	case firewall.ProtocolTCP:
+		return layers.LayerTypeTCP
+	case firewall.ProtocolUDP:
+		return layers.LayerTypeUDP
+	case firewall.ProtocolICMP:
+		if ipLayer == layers.LayerTypeIPv6 {
+			return layers.LayerTypeICMPv6
+		}
+		return layers.LayerTypeICMPv4
+	case firewall.ProtocolALL:
+		return layerTypeAll
+	}
+	return 0
+}
+
+func getProtocolFromPacket(d *decoder) nftypes.Protocol {
 	switch d.decoded[1] {
 	case layers.LayerTypeTCP:
-		return firewall.ProtocolTCP, nftypes.TCP
+		return nftypes.TCP
 	case layers.LayerTypeUDP:
-		return firewall.ProtocolUDP, nftypes.UDP
+		return nftypes.UDP
 	case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
-		return firewall.ProtocolICMP, nftypes.ICMP
+		return nftypes.ICMP
 	default:
-		return firewall.ProtocolALL, nftypes.ProtocolUnknown
+		return nftypes.ProtocolUnknown
 	}
 }

@@ -1233,19 +1238,30 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 }

 // routeACLsPass returns true if the packet is allowed by the route ACLs
-func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) ([]byte, bool) {
+func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, protoLayer gopacket.LayerType, srcPort, dstPort uint16) ([]byte, bool) {
 	m.mutex.RLock()
 	defer m.mutex.RUnlock()

 	for _, rule := range m.routeRules {
-		if matches := m.ruleMatches(rule, srcIP, dstIP, proto, srcPort, dstPort); matches {
+		if matches := m.ruleMatches(rule, srcIP, dstIP, protoLayer, srcPort, dstPort); matches {
 			return rule.mgmtId, rule.action == firewall.ActionAccept
 		}
 	}
 	return nil, false
 }

-func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) bool {
+func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, protoLayer gopacket.LayerType, srcPort, dstPort uint16) bool {
+	// TODO: handle ipv6 vs ipv4 icmp rules
+	if rule.protoLayer != layerTypeAll && rule.protoLayer != protoLayer {
+		return false
+	}
+
+	if protoLayer == layers.LayerTypeTCP || protoLayer == layers.LayerTypeUDP {
+		if !portsMatch(rule.srcPort, srcPort) || !portsMatch(rule.dstPort, dstPort) {
+			return false
+		}
+	}
+
 	destMatched := false
 	for _, dst := range rule.destinations {
 		if dst.Contains(dstAddr) {
@@ -1264,21 +1280,8 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 			break
 		}
 	}
-	if !sourceMatched {
-		return false
-	}

-	if rule.proto != firewall.ProtocolALL && rule.proto != proto {
-		return false
-	}
-
-	if proto == firewall.ProtocolTCP || proto == firewall.ProtocolUDP {
-		if !portsMatch(rule.srcPort, srcPort) || !portsMatch(rule.dstPort, dstPort) {
-			return false
-		}
-	}
-
-	return true
+	return sourceMatched
 }

 // AddUDPPacketHook calls hook when UDP packet from given direction matched
--- a/client/firewall/uspfilter/filter_bench_test.go
+++ b/client/firewall/uspfilter/filter_bench_test.go
@@ -955,7 +955,7 @@ func BenchmarkRouteACLs(b *testing.B) {
 		for _, tc := range cases {
 			srcIP := netip.MustParseAddr(tc.srcIP)
 			dstIP := netip.MustParseAddr(tc.dstIP)
-			manager.routeACLsPass(srcIP, dstIP, tc.proto, 0, tc.dstPort)
+			manager.routeACLsPass(srcIP, dstIP, protoToLayer(tc.proto, layers.LayerTypeIPv4), 0, tc.dstPort)
 		}
 	}
 }
--- a/client/firewall/uspfilter/filter_filter_test.go
+++ b/client/firewall/uspfilter/filter_filter_test.go
@@ -1259,7 +1259,7 @@ func TestRouteACLFiltering(t *testing.T) {

 			// testing routeACLsPass only and not FilterInbound, as routed packets are dropped after being passed
 			// to the forwarder
-			_, isAllowed := manager.routeACLsPass(srcIP, dstIP, tc.proto, tc.srcPort, tc.dstPort)
+			_, isAllowed := manager.routeACLsPass(srcIP, dstIP, protoToLayer(tc.proto, layers.LayerTypeIPv4), tc.srcPort, tc.dstPort)
 			require.Equal(t, tc.shouldPass, isAllowed)
 		})
 	}
@@ -1445,7 +1445,7 @@ func TestRouteACLOrder(t *testing.T) {
 				srcIP := netip.MustParseAddr(p.srcIP)
 				dstIP := netip.MustParseAddr(p.dstIP)

-				_, isAllowed := manager.routeACLsPass(srcIP, dstIP, p.proto, p.srcPort, p.dstPort)
+				_, isAllowed := manager.routeACLsPass(srcIP, dstIP, protoToLayer(p.proto, layers.LayerTypeIPv4), p.srcPort, p.dstPort)
 				require.Equal(t, p.shouldPass, isAllowed, "packet %d failed", i)
 			}
 		})
@@ -1488,13 +1488,13 @@ func TestRouteACLSet(t *testing.T) {
 	dstIP := netip.MustParseAddr("192.168.1.100")

 	// Check that traffic is dropped (empty set shouldn't match anything)
-	_, isAllowed := manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
+	_, isAllowed := manager.routeACLsPass(srcIP, dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 	require.False(t, isAllowed, "Empty set should not allow any traffic")

 	err = manager.UpdateSet(set, []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")})
 	require.NoError(t, err)

 	// Now the packet should be allowed
-	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
+	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 	require.True(t, isAllowed, "After set update, traffic to the added network should be allowed")
 }
--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -767,9 +767,9 @@ func TestUpdateSetMerge(t *testing.T) {
 	dstIP2 := netip.MustParseAddr("192.168.1.100")
 	dstIP3 := netip.MustParseAddr("172.16.0.100")

-	_, isAllowed1 := manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed2 := manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed3 := manager.routeACLsPass(srcIP, dstIP3, fw.ProtocolTCP, 12345, 80)
+	_, isAllowed1 := manager.routeACLsPass(srcIP, dstIP1, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed2 := manager.routeACLsPass(srcIP, dstIP2, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed3 := manager.routeACLsPass(srcIP, dstIP3, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)

 	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should be allowed")
 	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should be allowed")
@@ -784,8 +784,8 @@ func TestUpdateSetMerge(t *testing.T) {
 	require.NoError(t, err)

 	// Check that all original prefixes are still included
-	_, isAllowed1 = manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed2 = manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
+	_, isAllowed1 = manager.routeACLsPass(srcIP, dstIP1, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed2 = manager.routeACLsPass(srcIP, dstIP2, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should still be allowed after update")
 	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should still be allowed after update")

@@ -793,8 +793,8 @@ func TestUpdateSetMerge(t *testing.T) {
 	dstIP4 := netip.MustParseAddr("172.16.1.100")
 	dstIP5 := netip.MustParseAddr("10.1.0.50")

-	_, isAllowed4 := manager.routeACLsPass(srcIP, dstIP4, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed5 := manager.routeACLsPass(srcIP, dstIP5, fw.ProtocolTCP, 12345, 80)
+	_, isAllowed4 := manager.routeACLsPass(srcIP, dstIP4, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed5 := manager.routeACLsPass(srcIP, dstIP5, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)

 	require.True(t, isAllowed4, "Traffic to new prefix 172.16.0.0/16 should be allowed")
 	require.True(t, isAllowed5, "Traffic to new prefix 10.1.0.0/24 should be allowed")
@@ -922,7 +922,7 @@ func TestUpdateSetDeduplication(t *testing.T) {

 	srcIP := netip.MustParseAddr("100.10.0.1")
 	for _, tc := range testCases {
-		_, isAllowed := manager.routeACLsPass(srcIP, tc.dstIP, fw.ProtocolTCP, 12345, 80)
+		_, isAllowed := manager.routeACLsPass(srcIP, tc.dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 		require.Equal(t, tc.expected, isAllowed, tc.desc)
 	}
 }
--- a/client/firewall/uspfilter/forwarder/endpoint.go
+++ b/client/firewall/uspfilter/forwarder/endpoint.go
@@ -2,6 +2,7 @@ package forwarder

 import (
 	"fmt"
+	"sync/atomic"

 	wgdevice "golang.zx2c4.com/wireguard/device"
 	"gvisor.dev/gvisor/pkg/tcpip"
@@ -16,7 +17,7 @@ type endpoint struct {
 	logger     *nblog.Logger
 	dispatcher stack.NetworkDispatcher
 	device     *wgdevice.Device
-	mtu        uint32
+	mtu        atomic.Uint32
 }

 func (e *endpoint) Attach(dispatcher stack.NetworkDispatcher) {
@@ -28,7 +29,7 @@ func (e *endpoint) IsAttached() bool {
 }

 func (e *endpoint) MTU() uint32 {
-	return e.mtu
+	return e.mtu.Load()
 }

 func (e *endpoint) Capabilities() stack.LinkEndpointCapabilities {
@@ -82,6 +83,22 @@ func (e *endpoint) ParseHeader(*stack.PacketBuffer) bool {
 	return true
 }

+func (e *endpoint) Close() {
+	// Endpoint cleanup - nothing to do as device is managed externally
+}
+
+func (e *endpoint) SetLinkAddress(tcpip.LinkAddress) {
+	// Link address is not used for this endpoint type
+}
+
+func (e *endpoint) SetMTU(mtu uint32) {
+	e.mtu.Store(mtu)
+}
+
+func (e *endpoint) SetOnCloseAction(func()) {
+	// No action needed on close
+}
+
 type epID stack.TransportEndpointID

 func (i epID) String() string {
--- a/client/firewall/uspfilter/forwarder/forwarder.go
+++ b/client/firewall/uspfilter/forwarder/forwarder.go
@@ -7,6 +7,7 @@ import (
 	"net/netip"
 	"runtime"
 	"sync"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"gvisor.dev/gvisor/pkg/buffer"
@@ -35,14 +36,16 @@ type Forwarder struct {
 	logger     *nblog.Logger
 	flowLogger nftypes.FlowLogger
 	// ruleIdMap is used to store the rule ID for a given connection
-	ruleIdMap    sync.Map
-	stack        *stack.Stack
-	endpoint     *endpoint
-	udpForwarder *udpForwarder
-	ctx          context.Context
-	cancel       context.CancelFunc
-	ip           tcpip.Address
-	netstack     bool
+	ruleIdMap        sync.Map
+	stack            *stack.Stack
+	endpoint         *endpoint
+	udpForwarder     *udpForwarder
+	ctx              context.Context
+	cancel           context.CancelFunc
+	ip               tcpip.Address
+	netstack         bool
+	hasRawICMPAccess bool
+	pingSemaphore    chan struct{}
 }

 func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
@@ -60,8 +63,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	endpoint := &endpoint{
 		logger: logger,
 		device: iface.GetWGDevice(),
-		mtu:    uint32(mtu),
 	}
+	endpoint.mtu.Store(uint32(mtu))

 	if err := s.CreateNIC(nicID, endpoint); err != nil {
 		return nil, fmt.Errorf("create NIC: %v", err)
@@ -103,15 +106,16 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow

 	ctx, cancel := context.WithCancel(context.Background())
 	f := &Forwarder{
-		logger:       logger,
-		flowLogger:   flowLogger,
-		stack:        s,
-		endpoint:     endpoint,
-		udpForwarder: newUDPForwarder(mtu, logger, flowLogger),
-		ctx:          ctx,
-		cancel:       cancel,
-		netstack:     netstack,
-		ip:           tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		logger:        logger,
+		flowLogger:    flowLogger,
+		stack:         s,
+		endpoint:      endpoint,
+		udpForwarder:  newUDPForwarder(mtu, logger, flowLogger),
+		ctx:           ctx,
+		cancel:        cancel,
+		netstack:      netstack,
+		ip:            tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		pingSemaphore: make(chan struct{}, 3),
 	}

 	receiveWindow := defaultReceiveWindow
@@ -129,6 +133,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow

 	s.SetTransportProtocolHandler(icmp.ProtocolNumber4, f.handleICMP)

+	f.checkICMPCapability()
+
 	log.Debugf("forwarder: Initialization complete with NIC %d", nicID)
 	return f, nil
 }
@@ -198,3 +204,24 @@ func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKe
 		DstPort: dstPort,
 	}
 }
+
+// checkICMPCapability tests whether we have raw ICMP socket access at startup.
+func (f *Forwarder) checkICMPCapability() {
+	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+	defer cancel()
+
+	lc := net.ListenConfig{}
+	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
+	if err != nil {
+		f.hasRawICMPAccess = false
+		f.logger.Debug("forwarder: No raw ICMP socket access, will use ping binary fallback")
+		return
+	}
+
+	if err := conn.Close(); err != nil {
+		f.logger.Debug1("forwarder: Failed to close ICMP capability test socket: %v", err)
+	}
+
+	f.hasRawICMPAccess = true
+	f.logger.Debug("forwarder: Raw ICMP socket access available")
+}
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -2,8 +2,11 @@ package forwarder

 import (
 	"context"
+	"fmt"
 	"net"
 	"net/netip"
+	"os/exec"
+	"runtime"
 	"time"

 	"github.com/google/uuid"
@@ -14,30 +17,95 @@ import (
 )

 // handleICMP handles ICMP packets from the network stack
-func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBufferPtr) bool {
+func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt *stack.PacketBuffer) bool {
 	icmpHdr := header.ICMPv4(pkt.TransportHeader().View().AsSlice())
-	icmpType := uint8(icmpHdr.Type())
-	icmpCode := uint8(icmpHdr.Code())
-
-	if header.ICMPv4Type(icmpType) == header.ICMPv4EchoReply {
-		// dont process our own replies
-		return true
-	}

 	flowID := uuid.New()
-	f.sendICMPEvent(nftypes.TypeStart, flowID, id, icmpType, icmpCode, 0, 0)
+	f.sendICMPEvent(nftypes.TypeStart, flowID, id, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 0, 0)

-	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
+	// For Echo Requests, send and wait for response
+	if icmpHdr.Type() == header.ICMPv4Echo {
+		return f.handleICMPEcho(flowID, id, pkt, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()))
+	}
+
+	// For other ICMP types (Time Exceeded, Destination Unreachable, etc), forward without waiting
+	if !f.hasRawICMPAccess {
+		f.logger.Debug2("forwarder: Cannot handle ICMP type %v without raw socket access for %v", icmpHdr.Type(), epID(id))
+		return false
+	}
+
+	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
+	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 100*time.Millisecond)
+	if err != nil {
+		f.logger.Error2("forwarder: Failed to forward ICMP packet for %v: %v", epID(id), err)
+		return true
+	}
+	if err := conn.Close(); err != nil {
+		f.logger.Debug1("forwarder: Failed to close ICMP socket: %v", err)
+	}
+
+	return true
+}
+
+// handleICMPEcho handles ICMP echo requests asynchronously with rate limiting.
+func (f *Forwarder) handleICMPEcho(flowID uuid.UUID, id stack.TransportEndpointID, pkt *stack.PacketBuffer, icmpType, icmpCode uint8) bool {
+	select {
+	case f.pingSemaphore <- struct{}{}:
+		icmpData := stack.PayloadSince(pkt.TransportHeader()).ToSlice()
+		rxBytes := pkt.Size()
+
+		go func() {
+			defer func() { <-f.pingSemaphore }()
+
+			if f.hasRawICMPAccess {
+				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
+			} else {
+				f.handleICMPViaPing(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
+			}
+		}()
+	default:
+		f.logger.Debug3("forwarder: ICMP rate limit exceeded for %v type %v code %v",
+			epID(id), icmpType, icmpCode)
+	}
+	return true
+}
+
+// forwardICMPPacket creates a raw ICMP socket and sends the packet, returning the connection.
+// The caller is responsible for closing the returned connection.
+func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, timeout time.Duration) (net.PacketConn, error) {
+	ctx, cancel := context.WithTimeout(f.ctx, timeout)
 	defer cancel()

 	lc := net.ListenConfig{}
-	// TODO: support non-root
 	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
 	if err != nil {
-		f.logger.Error2("forwarder: Failed to create ICMP socket for %v: %v", epID(id), err)
+		return nil, fmt.Errorf("create ICMP socket: %w", err)
+	}

-		// This will make netstack reply on behalf of the original destination, that's ok for now
-		return false
+	dstIP := f.determineDialAddr(id.LocalAddress)
+	dst := &net.IPAddr{IP: dstIP}
+
+	if _, err = conn.WriteTo(payload, dst); err != nil {
+		if closeErr := conn.Close(); closeErr != nil {
+			f.logger.Debug1("forwarder: Failed to close ICMP socket: %v", closeErr)
+		}
+		return nil, fmt.Errorf("write ICMP packet: %w", err)
+	}
+
+	f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
+		epID(id), icmpType, icmpCode)
+
+	return conn, nil
+}
+
+// handleICMPViaSocket handles ICMP echo requests using raw sockets.
+func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
+	sendTime := time.Now()
+
+	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, 5*time.Second)
+	if err != nil {
+		f.logger.Error2("forwarder: Failed to send ICMP packet for %v: %v", epID(id), err)
+		return
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
@@ -45,38 +113,22 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 		}
 	}()

-	dstIP := f.determineDialAddr(id.LocalAddress)
-	dst := &net.IPAddr{IP: dstIP}
+	txBytes := f.handleEchoResponse(conn, id)
+	rtt := time.Since(sendTime).Round(10 * time.Microsecond)

-	fullPacket := stack.PayloadSince(pkt.TransportHeader())
-	payload := fullPacket.AsSlice()
+	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, raw socket)",
+		epID(id), icmpType, icmpCode, rtt)

-	if _, err = conn.WriteTo(payload, dst); err != nil {
-		f.logger.Error2("forwarder: Failed to write ICMP packet for %v: %v", epID(id), err)
-		return true
-	}
-
-	f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
-		epID(id), icmpHdr.Type(), icmpHdr.Code())
-
-	// For Echo Requests, send and handle response
-	if header.ICMPv4Type(icmpType) == header.ICMPv4Echo {
-		rxBytes := pkt.Size()
-		txBytes := f.handleEchoResponse(icmpHdr, conn, id)
-		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
-	}
-
-	// For other ICMP types (Time Exceeded, Destination Unreachable, etc) do nothing
-	return true
+	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }

-func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketConn, id stack.TransportEndpointID) int {
+func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEndpointID) int {
 	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
 		f.logger.Error1("forwarder: Failed to set read deadline for ICMP response: %v", err)
 		return 0
 	}

-	response := make([]byte, f.endpoint.mtu)
+	response := make([]byte, f.endpoint.mtu.Load())
 	n, _, err := conn.ReadFrom(response)
 	if err != nil {
 		if !isTimeout(err) {
@@ -85,31 +137,7 @@ func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketCon
 		return 0
 	}

-	ipHdr := make([]byte, header.IPv4MinimumSize)
-	ip := header.IPv4(ipHdr)
-	ip.Encode(&header.IPv4Fields{
-		TotalLength: uint16(header.IPv4MinimumSize + n),
-		TTL:         64,
-		Protocol:    uint8(header.ICMPv4ProtocolNumber),
-		SrcAddr:     id.LocalAddress,
-		DstAddr:     id.RemoteAddress,
-	})
-	ip.SetChecksum(^ip.CalculateChecksum())
-
-	fullPacket := make([]byte, 0, len(ipHdr)+n)
-	fullPacket = append(fullPacket, ipHdr...)
-	fullPacket = append(fullPacket, response[:n]...)
-
-	if err := f.InjectIncomingPacket(fullPacket); err != nil {
-		f.logger.Error1("forwarder: Failed to inject ICMP response: %v", err)
-
-		return 0
-	}
-
-	f.logger.Trace3("forwarder: Forwarded ICMP echo reply for %v type %v code %v",
-		epID(id), icmpHdr.Type(), icmpHdr.Code())
-
-	return len(fullPacket)
+	return f.injectICMPReply(id, response[:n])
 }

 // sendICMPEvent stores flow events for ICMP packets
@@ -152,3 +180,95 @@ func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.T

 	f.flowLogger.StoreEvent(fields)
 }
+
+// handleICMPViaPing handles ICMP echo requests by executing the system ping binary.
+// This is used as a fallback when raw socket access is not available.
+func (f *Forwarder) handleICMPViaPing(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
+	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
+	defer cancel()
+
+	dstIP := f.determineDialAddr(id.LocalAddress)
+	cmd := buildPingCommand(ctx, dstIP, 5*time.Second)
+
+	pingStart := time.Now()
+	if err := cmd.Run(); err != nil {
+		f.logger.Warn4("forwarder: Ping binary failed for %v type %v code %v: %v", epID(id),
+			icmpType, icmpCode, err)
+		return
+	}
+	rtt := time.Since(pingStart).Round(10 * time.Microsecond)
+
+	f.logger.Trace3("forwarder: Forwarded ICMP echo request %v type %v code %v",
+		epID(id), icmpType, icmpCode)
+
+	txBytes := f.synthesizeEchoReply(id, icmpData)
+
+	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, ping binary)",
+		epID(id), icmpType, icmpCode, rtt)
+
+	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
+}
+
+// buildPingCommand creates a platform-specific ping command.
+func buildPingCommand(ctx context.Context, target net.IP, timeout time.Duration) *exec.Cmd {
+	timeoutSec := int(timeout.Seconds())
+	if timeoutSec < 1 {
+		timeoutSec = 1
+	}
+
+	switch runtime.GOOS {
+	case "linux", "android":
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-W", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
+	case "darwin", "ios":
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
+	case "freebsd":
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), target.String())
+	case "openbsd", "netbsd":
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-w", fmt.Sprintf("%d", timeoutSec), target.String())
+	case "windows":
+		return exec.CommandContext(ctx, "ping", "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
+	default:
+		return exec.CommandContext(ctx, "ping", "-c", "1", target.String())
+	}
+}
+
+// synthesizeEchoReply creates an ICMP echo reply from raw ICMP data and injects it back into the network stack.
+// Returns the size of the injected packet.
+func (f *Forwarder) synthesizeEchoReply(id stack.TransportEndpointID, icmpData []byte) int {
+	replyICMP := make([]byte, len(icmpData))
+	copy(replyICMP, icmpData)
+
+	replyICMPHdr := header.ICMPv4(replyICMP)
+	replyICMPHdr.SetType(header.ICMPv4EchoReply)
+	replyICMPHdr.SetChecksum(0)
+	replyICMPHdr.SetChecksum(header.ICMPv4Checksum(replyICMPHdr, 0))
+
+	return f.injectICMPReply(id, replyICMP)
+}
+
+// injectICMPReply wraps an ICMP payload in an IP header and injects it into the network stack.
+// Returns the total size of the injected packet, or 0 if injection failed.
+func (f *Forwarder) injectICMPReply(id stack.TransportEndpointID, icmpPayload []byte) int {
+	ipHdr := make([]byte, header.IPv4MinimumSize)
+	ip := header.IPv4(ipHdr)
+	ip.Encode(&header.IPv4Fields{
+		TotalLength: uint16(header.IPv4MinimumSize + len(icmpPayload)),
+		TTL:         64,
+		Protocol:    uint8(header.ICMPv4ProtocolNumber),
+		SrcAddr:     id.LocalAddress,
+		DstAddr:     id.RemoteAddress,
+	})
+	ip.SetChecksum(^ip.CalculateChecksum())
+
+	fullPacket := make([]byte, 0, len(ipHdr)+len(icmpPayload))
+	fullPacket = append(fullPacket, ipHdr...)
+	fullPacket = append(fullPacket, icmpPayload...)
+
+	// Bypass netstack and send directly to peer to avoid looping through our ICMP handler
+	if err := f.endpoint.device.CreateOutboundPacket(fullPacket, id.RemoteAddress.AsSlice()); err != nil {
+		f.logger.Error1("forwarder: Failed to send ICMP reply to peer: %v", err)
+		return 0
+	}
+
+	return len(fullPacket)
+}
--- a/client/firewall/uspfilter/forwarder/udp.go
+++ b/client/firewall/uspfilter/forwarder/udp.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"io"
 	"net"
 	"net/netip"
 	"sync"
@@ -131,10 +132,10 @@ func (f *udpForwarder) cleanup() {
 }

 // handleUDP is called by the UDP forwarder for new packets
-func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
+func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) bool {
 	if f.ctx.Err() != nil {
 		f.logger.Trace("forwarder: context done, dropping UDP packet")
-		return
+		return false
 	}

 	id := r.ID()
@@ -144,7 +145,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 	f.udpForwarder.RUnlock()
 	if exists {
 		f.logger.Trace1("forwarder: existing UDP connection for %v", epID(id))
-		return
+		return true
 	}

 	flowID := uuid.New()
@@ -162,7 +163,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 	if err != nil {
 		f.logger.Debug2("forwarder: UDP dial error for %v: %v", epID(id), err)
 		// TODO: Send ICMP error message
-		return
+		return false
 	}

 	// Create wait queue for blocking syscalls
@@ -173,10 +174,10 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 		if err := outConn.Close(); err != nil {
 			f.logger.Debug2("forwarder: UDP outConn close error for %v: %v", epID(id), err)
 		}
-		return
+		return false
 	}

-	inConn := gonet.NewUDPConn(f.stack, &wq, ep)
+	inConn := gonet.NewUDPConn(&wq, ep)
 	connCtx, connCancel := context.WithCancel(f.ctx)

 	pConn := &udpPacketConn{
@@ -199,7 +200,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 		if err := outConn.Close(); err != nil {
 			f.logger.Debug2("forwarder: UDP outConn close error for %v: %v", epID(id), err)
 		}
-		return
+		return true
 	}
 	f.udpForwarder.conns[id] = pConn
 	f.udpForwarder.Unlock()
@@ -208,6 +209,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 	f.logger.Trace1("forwarder: established UDP connection %v", epID(id))

 	go f.proxyUDP(connCtx, pConn, id, ep)
+	return true
 }

 func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack.TransportEndpointID, ep tcpip.Endpoint) {
@@ -348,7 +350,7 @@ func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bu
 }

 func isClosedError(err error) bool {
-	return errors.Is(err, net.ErrClosed) || errors.Is(err, context.Canceled)
+	return errors.Is(err, net.ErrClosed) || errors.Is(err, context.Canceled) || errors.Is(err, io.EOF)
 }

 func isTimeout(err error) bool {
--- a/client/firewall/uspfilter/localip.go
+++ b/client/firewall/uspfilter/localip.go
@@ -130,6 +130,7 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	// 127.0.0.0/8
 	newIPv4Bitmap[127] = &ipv4LowBitmap{}
 	for i := 0; i < 8192; i++ {
+		// #nosec G602 -- bitmap is defined as [8192]uint32, loop range is correct
 		newIPv4Bitmap[127].bitmap[i] = 0xFFFFFFFF
 	}

--- a/client/firewall/uspfilter/localip_test.go
+++ b/client/firewall/uspfilter/localip_test.go
@@ -218,7 +218,7 @@ func BenchmarkIPChecks(b *testing.B) {
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
 			// nolint:gosimple
-			_, _ = mapManager.localIPs[ip.String()]
+			_ = mapManager.localIPs[ip.String()]
 		}
 	})

@@ -227,7 +227,7 @@ func BenchmarkIPChecks(b *testing.B) {
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
 			// nolint:gosimple
-			_, _ = mapManager.localIPs[ip.String()]
+			_ = mapManager.localIPs[ip.String()]
 		}
 	})
 }
--- a/client/firewall/uspfilter/log/log.go
+++ b/client/firewall/uspfilter/log/log.go
@@ -168,6 +168,15 @@ func (l *Logger) Warn3(format string, arg1, arg2, arg3 any) {
 	}
 }

+func (l *Logger) Warn4(format string, arg1, arg2, arg3, arg4 any) {
+	if l.level.Load() >= uint32(LevelWarn) {
+		select {
+		case l.msgChannel <- logMessage{level: LevelWarn, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4}:
+		default:
+		}
+	}
+}
+
 func (l *Logger) Debug1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelDebug) {
 		select {
--- a/client/firewall/uspfilter/nat_test.go
+++ b/client/firewall/uspfilter/nat_test.go
@@ -234,9 +234,10 @@ func TestInboundPortDNATNegative(t *testing.T) {
 			require.False(t, translated, "Packet should NOT be translated for %s", tc.name)

 			d = parsePacket(t, packet)
-			if tc.protocol == layers.IPProtocolTCP {
+			switch tc.protocol {
+			case layers.IPProtocolTCP:
 				require.Equal(t, tc.dstPort, uint16(d.tcp.DstPort), "Port should remain unchanged")
-			} else if tc.protocol == layers.IPProtocolUDP {
+			case layers.IPProtocolUDP:
 				require.Equal(t, tc.dstPort, uint16(d.udp.DstPort), "Port should remain unchanged")
 			}
 		})
--- a/client/firewall/uspfilter/rule.go
+++ b/client/firewall/uspfilter/rule.go
@@ -34,7 +34,7 @@ type RouteRule struct {
 	sources      []netip.Prefix
 	dstSet       firewall.Set
 	destinations []netip.Prefix
-	proto        firewall.Protocol
+	protoLayer   gopacket.LayerType
 	srcPort      *firewall.Port
 	dstPort      *firewall.Port
 	action       firewall.Action
--- a/client/firewall/uspfilter/tracer.go
+++ b/client/firewall/uspfilter/tracer.go
@@ -379,9 +379,9 @@ func (m *Manager) handleNativeRouter(trace *PacketTrace) *PacketTrace {
 }

 func (m *Manager) handleRouteACLs(trace *PacketTrace, d *decoder, srcIP, dstIP netip.Addr) *PacketTrace {
-	proto, _ := getProtocolFromPacket(d)
+	protoLayer := d.decoded[1]
 	srcPort, dstPort := getPortsFromPacket(d)
-	id, allowed := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort)
+	id, allowed := m.routeACLsPass(srcIP, dstIP, protoLayer, srcPort, dstPort)

 	strId := string(id)
 	if id == nil {
--- a/client/iface/bind/ice_bind.go
+++ b/client/iface/bind/ice_bind.go
@@ -27,8 +27,23 @@ type receiverCreator struct {
 	iceBind *ICEBind
 }

-func (rc receiverCreator) CreateIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, rxOffload bool, msgPool *sync.Pool) wgConn.ReceiveFunc {
-	return rc.iceBind.createIPv4ReceiverFn(pc, conn, rxOffload, msgPool)
+func (rc receiverCreator) CreateReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxOffload bool, msgPool *sync.Pool) wgConn.ReceiveFunc {
+	if ipv4PC, ok := pc.(*ipv4.PacketConn); ok {
+		return rc.iceBind.createIPv4ReceiverFn(ipv4PC, conn, rxOffload, msgPool)
+	}
+	// IPv6 is currently not supported in the udpmux, this is a stub for compatibility with the
+	// wireguard-go ReceiverCreator interface which is called for both IPv4 and IPv6.
+	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
+		buf := bufs[0]
+		size, ep, err := conn.ReadFromUDPAddrPort(buf)
+		if err != nil {
+			return 0, err
+		}
+		sizes[0] = size
+		stdEp := &wgConn.StdNetEndpoint{AddrPort: ep}
+		eps[0] = stdEp
+		return 1, nil
+	}
 }

 // ICEBind is a bind implementation with two main features:
--- a/client/iface/device/device_ios.go
+++ b/client/iface/device/device_ios.go
@@ -1,6 +1,3 @@
-//go:build ios
-// +build ios
-
 package device

 import (
--- a/client/iface/wgproxy/factory_kernel.go
+++ b/client/iface/wgproxy/factory_kernel.go
@@ -3,12 +3,19 @@
 package wgproxy

 import (
+	"os"
+	"strconv"
+
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/iface/wgproxy/ebpf"
 	udpProxy "github.com/netbirdio/netbird/client/iface/wgproxy/udp"
 )

+const (
+	envDisableEBPFWGProxy = "NB_DISABLE_EBPF_WG_PROXY"
+)
+
 type KernelFactory struct {
 	wgPort int
 	mtu    uint16
@@ -22,6 +29,12 @@ func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
 		mtu:    mtu,
 	}

+	if isEBPFDisabled() {
+		log.Infof("WireGuard Proxy Factory will produce UDP proxy")
+		log.Infof("eBPF WireGuard proxy is disabled via %s environment variable", envDisableEBPFWGProxy)
+		return f
+	}
+
 	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, mtu)
 	if err := ebpfProxy.Listen(); err != nil {
 		log.Infof("WireGuard Proxy Factory will produce UDP proxy")
@@ -47,3 +60,16 @@ func (w *KernelFactory) Free() error {
 	}
 	return w.ebpfProxy.Free()
 }
+
+func isEBPFDisabled() bool {
+	val := os.Getenv(envDisableEBPFWGProxy)
+	if val == "" {
+		return false
+	}
+	disabled, err := strconv.ParseBool(val)
+	if err != nil {
+		log.Warnf("failed to parse %s: %v", envDisableEBPFWGProxy, err)
+		return false
+	}
+	return disabled
+}
--- a/client/internal/debug/debug_linux.go
+++ b/client/internal/debug/debug_linux.go
@@ -507,15 +507,13 @@ func formatPayloadWithCmp(p *expr.Payload, cmp *expr.Cmp) string {
 	if p.Base == expr.PayloadBaseNetworkHeader {
 		switch p.Offset {
 		case 12:
-			if p.Len == 4 {
-				return fmt.Sprintf("ip saddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
-			} else if p.Len == 2 {
+			switch p.Len {
+			case 4, 2:
 				return fmt.Sprintf("ip saddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
 			}
 		case 16:
-			if p.Len == 4 {
-				return fmt.Sprintf("ip daddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
-			} else if p.Len == 2 {
+			switch p.Len {
+			case 4, 2:
 				return fmt.Sprintf("ip daddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
 			}
 		}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -1631,7 +1631,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/iface.go
+++ b/client/internal/iface.go
@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package internal

--- a/client/internal/routemanager/iface/iface.go
+++ b/client/internal/routemanager/iface/iface.go
@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package iface

--- a/client/internal/routemanager/systemops/systemops_generic.go
+++ b/client/internal/routemanager/systemops/systemops_generic.go
@@ -210,7 +210,8 @@ func (r *SysOps) refreshLocalSubnetsCache() {
 func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
 	nextHop := Nexthop{netip.Addr{}, intf}

-	if prefix == vars.Defaultv4 {
+	switch prefix {
+	case vars.Defaultv4:
 		if err := r.addToRouteTable(splitDefaultv4_1, nextHop); err != nil {
 			return err
 		}
@@ -233,7 +234,7 @@ func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) er
 		}

 		return nil
-	} else if prefix == vars.Defaultv6 {
+	case vars.Defaultv6:
 		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
 			return fmt.Errorf("add unreachable route split 1: %w", err)
 		}
@@ -255,7 +256,8 @@ func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) er
 func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
 	nextHop := Nexthop{netip.Addr{}, intf}

-	if prefix == vars.Defaultv4 {
+	switch prefix {
+	case vars.Defaultv4:
 		var result *multierror.Error
 		if err := r.removeFromRouteTable(splitDefaultv4_1, nextHop); err != nil {
 			result = multierror.Append(result, err)
@@ -273,7 +275,7 @@ func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface)
 		}

 		return nberrors.FormatErrorOrNil(result)
-	} else if prefix == vars.Defaultv6 {
+	case vars.Defaultv6:
 		var result *multierror.Error
 		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
 			result = multierror.Append(result, err)
@@ -283,9 +285,9 @@ func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface)
 		}

 		return nberrors.FormatErrorOrNil(result)
+	default:
+		return r.removeFromRouteTable(prefix, nextHop)
 	}
-
-	return r.removeFromRouteTable(prefix, nextHop)
 }

 func (r *SysOps) setupHooks(initAddresses []net.IP, stateManager *statemanager.Manager) error {
--- a/client/ios/NetBirdSDK/client.go
+++ b/client/ios/NetBirdSDK/client.go
@@ -76,7 +76,7 @@ type Client struct {
 	loginComplete         bool
 	connectClient         *internal.ConnectClient
 	// preloadedConfig holds config loaded from JSON (used on tvOS where file writes are blocked)
-	preloadedConfig       *profilemanager.Config
+	preloadedConfig *profilemanager.Config
 }

 // NewClient instantiate a new Client
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
@@ -2013,6 +2013,7 @@ type SSHSessionInfo struct {
 	RemoteAddress string                 `protobuf:"bytes,2,opt,name=remoteAddress,proto3" json:"remoteAddress,omitempty"`
 	Command       string                 `protobuf:"bytes,3,opt,name=command,proto3" json:"command,omitempty"`
 	JwtUsername   string                 `protobuf:"bytes,4,opt,name=jwtUsername,proto3" json:"jwtUsername,omitempty"`
+	PortForwards  []string               `protobuf:"bytes,5,rep,name=portForwards,proto3" json:"portForwards,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -2075,6 +2076,13 @@ func (x *SSHSessionInfo) GetJwtUsername() string {
 	return ""
 }

+func (x *SSHSessionInfo) GetPortForwards() []string {
+	if x != nil {
+		return x.PortForwards
+	}
+	return nil
+}
+
 // SSHServerState contains the latest state of the SSH server
 type SSHServerState struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
@@ -5706,12 +5714,13 @@ const file_daemon_proto_rawDesc = "" +
 	"\aservers\x18\x01 \x03(\tR\aservers\x12\x18\n" +
 	"\adomains\x18\x02 \x03(\tR\adomains\x12\x18\n" +
 	"\aenabled\x18\x03 \x01(\bR\aenabled\x12\x14\n" +
-	"\x05error\x18\x04 \x01(\tR\x05error\"\x8e\x01\n" +
+	"\x05error\x18\x04 \x01(\tR\x05error\"\xb2\x01\n" +
 	"\x0eSSHSessionInfo\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12$\n" +
 	"\rremoteAddress\x18\x02 \x01(\tR\rremoteAddress\x12\x18\n" +
 	"\acommand\x18\x03 \x01(\tR\acommand\x12 \n" +
-	"\vjwtUsername\x18\x04 \x01(\tR\vjwtUsername\"^\n" +
+	"\vjwtUsername\x18\x04 \x01(\tR\vjwtUsername\x12\"\n" +
+	"\fportForwards\x18\x05 \x03(\tR\fportForwards\"^\n" +
 	"\x0eSSHServerState\x12\x18\n" +
 	"\aenabled\x18\x01 \x01(\bR\aenabled\x122\n" +
 	"\bsessions\x18\x02 \x03(\v2\x16.daemon.SSHSessionInfoR\bsessions\"\xaf\x04\n" +
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -372,6 +372,7 @@ message SSHSessionInfo {
  string remoteAddress = 2;
  string command = 3;
  string jwtUsername = 4;
+  repeated string portForwards = 5;
 }

 // SSHServerState contains the latest state of the SSH server
--- a/client/server/panic_windows.go
+++ b/client/server/panic_windows.go
@@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package server

--- a/client/server/server.go
+++ b/client/server/server.go
@@ -1104,6 +1104,7 @@ func (s *Server) getSSHServerState() *proto.SSHServerState {
 			RemoteAddress: session.RemoteAddress,
 			Command:       session.Command,
 			JwtUsername:   session.JWTUsername,
+			PortForwards:  session.PortForwards,
 		})
 	}

--- a/client/server/server_test.go
+++ b/client/server/server_test.go
@@ -326,7 +326,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/ssh/auth/auth.go
+++ b/client/ssh/auth/auth.go
@@ -98,19 +98,17 @@ func (a *Authorizer) Update(config *Config) {
 		len(config.AuthorizedUsers), len(machineUsers))
 }

-// Authorize validates if a user is authorized to login as the specified OS user
-// Returns nil if authorized, or an error describing why authorization failed
-func (a *Authorizer) Authorize(jwtUserID, osUsername string) error {
+// Authorize validates if a user is authorized to login as the specified OS user.
+// Returns a success message describing how authorization was granted, or an error.
+func (a *Authorizer) Authorize(jwtUserID, osUsername string) (string, error) {
 	if jwtUserID == "" {
-		log.Warnf("SSH auth denied: JWT user ID is empty for OS user '%s'", osUsername)
-		return ErrEmptyUserID
+		return "", fmt.Errorf("JWT user ID is empty for OS user %q: %w", osUsername, ErrEmptyUserID)
 	}

 	// Hash the JWT user ID for comparison
 	hashedUserID, err := sshuserhash.HashUserID(jwtUserID)
 	if err != nil {
-		log.Errorf("SSH auth denied: failed to hash user ID '%s' for OS user '%s': %v", jwtUserID, osUsername, err)
-		return fmt.Errorf("failed to hash user ID: %w", err)
+		return "", fmt.Errorf("hash user ID %q for OS user %q: %w", jwtUserID, osUsername, err)
 	}

 	a.mu.RLock()
@@ -119,8 +117,7 @@ func (a *Authorizer) Authorize(jwtUserID, osUsername string) error {
 	// Find the index of this user in the authorized list
 	userIndex, found := a.findUserIndex(hashedUserID)
 	if !found {
-		log.Warnf("SSH auth denied: user '%s' (hash: %s) not in authorized list for OS user '%s'", jwtUserID, hashedUserID, osUsername)
-		return ErrUserNotAuthorized
+		return "", fmt.Errorf("user %q (hash: %s) not in authorized list for OS user %q: %w", jwtUserID, hashedUserID, osUsername, ErrUserNotAuthorized)
 	}

 	return a.checkMachineUserMapping(jwtUserID, osUsername, userIndex)
@@ -128,12 +125,11 @@ func (a *Authorizer) Authorize(jwtUserID, osUsername string) error {

 // checkMachineUserMapping validates if a user's index is authorized for the specified OS user
 // Checks wildcard mapping first, then specific OS user mappings
-func (a *Authorizer) checkMachineUserMapping(jwtUserID, osUsername string, userIndex int) error {
+func (a *Authorizer) checkMachineUserMapping(jwtUserID, osUsername string, userIndex int) (string, error) {
 	// If wildcard exists and user's index is in the wildcard list, allow access to any OS user
 	if wildcardIndexes, hasWildcard := a.machineUsers[Wildcard]; hasWildcard {
 		if a.isIndexInList(uint32(userIndex), wildcardIndexes) {
-			log.Infof("SSH auth granted: user '%s' authorized for OS user '%s' via wildcard (index: %d)", jwtUserID, osUsername, userIndex)
-			return nil
+			return fmt.Sprintf("granted via wildcard (index: %d)", userIndex), nil
 		}
 	}

@@ -141,18 +137,15 @@ func (a *Authorizer) checkMachineUserMapping(jwtUserID, osUsername string, userI
 	allowedIndexes, hasMachineUserMapping := a.machineUsers[osUsername]
 	if !hasMachineUserMapping {
 		// No mapping for this OS user - deny by default (fail closed)
-		log.Warnf("SSH auth denied: no machine user mapping for OS user '%s' (JWT user: %s)", osUsername, jwtUserID)
-		return ErrNoMachineUserMapping
+		return "", fmt.Errorf("no machine user mapping for OS user %q (JWT user: %s): %w", osUsername, jwtUserID, ErrNoMachineUserMapping)
 	}

 	// Check if user's index is in the allowed indexes for this specific OS user
 	if !a.isIndexInList(uint32(userIndex), allowedIndexes) {
-		log.Warnf("SSH auth denied: user '%s' not mapped to OS user '%s' (user index: %d)", jwtUserID, osUsername, userIndex)
-		return ErrUserNotMappedToOSUser
+		return "", fmt.Errorf("user %q not mapped to OS user %q (index: %d): %w", jwtUserID, osUsername, userIndex, ErrUserNotMappedToOSUser)
 	}

-	log.Infof("SSH auth granted: user '%s' authorized for OS user '%s' (index: %d)", jwtUserID, osUsername, userIndex)
-	return nil
+	return fmt.Sprintf("granted (index: %d)", userIndex), nil
 }

 // GetUserIDClaim returns the JWT claim name used to extract user IDs
--- a/client/ssh/auth/auth_test.go
+++ b/client/ssh/auth/auth_test.go
@@ -24,7 +24,7 @@ func TestAuthorizer_Authorize_UserNotInList(t *testing.T) {
 	authorizer.Update(config)

 	// Try to authorize a different user
-	err = authorizer.Authorize("unauthorized-user", "root")
+	_, err = authorizer.Authorize("unauthorized-user", "root")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotAuthorized)
 }
@@ -45,15 +45,15 @@ func TestAuthorizer_Authorize_UserInList_NoMachineUserRestrictions(t *testing.T)
 	authorizer.Update(config)

 	// All attempts should fail when no machine user mappings exist (fail closed)
-	err = authorizer.Authorize("user1", "root")
+	_, err = authorizer.Authorize("user1", "root")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrNoMachineUserMapping)

-	err = authorizer.Authorize("user2", "admin")
+	_, err = authorizer.Authorize("user2", "admin")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrNoMachineUserMapping)

-	err = authorizer.Authorize("user1", "postgres")
+	_, err = authorizer.Authorize("user1", "postgres")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
 }
@@ -80,21 +80,21 @@ func TestAuthorizer_Authorize_UserInList_WithMachineUserMapping_Allowed(t *testi
 	authorizer.Update(config)

 	// user1 (index 0) should access root and admin
-	err = authorizer.Authorize("user1", "root")
+	_, err = authorizer.Authorize("user1", "root")
 	assert.NoError(t, err)

-	err = authorizer.Authorize("user1", "admin")
+	_, err = authorizer.Authorize("user1", "admin")
 	assert.NoError(t, err)

 	// user2 (index 1) should access root and postgres
-	err = authorizer.Authorize("user2", "root")
+	_, err = authorizer.Authorize("user2", "root")
 	assert.NoError(t, err)

-	err = authorizer.Authorize("user2", "postgres")
+	_, err = authorizer.Authorize("user2", "postgres")
 	assert.NoError(t, err)

 	// user3 (index 2) should access postgres
-	err = authorizer.Authorize("user3", "postgres")
+	_, err = authorizer.Authorize("user3", "postgres")
 	assert.NoError(t, err)
 }

@@ -121,22 +121,22 @@ func TestAuthorizer_Authorize_UserInList_WithMachineUserMapping_Denied(t *testin
 	authorizer.Update(config)

 	// user1 (index 0) should NOT access postgres
-	err = authorizer.Authorize("user1", "postgres")
+	_, err = authorizer.Authorize("user1", "postgres")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)

 	// user2 (index 1) should NOT access admin
-	err = authorizer.Authorize("user2", "admin")
+	_, err = authorizer.Authorize("user2", "admin")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)

 	// user3 (index 2) should NOT access root
-	err = authorizer.Authorize("user3", "root")
+	_, err = authorizer.Authorize("user3", "root")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)

 	// user3 (index 2) should NOT access admin
-	err = authorizer.Authorize("user3", "admin")
+	_, err = authorizer.Authorize("user3", "admin")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)
 }
@@ -158,7 +158,7 @@ func TestAuthorizer_Authorize_UserInList_OSUserNotInMapping(t *testing.T) {
 	authorizer.Update(config)

 	// user1 should NOT access an unmapped OS user (fail closed)
-	err = authorizer.Authorize("user1", "postgres")
+	_, err = authorizer.Authorize("user1", "postgres")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
 }
@@ -178,7 +178,7 @@ func TestAuthorizer_Authorize_EmptyJWTUserID(t *testing.T) {
 	authorizer.Update(config)

 	// Empty user ID should fail
-	err = authorizer.Authorize("", "root")
+	_, err = authorizer.Authorize("", "root")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrEmptyUserID)
 }
@@ -211,12 +211,12 @@ func TestAuthorizer_Authorize_MultipleUsersInList(t *testing.T) {

 	// All users should be authorized for root
 	for i := 0; i < 10; i++ {
-		err := authorizer.Authorize("user"+string(rune('0'+i)), "root")
+		_, err := authorizer.Authorize("user"+string(rune('0'+i)), "root")
 		assert.NoError(t, err, "user%d should be authorized", i)
 	}

 	// User not in list should fail
-	err := authorizer.Authorize("unknown-user", "root")
+	_, err := authorizer.Authorize("unknown-user", "root")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotAuthorized)
 }
@@ -236,14 +236,14 @@ func TestAuthorizer_Update_ClearsConfiguration(t *testing.T) {
 	authorizer.Update(config)

 	// user1 should be authorized
-	err = authorizer.Authorize("user1", "root")
+	_, err = authorizer.Authorize("user1", "root")
 	assert.NoError(t, err)

 	// Clear configuration
 	authorizer.Update(nil)

 	// user1 should no longer be authorized
-	err = authorizer.Authorize("user1", "root")
+	_, err = authorizer.Authorize("user1", "root")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotAuthorized)
 }
@@ -267,16 +267,16 @@ func TestAuthorizer_Update_EmptyMachineUsersListEntries(t *testing.T) {
 	authorizer.Update(config)

 	// root should work
-	err = authorizer.Authorize("user1", "root")
+	_, err = authorizer.Authorize("user1", "root")
 	assert.NoError(t, err)

 	// postgres should fail (no mapping)
-	err = authorizer.Authorize("user1", "postgres")
+	_, err = authorizer.Authorize("user1", "postgres")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrNoMachineUserMapping)

 	// admin should fail (no mapping)
-	err = authorizer.Authorize("user1", "admin")
+	_, err = authorizer.Authorize("user1", "admin")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
 }
@@ -301,7 +301,7 @@ func TestAuthorizer_CustomUserIDClaim(t *testing.T) {
 	assert.Equal(t, "email", authorizer.GetUserIDClaim())

 	// Authorize with email as user ID
-	err = authorizer.Authorize("user@example.com", "root")
+	_, err = authorizer.Authorize("user@example.com", "root")
 	assert.NoError(t, err)
 }

@@ -349,19 +349,19 @@ func TestAuthorizer_MachineUserMapping_LargeIndexes(t *testing.T) {
 	authorizer.Update(config)

 	// First user should have access
-	err := authorizer.Authorize("user"+string(rune(0)), "root")
+	_, err := authorizer.Authorize("user"+string(rune(0)), "root")
 	assert.NoError(t, err)

 	// Middle user should have access
-	err = authorizer.Authorize("user"+string(rune(500)), "root")
+	_, err = authorizer.Authorize("user"+string(rune(500)), "root")
 	assert.NoError(t, err)

 	// Last user should have access
-	err = authorizer.Authorize("user"+string(rune(999)), "root")
+	_, err = authorizer.Authorize("user"+string(rune(999)), "root")
 	assert.NoError(t, err)

 	// User not in mapping should NOT have access
-	err = authorizer.Authorize("user"+string(rune(100)), "root")
+	_, err = authorizer.Authorize("user"+string(rune(100)), "root")
 	assert.Error(t, err)
 }

@@ -393,7 +393,7 @@ func TestAuthorizer_ConcurrentAuthorization(t *testing.T) {
 			if idx%2 == 0 {
 				user = "user2"
 			}
-			err := authorizer.Authorize(user, "root")
+			_, err := authorizer.Authorize(user, "root")
 			errChan <- err
 		}(i)
 	}
@@ -426,22 +426,22 @@ func TestAuthorizer_Wildcard_AllowsAllAuthorizedUsers(t *testing.T) {
 	authorizer.Update(config)

 	// All authorized users should be able to access any OS user
-	err = authorizer.Authorize("user1", "root")
+	_, err = authorizer.Authorize("user1", "root")
 	assert.NoError(t, err)

-	err = authorizer.Authorize("user2", "postgres")
+	_, err = authorizer.Authorize("user2", "postgres")
 	assert.NoError(t, err)

-	err = authorizer.Authorize("user3", "admin")
+	_, err = authorizer.Authorize("user3", "admin")
 	assert.NoError(t, err)

-	err = authorizer.Authorize("user1", "ubuntu")
+	_, err = authorizer.Authorize("user1", "ubuntu")
 	assert.NoError(t, err)

-	err = authorizer.Authorize("user2", "nginx")
+	_, err = authorizer.Authorize("user2", "nginx")
 	assert.NoError(t, err)

-	err = authorizer.Authorize("user3", "docker")
+	_, err = authorizer.Authorize("user3", "docker")
 	assert.NoError(t, err)
 }

@@ -462,11 +462,11 @@ func TestAuthorizer_Wildcard_UnauthorizedUserStillDenied(t *testing.T) {
 	authorizer.Update(config)

 	// user1 should have access
-	err = authorizer.Authorize("user1", "root")
+	_, err = authorizer.Authorize("user1", "root")
 	assert.NoError(t, err)

 	// Unauthorized user should still be denied even with wildcard
-	err = authorizer.Authorize("unauthorized-user", "root")
+	_, err = authorizer.Authorize("unauthorized-user", "root")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotAuthorized)
 }
@@ -492,17 +492,17 @@ func TestAuthorizer_Wildcard_TakesPrecedenceOverSpecificMappings(t *testing.T) {
 	authorizer.Update(config)

 	// Both users should be able to access root via wildcard (takes precedence over specific mapping)
-	err = authorizer.Authorize("user1", "root")
+	_, err = authorizer.Authorize("user1", "root")
 	assert.NoError(t, err)

-	err = authorizer.Authorize("user2", "root")
+	_, err = authorizer.Authorize("user2", "root")
 	assert.NoError(t, err)

 	// Both users should be able to access any other OS user via wildcard
-	err = authorizer.Authorize("user1", "postgres")
+	_, err = authorizer.Authorize("user1", "postgres")
 	assert.NoError(t, err)

-	err = authorizer.Authorize("user2", "admin")
+	_, err = authorizer.Authorize("user2", "admin")
 	assert.NoError(t, err)
 }

@@ -526,29 +526,29 @@ func TestAuthorizer_NoWildcard_SpecificMappingsOnly(t *testing.T) {
 	authorizer.Update(config)

 	// user1 can access root
-	err = authorizer.Authorize("user1", "root")
+	_, err = authorizer.Authorize("user1", "root")
 	assert.NoError(t, err)

 	// user2 can access postgres
-	err = authorizer.Authorize("user2", "postgres")
+	_, err = authorizer.Authorize("user2", "postgres")
 	assert.NoError(t, err)

 	// user1 cannot access postgres
-	err = authorizer.Authorize("user1", "postgres")
+	_, err = authorizer.Authorize("user1", "postgres")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)

 	// user2 cannot access root
-	err = authorizer.Authorize("user2", "root")
+	_, err = authorizer.Authorize("user2", "root")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)

 	// Neither can access unmapped OS users
-	err = authorizer.Authorize("user1", "admin")
+	_, err = authorizer.Authorize("user1", "admin")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrNoMachineUserMapping)

-	err = authorizer.Authorize("user2", "admin")
+	_, err = authorizer.Authorize("user2", "admin")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
 }
@@ -578,35 +578,35 @@ func TestAuthorizer_Wildcard_WithPartialIndexes_AllowsAllUsers(t *testing.T) {
 	authorizer.Update(config)

 	// wasm (index 0) should access any OS user via wildcard
-	err = authorizer.Authorize("wasm", "root")
+	_, err = authorizer.Authorize("wasm", "root")
 	assert.NoError(t, err, "wasm should access root via wildcard")

-	err = authorizer.Authorize("wasm", "alice")
+	_, err = authorizer.Authorize("wasm", "alice")
 	assert.NoError(t, err, "wasm should access alice via wildcard")

-	err = authorizer.Authorize("wasm", "bob")
+	_, err = authorizer.Authorize("wasm", "bob")
 	assert.NoError(t, err, "wasm should access bob via wildcard")

-	err = authorizer.Authorize("wasm", "postgres")
+	_, err = authorizer.Authorize("wasm", "postgres")
 	assert.NoError(t, err, "wasm should access postgres via wildcard")

 	// user2 (index 1) should only access alice and bob (explicitly mapped), NOT root or postgres
-	err = authorizer.Authorize("user2", "alice")
+	_, err = authorizer.Authorize("user2", "alice")
 	assert.NoError(t, err, "user2 should access alice via explicit mapping")

-	err = authorizer.Authorize("user2", "bob")
+	_, err = authorizer.Authorize("user2", "bob")
 	assert.NoError(t, err, "user2 should access bob via explicit mapping")

-	err = authorizer.Authorize("user2", "root")
+	_, err = authorizer.Authorize("user2", "root")
 	assert.Error(t, err, "user2 should NOT access root (not in wildcard indexes)")
 	assert.ErrorIs(t, err, ErrNoMachineUserMapping)

-	err = authorizer.Authorize("user2", "postgres")
+	_, err = authorizer.Authorize("user2", "postgres")
 	assert.Error(t, err, "user2 should NOT access postgres (not explicitly mapped)")
 	assert.ErrorIs(t, err, ErrNoMachineUserMapping)

 	// Unauthorized user should still be denied
-	err = authorizer.Authorize("user3", "root")
+	_, err = authorizer.Authorize("user3", "root")
 	assert.Error(t, err)
 	assert.ErrorIs(t, err, ErrUserNotAuthorized, "unauthorized user should be denied")
 }
--- a/client/ssh/client/client.go
+++ b/client/ssh/client/client.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io"
 	"net"
 	"os"
 	"path/filepath"
@@ -551,14 +550,15 @@ func (c *Client) LocalPortForward(ctx context.Context, localAddr, remoteAddr str
 func (c *Client) handleLocalForward(localConn net.Conn, remoteAddr string) {
 	defer func() {
 		if err := localConn.Close(); err != nil {
-			log.Debugf("local connection close error: %v", err)
+			log.Debugf("local port forwarding: close local connection: %v", err)
 		}
 	}()

 	channel, err := c.client.Dial("tcp", remoteAddr)
 	if err != nil {
-		if strings.Contains(err.Error(), "administratively prohibited") {
-			_, _ = fmt.Fprintf(os.Stderr, "channel open failed: administratively prohibited: port forwarding is disabled\n")
+		var openErr *ssh.OpenChannelError
+		if errors.As(err, &openErr) && openErr.Reason == ssh.Prohibited {
+			_, _ = fmt.Fprintf(os.Stderr, "channel open failed: port forwarding is disabled\n")
 		} else {
 			log.Debugf("local port forwarding to %s failed: %v", remoteAddr, err)
 		}
@@ -566,19 +566,11 @@ func (c *Client) handleLocalForward(localConn net.Conn, remoteAddr string) {
 	}
 	defer func() {
 		if err := channel.Close(); err != nil {
-			log.Debugf("remote channel close error: %v", err)
+			log.Debugf("local port forwarding: close remote channel: %v", err)
 		}
 	}()

-	go func() {
-		if _, err := io.Copy(channel, localConn); err != nil {
-			log.Debugf("local forward copy error (local->remote): %v", err)
-		}
-	}()
-
-	if _, err := io.Copy(localConn, channel); err != nil {
-		log.Debugf("local forward copy error (remote->local): %v", err)
-	}
+	nbssh.BidirectionalCopy(log.NewEntry(log.StandardLogger()), localConn, channel)
 }

 // RemotePortForward sets up remote port forwarding, binding on remote and forwarding to localAddr
@@ -633,7 +625,7 @@ func (c *Client) sendTCPIPForwardRequest(req tcpipForwardMsg) error {
 		return fmt.Errorf("send tcpip-forward request: %w", err)
 	}
 	if !ok {
-		return fmt.Errorf("remote port forwarding denied by server (check if --allow-ssh-remote-port-forwarding is enabled)")
+		return fmt.Errorf("remote port forwarding denied by server")
 	}
 	return nil
 }
@@ -676,7 +668,7 @@ func (c *Client) handleRemoteForwardChannel(newChan ssh.NewChannel, localAddr st
 	}
 	defer func() {
 		if err := channel.Close(); err != nil {
-			log.Debugf("remote channel close error: %v", err)
+			log.Debugf("remote port forwarding: close remote channel: %v", err)
 		}
 	}()

@@ -688,19 +680,11 @@ func (c *Client) handleRemoteForwardChannel(newChan ssh.NewChannel, localAddr st
 	}
 	defer func() {
 		if err := localConn.Close(); err != nil {
-			log.Debugf("local connection close error: %v", err)
+			log.Debugf("remote port forwarding: close local connection: %v", err)
 		}
 	}()

-	go func() {
-		if _, err := io.Copy(localConn, channel); err != nil {
-			log.Debugf("remote forward copy error (remote->local): %v", err)
-		}
-	}()
-
-	if _, err := io.Copy(channel, localConn); err != nil {
-		log.Debugf("remote forward copy error (local->remote): %v", err)
-	}
+	nbssh.BidirectionalCopy(log.NewEntry(log.StandardLogger()), localConn, channel)
 }

 // tcpipForwardMsg represents the structure for tcpip-forward requests
--- a/client/ssh/common.go
+++ b/client/ssh/common.go
@@ -193,3 +193,64 @@ func buildAddressList(hostname string, remote net.Addr) []string {
 	}
 	return addresses
 }
+
+// BidirectionalCopy copies data bidirectionally between two io.ReadWriter connections.
+// It waits for both directions to complete before returning.
+// The caller is responsible for closing the connections.
+func BidirectionalCopy(logger *log.Entry, rw1, rw2 io.ReadWriter) {
+	done := make(chan struct{}, 2)
+
+	go func() {
+		if _, err := io.Copy(rw2, rw1); err != nil && !isExpectedCopyError(err) {
+			logger.Debugf("copy error (1->2): %v", err)
+		}
+		done <- struct{}{}
+	}()
+
+	go func() {
+		if _, err := io.Copy(rw1, rw2); err != nil && !isExpectedCopyError(err) {
+			logger.Debugf("copy error (2->1): %v", err)
+		}
+		done <- struct{}{}
+	}()
+
+	<-done
+	<-done
+}
+
+func isExpectedCopyError(err error) bool {
+	return errors.Is(err, io.EOF) || errors.Is(err, context.Canceled)
+}
+
+// BidirectionalCopyWithContext copies data bidirectionally between two io.ReadWriteCloser connections.
+// It waits for both directions to complete or for context cancellation before returning.
+// Both connections are closed when the function returns.
+func BidirectionalCopyWithContext(logger *log.Entry, ctx context.Context, conn1, conn2 io.ReadWriteCloser) {
+	done := make(chan struct{}, 2)
+
+	go func() {
+		if _, err := io.Copy(conn2, conn1); err != nil && !isExpectedCopyError(err) {
+			logger.Debugf("copy error (1->2): %v", err)
+		}
+		done <- struct{}{}
+	}()
+
+	go func() {
+		if _, err := io.Copy(conn1, conn2); err != nil && !isExpectedCopyError(err) {
+			logger.Debugf("copy error (2->1): %v", err)
+		}
+		done <- struct{}{}
+	}()
+
+	select {
+	case <-ctx.Done():
+	case <-done:
+		select {
+		case <-ctx.Done():
+		case <-done:
+		}
+	}
+
+	_ = conn1.Close()
+	_ = conn2.Close()
+}
--- a/client/ssh/proxy/proxy.go
+++ b/client/ssh/proxy/proxy.go
@@ -2,6 +2,7 @@ package proxy

 import (
 	"context"
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
@@ -42,6 +43,14 @@ type SSHProxy struct {
 	conn          *grpc.ClientConn
 	daemonClient  proto.DaemonServiceClient
 	browserOpener func(string) error
+
+	mu            sync.RWMutex
+	backendClient *cryptossh.Client
+	// jwtToken is set once in runProxySSHServer before any handlers are called,
+	// so concurrent access is safe without additional synchronization.
+	jwtToken string
+
+	forwardedChannelsOnce sync.Once
 }

 func New(daemonAddr, targetHost string, targetPort int, stderr io.Writer, browserOpener func(string) error) (*SSHProxy, error) {
@@ -63,6 +72,17 @@ func New(daemonAddr, targetHost string, targetPort int, stderr io.Writer, browse
 }

 func (p *SSHProxy) Close() error {
+	p.mu.Lock()
+	backendClient := p.backendClient
+	p.backendClient = nil
+	p.mu.Unlock()
+
+	if backendClient != nil {
+		if err := backendClient.Close(); err != nil {
+			log.Debugf("close backend client: %v", err)
+		}
+	}
+
 	if p.conn != nil {
 		return p.conn.Close()
 	}
@@ -77,16 +97,16 @@ func (p *SSHProxy) Connect(ctx context.Context) error {
 		return fmt.Errorf(jwtAuthErrorMsg, err)
 	}

-	return p.runProxySSHServer(ctx, jwtToken)
+	log.Debugf("JWT authentication successful, starting proxy to %s:%d", p.targetHost, p.targetPort)
+	return p.runProxySSHServer(jwtToken)
 }

-func (p *SSHProxy) runProxySSHServer(ctx context.Context, jwtToken string) error {
+func (p *SSHProxy) runProxySSHServer(jwtToken string) error {
+	p.jwtToken = jwtToken
 	serverVersion := fmt.Sprintf("%s-%s", detection.ProxyIdentifier, version.NetbirdVersion())

 	sshServer := &ssh.Server{
-		Handler: func(s ssh.Session) {
-			p.handleSSHSession(ctx, s, jwtToken)
-		},
+		Handler: p.handleSSHSession,
 		ChannelHandlers: map[string]ssh.ChannelHandler{
 			"session":      ssh.DefaultSessionHandler,
 			"direct-tcpip": p.directTCPIPHandler,
@@ -119,15 +139,20 @@ func (p *SSHProxy) runProxySSHServer(ctx context.Context, jwtToken string) error
 	return nil
 }

-func (p *SSHProxy) handleSSHSession(ctx context.Context, session ssh.Session, jwtToken string) {
-	targetAddr := net.JoinHostPort(p.targetHost, strconv.Itoa(p.targetPort))
+func (p *SSHProxy) handleSSHSession(session ssh.Session) {
+	ptyReq, winCh, isPty := session.Pty()
+	hasCommand := len(session.Command()) > 0

-	sshClient, err := p.dialBackend(ctx, targetAddr, session.User(), jwtToken)
+	sshClient, err := p.getOrCreateBackendClient(session.Context(), session.User())
 	if err != nil {
 		_, _ = fmt.Fprintf(p.stderr, "SSH connection to NetBird server failed: %v\n", err)
 		return
 	}
-	defer func() { _ = sshClient.Close() }()
+
+	if !isPty && !hasCommand {
+		p.handleNonInteractiveSession(session, sshClient)
+		return
+	}

 	serverSession, err := sshClient.NewSession()
 	if err != nil {
@@ -140,7 +165,6 @@ func (p *SSHProxy) handleSSHSession(ctx context.Context, session ssh.Session, jw
 	serverSession.Stdout = session
 	serverSession.Stderr = session.Stderr()

-	ptyReq, winCh, isPty := session.Pty()
 	if isPty {
 		if err := serverSession.RequestPty(ptyReq.Term, ptyReq.Window.Width, ptyReq.Window.Height, nil); err != nil {
 			log.Debugf("PTY request to backend: %v", err)
@@ -155,7 +179,7 @@ func (p *SSHProxy) handleSSHSession(ctx context.Context, session ssh.Session, jw
 		}()
 	}

-	if len(session.Command()) > 0 {
+	if hasCommand {
 		if err := serverSession.Run(strings.Join(session.Command(), " ")); err != nil {
 			log.Debugf("run command: %v", err)
 			p.handleProxyExitCode(session, err)
@@ -176,12 +200,29 @@ func (p *SSHProxy) handleSSHSession(ctx context.Context, session ssh.Session, jw
 func (p *SSHProxy) handleProxyExitCode(session ssh.Session, err error) {
 	var exitErr *cryptossh.ExitError
 	if errors.As(err, &exitErr) {
-		if exitErr := session.Exit(exitErr.ExitStatus()); exitErr != nil {
-			log.Debugf("set exit status: %v", exitErr)
+		if err := session.Exit(exitErr.ExitStatus()); err != nil {
+			log.Debugf("set exit status: %v", err)
 		}
 	}
 }

+func (p *SSHProxy) handleNonInteractiveSession(session ssh.Session, sshClient *cryptossh.Client) {
+	// Create a backend session to mirror the client's session request.
+	// This keeps the connection alive on the server side while port forwarding channels operate.
+	serverSession, err := sshClient.NewSession()
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "create server session: %v\n", err)
+		return
+	}
+	defer func() { _ = serverSession.Close() }()
+
+	<-session.Context().Done()
+
+	if err := session.Exit(0); err != nil {
+		log.Debugf("session exit: %v", err)
+	}
+}
+
 func generateHostKey() (ssh.Signer, error) {
 	keyPEM, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
 	if err != nil {
@@ -250,8 +291,52 @@ func (c *stdioConn) SetWriteDeadline(_ time.Time) error {
 	return nil
 }

-func (p *SSHProxy) directTCPIPHandler(_ *ssh.Server, _ *cryptossh.ServerConn, newChan cryptossh.NewChannel, _ ssh.Context) {
-	_ = newChan.Reject(cryptossh.Prohibited, "port forwarding not supported in proxy")
+// directTCPIPHandler handles local port forwarding (direct-tcpip channel).
+func (p *SSHProxy) directTCPIPHandler(_ *ssh.Server, _ *cryptossh.ServerConn, newChan cryptossh.NewChannel, sshCtx ssh.Context) {
+	var payload struct {
+		DestAddr   string
+		DestPort   uint32
+		OriginAddr string
+		OriginPort uint32
+	}
+	if err := cryptossh.Unmarshal(newChan.ExtraData(), &payload); err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "parse direct-tcpip payload: %v\n", err)
+		_ = newChan.Reject(cryptossh.ConnectionFailed, "invalid payload")
+		return
+	}
+
+	dest := fmt.Sprintf("%s:%d", payload.DestAddr, payload.DestPort)
+	log.Debugf("local port forwarding: %s", dest)
+
+	backendClient, err := p.getOrCreateBackendClient(sshCtx, sshCtx.User())
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "backend connection for port forwarding: %v\n", err)
+		_ = newChan.Reject(cryptossh.ConnectionFailed, "backend connection failed")
+		return
+	}
+
+	backendChan, backendReqs, err := backendClient.OpenChannel("direct-tcpip", newChan.ExtraData())
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "open backend channel for %s: %v\n", dest, err)
+		var openErr *cryptossh.OpenChannelError
+		if errors.As(err, &openErr) {
+			_ = newChan.Reject(openErr.Reason, openErr.Message)
+		} else {
+			_ = newChan.Reject(cryptossh.ConnectionFailed, err.Error())
+		}
+		return
+	}
+	go cryptossh.DiscardRequests(backendReqs)
+
+	clientChan, clientReqs, err := newChan.Accept()
+	if err != nil {
+		log.Debugf("local port forwarding: accept channel: %v", err)
+		_ = backendChan.Close()
+		return
+	}
+	go cryptossh.DiscardRequests(clientReqs)
+
+	nbssh.BidirectionalCopyWithContext(log.NewEntry(log.StandardLogger()), sshCtx, clientChan, backendChan)
 }

 func (p *SSHProxy) sftpSubsystemHandler(s ssh.Session, jwtToken string) {
@@ -354,12 +439,143 @@ func (p *SSHProxy) runSFTPBridge(ctx context.Context, s ssh.Session, stdin io.Wr
 	}
 }

-func (p *SSHProxy) tcpipForwardHandler(_ ssh.Context, _ *ssh.Server, _ *cryptossh.Request) (bool, []byte) {
-	return false, []byte("port forwarding not supported in proxy")
+// tcpipForwardHandler handles remote port forwarding (tcpip-forward request).
+func (p *SSHProxy) tcpipForwardHandler(sshCtx ssh.Context, _ *ssh.Server, req *cryptossh.Request) (bool, []byte) {
+	var reqPayload struct {
+		Host string
+		Port uint32
+	}
+	if err := cryptossh.Unmarshal(req.Payload, &reqPayload); err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "parse tcpip-forward payload: %v\n", err)
+		return false, nil
+	}
+
+	log.Debugf("tcpip-forward request for %s:%d", reqPayload.Host, reqPayload.Port)
+
+	backendClient, err := p.getOrCreateBackendClient(sshCtx, sshCtx.User())
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "backend connection for remote port forwarding: %v\n", err)
+		return false, nil
+	}
+
+	ok, payload, err := backendClient.SendRequest(req.Type, req.WantReply, req.Payload)
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "forward tcpip-forward request for %s:%d: %v\n", reqPayload.Host, reqPayload.Port, err)
+		return false, nil
+	}
+
+	if ok {
+		actualPort := reqPayload.Port
+		if reqPayload.Port == 0 && len(payload) >= 4 {
+			actualPort = binary.BigEndian.Uint32(payload)
+		}
+		log.Debugf("remote port forwarding established for %s:%d", reqPayload.Host, actualPort)
+		p.forwardedChannelsOnce.Do(func() {
+			go p.handleForwardedChannels(sshCtx, backendClient)
+		})
+	}
+
+	return ok, payload
 }

-func (p *SSHProxy) cancelTcpipForwardHandler(_ ssh.Context, _ *ssh.Server, _ *cryptossh.Request) (bool, []byte) {
-	return true, nil
+// cancelTcpipForwardHandler handles cancel-tcpip-forward request.
+func (p *SSHProxy) cancelTcpipForwardHandler(_ ssh.Context, _ *ssh.Server, req *cryptossh.Request) (bool, []byte) {
+	var reqPayload struct {
+		Host string
+		Port uint32
+	}
+	if err := cryptossh.Unmarshal(req.Payload, &reqPayload); err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "parse cancel-tcpip-forward payload: %v\n", err)
+		return false, nil
+	}
+
+	log.Debugf("cancel-tcpip-forward request for %s:%d", reqPayload.Host, reqPayload.Port)
+
+	backendClient := p.getBackendClient()
+	if backendClient == nil {
+		return false, nil
+	}
+
+	ok, payload, err := backendClient.SendRequest(req.Type, req.WantReply, req.Payload)
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "cancel-tcpip-forward for %s:%d: %v\n", reqPayload.Host, reqPayload.Port, err)
+		return false, nil
+	}
+
+	return ok, payload
+}
+
+// getOrCreateBackendClient returns the existing backend client or creates a new one.
+func (p *SSHProxy) getOrCreateBackendClient(ctx context.Context, user string) (*cryptossh.Client, error) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if p.backendClient != nil {
+		return p.backendClient, nil
+	}
+
+	targetAddr := net.JoinHostPort(p.targetHost, strconv.Itoa(p.targetPort))
+	log.Debugf("connecting to backend %s", targetAddr)
+
+	client, err := p.dialBackend(ctx, targetAddr, user, p.jwtToken)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Debugf("backend connection established to %s", targetAddr)
+	p.backendClient = client
+	return client, nil
+}
+
+// getBackendClient returns the existing backend client or nil.
+func (p *SSHProxy) getBackendClient() *cryptossh.Client {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	return p.backendClient
+}
+
+// handleForwardedChannels handles forwarded-tcpip channels from the backend for remote port forwarding.
+// When the backend receives incoming connections on the forwarded port, it sends them as
+// "forwarded-tcpip" channels which we need to proxy to the client.
+func (p *SSHProxy) handleForwardedChannels(sshCtx ssh.Context, backendClient *cryptossh.Client) {
+	sshConn, ok := sshCtx.Value(ssh.ContextKeyConn).(*cryptossh.ServerConn)
+	if !ok || sshConn == nil {
+		log.Debugf("no SSH connection in context for forwarded channels")
+		return
+	}
+
+	channelChan := backendClient.HandleChannelOpen("forwarded-tcpip")
+	for {
+		select {
+		case <-sshCtx.Done():
+			return
+		case newChannel, ok := <-channelChan:
+			if !ok {
+				return
+			}
+			go p.handleForwardedChannel(sshCtx, sshConn, newChannel)
+		}
+	}
+}
+
+// handleForwardedChannel handles a single forwarded-tcpip channel from the backend.
+func (p *SSHProxy) handleForwardedChannel(sshCtx ssh.Context, sshConn *cryptossh.ServerConn, newChannel cryptossh.NewChannel) {
+	backendChan, backendReqs, err := newChannel.Accept()
+	if err != nil {
+		log.Debugf("remote port forwarding: accept from backend: %v", err)
+		return
+	}
+	go cryptossh.DiscardRequests(backendReqs)
+
+	clientChan, clientReqs, err := sshConn.OpenChannel("forwarded-tcpip", newChannel.ExtraData())
+	if err != nil {
+		log.Debugf("remote port forwarding: open to client: %v", err)
+		_ = backendChan.Close()
+		return
+	}
+	go cryptossh.DiscardRequests(clientReqs)
+
+	nbssh.BidirectionalCopyWithContext(log.NewEntry(log.StandardLogger()), sshCtx, clientChan, backendChan)
 }

 func (p *SSHProxy) dialBackend(ctx context.Context, addr, user, jwtToken string) (*cryptossh.Client, error) {
--- a/client/ssh/server/jwt_test.go
+++ b/client/ssh/server/jwt_test.go
@@ -602,12 +602,13 @@ func TestJWTAuthentication(t *testing.T) {
 			require.NoError(t, err)

 			var authMethods []cryptossh.AuthMethod
-			if tc.token == "valid" {
+			switch tc.token {
+			case "valid":
 				token := generateValidJWT(t, privateKey, issuer, audience)
 				authMethods = []cryptossh.AuthMethod{
 					cryptossh.Password(token),
 				}
-			} else if tc.token == "invalid" {
+			case "invalid":
 				invalidToken := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.invalid"
 				authMethods = []cryptossh.AuthMethod{
 					cryptossh.Password(invalidToken),
--- a/client/ssh/server/port_forwarding.go
+++ b/client/ssh/server/port_forwarding.go
@@ -1,25 +1,32 @@
+// Package server implements port forwarding for the SSH server.
+//
+// Security note: Port forwarding runs in the main server process without privilege separation.
+// The attack surface is primarily io.Copy through well-tested standard library code, making it
+// lower risk than shell execution which uses privilege-separated child processes. We enforce
+// user-level port restrictions: non-privileged users cannot bind to ports < 1024.
 package server

 import (
 	"encoding/binary"
 	"fmt"
-	"io"
 	"net"
+	"runtime"
 	"strconv"

 	"github.com/gliderlabs/ssh"
 	log "github.com/sirupsen/logrus"
 	cryptossh "golang.org/x/crypto/ssh"
+
+	nbssh "github.com/netbirdio/netbird/client/ssh"
 )

-// SessionKey uniquely identifies an SSH session
-type SessionKey string
+const privilegedPortThreshold = 1024

-// ConnectionKey uniquely identifies a port forwarding connection within a session
-type ConnectionKey string
+// sessionKey uniquely identifies an SSH session
+type sessionKey string

-// ForwardKey uniquely identifies a port forwarding listener
-type ForwardKey string
+// forwardKey uniquely identifies a port forwarding listener
+type forwardKey string

 // tcpipForwardMsg represents the structure for tcpip-forward SSH requests
 type tcpipForwardMsg struct {
@@ -47,34 +54,32 @@ func (s *Server) configurePortForwarding(server *ssh.Server) {
 	allowRemote := s.allowRemotePortForwarding

 	server.LocalPortForwardingCallback = func(ctx ssh.Context, dstHost string, dstPort uint32) bool {
+		logger := s.getRequestLogger(ctx)
 		if !allowLocal {
-			log.Warnf("local port forwarding denied for %s from %s: disabled by configuration",
-				net.JoinHostPort(dstHost, fmt.Sprintf("%d", dstPort)), ctx.RemoteAddr())
+			logger.Warnf("local port forwarding denied for %s:%d: disabled", dstHost, dstPort)
 			return false
 		}

 		if err := s.checkPortForwardingPrivileges(ctx, "local", dstPort); err != nil {
-			log.Warnf("local port forwarding denied for %s:%d from %s: %v", dstHost, dstPort, ctx.RemoteAddr(), err)
+			logger.Warnf("local port forwarding denied for %s:%d: %v", dstHost, dstPort, err)
 			return false
 		}

-		log.Debugf("local port forwarding allowed: %s:%d", dstHost, dstPort)
 		return true
 	}

 	server.ReversePortForwardingCallback = func(ctx ssh.Context, bindHost string, bindPort uint32) bool {
+		logger := s.getRequestLogger(ctx)
 		if !allowRemote {
-			log.Warnf("remote port forwarding denied for %s from %s: disabled by configuration",
-				net.JoinHostPort(bindHost, fmt.Sprintf("%d", bindPort)), ctx.RemoteAddr())
+			logger.Warnf("remote port forwarding denied for %s:%d: disabled", bindHost, bindPort)
 			return false
 		}

 		if err := s.checkPortForwardingPrivileges(ctx, "remote", bindPort); err != nil {
-			log.Warnf("remote port forwarding denied for %s:%d from %s: %v", bindHost, bindPort, ctx.RemoteAddr(), err)
+			logger.Warnf("remote port forwarding denied for %s:%d: %v", bindHost, bindPort, err)
 			return false
 		}

-		log.Debugf("remote port forwarding allowed: %s:%d", bindHost, bindPort)
 		return true
 	}

@@ -82,23 +87,20 @@ func (s *Server) configurePortForwarding(server *ssh.Server) {
 }

 // checkPortForwardingPrivileges validates privilege requirements for port forwarding operations.
-// Returns nil if allowed, error if denied.
+// For remote port forwarding (binding), it enforces that non-privileged users cannot bind to
+// ports below 1024, mirroring the restriction they would face if binding directly.
+//
+// Note: FeatureSupportsUserSwitch is true because we accept requests from any authenticated user,
+// though we don't actually switch users - port forwarding runs in the server process. The resolved
+// user is used for privileged port access checks.
 func (s *Server) checkPortForwardingPrivileges(ctx ssh.Context, forwardType string, port uint32) error {
 	if ctx == nil {
 		return fmt.Errorf("%s port forwarding denied: no context", forwardType)
 	}

-	username := ctx.User()
-	remoteAddr := "unknown"
-	if ctx.RemoteAddr() != nil {
-		remoteAddr = ctx.RemoteAddr().String()
-	}
-
-	logger := log.WithFields(log.Fields{"user": username, "remote": remoteAddr, "port": port})
-
 	result := s.CheckPrivileges(PrivilegeCheckRequest{
-		RequestedUsername:         username,
-		FeatureSupportsUserSwitch: false,
+		RequestedUsername:         ctx.User(),
+		FeatureSupportsUserSwitch: true,
 		FeatureName:               forwardType + " port forwarding",
 	})

@@ -106,12 +108,42 @@ func (s *Server) checkPortForwardingPrivileges(ctx ssh.Context, forwardType stri
 		return result.Error
 	}

-	logger.Debugf("%s port forwarding allowed: user %s validated (port %d)",
-		forwardType, result.User.Username, port)
+	if err := s.checkPrivilegedPortAccess(forwardType, port, result); err != nil {
+		return err
+	}

 	return nil
 }

+// checkPrivilegedPortAccess enforces that non-privileged users cannot bind to privileged ports.
+// This applies to remote port forwarding where the server binds a port on behalf of the user.
+// On Windows, there is no privileged port restriction, so this check is skipped.
+func (s *Server) checkPrivilegedPortAccess(forwardType string, port uint32, result PrivilegeCheckResult) error {
+	if runtime.GOOS == "windows" {
+		return nil
+	}
+
+	isBindOperation := forwardType == "remote" || forwardType == "tcpip-forward"
+	if !isBindOperation {
+		return nil
+	}
+
+	// Port 0 means "pick any available port", which will be >= 1024
+	if port == 0 || port >= privilegedPortThreshold {
+		return nil
+	}
+
+	if result.User != nil && isPrivilegedUsername(result.User.Username) {
+		return nil
+	}
+
+	username := "unknown"
+	if result.User != nil {
+		username = result.User.Username
+	}
+	return fmt.Errorf("user %s cannot bind to privileged port %d (requires root)", username, port)
+}
+
 // tcpipForwardHandler handles tcpip-forward requests for remote port forwarding.
 func (s *Server) tcpipForwardHandler(ctx ssh.Context, _ *ssh.Server, req *cryptossh.Request) (bool, []byte) {
 	logger := s.getRequestLogger(ctx)
@@ -132,8 +164,6 @@ func (s *Server) tcpipForwardHandler(ctx ssh.Context, _ *ssh.Server, req *crypto
 		return false, nil
 	}

-	logger.Debugf("tcpip-forward request: %s:%d", payload.Host, payload.Port)
-
 	sshConn, err := s.getSSHConnection(ctx)
 	if err != nil {
 		logger.Warnf("tcpip-forward request denied: %v", err)
@@ -153,8 +183,10 @@ func (s *Server) cancelTcpipForwardHandler(ctx ssh.Context, _ *ssh.Server, req *
 		return false, nil
 	}

-	key := ForwardKey(fmt.Sprintf("%s:%d", payload.Host, payload.Port))
+	key := forwardKey(fmt.Sprintf("%s:%d", payload.Host, payload.Port))
 	if s.removeRemoteForwardListener(key) {
+		forwardAddr := fmt.Sprintf("-R %s:%d", payload.Host, payload.Port)
+		s.removeConnectionPortForward(ctx.RemoteAddr(), forwardAddr)
 		logger.Infof("remote port forwarding cancelled: %s:%d", payload.Host, payload.Port)
 		return true, nil
 	}
@@ -165,14 +197,11 @@ func (s *Server) cancelTcpipForwardHandler(ctx ssh.Context, _ *ssh.Server, req *

 // handleRemoteForwardListener handles incoming connections for remote port forwarding.
 func (s *Server) handleRemoteForwardListener(ctx ssh.Context, ln net.Listener, host string, port uint32) {
-	log.Debugf("starting remote forward listener handler for %s:%d", host, port)
+	logger := s.getRequestLogger(ctx)

 	defer func() {
-		log.Debugf("cleaning up remote forward listener for %s:%d", host, port)
 		if err := ln.Close(); err != nil {
-			log.Debugf("remote forward listener close error: %v", err)
-		} else {
-			log.Debugf("remote forward listener closed successfully for %s:%d", host, port)
+			logger.Debugf("remote forward listener close error for %s:%d: %v", host, port, err)
 		}
 	}()

@@ -196,28 +225,43 @@ func (s *Server) handleRemoteForwardListener(ctx ssh.Context, ln net.Listener, h
 		select {
 		case result := <-acceptChan:
 			if result.err != nil {
-				log.Debugf("remote forward accept error: %v", result.err)
+				logger.Debugf("remote forward accept error: %v", result.err)
 				return
 			}
 			go s.handleRemoteForwardConnection(ctx, result.conn, host, port)
 		case <-ctx.Done():
-			log.Debugf("remote forward listener shutting down due to context cancellation for %s:%d", host, port)
+			logger.Debugf("remote forward listener shutting down for %s:%d", host, port)
 			return
 		}
 	}
 }

-// getRequestLogger creates a logger with user and remote address context
+// getRequestLogger creates a logger with session/conn and jwt_user context
 func (s *Server) getRequestLogger(ctx ssh.Context) *log.Entry {
-	remoteAddr := "unknown"
-	username := "unknown"
-	if ctx != nil {
-		if ctx.RemoteAddr() != nil {
-			remoteAddr = ctx.RemoteAddr().String()
+	sessionKey := s.findSessionKeyByContext(ctx)
+
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	if state, exists := s.sessions[sessionKey]; exists {
+		logger := log.WithField("session", sessionKey)
+		if state.jwtUsername != "" {
+			logger = logger.WithField("jwt_user", state.jwtUsername)
 		}
-		username = ctx.User()
+		return logger
 	}
-	return log.WithFields(log.Fields{"user": username, "remote": remoteAddr})
+
+	if ctx.RemoteAddr() != nil {
+		if connState, exists := s.connections[connKey(ctx.RemoteAddr().String())]; exists {
+			return s.connLogger(connState)
+		}
+	}
+
+	remoteAddr := "unknown"
+	if ctx.RemoteAddr() != nil {
+		remoteAddr = ctx.RemoteAddr().String()
+	}
+	return log.WithField("session", fmt.Sprintf("%s@%s", ctx.User(), remoteAddr))
 }

 // isRemotePortForwardingAllowed checks if remote port forwarding is enabled
@@ -227,6 +271,13 @@ func (s *Server) isRemotePortForwardingAllowed() bool {
 	return s.allowRemotePortForwarding
 }

+// isPortForwardingEnabled checks if any port forwarding (local or remote) is enabled
+func (s *Server) isPortForwardingEnabled() bool {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.allowLocalPortForwarding || s.allowRemotePortForwarding
+}
+
 // parseTcpipForwardRequest parses the SSH request payload
 func (s *Server) parseTcpipForwardRequest(req *cryptossh.Request) (*tcpipForwardMsg, error) {
 	var payload tcpipForwardMsg
@@ -267,10 +318,11 @@ func (s *Server) setupDirectForward(ctx ssh.Context, logger *log.Entry, sshConn
 		logger.Debugf("tcpip-forward allocated port %d for %s", actualPort, payload.Host)
 	}

-	key := ForwardKey(fmt.Sprintf("%s:%d", payload.Host, payload.Port))
+	key := forwardKey(fmt.Sprintf("%s:%d", payload.Host, payload.Port))
 	s.storeRemoteForwardListener(key, ln)

-	s.markConnectionActivePortForward(sshConn, ctx.User(), ctx.RemoteAddr().String())
+	forwardAddr := fmt.Sprintf("-R %s:%d", payload.Host, actualPort)
+	s.addConnectionPortForward(ctx.User(), ctx.RemoteAddr(), forwardAddr)
 	go s.handleRemoteForwardListener(ctx, ln, payload.Host, actualPort)

 	response := make([]byte, 4)
@@ -288,44 +340,34 @@ type acceptResult struct {

 // handleRemoteForwardConnection handles a single remote port forwarding connection
 func (s *Server) handleRemoteForwardConnection(ctx ssh.Context, conn net.Conn, host string, port uint32) {
-	sessionKey := s.findSessionKeyByContext(ctx)
-	connID := fmt.Sprintf("pf-%s->%s:%d", conn.RemoteAddr(), host, port)
-	logger := log.WithFields(log.Fields{
-		"session": sessionKey,
-		"conn":    connID,
-	})
+	logger := s.getRequestLogger(ctx)

-	defer func() {
-		if err := conn.Close(); err != nil {
-			logger.Debugf("connection close error: %v", err)
-		}
-	}()
-
-	sshConn := ctx.Value(ssh.ContextKeyConn).(*cryptossh.ServerConn)
-	if sshConn == nil {
+	sshConn, ok := ctx.Value(ssh.ContextKeyConn).(*cryptossh.ServerConn)
+	if !ok || sshConn == nil {
 		logger.Debugf("remote forward: no SSH connection in context")
+		_ = conn.Close()
 		return
 	}

 	remoteAddr, ok := conn.RemoteAddr().(*net.TCPAddr)
 	if !ok {
 		logger.Warnf("remote forward: non-TCP connection type: %T", conn.RemoteAddr())
+		_ = conn.Close()
 		return
 	}

-	channel, err := s.openForwardChannel(sshConn, host, port, remoteAddr, logger)
+	channel, err := s.openForwardChannel(sshConn, host, port, remoteAddr)
 	if err != nil {
-		logger.Debugf("open forward channel: %v", err)
+		logger.Debugf("open forward channel for %s:%d: %v", host, port, err)
+		_ = conn.Close()
 		return
 	}

-	s.proxyForwardConnection(ctx, logger, conn, channel)
+	nbssh.BidirectionalCopyWithContext(logger, ctx, conn, channel)
 }

 // openForwardChannel creates an SSH forwarded-tcpip channel
-func (s *Server) openForwardChannel(sshConn *cryptossh.ServerConn, host string, port uint32, remoteAddr *net.TCPAddr, logger *log.Entry) (cryptossh.Channel, error) {
-	logger.Tracef("opening forwarded-tcpip channel for %s:%d", host, port)
-
+func (s *Server) openForwardChannel(sshConn *cryptossh.ServerConn, host string, port uint32, remoteAddr *net.TCPAddr) (cryptossh.Channel, error) {
 	payload := struct {
 		ConnectedAddress  string
 		ConnectedPort     uint32
@@ -346,41 +388,3 @@ func (s *Server) openForwardChannel(sshConn *cryptossh.ServerConn, host string,
 	go cryptossh.DiscardRequests(reqs)
 	return channel, nil
 }
-
-// proxyForwardConnection handles bidirectional data transfer between connection and SSH channel
-func (s *Server) proxyForwardConnection(ctx ssh.Context, logger *log.Entry, conn net.Conn, channel cryptossh.Channel) {
-	done := make(chan struct{}, 2)
-
-	go func() {
-		if _, err := io.Copy(channel, conn); err != nil {
-			logger.Debugf("copy error (conn->channel): %v", err)
-		}
-		done <- struct{}{}
-	}()
-
-	go func() {
-		if _, err := io.Copy(conn, channel); err != nil {
-			logger.Debugf("copy error (channel->conn): %v", err)
-		}
-		done <- struct{}{}
-	}()
-
-	select {
-	case <-ctx.Done():
-		logger.Debugf("session ended, closing connections")
-	case <-done:
-		// First copy finished, wait for second copy or context cancellation
-		select {
-		case <-ctx.Done():
-			logger.Debugf("session ended, closing connections")
-		case <-done:
-		}
-	}
-
-	if err := channel.Close(); err != nil {
-		logger.Debugf("channel close error: %v", err)
-	}
-	if err := conn.Close(); err != nil {
-		logger.Debugf("connection close error: %v", err)
-	}
-}
--- a/client/ssh/server/server.go
+++ b/client/ssh/server/server.go
@@ -9,6 +9,7 @@ import (
 	"io"
 	"net"
 	"net/netip"
+	"slices"
 	"strings"
 	"sync"
 	"time"
@@ -40,6 +41,11 @@ const (

 	msgPrivilegedUserDisabled = "privileged user login is disabled"

+	cmdInteractiveShell = "<interactive shell>"
+	cmdPortForwarding   = "<port forwarding>"
+	cmdSFTP             = "<sftp>"
+	cmdNonInteractive   = "<idle>"
+
 	// DefaultJWTMaxTokenAge is the default maximum age for JWT tokens accepted by the SSH server
 	DefaultJWTMaxTokenAge = 5 * 60
 )
@@ -90,10 +96,10 @@ func logSessionExitError(logger *log.Entry, err error) {
 	}
 }

-// safeLogCommand returns a safe representation of the command for logging
+// safeLogCommand returns a safe representation of the command for logging.
 func safeLogCommand(cmd []string) string {
 	if len(cmd) == 0 {
-		return "<interactive shell>"
+		return cmdInteractiveShell
 	}
 	if len(cmd) == 1 {
 		return cmd[0]
@@ -101,26 +107,50 @@ func safeLogCommand(cmd []string) string {
 	return fmt.Sprintf("%s [%d args]", cmd[0], len(cmd)-1)
 }

-type sshConnectionState struct {
-	hasActivePortForward bool
-	username             string
-	remoteAddr           string
+// connState tracks the state of an SSH connection for port forwarding and status display.
+type connState struct {
+	username     string
+	remoteAddr   net.Addr
+	portForwards []string
+	jwtUsername  string
 }

+// authKey uniquely identifies an authentication attempt by username and remote address.
+// Used to temporarily store JWT username between passwordHandler and sessionHandler.
 type authKey string

+// connKey uniquely identifies an SSH connection by its remote address.
+// Used to track authenticated connections for status display and port forwarding.
+type connKey string
+
 func newAuthKey(username string, remoteAddr net.Addr) authKey {
 	return authKey(fmt.Sprintf("%s@%s", username, remoteAddr.String()))
 }

+// sessionState tracks an active SSH session (shell, command, or subsystem like SFTP).
+type sessionState struct {
+	session     ssh.Session
+	sessionType string
+	jwtUsername string
+}
+
 type Server struct {
-	sshServer       *ssh.Server
-	mu              sync.RWMutex
-	hostKeyPEM      []byte
-	sessions        map[SessionKey]ssh.Session
-	sessionCancels  map[ConnectionKey]context.CancelFunc
-	sessionJWTUsers map[SessionKey]string
-	pendingAuthJWT  map[authKey]string
+	sshServer  *ssh.Server
+	listener   net.Listener
+	mu         sync.RWMutex
+	hostKeyPEM []byte
+
+	// sessions tracks active SSH sessions (shell, command, SFTP).
+	// These are created when a client opens a session channel and requests shell/exec/subsystem.
+	sessions map[sessionKey]*sessionState
+
+	// pendingAuthJWT temporarily stores JWT username during the auth→session handoff.
+	// Populated in passwordHandler, consumed in sessionHandler/sftpSubsystemHandler.
+	pendingAuthJWT map[authKey]string
+
+	// connections tracks all SSH connections by their remote address.
+	// Populated at authentication time, stores JWT username and port forwards for status display.
+	connections map[connKey]*connState

 	allowLocalPortForwarding  bool
 	allowRemotePortForwarding bool
@@ -132,8 +162,7 @@ type Server struct {

 	wgAddress wgaddr.Address

-	remoteForwardListeners map[ForwardKey]net.Listener
-	sshConnections         map[*cryptossh.ServerConn]*sshConnectionState
+	remoteForwardListeners map[forwardKey]net.Listener

 	jwtValidator *jwt.Validator
 	jwtExtractor *jwt.ClaimsExtractor
@@ -167,6 +196,7 @@ type SessionInfo struct {
 	RemoteAddress string
 	Command       string
 	JWTUsername   string
+	PortForwards  []string
 }

 // New creates an SSH server instance with the provided host key and optional JWT configuration
@@ -175,11 +205,10 @@ func New(config *Config) *Server {
 	s := &Server{
 		mu:                     sync.RWMutex{},
 		hostKeyPEM:             config.HostKeyPEM,
-		sessions:               make(map[SessionKey]ssh.Session),
-		sessionJWTUsers:        make(map[SessionKey]string),
+		sessions:               make(map[sessionKey]*sessionState),
 		pendingAuthJWT:         make(map[authKey]string),
-		remoteForwardListeners: make(map[ForwardKey]net.Listener),
-		sshConnections:         make(map[*cryptossh.ServerConn]*sshConnectionState),
+		remoteForwardListeners: make(map[forwardKey]net.Listener),
+		connections:            make(map[connKey]*connState),
 		jwtEnabled:             config.JWT != nil,
 		jwtConfig:              config.JWT,
 		authorizer:             sshauth.NewAuthorizer(), // Initialize with empty config
@@ -211,6 +240,7 @@ func (s *Server) Start(ctx context.Context, addr netip.AddrPort) error {
 		return fmt.Errorf("create SSH server: %w", err)
 	}

+	s.listener = ln
 	s.sshServer = sshServer
 	log.Infof("SSH server started on %s", addrDesc)

@@ -263,16 +293,11 @@ func (s *Server) Stop() error {
 	}

 	s.sshServer = nil
+	s.listener = nil

 	maps.Clear(s.sessions)
-	maps.Clear(s.sessionJWTUsers)
 	maps.Clear(s.pendingAuthJWT)
-	maps.Clear(s.sshConnections)
-
-	for _, cancelFunc := range s.sessionCancels {
-		cancelFunc()
-	}
-	maps.Clear(s.sessionCancels)
+	maps.Clear(s.connections)

 	for _, listener := range s.remoteForwardListeners {
 		if err := listener.Close(); err != nil {
@@ -284,32 +309,82 @@ func (s *Server) Stop() error {
 	return nil
 }

-// GetStatus returns the current status of the SSH server and active sessions
+// Addr returns the address the SSH server is listening on, or nil if the server is not running
+func (s *Server) Addr() net.Addr {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	if s.listener == nil {
+		return nil
+	}
+
+	return s.listener.Addr()
+}
+
+// GetStatus returns the current status of the SSH server and active sessions.
 func (s *Server) GetStatus() (enabled bool, sessions []SessionInfo) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()

 	enabled = s.sshServer != nil
+	reportedAddrs := make(map[string]bool)

-	for sessionKey, session := range s.sessions {
-		cmd := "<interactive shell>"
-		if len(session.Command()) > 0 {
-			cmd = safeLogCommand(session.Command())
+	for _, state := range s.sessions {
+		info := s.buildSessionInfo(state)
+		reportedAddrs[info.RemoteAddress] = true
+		sessions = append(sessions, info)
+	}
+
+	// Add authenticated connections without sessions (e.g., -N/-T or port-forwarding only)
+	for key, connState := range s.connections {
+		remoteAddr := string(key)
+		if reportedAddrs[remoteAddr] {
+			continue
+		}
+		cmd := cmdNonInteractive
+		if len(connState.portForwards) > 0 {
+			cmd = cmdPortForwarding
 		}
-
-		jwtUsername := s.sessionJWTUsers[sessionKey]
-
 		sessions = append(sessions, SessionInfo{
-			Username:      session.User(),
-			RemoteAddress: session.RemoteAddr().String(),
+			Username:      connState.username,
+			RemoteAddress: remoteAddr,
 			Command:       cmd,
-			JWTUsername:   jwtUsername,
+			JWTUsername:   connState.jwtUsername,
+			PortForwards:  connState.portForwards,
 		})
 	}

 	return enabled, sessions
 }

+func (s *Server) buildSessionInfo(state *sessionState) SessionInfo {
+	session := state.session
+	cmd := state.sessionType
+	if cmd == "" {
+		cmd = safeLogCommand(session.Command())
+	}
+
+	remoteAddr := session.RemoteAddr().String()
+	info := SessionInfo{
+		Username:      session.User(),
+		RemoteAddress: remoteAddr,
+		Command:       cmd,
+		JWTUsername:   state.jwtUsername,
+	}
+
+	connState, exists := s.connections[connKey(remoteAddr)]
+	if !exists {
+		return info
+	}
+
+	info.PortForwards = connState.portForwards
+	if len(connState.portForwards) > 0 && (cmd == cmdInteractiveShell || cmd == cmdNonInteractive) {
+		info.Command = cmdPortForwarding
+	}
+
+	return info
+}
+
 // SetNetstackNet sets the netstack network for userspace networking
 func (s *Server) SetNetstackNet(net *netstack.Net) {
 	s.mu.Lock()
@@ -520,69 +595,129 @@ func (s *Server) parseTokenWithoutValidation(tokenString string) (map[string]int
 func (s *Server) passwordHandler(ctx ssh.Context, password string) bool {
 	osUsername := ctx.User()
 	remoteAddr := ctx.RemoteAddr()
+	logger := s.getRequestLogger(ctx)

 	if err := s.ensureJWTValidator(); err != nil {
-		log.Errorf("JWT validator initialization failed for user %s from %s: %v", osUsername, remoteAddr, err)
+		logger.Errorf("JWT validator initialization failed: %v", err)
 		return false
 	}

 	token, err := s.validateJWTToken(password)
 	if err != nil {
-		log.Warnf("JWT authentication failed for user %s from %s: %v", osUsername, remoteAddr, err)
+		logger.Warnf("JWT authentication failed: %v", err)
 		return false
 	}

 	userAuth, err := s.extractAndValidateUser(token)
 	if err != nil {
-		log.Warnf("User validation failed for user %s from %s: %v", osUsername, remoteAddr, err)
+		logger.Warnf("user validation failed: %v", err)
 		return false
 	}

+	logger = logger.WithField("jwt_user", userAuth.UserId)
+
 	s.mu.RLock()
 	authorizer := s.authorizer
 	s.mu.RUnlock()

-	if err := authorizer.Authorize(userAuth.UserId, osUsername); err != nil {
-		log.Warnf("SSH authorization denied for user %s (JWT user ID: %s) from %s: %v", osUsername, userAuth.UserId, remoteAddr, err)
+	msg, err := authorizer.Authorize(userAuth.UserId, osUsername)
+	if err != nil {
+		logger.Warnf("SSH auth denied: %v", err)
 		return false
 	}

+	logger.Infof("SSH auth %s", msg)
+
 	key := newAuthKey(osUsername, remoteAddr)
+	remoteAddrStr := ctx.RemoteAddr().String()
 	s.mu.Lock()
 	s.pendingAuthJWT[key] = userAuth.UserId
+	s.connections[connKey(remoteAddrStr)] = &connState{
+		username:    ctx.User(),
+		remoteAddr:  ctx.RemoteAddr(),
+		jwtUsername: userAuth.UserId,
+	}
 	s.mu.Unlock()

-	log.Infof("JWT authentication successful for user %s (JWT user ID: %s) from %s", osUsername, userAuth.UserId, remoteAddr)
 	return true
 }

-func (s *Server) markConnectionActivePortForward(sshConn *cryptossh.ServerConn, username, remoteAddr string) {
+func (s *Server) addConnectionPortForward(username string, remoteAddr net.Addr, forwardAddr string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()

-	if state, exists := s.sshConnections[sshConn]; exists {
-		state.hasActivePortForward = true
-	} else {
-		s.sshConnections[sshConn] = &sshConnectionState{
-			hasActivePortForward: true,
-			username:             username,
-			remoteAddr:           remoteAddr,
+	key := connKey(remoteAddr.String())
+	if state, exists := s.connections[key]; exists {
+		if !slices.Contains(state.portForwards, forwardAddr) {
+			state.portForwards = append(state.portForwards, forwardAddr)
 		}
+		return
+	}
+
+	// Connection not in connections (non-JWT auth path)
+	s.connections[key] = &connState{
+		username:     username,
+		remoteAddr:   remoteAddr,
+		portForwards: []string{forwardAddr},
+		jwtUsername:  s.pendingAuthJWT[newAuthKey(username, remoteAddr)],
 	}
 }

-func (s *Server) connectionCloseHandler(conn net.Conn, err error) {
-	// We can't extract the SSH connection from net.Conn directly
-	// Connection cleanup will happen during session cleanup or via timeout
-	log.Debugf("SSH connection failed for %s: %v", conn.RemoteAddr(), err)
+func (s *Server) removeConnectionPortForward(remoteAddr net.Addr, forwardAddr string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	state, exists := s.connections[connKey(remoteAddr.String())]
+	if !exists {
+		return
+	}
+
+	state.portForwards = slices.DeleteFunc(state.portForwards, func(addr string) bool {
+		return addr == forwardAddr
+	})
 }

-func (s *Server) findSessionKeyByContext(ctx ssh.Context) SessionKey {
+// trackedConn wraps a net.Conn to detect when it closes
+type trackedConn struct {
+	net.Conn
+	server     *Server
+	remoteAddr string
+	onceClose  sync.Once
+}
+
+func (c *trackedConn) Close() error {
+	err := c.Conn.Close()
+	c.onceClose.Do(func() {
+		c.server.handleConnectionClose(c.remoteAddr)
+	})
+	return err
+}
+
+func (s *Server) handleConnectionClose(remoteAddr string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	key := connKey(remoteAddr)
+	state, exists := s.connections[key]
+	if exists && len(state.portForwards) > 0 {
+		s.connLogger(state).Info("port forwarding connection closed")
+	}
+	delete(s.connections, key)
+}
+
+func (s *Server) connLogger(state *connState) *log.Entry {
+	logger := log.WithField("session", fmt.Sprintf("%s@%s", state.username, state.remoteAddr))
+	if state.jwtUsername != "" {
+		logger = logger.WithField("jwt_user", state.jwtUsername)
+	}
+	return logger
+}
+
+func (s *Server) findSessionKeyByContext(ctx ssh.Context) sessionKey {
 	if ctx == nil {
 		return "unknown"
 	}

-	// Try to match by SSH connection
 	sshConn := ctx.Value(ssh.ContextKeyConn)
 	if sshConn == nil {
 		return "unknown"
@@ -591,19 +726,14 @@ func (s *Server) findSessionKeyByContext(ctx ssh.Context) SessionKey {
 	s.mu.RLock()
 	defer s.mu.RUnlock()

-	// Look through sessions to find one with matching connection
-	for sessionKey, session := range s.sessions {
-		if session.Context().Value(ssh.ContextKeyConn) == sshConn {
+	for sessionKey, state := range s.sessions {
+		if state.session.Context().Value(ssh.ContextKeyConn) == sshConn {
 			return sessionKey
 		}
 	}

-	// If no session found, this might be during early connection setup
-	// Return a temporary key that we'll fix up later
 	if ctx.User() != "" && ctx.RemoteAddr() != nil {
-		tempKey := SessionKey(fmt.Sprintf("%s@%s", ctx.User(), ctx.RemoteAddr().String()))
-		log.Debugf("Using temporary session key for early port forward tracking: %s (will be updated when session established)", tempKey)
-		return tempKey
+		return sessionKey(fmt.Sprintf("%s@%s", ctx.User(), ctx.RemoteAddr().String()))
 	}

 	return "unknown"
@@ -644,7 +774,11 @@ func (s *Server) connectionValidator(_ ssh.Context, conn net.Conn) net.Conn {
 	}

 	log.Infof("SSH connection from NetBird peer %s allowed", tcpAddr)
-	return conn
+	return &trackedConn{
+		Conn:       conn,
+		server:     s,
+		remoteAddr: conn.RemoteAddr().String(),
+	}
 }

 func (s *Server) createSSHServer(addr net.Addr) (*ssh.Server, error) {
@@ -672,9 +806,8 @@ func (s *Server) createSSHServer(addr net.Addr) (*ssh.Server, error) {
 			"tcpip-forward":        s.tcpipForwardHandler,
 			"cancel-tcpip-forward": s.cancelTcpipForwardHandler,
 		},
-		ConnCallback:             s.connectionValidator,
-		ConnectionFailedCallback: s.connectionCloseHandler,
-		Version:                  serverVersion,
+		ConnCallback: s.connectionValidator,
+		Version:      serverVersion,
 	}

 	if s.jwtEnabled {
@@ -690,13 +823,13 @@ func (s *Server) createSSHServer(addr net.Addr) (*ssh.Server, error) {
 	return server, nil
 }

-func (s *Server) storeRemoteForwardListener(key ForwardKey, ln net.Listener) {
+func (s *Server) storeRemoteForwardListener(key forwardKey, ln net.Listener) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.remoteForwardListeners[key] = ln
 }

-func (s *Server) removeRemoteForwardListener(key ForwardKey) bool {
+func (s *Server) removeRemoteForwardListener(key forwardKey) bool {
 	s.mu.Lock()
 	defer s.mu.Unlock()

@@ -714,6 +847,8 @@ func (s *Server) removeRemoteForwardListener(key ForwardKey) bool {
 }

 func (s *Server) directTCPIPHandler(srv *ssh.Server, conn *cryptossh.ServerConn, newChan cryptossh.NewChannel, ctx ssh.Context) {
+	logger := s.getRequestLogger(ctx)
+
 	var payload struct {
 		Host           string
 		Port           uint32
@@ -723,7 +858,7 @@ func (s *Server) directTCPIPHandler(srv *ssh.Server, conn *cryptossh.ServerConn,

 	if err := cryptossh.Unmarshal(newChan.ExtraData(), &payload); err != nil {
 		if err := newChan.Reject(cryptossh.ConnectionFailed, "parse payload"); err != nil {
-			log.Debugf("channel reject error: %v", err)
+			logger.Debugf("channel reject error: %v", err)
 		}
 		return
 	}
@@ -733,19 +868,20 @@ func (s *Server) directTCPIPHandler(srv *ssh.Server, conn *cryptossh.ServerConn,
 	s.mu.RUnlock()

 	if !allowLocal {
-		log.Warnf("local port forwarding denied for %s:%d: disabled by configuration", payload.Host, payload.Port)
+		logger.Warnf("local port forwarding denied for %s:%d: disabled", payload.Host, payload.Port)
 		_ = newChan.Reject(cryptossh.Prohibited, "local port forwarding disabled")
 		return
 	}

-	// Check privilege requirements for the destination port
 	if err := s.checkPortForwardingPrivileges(ctx, "local", payload.Port); err != nil {
-		log.Warnf("local port forwarding denied for %s:%d: %v", payload.Host, payload.Port, err)
+		logger.Warnf("local port forwarding denied for %s:%d: %v", payload.Host, payload.Port, err)
 		_ = newChan.Reject(cryptossh.Prohibited, "insufficient privileges")
 		return
 	}

-	log.Infof("local port forwarding: %s:%d", payload.Host, payload.Port)
+	forwardAddr := fmt.Sprintf("-L %s:%d", payload.Host, payload.Port)
+	s.addConnectionPortForward(ctx.User(), ctx.RemoteAddr(), forwardAddr)
+	logger.Infof("local port forwarding: %s:%d", payload.Host, payload.Port)

 	ssh.DirectTCPIPHandler(srv, conn, newChan, ctx)
 }
--- a/client/ssh/server/server_config_test.go
+++ b/client/ssh/server/server_config_test.go
@@ -224,6 +224,96 @@ func TestServer_PortForwardingRestriction(t *testing.T) {
 	}
 }

+func TestServer_PrivilegedPortAccess(t *testing.T) {
+	hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
+	require.NoError(t, err)
+
+	serverConfig := &Config{
+		HostKeyPEM: hostKey,
+	}
+	server := New(serverConfig)
+	server.SetAllowRemotePortForwarding(true)
+
+	tests := []struct {
+		name          string
+		forwardType   string
+		port          uint32
+		username      string
+		expectError   bool
+		errorMsg      string
+		skipOnWindows bool
+	}{
+		{
+			name:          "non-root user remote forward privileged port",
+			forwardType:   "remote",
+			port:          80,
+			username:      "testuser",
+			expectError:   true,
+			errorMsg:      "cannot bind to privileged port",
+			skipOnWindows: true,
+		},
+		{
+			name:          "non-root user tcpip-forward privileged port",
+			forwardType:   "tcpip-forward",
+			port:          443,
+			username:      "testuser",
+			expectError:   true,
+			errorMsg:      "cannot bind to privileged port",
+			skipOnWindows: true,
+		},
+		{
+			name:        "non-root user remote forward unprivileged port",
+			forwardType: "remote",
+			port:        8080,
+			username:    "testuser",
+			expectError: false,
+		},
+		{
+			name:        "non-root user remote forward port 0",
+			forwardType: "remote",
+			port:        0,
+			username:    "testuser",
+			expectError: false,
+		},
+		{
+			name:        "root user remote forward privileged port",
+			forwardType: "remote",
+			port:        22,
+			username:    "root",
+			expectError: false,
+		},
+		{
+			name:        "local forward privileged port allowed for non-root",
+			forwardType: "local",
+			port:        80,
+			username:    "testuser",
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.skipOnWindows && runtime.GOOS == "windows" {
+				t.Skip("Windows does not have privileged port restrictions")
+			}
+
+			result := PrivilegeCheckResult{
+				Allowed: true,
+				User:    &user.User{Username: tt.username},
+			}
+
+			err := server.checkPrivilegedPortAccess(tt.forwardType, tt.port, result)
+
+			if tt.expectError {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tt.errorMsg)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
 func TestServer_PortConflictHandling(t *testing.T) {
 	// Test that multiple sessions requesting the same local port are handled naturally by the OS
 	// Get current user for SSH connection
@@ -392,3 +482,95 @@ func TestServer_IsPrivilegedUser(t *testing.T) {
 		})
 	}
 }
+
+func TestServer_PortForwardingOnlySession(t *testing.T) {
+	// Test that sessions without PTY and command are allowed when port forwarding is enabled
+	currentUser, err := user.Current()
+	require.NoError(t, err, "Should be able to get current user")
+
+	// Generate host key for server
+	hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name                  string
+		allowLocalForwarding  bool
+		allowRemoteForwarding bool
+		expectAllowed         bool
+		description           string
+	}{
+		{
+			name:                  "session_allowed_with_local_forwarding",
+			allowLocalForwarding:  true,
+			allowRemoteForwarding: false,
+			expectAllowed:         true,
+			description:           "Port-forwarding-only session should be allowed when local forwarding is enabled",
+		},
+		{
+			name:                  "session_allowed_with_remote_forwarding",
+			allowLocalForwarding:  false,
+			allowRemoteForwarding: true,
+			expectAllowed:         true,
+			description:           "Port-forwarding-only session should be allowed when remote forwarding is enabled",
+		},
+		{
+			name:                  "session_allowed_with_both",
+			allowLocalForwarding:  true,
+			allowRemoteForwarding: true,
+			expectAllowed:         true,
+			description:           "Port-forwarding-only session should be allowed when both forwarding types enabled",
+		},
+		{
+			name:                  "session_denied_without_forwarding",
+			allowLocalForwarding:  false,
+			allowRemoteForwarding: false,
+			expectAllowed:         false,
+			description:           "Port-forwarding-only session should be denied when all forwarding is disabled",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			serverConfig := &Config{
+				HostKeyPEM: hostKey,
+				JWT:        nil,
+			}
+			server := New(serverConfig)
+			server.SetAllowRootLogin(true)
+			server.SetAllowLocalPortForwarding(tt.allowLocalForwarding)
+			server.SetAllowRemotePortForwarding(tt.allowRemoteForwarding)
+
+			serverAddr := StartTestServer(t, server)
+			defer func() {
+				_ = server.Stop()
+			}()
+
+			// Connect to the server without requesting PTY or command
+			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer cancel()
+
+			client, err := sshclient.Dial(ctx, serverAddr, currentUser.Username, sshclient.DialOptions{
+				InsecureSkipVerify: true,
+			})
+			require.NoError(t, err)
+			defer func() {
+				_ = client.Close()
+			}()
+
+			// Execute a command without PTY - this simulates ssh -T with no command
+			// The server should either allow it (port forwarding enabled) or reject it
+			output, err := client.ExecuteCommand(ctx, "")
+			if tt.expectAllowed {
+				// When allowed, the session stays open until cancelled
+				// ExecuteCommand with empty command should return without error
+				assert.NoError(t, err, "Session should be allowed when port forwarding is enabled")
+				assert.NotContains(t, output, "port forwarding is disabled",
+					"Output should not contain port forwarding disabled message")
+			} else if err != nil {
+				// When denied, we expect an error message about port forwarding being disabled
+				assert.Contains(t, err.Error(), "port forwarding is disabled",
+					"Should get port forwarding disabled message")
+			}
+		})
+	}
+}
--- a/client/ssh/server/session_handlers.go
+++ b/client/ssh/server/session_handlers.go
@@ -6,37 +6,45 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"strings"
 	"time"

 	"github.com/gliderlabs/ssh"
 	log "github.com/sirupsen/logrus"
-	cryptossh "golang.org/x/crypto/ssh"
 )

+// associateJWTUsername extracts pending JWT username for the session and associates it with the session state.
+// Returns the JWT username (empty if none) for logging purposes.
+func (s *Server) associateJWTUsername(sess ssh.Session, sessionKey sessionKey) string {
+	key := newAuthKey(sess.User(), sess.RemoteAddr())
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	jwtUsername := s.pendingAuthJWT[key]
+	if jwtUsername == "" {
+		return ""
+	}
+
+	if state, exists := s.sessions[sessionKey]; exists {
+		state.jwtUsername = jwtUsername
+	}
+	delete(s.pendingAuthJWT, key)
+	return jwtUsername
+}
+
 // sessionHandler handles SSH sessions
 func (s *Server) sessionHandler(session ssh.Session) {
-	sessionKey := s.registerSession(session)
-
-	key := newAuthKey(session.User(), session.RemoteAddr())
-	s.mu.Lock()
-	jwtUsername := s.pendingAuthJWT[key]
-	if jwtUsername != "" {
-		s.sessionJWTUsers[sessionKey] = jwtUsername
-		delete(s.pendingAuthJWT, key)
-	}
-	s.mu.Unlock()
+	sessionKey := s.registerSession(session, "")
+	jwtUsername := s.associateJWTUsername(session, sessionKey)

 	logger := log.WithField("session", sessionKey)
 	if jwtUsername != "" {
 		logger = logger.WithField("jwt_user", jwtUsername)
-		logger.Infof("SSH session started (JWT user: %s)", jwtUsername)
-	} else {
-		logger.Infof("SSH session started")
 	}
+	logger.Info("SSH session started")
 	sessionStart := time.Now()

-	defer s.unregisterSession(sessionKey, session)
+	defer s.unregisterSession(sessionKey)
 	defer func() {
 		duration := time.Since(sessionStart).Round(time.Millisecond)
 		if err := session.Close(); err != nil && !errors.Is(err, io.EOF) {
@@ -65,27 +73,52 @@ func (s *Server) sessionHandler(session ssh.Session) {
 		// ssh <host> <cmd> - non-Pty command execution
 		s.handleCommand(logger, session, privilegeResult, nil)
 	default:
-		s.rejectInvalidSession(logger, session)
+		// ssh -T (or ssh -N) - no PTY, no command
+		s.handleNonInteractiveSession(logger, session)
 	}
 }

-func (s *Server) rejectInvalidSession(logger *log.Entry, session ssh.Session) {
-	if _, err := io.WriteString(session, "no command specified and Pty not requested\n"); err != nil {
-		logger.Debugf(errWriteSession, err)
+// handleNonInteractiveSession handles sessions that have no PTY and no command.
+// These are typically used for port forwarding (ssh -L/-R) or tunneling (ssh -N).
+func (s *Server) handleNonInteractiveSession(logger *log.Entry, session ssh.Session) {
+	s.updateSessionType(session, cmdNonInteractive)
+
+	if !s.isPortForwardingEnabled() {
+		if _, err := io.WriteString(session, "port forwarding is disabled on this server\n"); err != nil {
+			logger.Debugf(errWriteSession, err)
+		}
+		if err := session.Exit(1); err != nil {
+			logSessionExitError(logger, err)
+		}
+		logger.Infof("rejected non-interactive session: port forwarding disabled")
+		return
 	}
-	if err := session.Exit(1); err != nil {
+
+	<-session.Context().Done()
+
+	if err := session.Exit(0); err != nil {
 		logSessionExitError(logger, err)
 	}
-	logger.Infof("rejected non-Pty session without command from %s", session.RemoteAddr())
 }

-func (s *Server) registerSession(session ssh.Session) SessionKey {
+func (s *Server) updateSessionType(session ssh.Session, sessionType string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	for _, state := range s.sessions {
+		if state.session == session {
+			state.sessionType = sessionType
+			return
+		}
+	}
+}
+
+func (s *Server) registerSession(session ssh.Session, sessionType string) sessionKey {
 	sessionID := session.Context().Value(ssh.ContextKeySessionID)
 	if sessionID == nil {
 		sessionID = fmt.Sprintf("%p", session)
 	}

-	// Create a short 4-byte identifier from the full session ID
 	hasher := sha256.New()
 	hasher.Write([]byte(fmt.Sprintf("%v", sessionID)))
 	hash := hasher.Sum(nil)
@@ -93,43 +126,23 @@ func (s *Server) registerSession(session ssh.Session) SessionKey {

 	remoteAddr := session.RemoteAddr().String()
 	username := session.User()
-	sessionKey := SessionKey(fmt.Sprintf("%s@%s-%s", username, remoteAddr, shortID))
+	sessionKey := sessionKey(fmt.Sprintf("%s@%s-%s", username, remoteAddr, shortID))

 	s.mu.Lock()
-	s.sessions[sessionKey] = session
+	s.sessions[sessionKey] = &sessionState{
+		session:     session,
+		sessionType: sessionType,
+	}
 	s.mu.Unlock()

 	return sessionKey
 }

-func (s *Server) unregisterSession(sessionKey SessionKey, session ssh.Session) {
+func (s *Server) unregisterSession(sessionKey sessionKey) {
 	s.mu.Lock()
+	defer s.mu.Unlock()
+
 	delete(s.sessions, sessionKey)
-	delete(s.sessionJWTUsers, sessionKey)
-
-	// Cancel all port forwarding connections for this session
-	var connectionsToCancel []ConnectionKey
-	for key := range s.sessionCancels {
-		if strings.HasPrefix(string(key), string(sessionKey)+"-") {
-			connectionsToCancel = append(connectionsToCancel, key)
-		}
-	}
-
-	for _, key := range connectionsToCancel {
-		if cancelFunc, exists := s.sessionCancels[key]; exists {
-			log.WithField("session", sessionKey).Debugf("cancelling port forwarding context: %s", key)
-			cancelFunc()
-			delete(s.sessionCancels, key)
-		}
-	}
-
-	if sshConnValue := session.Context().Value(ssh.ContextKeyConn); sshConnValue != nil {
-		if sshConn, ok := sshConnValue.(*cryptossh.ServerConn); ok {
-			delete(s.sshConnections, sshConn)
-		}
-	}
-
-	s.mu.Unlock()
 }

 func (s *Server) handlePrivError(logger *log.Entry, session ssh.Session, err error) {
--- a/client/ssh/server/sftp.go
+++ b/client/ssh/server/sftp.go
@@ -18,14 +18,26 @@ func (s *Server) SetAllowSFTP(allow bool) {

 // sftpSubsystemHandler handles SFTP subsystem requests
 func (s *Server) sftpSubsystemHandler(sess ssh.Session) {
+	sessionKey := s.registerSession(sess, cmdSFTP)
+	defer s.unregisterSession(sessionKey)
+
+	jwtUsername := s.associateJWTUsername(sess, sessionKey)
+
+	logger := log.WithField("session", sessionKey)
+	if jwtUsername != "" {
+		logger = logger.WithField("jwt_user", jwtUsername)
+	}
+	logger.Info("SFTP session started")
+	defer logger.Info("SFTP session closed")
+
 	s.mu.RLock()
 	allowSFTP := s.allowSFTP
 	s.mu.RUnlock()

 	if !allowSFTP {
-		log.Debugf("SFTP subsystem request denied: SFTP disabled")
+		logger.Debug("SFTP subsystem request denied: SFTP disabled")
 		if err := sess.Exit(1); err != nil {
-			log.Debugf("SFTP session exit failed: %v", err)
+			logger.Debugf("SFTP session exit: %v", err)
 		}
 		return
 	}
@@ -37,31 +49,27 @@ func (s *Server) sftpSubsystemHandler(sess ssh.Session) {
 	})

 	if !result.Allowed {
-		log.Warnf("SFTP access denied for user %s from %s: %v", sess.User(), sess.RemoteAddr(), result.Error)
+		logger.Warnf("SFTP access denied: %v", result.Error)
 		if err := sess.Exit(1); err != nil {
-			log.Debugf("exit SFTP session: %v", err)
+			logger.Debugf("exit SFTP session: %v", err)
 		}
 		return
 	}

-	log.Debugf("SFTP subsystem request from user %s (effective user %s)", sess.User(), result.User.Username)
-
 	if !result.RequiresUserSwitching {
 		if err := s.executeSftpDirect(sess); err != nil {
-			log.Errorf("SFTP direct execution: %v", err)
+			logger.Errorf("SFTP direct execution: %v", err)
 		}
 		return
 	}

 	if err := s.executeSftpWithPrivilegeDrop(sess, result.User); err != nil {
-		log.Errorf("SFTP privilege drop execution: %v", err)
+		logger.Errorf("SFTP privilege drop execution: %v", err)
 	}
 }

 // executeSftpDirect executes SFTP directly without privilege dropping
 func (s *Server) executeSftpDirect(sess ssh.Session) error {
-	log.Debugf("starting SFTP session for user %s (no privilege dropping)", sess.User())
-
 	sftpServer, err := sftp.NewServer(sess)
 	if err != nil {
 		return fmt.Errorf("SFTP server creation: %w", err)
--- a/client/ssh/server/test.go
+++ b/client/ssh/server/test.go
@@ -3,7 +3,6 @@ package server
 import (
 	"context"
 	"fmt"
-	"net"
 	"net/netip"
 	"testing"
 	"time"
@@ -14,23 +13,21 @@ func StartTestServer(t *testing.T, server *Server) string {
 	errChan := make(chan error, 1)

 	go func() {
-		ln, err := net.Listen("tcp", "127.0.0.1:0")
-		if err != nil {
-			errChan <- err
-			return
-		}
-		actualAddr := ln.Addr().String()
-		if err := ln.Close(); err != nil {
-			errChan <- fmt.Errorf("close temp listener: %w", err)
-			return
-		}
-
-		addrPort := netip.MustParseAddrPort(actualAddr)
+		// Use port 0 to let the OS assign a free port
+		addrPort := netip.MustParseAddrPort("127.0.0.1:0")
 		if err := server.Start(context.Background(), addrPort); err != nil {
 			errChan <- err
 			return
 		}
-		started <- actualAddr
+
+		// Get the actual listening address from the server
+		actualAddr := server.Addr()
+		if actualAddr == nil {
+			errChan <- fmt.Errorf("server started but no listener address available")
+			return
+		}
+
+		started <- actualAddr.String()
 	}()

 	select {
--- a/client/status/status.go
+++ b/client/status/status.go
@@ -82,10 +82,11 @@ type NsServerGroupStateOutput struct {
 }

 type SSHSessionOutput struct {
-	Username      string `json:"username" yaml:"username"`
-	RemoteAddress string `json:"remoteAddress" yaml:"remoteAddress"`
-	Command       string `json:"command" yaml:"command"`
-	JWTUsername   string `json:"jwtUsername,omitempty" yaml:"jwtUsername,omitempty"`
+	Username      string   `json:"username" yaml:"username"`
+	RemoteAddress string   `json:"remoteAddress" yaml:"remoteAddress"`
+	Command       string   `json:"command" yaml:"command"`
+	JWTUsername   string   `json:"jwtUsername,omitempty" yaml:"jwtUsername,omitempty"`
+	PortForwards  []string `json:"portForwards,omitempty" yaml:"portForwards,omitempty"`
 }

 type SSHServerStateOutput struct {
@@ -220,6 +221,7 @@ func mapSSHServer(sshServerState *proto.SSHServerState) SSHServerStateOutput {
 			RemoteAddress: session.GetRemoteAddress(),
 			Command:       session.GetCommand(),
 			JWTUsername:   session.GetJwtUsername(),
+			PortForwards:  session.GetPortForwards(),
 		})
 	}

@@ -475,6 +477,9 @@ func ParseGeneralSummary(overview OutputOverview, showURL bool, showRelays bool,
 					)
 				}
 				sshServerStatus += "\n  " + sessionDisplay
+				for _, pf := range session.PortForwards {
+					sshServerStatus += "\n    " + pf
+				}
 			}
 		}
 	}
--- a/client/system/info_android.go
+++ b/client/system/info_android.go
@@ -1,6 +1,3 @@
-//go:build android
-// +build android
-
 package system

 import (
--- a/client/system/info_darwin.go
+++ b/client/system/info_darwin.go
@@ -1,5 +1,4 @@
 //go:build !ios
-// +build !ios

 package system

--- a/client/system/info_ios.go
+++ b/client/system/info_ios.go
@@ -1,6 +1,3 @@
-//go:build ios
-// +build ios
-
 package system

 import (
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -510,7 +510,7 @@ func (s *serviceClient) saveSettings() {
 		// Continue with default behavior if features can't be retrieved
 	} else if features != nil && features.DisableUpdateSettings {
 		log.Warn("Configuration updates are disabled by daemon")
-		dialog.ShowError(fmt.Errorf("Configuration updates are disabled by daemon"), s.wSettings)
+		dialog.ShowError(fmt.Errorf("configuration updates are disabled by daemon"), s.wSettings)
 		return
 	}

@@ -540,7 +540,7 @@ func (s *serviceClient) saveSettings() {
 func (s *serviceClient) validateSettings() error {
 	if s.iPreSharedKey.Text != "" && s.iPreSharedKey.Text != censoredPreSharedKey {
 		if _, err := wgtypes.ParseKey(s.iPreSharedKey.Text); err != nil {
-			return fmt.Errorf("Invalid Pre-shared Key Value")
+			return fmt.Errorf("invalid pre-shared key value")
 		}
 	}
 	return nil
@@ -549,10 +549,10 @@ func (s *serviceClient) validateSettings() error {
 func (s *serviceClient) parseNumericSettings() (int64, int64, error) {
 	port, err := strconv.ParseInt(s.iInterfacePort.Text, 10, 64)
 	if err != nil {
-		return 0, 0, errors.New("Invalid interface port")
+		return 0, 0, errors.New("invalid interface port")
 	}
 	if port < 1 || port > 65535 {
-		return 0, 0, errors.New("Invalid interface port: out of range 1-65535")
+		return 0, 0, errors.New("invalid interface port: out of range 1-65535")
 	}

 	var mtu int64
@@ -560,7 +560,7 @@ func (s *serviceClient) parseNumericSettings() (int64, int64, error) {
 	if mtuText != "" {
 		mtu, err = strconv.ParseInt(mtuText, 10, 64)
 		if err != nil {
-			return 0, 0, errors.New("Invalid MTU value")
+			return 0, 0, errors.New("invalid MTU value")
 		}
 		if mtu < iface.MinMTU || mtu > iface.MaxMTU {
 			return 0, 0, fmt.Errorf("MTU must be between %d and %d bytes", iface.MinMTU, iface.MaxMTU)
@@ -645,7 +645,7 @@ func (s *serviceClient) buildSetConfigRequest(iMngURL string, port, mtu int64) (
 	if sshJWTCacheTTLText != "" {
 		sshJWTCacheTTL, err := strconv.ParseInt(sshJWTCacheTTLText, 10, 32)
 		if err != nil {
-			return nil, errors.New("Invalid SSH JWT Cache TTL value")
+			return nil, errors.New("invalid SSH JWT Cache TTL value")
 		}
 		if sshJWTCacheTTL < 0 || sshJWTCacheTTL > maxSSHJWTCacheTTL {
 			return nil, fmt.Errorf("SSH JWT Cache TTL must be between 0 and %d seconds", maxSSHJWTCacheTTL)
--- a/client/ui/signal_windows.go
+++ b/client/ui/signal_windows.go
@@ -164,7 +164,7 @@ func sendShowWindowSignal(pid int32) error {

 	err = windows.SetEvent(eventHandle)
 	if err != nil {
-		return fmt.Errorf("Error setting event: %w", err)
+		return fmt.Errorf("error setting event: %w", err)
 	}

 	return nil
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,8 @@
 module github.com/netbirdio/netbird

-go 1.24.10
+go 1.25
+
+toolchain go1.25.5

 require (
 	cunicu.li/go-rosenpass v0.4.0
@@ -8,22 +10,22 @@ require (
 	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/golang/protobuf v1.5.4
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/mux v1.8.1
 	github.com/kardianos/service v1.2.3-0.20240613133416-becf2eb62b83
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.6
 	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.7.0
-	github.com/spf13/pflag v1.0.5
+	github.com/spf13/cobra v1.10.1
+	github.com/spf13/pflag v1.0.9
 	github.com/vishvananda/netlink v1.3.1
-	golang.org/x/crypto v0.45.0
-	golang.org/x/sys v0.38.0
+	golang.org/x/crypto v0.46.0
+	golang.org/x/sys v0.39.0
 	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/grpc v1.75.0
-	google.golang.org/protobuf v1.36.8
+	google.golang.org/grpc v1.77.0
+	google.golang.org/protobuf v1.36.10
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )

@@ -40,7 +42,8 @@ require (
 	github.com/cilium/ebpf v0.15.0
 	github.com/coder/websocket v1.8.13
 	github.com/coreos/go-iptables v0.7.0
-	github.com/creack/pty v1.1.18
+	github.com/creack/pty v1.1.24
+	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
 	github.com/dexidp/dex/api/v2 v2.4.0
 	github.com/eko/gocache/lib/v4 v4.2.0
 	github.com/eko/gocache/store/go_cache/v4 v4.2.2
@@ -79,8 +82,8 @@ require (
 	github.com/pion/transport/v3 v3.0.7
 	github.com/pion/turn/v3 v3.0.1
 	github.com/pkg/sftp v1.13.9
-	github.com/prometheus/client_golang v1.22.0
-	github.com/quic-go/quic-go v0.49.1
+	github.com/prometheus/client_golang v1.23.2
+	github.com/quic-go/quic-go v0.55.0
 	github.com/redis/go-redis/v9 v9.7.3
 	github.com/rs/xid v1.3.0
 	github.com/shirou/gopsutil/v3 v3.24.4
@@ -97,39 +100,44 @@ require (
 	github.com/vmihailenco/msgpack/v5 v5.4.1
 	github.com/yusufpapurcu/wmi v1.2.4
 	github.com/zcalusic/sysinfo v1.1.3
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0
-	go.opentelemetry.io/otel v1.37.0
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0
+	go.opentelemetry.io/otel v1.38.0
 	go.opentelemetry.io/otel/exporters/prometheus v0.48.0
-	go.opentelemetry.io/otel/metric v1.37.0
-	go.opentelemetry.io/otel/sdk/metric v1.37.0
-	go.uber.org/mock v0.5.0
+	go.opentelemetry.io/otel/metric v1.38.0
+	go.opentelemetry.io/otel/sdk/metric v1.38.0
+	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/mobile v0.0.0-20251113184115-a159579294ab
 	golang.org/x/mod v0.30.0
 	golang.org/x/net v0.47.0
-	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.18.0
-	golang.org/x/term v0.37.0
-	golang.org/x/time v0.12.0
-	google.golang.org/api v0.177.0
+	golang.org/x/oauth2 v0.34.0
+	golang.org/x/sync v0.19.0
+	golang.org/x/term v0.38.0
+	golang.org/x/time v0.14.0
+	google.golang.org/api v0.257.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.5.7
 	gorm.io/driver/postgres v1.5.7
 	gorm.io/driver/sqlite v1.5.7
 	gorm.io/gorm v1.25.12
-	gvisor.dev/gvisor v0.0.0-20231020174304-b8a429915ff1
+	gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c
 )

 require (
-	cloud.google.com/go/auth v0.3.0 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
-	cloud.google.com/go/compute/metadata v0.7.0 // indirect
-	dario.cat/mergo v1.0.0 // indirect
+	cloud.google.com/go/auth v0.17.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/AppsFlyer/go-sundheit v0.6.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/hcsshim v0.12.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
@@ -150,12 +158,14 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
 	github.com/aws/smithy-go v1.22.2 // indirect
+	github.com/beevik/etree v1.6.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/containerd v1.7.29 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
@@ -169,26 +179,28 @@ require (
 	github.com/fyne-io/glfw-js v0.3.0 // indirect
 	github.com/fyne-io/image v0.1.1 // indirect
 	github.com/fyne-io/oksvg v0.2.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 // indirect
 	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.12 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-sql-driver/mysql v1.8.1 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/go-text/render v0.2.0 // indirect
 	github.com/go-text/typesetting v0.2.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/pprof v0.0.0-20211214055906-6f57359322fd // indirect
-	github.com/google/s2a-go v0.1.7 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/gorilla/handlers v1.5.2 // indirect
 	github.com/hack-pad/go-indexeddb v0.3.2 // indirect
 	github.com/hack-pad/safejs v0.1.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
@@ -197,18 +209,23 @@ require (
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
 	github.com/kr/fs v0.1.0 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mattn/go-sqlite3 v1.14.22 // indirect
+	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
+	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mdlayher/genetlink v1.3.2 // indirect
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mholt/acmez/v2 v2.0.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
@@ -231,11 +248,14 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/russellhaering/goxmldsig v1.5.0 // indirect
 	github.com/rymdport/portal v0.4.2 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
 	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
 	github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
@@ -246,17 +266,17 @@ require (
 	github.com/wlynxg/anet v0.0.3 // indirect
 	github.com/yuin/goldmark v1.7.8 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/image v0.33.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 )
@@ -265,10 +285,12 @@ replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-2024

 replace github.com/getlantern/systray => github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949

-replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20241230120307-6a676aebaaf6
+replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0

 replace github.com/cloudflare/circl => github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6

 replace github.com/pion/ice/v4 => github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51

 replace github.com/libp2p/go-netroute => github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944
+
+replace github.com/dexidp/dex => github.com/netbirdio/dex v0.244.0
--- a/go.sum
+++ b/go.sum
@@ -1,15 +1,14 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go/auth v0.3.0 h1:PRyzEpGfx/Z9e8+lHsbkoUVXD0gnu4MNmm7Gp8TQNIs=
-cloud.google.com/go/auth v0.3.0/go.mod h1:lBv6NKTWp8E3LPzmO1TbiiRKc4drLOfHsgmlH9ogv5w=
-cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4=
-cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q=
+cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4=
+cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ=
+cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
+cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU=
-cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo=
+cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 cunicu.li/go-rosenpass v0.4.0 h1:LtPtBgFWY/9emfgC4glKLEqS0MJTylzV6+ChRhiZERw=
 cunicu.li/go-rosenpass v0.4.0/go.mod h1:MPbjH9nxV4l3vEagKVdFNwHOketqgS5/To1VYJplf/M=
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 fyne.io/fyne/v2 v2.7.0 h1:GvZSpE3X0liU/fqstInVvRsaboIVpIWQ4/sfjDGIGGQ=
@@ -18,17 +17,28 @@ fyne.io/systray v1.11.1-0.20250603113521-ca66a66d8b58 h1:eA5/u2XRd8OUkoMqEv3IBlF
 fyne.io/systray v1.11.1-0.20250603113521-ca66a66d8b58/go.mod h1:RVwqP9nYMo7h5zViCBHri2FgjXF7H2cub7MAq4NSoLs=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AppsFlyer/go-sundheit v0.6.0 h1:d2hBvCjBSb2lUsEWGfPigr4MCOt04sxB+Rppl0yUMSk=
+github.com/AppsFlyer/go-sundheit v0.6.0/go.mod h1:LDdBHD6tQBtmHsdW+i1GwdTt6Wqc0qazf5ZEJVTbTME=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
+github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Microsoft/hcsshim v0.12.3 h1:LS9NXqXhMoqNCplK1ApmVSfB4UnVLRDWRapB6EIlxE0=
 github.com/Microsoft/hcsshim v0.12.3/go.mod h1:Iyl1WVpZzr+UkzjekHZbV8o5Z9ZkxNGx6CtY2Qg/JVQ=
 github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible h1:hqcTK6ZISdip65SR792lwYJTa/axESA0889D3UlZbLo=
 github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible/go.mod h1:6B1nuc1MUs6c62ODZDl7hVE5Pv7O2XGSkgg2olnq34I=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/awnumar/memcall v0.4.0 h1:B7hgZYdfH6Ot1Goaz8jGne/7i8xD4taZie/PNSFZ29g=
@@ -73,6 +83,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/Xv
 github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
 github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
 github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/beevik/etree v1.6.0 h1:u8Kwy8pp9D9XeITj2Z0XtA5qqZEmtJtuXZRQi+j03eE=
+github.com/beevik/etree v1.6.0/go.mod h1:bh4zJxiIr62SOf9pRzN7UUYaEDa9HEKafK25+sLc0Gc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
@@ -87,16 +99,10 @@ github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+Y
 github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
 github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
@@ -107,11 +113,13 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
 github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
+github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
+github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
 github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6 h1:/DS5cDX3FJdl+XaN2D7XAwFpuanTxnp52DBLZAaJKx0=
 github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -135,14 +143,14 @@ github.com/eko/gocache/store/go_cache/v4 v4.2.2 h1:tAI9nl6TLoJyKG1ujF0CS0n/IgTEM
 github.com/eko/gocache/store/go_cache/v4 v4.2.2/go.mod h1:T9zkHokzr8K9EiC7RfMbDg6HSwaV6rv3UdcNu13SGcA=
 github.com/eko/gocache/store/redis/v4 v4.2.2 h1:Thw31fzGuH3WzJywsdbMivOmP550D6JS7GDHhvCJPA0=
 github.com/eko/gocache/store/redis/v4 v4.2.2/go.mod h1:LaTxLKx9TG/YUEybQvPMij++D7PBTIJ4+pzvk0ykz0w=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
 github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
+github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fredbi/uri v1.1.1 h1:xZHJC08GZNIUhbP5ImTHnt5Ya0T8FI2VAwI/37kh2Ko=
 github.com/fredbi/uri v1.1.1/go.mod h1:4+DZQ5zBjEwQCDmXW5JdIjz0PUA+yJbvtBv+u+adr5o=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -161,10 +169,16 @@ github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm
 github.com/gin-gonic/gin v1.5.0/go.mod h1:Nd6IXA8m5kNZdNEHMBd93KT+mdY3+bewLgRvmCsR2Do=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 h1:5BVwOaUSBTlVZowGO6VZGw2H/zl9nrd3eCZfYV+NfQA=
 github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71/go.mod h1:9YTyiznxEY1fVinfM7RvRcjRHbw2xLBJ3AAGIT0I4Nw=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a h1:vxnBhFDDT+xzxf1jTJKMKZw3H0swfWk9RpWbBbDK5+0=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -180,8 +194,8 @@ github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZs
 github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
 github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
 github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
-github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
-github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
+github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
+github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
@@ -197,11 +211,6 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -212,9 +221,7 @@ github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:x
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
@@ -222,12 +229,9 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -242,23 +246,24 @@ github.com/google/nftables v0.3.0 h1:bkyZ0cbpVeMHXOrtlFc8ISmfVqq5gPJukoYieyVmITg
 github.com/google/nftables v0.3.0/go.mod h1:BCp9FsrbF1Fn/Yu6CLUc9GGZFw/+hsxfluNXXmxBfRM=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd h1:1FjCyPC+syAzJ5/2S8fqdZK1R22vvA0J7JZKcuOIQ7Y=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
-github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
-github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
+github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
-github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
-github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA=
-github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4=
+github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAVrGgAa0f2/R35S4DJwfFaUPFQ=
+github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
+github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
+github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
 github.com/gopacket/gopacket v1.1.1 h1:zbx9F9d6A7sWNkFKrvMBZTfGgxFoY4NgUudFVVHMfcw=
 github.com/gopacket/gopacket v1.1.1/go.mod h1:HavMeONEl7W9036of9LbSWoonqhH7HA1+ZRO+rMIvFs=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.2-0.20240212192251-757544f21357 h1:Fkzd8ktnpOR9h47SXHe2AYPwelXLH2GjGsjlAloiWfo=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.2-0.20240212192251-757544f21357/go.mod h1:w9Y7gY31krpLmrVU5ZPG9H7l9fZuRu5/3R3S3FMtVQ4=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/hack-pad/go-indexeddb v0.3.2 h1:DTqeJJYc1usa45Q5r52t01KhvlSN02+Oq+tQbSBI91A=
 github.com/hack-pad/go-indexeddb v0.3.2/go.mod h1:QvfTevpDVlkfomY498LhstjwbPW6QC4VC/lxYb0Kom0=
 github.com/hack-pad/safejs v0.1.0 h1:qPS6vjreAqh2amUqj4WNG1zIw7qlRQJ9K10eDKMCnE8=
@@ -276,7 +281,8 @@ github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b
 github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
+github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
+github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -287,6 +293,18 @@ github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
 github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
 github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade h1:FmusiCI1wHw+XQbvL9M+1r/C3SPqKrmBaIOYwVfQoDE=
 github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade/go.mod h1:ZDXo8KHryOWSIqnsb/CiDq7hQUYryCgdVnxbj8tDG7o=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
@@ -297,6 +315,8 @@ github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9Y
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25 h1:YLvr1eE6cdCqjOe972w/cYF+FjW34v27+9Vo5106B4M=
 github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25/go.mod h1:kLgvv7o6UM+0QSf0QjAse3wReFDsb9qbZJdfexWlrQw=
@@ -311,8 +331,11 @@ github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuV
 github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
@@ -331,9 +354,11 @@ github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae h1:dIZY4ULFcto4tA
 github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
+github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
-github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
-github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
+github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
@@ -346,8 +371,12 @@ github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
 github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
+github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
+github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
+github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
+github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
@@ -366,6 +395,8 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/netbirdio/dex v0.244.0 h1:1GOvi8wnXYassnKGildzNqRHq0RbcfEUw7LKYpKIN7U=
+github.com/netbirdio/dex v0.244.0/go.mod h1:STGInJhPcAflrHmDO7vyit2kSq03PdL+8zQPoGALtcU=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6Sf8uYFx/dMeqNOL90KUoRscdfpFZ3Im89uk=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
@@ -376,8 +407,8 @@ github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9ax
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45/go.mod h1:5/sjFmLb8O96B5737VCqhHyGRzNFIaN/Bu7ZodXc3qQ=
-github.com/netbirdio/wireguard-go v0.0.0-20241230120307-6a676aebaaf6 h1:X5h5QgP7uHAv78FWgHV8+WYLjHxK9v3ilkVXT1cpCrQ=
-github.com/netbirdio/wireguard-go v0.0.0-20241230120307-6a676aebaaf6/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
+github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0 h1:h/QnNzm7xzHPm+gajcblYUOclrW2FeNeDlUNj6tTWKQ=
+github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/nicksnyder/go-i18n/v2 v2.5.1 h1:IxtPxYsR9Gp60cGXjfuR/llTqV8aYMsC472zD0D1vHk=
@@ -436,6 +467,7 @@ github.com/pion/turn/v3 v3.0.1 h1:wLi7BTQr6/Q20R0vt/lHbjv6y4GChFtC33nkYbasoT8=
 github.com/pion/turn/v3 v3.0.1/go.mod h1:MrJDKgqryDyWy1/4NT9TWfXWGMC7UHT6pJIv1+gMeNE=
 github.com/pion/turn/v4 v4.1.1 h1:9UnY2HB99tpDyz3cVVZguSxcqkJ1DsTSZ+8TGruh4fc=
 github.com/pion/turn/v4 v4.1.1/go.mod h1:2123tHk1O++vmjI5VSD0awT50NywDAq5A2NNNU4Jjs8=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
@@ -447,25 +479,26 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/quic-go/quic-go v0.49.1 h1:e5JXpUyF0f2uFjckQzD8jTghZrOUK1xxDqqZhlwixo0=
-github.com/quic-go/quic-go v0.49.1/go.mod h1:s2wDnmCdooUQBmQfpUSTCYBl1/D4FcqbULMMkASvR6s=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
 github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/cors v1.8.0 h1:P2KMzcFwrPoSjkF1WLRPsp3UMLyql8L4v9hQpVeK5so=
 github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM=
 github.com/rs/xid v1.3.0 h1:6NjYksEUlhurdVehpc7S7dk6DAmcKv8V9gG0FsVN2U4=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/russellhaering/goxmldsig v1.5.0 h1:AU2UkkYIUOTyZRbe08XMThaOCelArgvNfYapcmSjBNw=
+github.com/russellhaering/goxmldsig v1.5.0/go.mod h1:x98CjQNFJcWfMxeOrMnMKg70lvDP6tE0nTaeUnjXDmk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/rymdport/portal v0.4.2 h1:7jKRSemwlTyVHHrTGgQg7gmNPJs88xkbKcIL3NlcmSU=
 github.com/rymdport/portal v0.4.2/go.mod h1:kFF4jslnJ8pD5uCi17brj/ODlfIidOxlgUDTO5ncnC4=
@@ -475,21 +508,26 @@ github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFt
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
 github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
 github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8 h1:TG/diQgUe0pntT/2D9tmUCz4VNwm9MfrtPr0SU2qSX8=
 github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8/go.mod h1:P5HUIBuIWKbyjl083/loAegFkfbFNx5i2qEP4CNbm7E=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
+github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c h1:km8GpoQut05eY3GiYWEedbTT0qnSxrCjsVbb7yKY1KE=
 github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c/go.mod h1:cNQ3dwVJtS5Hmnjxy6AgTPd0Inb3pW05ftPSX7NZO7Q=
 github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef h1:Ch6Q+AZUxDBCVqdkI8FSpFyZDtCVBc2VmejdNrm5rRQ=
 github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef/go.mod h1:nXTWP6+gD5+LUJ8krVhhoeHjvHTutPxMYl5SvkcnJNE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -501,7 +539,6 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
@@ -555,40 +592,40 @@ github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
 github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvvKCaQ=
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
-go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
-go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc=
-go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
 go.opentelemetry.io/otel/exporters/prometheus v0.48.0 h1:sBQe3VNGUjY9IKWQC6z2lNqa5iGbDSxhs60ABwK4y0s=
 go.opentelemetry.io/otel/exporters/prometheus v0.48.0/go.mod h1:DtrbMzoZWwQHyrQmCfLam5DZbnmorsGbOtTbYHycU5o=
-go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
-go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
-go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
-go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
-go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 goauthentik.io/api/v3 v3.2023051.3 h1:NebAhD/TeTWNo/9X3/Uj+rM5fG1HaiLOlKTNLQv9Qq4=
 goauthentik.io/api/v3 v3.2023051.3/go.mod h1:nYECml4jGbp/541hj8GcylKQG1gVBsKppHy4+7G8u4U=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -602,16 +639,12 @@ golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1m
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.33.0 h1:LXRZRnv1+zGd5XBUVRFmYEphyyKJjQjCRiOuAP3sZfQ=
 golang.org/x/image v0.33.0/go.mod h1:DD3OsTYT9chzuzTQt+zMcOlBHgfoKQb1gry8p76Y1sc=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20251113184115-a159579294ab h1:Iqyc+2zr7aGyLuEadIm0KRJP0Wwt+fhlXLa51Fxf1+Q=
 golang.org/x/mobile v0.0.0-20251113184115-a159579294ab/go.mod h1:Eq3Nh/5pFSWug2ohiudJ1iyU59SO78QFuh4qTTN++I0=
@@ -626,18 +659,13 @@ golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
 golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -651,12 +679,10 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
 golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -667,9 +693,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -688,7 +713,6 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -705,8 +729,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -719,8 +743,8 @@ golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -732,15 +756,11 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -765,42 +785,31 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.177.0 h1:8a0p/BbPa65GlqGWtUKxot4p0TV8OGOfyTjtmkXNXmk=
-google.golang.org/api v0.177.0/go.mod h1:srbhue4MLjkjbkux5p3dw/ocYOSZTaIEvf7bCOnFQDw=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/api v0.257.0 h1:8Y0lzvHlZps53PEaw+G29SsQIkuKrumGWs9puiexNAA=
+google.golang.org/api v0.257.0/go.mod h1:4eJrr+vbVaZSqs7vovFd1Jb/A6ml6iw2e6FBYf3GAO4=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 h1:FiusG7LWj+4byqhbvmB+Q93B/mOxJLN2DTozDuZm4EU=
-google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:kXqgZtrWaf6qS3jZOCnCH7WYfrvFjkC51bM8fz3RsCA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 h1:pFyd6EwwL2TqFf8emdthzeX+gZE1ElRq3iM8pui4KBY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.75.0 h1:+TW+dqTd2Biwe6KKfhE5JpiYIBWq865PhKGSXiivqt4=
-google.golang.org/grpc v1.75.0/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ=
+google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
+google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 h1:Wgl1rcDNThT+Zn47YyCXOXyX/COgMTIdhJ717F0l4xk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
+google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
@@ -834,7 +843,5 @@ gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
 gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
 gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
 gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-gvisor.dev/gvisor v0.0.0-20231020174304-b8a429915ff1 h1:qDCwdCWECGnwQSQC01Dpnp09fRHxJs9PbktotUqG+hs=
-gvisor.dev/gvisor v0.0.0-20231020174304-b8a429915ff1/go.mod h1:8hmigyCdYtw5xJGfQDJzSH5Ju8XEIDBnpyi8+O6GRt8=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c h1:pfzmXIkkDgydR4ZRP+e1hXywZfYR21FA0Fbk6ptMkiA=
+gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c/go.mod h1:/mc6CfwbOm5KKmqoV7Qx20Q+Ja8+vO4g7FuCdlVoAfQ=
--- a/idp/dex/config.go
+++ b/idp/dex/config.go
@@ -0,0 +1,301 @@
+package dex
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"os"
+	"time"
+
+	"golang.org/x/crypto/bcrypt"
+	"gopkg.in/yaml.v3"
+
+	"github.com/dexidp/dex/server"
+	"github.com/dexidp/dex/storage"
+	"github.com/dexidp/dex/storage/sql"
+
+	"github.com/netbirdio/netbird/idp/dex/web"
+)
+
+// parseDuration parses a duration string (e.g., "6h", "24h", "168h").
+func parseDuration(s string) (time.Duration, error) {
+	return time.ParseDuration(s)
+}
+
+// YAMLConfig represents the YAML configuration file format (mirrors dex's config format)
+type YAMLConfig struct {
+	Issuer   string   `yaml:"issuer" json:"issuer"`
+	Storage  Storage  `yaml:"storage" json:"storage"`
+	Web      Web      `yaml:"web" json:"web"`
+	GRPC     GRPC     `yaml:"grpc" json:"grpc"`
+	OAuth2   OAuth2   `yaml:"oauth2" json:"oauth2"`
+	Expiry   Expiry   `yaml:"expiry" json:"expiry"`
+	Logger   Logger   `yaml:"logger" json:"logger"`
+	Frontend Frontend `yaml:"frontend" json:"frontend"`
+
+	// StaticConnectors are user defined connectors specified in the config file
+	StaticConnectors []Connector `yaml:"connectors" json:"connectors"`
+
+	// StaticClients cause the server to use this list of clients rather than
+	// querying the storage. Write operations, like creating a client, will fail.
+	StaticClients []storage.Client `yaml:"staticClients" json:"staticClients"`
+
+	// If enabled, the server will maintain a list of passwords which can be used
+	// to identify a user.
+	EnablePasswordDB bool `yaml:"enablePasswordDB" json:"enablePasswordDB"`
+
+	// StaticPasswords cause the server use this list of passwords rather than
+	// querying the storage.
+	StaticPasswords []Password `yaml:"staticPasswords" json:"staticPasswords"`
+}
+
+// Web is the config format for the HTTP server.
+type Web struct {
+	HTTP           string   `yaml:"http" json:"http"`
+	HTTPS          string   `yaml:"https" json:"https"`
+	AllowedOrigins []string `yaml:"allowedOrigins" json:"allowedOrigins"`
+	AllowedHeaders []string `yaml:"allowedHeaders" json:"allowedHeaders"`
+}
+
+// GRPC is the config for the gRPC API.
+type GRPC struct {
+	Addr        string `yaml:"addr" json:"addr"`
+	TLSCert     string `yaml:"tlsCert" json:"tlsCert"`
+	TLSKey      string `yaml:"tlsKey" json:"tlsKey"`
+	TLSClientCA string `yaml:"tlsClientCA" json:"tlsClientCA"`
+}
+
+// OAuth2 describes enabled OAuth2 extensions.
+type OAuth2 struct {
+	SkipApprovalScreen    bool     `yaml:"skipApprovalScreen" json:"skipApprovalScreen"`
+	AlwaysShowLoginScreen bool     `yaml:"alwaysShowLoginScreen" json:"alwaysShowLoginScreen"`
+	PasswordConnector     string   `yaml:"passwordConnector" json:"passwordConnector"`
+	ResponseTypes         []string `yaml:"responseTypes" json:"responseTypes"`
+	GrantTypes            []string `yaml:"grantTypes" json:"grantTypes"`
+}
+
+// Expiry holds configuration for the validity period of components.
+type Expiry struct {
+	SigningKeys    string              `yaml:"signingKeys" json:"signingKeys"`
+	IDTokens       string              `yaml:"idTokens" json:"idTokens"`
+	AuthRequests   string              `yaml:"authRequests" json:"authRequests"`
+	DeviceRequests string              `yaml:"deviceRequests" json:"deviceRequests"`
+	RefreshTokens  RefreshTokensExpiry `yaml:"refreshTokens" json:"refreshTokens"`
+}
+
+// RefreshTokensExpiry holds configuration for refresh token expiry.
+type RefreshTokensExpiry struct {
+	ReuseInterval     string `yaml:"reuseInterval" json:"reuseInterval"`
+	ValidIfNotUsedFor string `yaml:"validIfNotUsedFor" json:"validIfNotUsedFor"`
+	AbsoluteLifetime  string `yaml:"absoluteLifetime" json:"absoluteLifetime"`
+	DisableRotation   bool   `yaml:"disableRotation" json:"disableRotation"`
+}
+
+// Logger holds configuration required to customize logging.
+type Logger struct {
+	Level  string `yaml:"level" json:"level"`
+	Format string `yaml:"format" json:"format"`
+}
+
+// Frontend holds the server's frontend templates and assets config.
+type Frontend struct {
+	Dir     string            `yaml:"dir" json:"dir"`
+	Theme   string            `yaml:"theme" json:"theme"`
+	Issuer  string            `yaml:"issuer" json:"issuer"`
+	LogoURL string            `yaml:"logoURL" json:"logoURL"`
+	Extra   map[string]string `yaml:"extra" json:"extra"`
+}
+
+// Storage holds app's storage configuration.
+type Storage struct {
+	Type   string                 `yaml:"type" json:"type"`
+	Config map[string]interface{} `yaml:"config" json:"config"`
+}
+
+// Password represents a static user configuration
+type Password storage.Password
+
+func (p *Password) UnmarshalYAML(node *yaml.Node) error {
+	var data struct {
+		Email       string `yaml:"email"`
+		Username    string `yaml:"username"`
+		UserID      string `yaml:"userID"`
+		Hash        string `yaml:"hash"`
+		HashFromEnv string `yaml:"hashFromEnv"`
+	}
+	if err := node.Decode(&data); err != nil {
+		return err
+	}
+	*p = Password(storage.Password{
+		Email:    data.Email,
+		Username: data.Username,
+		UserID:   data.UserID,
+	})
+	if len(data.Hash) == 0 && len(data.HashFromEnv) > 0 {
+		data.Hash = os.Getenv(data.HashFromEnv)
+	}
+	if len(data.Hash) == 0 {
+		return fmt.Errorf("no password hash provided for user %s", data.Email)
+	}
+
+	// If this value is a valid bcrypt, use it.
+	_, bcryptErr := bcrypt.Cost([]byte(data.Hash))
+	if bcryptErr == nil {
+		p.Hash = []byte(data.Hash)
+		return nil
+	}
+
+	// For backwards compatibility try to base64 decode this value.
+	hashBytes, err := base64.StdEncoding.DecodeString(data.Hash)
+	if err != nil {
+		return fmt.Errorf("malformed bcrypt hash: %v", bcryptErr)
+	}
+	if _, err := bcrypt.Cost(hashBytes); err != nil {
+		return fmt.Errorf("malformed bcrypt hash: %v", err)
+	}
+	p.Hash = hashBytes
+	return nil
+}
+
+// Connector is a connector configuration that can unmarshal YAML dynamically.
+type Connector struct {
+	Type   string                 `yaml:"type" json:"type"`
+	Name   string                 `yaml:"name" json:"name"`
+	ID     string                 `yaml:"id" json:"id"`
+	Config map[string]interface{} `yaml:"config" json:"config"`
+}
+
+// ToStorageConnector converts a Connector to storage.Connector type.
+func (c *Connector) ToStorageConnector() (storage.Connector, error) {
+	data, err := json.Marshal(c.Config)
+	if err != nil {
+		return storage.Connector{}, fmt.Errorf("failed to marshal connector config: %v", err)
+	}
+
+	return storage.Connector{
+		ID:     c.ID,
+		Type:   c.Type,
+		Name:   c.Name,
+		Config: data,
+	}, nil
+}
+
+// StorageConfig is a configuration that can create a storage.
+type StorageConfig interface {
+	Open(logger *slog.Logger) (storage.Storage, error)
+}
+
+// OpenStorage opens a storage based on the config
+func (s *Storage) OpenStorage(logger *slog.Logger) (storage.Storage, error) {
+	switch s.Type {
+	case "sqlite3":
+		file, _ := s.Config["file"].(string)
+		if file == "" {
+			return nil, fmt.Errorf("sqlite3 storage requires 'file' config")
+		}
+		return (&sql.SQLite3{File: file}).Open(logger)
+	default:
+		return nil, fmt.Errorf("unsupported storage type: %s", s.Type)
+	}
+}
+
+// Validate validates the configuration
+func (c *YAMLConfig) Validate() error {
+	if c.Issuer == "" {
+		return fmt.Errorf("no issuer specified in config file")
+	}
+	if c.Storage.Type == "" {
+		return fmt.Errorf("no storage type specified in config file")
+	}
+	if c.Web.HTTP == "" && c.Web.HTTPS == "" {
+		return fmt.Errorf("must supply a HTTP/HTTPS address to listen on")
+	}
+	if !c.EnablePasswordDB && len(c.StaticPasswords) != 0 {
+		return fmt.Errorf("cannot specify static passwords without enabling password db")
+	}
+	return nil
+}
+
+// ToServerConfig converts YAMLConfig to dex server.Config
+func (c *YAMLConfig) ToServerConfig(stor storage.Storage, logger *slog.Logger) server.Config {
+	cfg := server.Config{
+		Issuer:             c.Issuer,
+		Storage:            stor,
+		Logger:             logger,
+		SkipApprovalScreen: c.OAuth2.SkipApprovalScreen,
+		AllowedOrigins:     c.Web.AllowedOrigins,
+		AllowedHeaders:     c.Web.AllowedHeaders,
+		Web: server.WebConfig{
+			Issuer:  c.Frontend.Issuer,
+			LogoURL: c.Frontend.LogoURL,
+			Theme:   c.Frontend.Theme,
+			Dir:     c.Frontend.Dir,
+			Extra:   c.Frontend.Extra,
+		},
+	}
+
+	// Use embedded NetBird-styled templates if no custom dir specified
+	if c.Frontend.Dir == "" {
+		cfg.Web.WebFS = web.FS()
+	}
+
+	if len(c.OAuth2.ResponseTypes) > 0 {
+		cfg.SupportedResponseTypes = c.OAuth2.ResponseTypes
+	}
+
+	// Apply expiry settings
+	if c.Expiry.SigningKeys != "" {
+		if d, err := parseDuration(c.Expiry.SigningKeys); err == nil {
+			cfg.RotateKeysAfter = d
+		}
+	}
+	if c.Expiry.IDTokens != "" {
+		if d, err := parseDuration(c.Expiry.IDTokens); err == nil {
+			cfg.IDTokensValidFor = d
+		}
+	}
+	if c.Expiry.AuthRequests != "" {
+		if d, err := parseDuration(c.Expiry.AuthRequests); err == nil {
+			cfg.AuthRequestsValidFor = d
+		}
+	}
+	if c.Expiry.DeviceRequests != "" {
+		if d, err := parseDuration(c.Expiry.DeviceRequests); err == nil {
+			cfg.DeviceRequestsValidFor = d
+		}
+	}
+
+	return cfg
+}
+
+// GetRefreshTokenPolicy creates a RefreshTokenPolicy from the expiry config.
+// This should be called after ToServerConfig and the policy set on the config.
+func (c *YAMLConfig) GetRefreshTokenPolicy(logger *slog.Logger) (*server.RefreshTokenPolicy, error) {
+	return server.NewRefreshTokenPolicy(
+		logger,
+		c.Expiry.RefreshTokens.DisableRotation,
+		c.Expiry.RefreshTokens.ValidIfNotUsedFor,
+		c.Expiry.RefreshTokens.AbsoluteLifetime,
+		c.Expiry.RefreshTokens.ReuseInterval,
+	)
+}
+
+// LoadConfig loads configuration from a YAML file
+func LoadConfig(path string) (*YAMLConfig, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read config file: %w", err)
+	}
+
+	var cfg YAMLConfig
+	if err := yaml.Unmarshal(data, &cfg); err != nil {
+		return nil, fmt.Errorf("failed to parse config file: %w", err)
+	}
+
+	if err := cfg.Validate(); err != nil {
+		return nil, err
+	}
+
+	return &cfg, nil
+}
--- a/idp/dex/logrus_handler.go
+++ b/idp/dex/logrus_handler.go
@@ -0,0 +1,113 @@
+package dex
+
+import (
+	"context"
+	"log/slog"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/formatter"
+)
+
+// LogrusHandler is an slog.Handler that delegates to logrus.
+// This allows Dex to use the same log format as the rest of NetBird.
+type LogrusHandler struct {
+	logger *logrus.Logger
+	attrs  []slog.Attr
+	groups []string
+}
+
+// NewLogrusHandler creates a new slog handler that wraps logrus with NetBird's text formatter.
+func NewLogrusHandler(level slog.Level) *LogrusHandler {
+	logger := logrus.New()
+	formatter.SetTextFormatter(logger)
+
+	// Map slog level to logrus level
+	switch level {
+	case slog.LevelDebug:
+		logger.SetLevel(logrus.DebugLevel)
+	case slog.LevelInfo:
+		logger.SetLevel(logrus.InfoLevel)
+	case slog.LevelWarn:
+		logger.SetLevel(logrus.WarnLevel)
+	case slog.LevelError:
+		logger.SetLevel(logrus.ErrorLevel)
+	default:
+		logger.SetLevel(logrus.WarnLevel)
+	}
+
+	return &LogrusHandler{logger: logger}
+}
+
+// Enabled reports whether the handler handles records at the given level.
+func (h *LogrusHandler) Enabled(_ context.Context, level slog.Level) bool {
+	switch level {
+	case slog.LevelDebug:
+		return h.logger.IsLevelEnabled(logrus.DebugLevel)
+	case slog.LevelInfo:
+		return h.logger.IsLevelEnabled(logrus.InfoLevel)
+	case slog.LevelWarn:
+		return h.logger.IsLevelEnabled(logrus.WarnLevel)
+	case slog.LevelError:
+		return h.logger.IsLevelEnabled(logrus.ErrorLevel)
+	default:
+		return true
+	}
+}
+
+// Handle handles the Record.
+func (h *LogrusHandler) Handle(_ context.Context, r slog.Record) error {
+	fields := make(logrus.Fields)
+
+	// Add pre-set attributes
+	for _, attr := range h.attrs {
+		fields[attr.Key] = attr.Value.Any()
+	}
+
+	// Add record attributes
+	r.Attrs(func(attr slog.Attr) bool {
+		fields[attr.Key] = attr.Value.Any()
+		return true
+	})
+
+	entry := h.logger.WithFields(fields)
+
+	switch r.Level {
+	case slog.LevelDebug:
+		entry.Debug(r.Message)
+	case slog.LevelInfo:
+		entry.Info(r.Message)
+	case slog.LevelWarn:
+		entry.Warn(r.Message)
+	case slog.LevelError:
+		entry.Error(r.Message)
+	default:
+		entry.Info(r.Message)
+	}
+
+	return nil
+}
+
+// WithAttrs returns a new Handler with the given attributes added.
+func (h *LogrusHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
+	newAttrs := make([]slog.Attr, len(h.attrs)+len(attrs))
+	copy(newAttrs, h.attrs)
+	copy(newAttrs[len(h.attrs):], attrs)
+	return &LogrusHandler{
+		logger: h.logger,
+		attrs:  newAttrs,
+		groups: h.groups,
+	}
+}
+
+// WithGroup returns a new Handler with the given group appended to the receiver's groups.
+func (h *LogrusHandler) WithGroup(name string) slog.Handler {
+	newGroups := make([]string, len(h.groups)+1)
+	copy(newGroups, h.groups)
+	newGroups[len(h.groups)] = name
+	return &LogrusHandler{
+		logger: h.logger,
+		attrs:  h.attrs,
+		groups: newGroups,
+	}
+}
--- a/idp/dex/provider.go
+++ b/idp/dex/provider.go
@@ -0,0 +1,948 @@
+// Package dex provides an embedded Dex OIDC identity provider.
+package dex
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	dexapi "github.com/dexidp/dex/api/v2"
+	"github.com/dexidp/dex/server"
+	"github.com/dexidp/dex/storage"
+	"github.com/dexidp/dex/storage/sql"
+	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
+	"golang.org/x/crypto/bcrypt"
+	"google.golang.org/grpc"
+)
+
+// Config matches what management/internals/server/server.go expects
+type Config struct {
+	Issuer  string
+	Port    int
+	DataDir string
+	DevMode bool
+
+	// GRPCAddr is the address for the gRPC API (e.g., ":5557"). Empty disables gRPC.
+	GRPCAddr string
+}
+
+// Provider wraps a Dex server
+type Provider struct {
+	config       *Config
+	yamlConfig   *YAMLConfig
+	dexServer    *server.Server
+	httpServer   *http.Server
+	listener     net.Listener
+	grpcServer   *grpc.Server
+	grpcListener net.Listener
+	storage      storage.Storage
+	logger       *slog.Logger
+	mu           sync.Mutex
+	running      bool
+}
+
+// NewProvider creates and initializes the Dex server
+func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
+	if config.Issuer == "" {
+		return nil, fmt.Errorf("issuer is required")
+	}
+	if config.Port <= 0 {
+		return nil, fmt.Errorf("invalid port")
+	}
+	if config.DataDir == "" {
+		return nil, fmt.Errorf("data directory is required")
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
+
+	// Ensure data directory exists
+	if err := os.MkdirAll(config.DataDir, 0700); err != nil {
+		return nil, fmt.Errorf("failed to create data directory: %w", err)
+	}
+
+	// Initialize SQLite storage
+	dbPath := filepath.Join(config.DataDir, "oidc.db")
+	sqliteConfig := &sql.SQLite3{File: dbPath}
+	stor, err := sqliteConfig.Open(logger)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open storage: %w", err)
+	}
+
+	// Ensure a local connector exists (for password authentication)
+	if err := ensureLocalConnector(ctx, stor); err != nil {
+		stor.Close()
+		return nil, fmt.Errorf("failed to ensure local connector: %w", err)
+	}
+
+	// Ensure issuer ends with /oauth2 for proper path mounting
+	issuer := strings.TrimSuffix(config.Issuer, "/")
+	if !strings.HasSuffix(issuer, "/oauth2") {
+		issuer += "/oauth2"
+	}
+
+	// Build refresh token policy (required to avoid nil pointer panics)
+	refreshPolicy, err := server.NewRefreshTokenPolicy(logger, false, "", "", "")
+	if err != nil {
+		stor.Close()
+		return nil, fmt.Errorf("failed to create refresh token policy: %w", err)
+	}
+
+	// Build Dex server config - use Dex's types directly
+	dexConfig := server.Config{
+		Issuer:                 issuer,
+		Storage:                stor,
+		SkipApprovalScreen:     true,
+		SupportedResponseTypes: []string{"code"},
+		Logger:                 logger,
+		PrometheusRegistry:     prometheus.NewRegistry(),
+		RotateKeysAfter:        6 * time.Hour,
+		IDTokensValidFor:       24 * time.Hour,
+		RefreshTokenPolicy:     refreshPolicy,
+		Web: server.WebConfig{
+			Issuer: "NetBird",
+		},
+	}
+
+	dexSrv, err := server.NewServer(ctx, dexConfig)
+	if err != nil {
+		stor.Close()
+		return nil, fmt.Errorf("failed to create dex server: %w", err)
+	}
+
+	return &Provider{
+		config:    config,
+		dexServer: dexSrv,
+		storage:   stor,
+		logger:    logger,
+	}, nil
+}
+
+// NewProviderFromYAML creates and initializes the Dex server from a YAMLConfig
+func NewProviderFromYAML(ctx context.Context, yamlConfig *YAMLConfig) (*Provider, error) {
+	// Configure log level from config, default to WARN to avoid logging sensitive data (emails)
+	logLevel := slog.LevelWarn
+	if yamlConfig.Logger.Level != "" {
+		switch strings.ToLower(yamlConfig.Logger.Level) {
+		case "debug":
+			logLevel = slog.LevelDebug
+		case "info":
+			logLevel = slog.LevelInfo
+		case "warn", "warning":
+			logLevel = slog.LevelWarn
+		case "error":
+			logLevel = slog.LevelError
+		}
+	}
+	logger := slog.New(NewLogrusHandler(logLevel))
+
+	stor, err := yamlConfig.Storage.OpenStorage(logger)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open storage: %w", err)
+	}
+
+	if err := initializeStorage(ctx, stor, yamlConfig); err != nil {
+		stor.Close()
+		return nil, err
+	}
+
+	dexConfig := buildDexConfig(yamlConfig, stor, logger)
+	dexConfig.RefreshTokenPolicy, err = yamlConfig.GetRefreshTokenPolicy(logger)
+	if err != nil {
+		stor.Close()
+		return nil, fmt.Errorf("failed to create refresh token policy: %w", err)
+	}
+
+	dexSrv, err := server.NewServer(ctx, dexConfig)
+	if err != nil {
+		stor.Close()
+		return nil, fmt.Errorf("failed to create dex server: %w", err)
+	}
+
+	return &Provider{
+		config:     &Config{Issuer: yamlConfig.Issuer, GRPCAddr: yamlConfig.GRPC.Addr},
+		yamlConfig: yamlConfig,
+		dexServer:  dexSrv,
+		storage:    stor,
+		logger:     logger,
+	}, nil
+}
+
+// initializeStorage sets up connectors, passwords, and clients in storage
+func initializeStorage(ctx context.Context, stor storage.Storage, cfg *YAMLConfig) error {
+	if cfg.EnablePasswordDB {
+		if err := ensureLocalConnector(ctx, stor); err != nil {
+			return fmt.Errorf("failed to ensure local connector: %w", err)
+		}
+	}
+	if err := ensureStaticPasswords(ctx, stor, cfg.StaticPasswords); err != nil {
+		return err
+	}
+	if err := ensureStaticClients(ctx, stor, cfg.StaticClients); err != nil {
+		return err
+	}
+	return ensureStaticConnectors(ctx, stor, cfg.StaticConnectors)
+}
+
+// ensureStaticPasswords creates or updates static passwords in storage
+func ensureStaticPasswords(ctx context.Context, stor storage.Storage, passwords []Password) error {
+	for _, pw := range passwords {
+		existing, err := stor.GetPassword(ctx, pw.Email)
+		if errors.Is(err, storage.ErrNotFound) {
+			if err := stor.CreatePassword(ctx, storage.Password(pw)); err != nil {
+				return fmt.Errorf("failed to create password for %s: %w", pw.Email, err)
+			}
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("failed to get password for %s: %w", pw.Email, err)
+		}
+		if string(existing.Hash) != string(pw.Hash) {
+			if err := stor.UpdatePassword(ctx, pw.Email, func(old storage.Password) (storage.Password, error) {
+				old.Hash = pw.Hash
+				old.Username = pw.Username
+				return old, nil
+			}); err != nil {
+				return fmt.Errorf("failed to update password for %s: %w", pw.Email, err)
+			}
+		}
+	}
+	return nil
+}
+
+// ensureStaticClients creates or updates static clients in storage
+func ensureStaticClients(ctx context.Context, stor storage.Storage, clients []storage.Client) error {
+	for _, client := range clients {
+		_, err := stor.GetClient(ctx, client.ID)
+		if errors.Is(err, storage.ErrNotFound) {
+			if err := stor.CreateClient(ctx, client); err != nil {
+				return fmt.Errorf("failed to create client %s: %w", client.ID, err)
+			}
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("failed to get client %s: %w", client.ID, err)
+		}
+		if err := stor.UpdateClient(ctx, client.ID, func(old storage.Client) (storage.Client, error) {
+			old.RedirectURIs = client.RedirectURIs
+			old.Name = client.Name
+			old.Public = client.Public
+			return old, nil
+		}); err != nil {
+			return fmt.Errorf("failed to update client %s: %w", client.ID, err)
+		}
+	}
+	return nil
+}
+
+// ensureStaticConnectors creates or updates static connectors in storage
+func ensureStaticConnectors(ctx context.Context, stor storage.Storage, connectors []Connector) error {
+	for _, conn := range connectors {
+		storConn, err := conn.ToStorageConnector()
+		if err != nil {
+			return fmt.Errorf("failed to convert connector %s: %w", conn.ID, err)
+		}
+		_, err = stor.GetConnector(ctx, conn.ID)
+		if errors.Is(err, storage.ErrNotFound) {
+			if err := stor.CreateConnector(ctx, storConn); err != nil {
+				return fmt.Errorf("failed to create connector %s: %w", conn.ID, err)
+			}
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("failed to get connector %s: %w", conn.ID, err)
+		}
+		if err := stor.UpdateConnector(ctx, conn.ID, func(old storage.Connector) (storage.Connector, error) {
+			old.Name = storConn.Name
+			old.Config = storConn.Config
+			return old, nil
+		}); err != nil {
+			return fmt.Errorf("failed to update connector %s: %w", conn.ID, err)
+		}
+	}
+	return nil
+}
+
+// buildDexConfig creates a server.Config with defaults applied
+func buildDexConfig(yamlConfig *YAMLConfig, stor storage.Storage, logger *slog.Logger) server.Config {
+	cfg := yamlConfig.ToServerConfig(stor, logger)
+	cfg.PrometheusRegistry = prometheus.NewRegistry()
+	if cfg.RotateKeysAfter == 0 {
+		cfg.RotateKeysAfter = 24 * 30 * time.Hour
+	}
+	if cfg.IDTokensValidFor == 0 {
+		cfg.IDTokensValidFor = 24 * time.Hour
+	}
+	if cfg.Web.Issuer == "" {
+		cfg.Web.Issuer = "NetBird"
+	}
+	if len(cfg.SupportedResponseTypes) == 0 {
+		cfg.SupportedResponseTypes = []string{"code"}
+	}
+	return cfg
+}
+
+// Start starts the HTTP server and optionally the gRPC API server
+func (p *Provider) Start(_ context.Context) error {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if p.running {
+		return fmt.Errorf("already running")
+	}
+
+	// Determine listen address from config
+	var addr string
+	if p.yamlConfig != nil {
+		addr = p.yamlConfig.Web.HTTP
+		if addr == "" {
+			addr = p.yamlConfig.Web.HTTPS
+		}
+	} else if p.config != nil && p.config.Port > 0 {
+		addr = fmt.Sprintf(":%d", p.config.Port)
+	}
+	if addr == "" {
+		return fmt.Errorf("no listen address configured")
+	}
+
+	listener, err := net.Listen("tcp", addr)
+	if err != nil {
+		return fmt.Errorf("failed to listen on %s: %w", addr, err)
+	}
+	p.listener = listener
+
+	// Mount Dex at /oauth2/ path for reverse proxy compatibility
+	// Don't strip the prefix - Dex's issuer includes /oauth2 so it expects the full path
+	mux := http.NewServeMux()
+	mux.Handle("/oauth2/", p.dexServer)
+
+	p.httpServer = &http.Server{Handler: mux}
+	p.running = true
+
+	go func() {
+		if err := p.httpServer.Serve(listener); err != nil && err != http.ErrServerClosed {
+			p.logger.Error("http server error", "error", err)
+		}
+	}()
+
+	// Start gRPC API server if configured
+	if p.config.GRPCAddr != "" {
+		if err := p.startGRPCServer(); err != nil {
+			// Clean up HTTP server on failure
+			_ = p.httpServer.Close()
+			_ = p.listener.Close()
+			return fmt.Errorf("failed to start gRPC server: %w", err)
+		}
+	}
+
+	p.logger.Info("HTTP server started", "addr", addr)
+	return nil
+}
+
+// startGRPCServer starts the gRPC API server using Dex's built-in API
+func (p *Provider) startGRPCServer() error {
+	grpcListener, err := net.Listen("tcp", p.config.GRPCAddr)
+	if err != nil {
+		return fmt.Errorf("failed to listen on %s: %w", p.config.GRPCAddr, err)
+	}
+	p.grpcListener = grpcListener
+
+	p.grpcServer = grpc.NewServer()
+	// Use Dex's built-in API server implementation
+	// server.NewAPI(storage, logger, version, dexServer)
+	dexapi.RegisterDexServer(p.grpcServer, server.NewAPI(p.storage, p.logger, "netbird-dex", p.dexServer))
+
+	go func() {
+		if err := p.grpcServer.Serve(grpcListener); err != nil {
+			p.logger.Error("grpc server error", "error", err)
+		}
+	}()
+
+	p.logger.Info("gRPC API server started", "addr", p.config.GRPCAddr)
+	return nil
+}
+
+// Stop gracefully shuts down
+func (p *Provider) Stop(ctx context.Context) error {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if !p.running {
+		return nil
+	}
+
+	var errs []error
+
+	// Stop gRPC server first
+	if p.grpcServer != nil {
+		p.grpcServer.GracefulStop()
+		p.grpcServer = nil
+	}
+	if p.grpcListener != nil {
+		p.grpcListener.Close()
+		p.grpcListener = nil
+	}
+
+	if p.httpServer != nil {
+		if err := p.httpServer.Shutdown(ctx); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	// Explicitly close listener as fallback (Shutdown should do this, but be safe)
+	if p.listener != nil {
+		if err := p.listener.Close(); err != nil {
+			// Ignore "use of closed network connection" - expected after Shutdown
+			if !strings.Contains(err.Error(), "use of closed") {
+				errs = append(errs, err)
+			}
+		}
+		p.listener = nil
+	}
+
+	if p.storage != nil {
+		if err := p.storage.Close(); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	p.httpServer = nil
+	p.running = false
+
+	if len(errs) > 0 {
+		return fmt.Errorf("shutdown errors: %v", errs)
+	}
+	return nil
+}
+
+// EnsureDefaultClients creates dashboard and CLI OAuth clients
+// Uses Dex's storage.Client directly - no custom wrappers
+func (p *Provider) EnsureDefaultClients(ctx context.Context, dashboardURIs, cliURIs []string) error {
+	clients := []storage.Client{
+		{
+			ID:           "netbird-dashboard",
+			Name:         "NetBird Dashboard",
+			RedirectURIs: dashboardURIs,
+			Public:       true,
+		},
+		{
+			ID:           "netbird-cli",
+			Name:         "NetBird CLI",
+			RedirectURIs: cliURIs,
+			Public:       true,
+		},
+	}
+
+	for _, client := range clients {
+		_, err := p.storage.GetClient(ctx, client.ID)
+		if err == storage.ErrNotFound {
+			if err := p.storage.CreateClient(ctx, client); err != nil {
+				return fmt.Errorf("failed to create client %s: %w", client.ID, err)
+			}
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("failed to get client %s: %w", client.ID, err)
+		}
+		// Update if exists
+		if err := p.storage.UpdateClient(ctx, client.ID, func(old storage.Client) (storage.Client, error) {
+			old.RedirectURIs = client.RedirectURIs
+			return old, nil
+		}); err != nil {
+			return fmt.Errorf("failed to update client %s: %w", client.ID, err)
+		}
+	}
+
+	p.logger.Info("default OIDC clients ensured")
+	return nil
+}
+
+// Storage returns the underlying Dex storage for direct access
+// Users can use storage.Client, storage.Password, storage.Connector directly
+func (p *Provider) Storage() storage.Storage {
+	return p.storage
+}
+
+// Handler returns the Dex server as an http.Handler for embedding in another server.
+// The handler expects requests with path prefix "/oauth2/".
+func (p *Provider) Handler() http.Handler {
+	return p.dexServer
+}
+
+// CreateUser creates a new user with the given email, username, and password.
+// Returns the encoded user ID in Dex's format (base64-encoded protobuf with connector ID).
+func (p *Provider) CreateUser(ctx context.Context, email, username, password string) (string, error) {
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", fmt.Errorf("failed to hash password: %w", err)
+	}
+
+	userID := uuid.New().String()
+	err = p.storage.CreatePassword(ctx, storage.Password{
+		Email:    email,
+		Username: username,
+		UserID:   userID,
+		Hash:     hash,
+	})
+	if err != nil {
+		return "", err
+	}
+
+	// Encode the user ID in Dex's format: base64(protobuf{user_id, connector_id})
+	// This matches the format Dex uses in JWT tokens
+	encodedID := EncodeDexUserID(userID, "local")
+	return encodedID, nil
+}
+
+// EncodeDexUserID encodes user ID and connector ID into Dex's base64-encoded protobuf format.
+// Dex uses this format for the 'sub' claim in JWT tokens.
+// Format: base64(protobuf message with field 1 = user_id, field 2 = connector_id)
+func EncodeDexUserID(userID, connectorID string) string {
+	// Manually encode protobuf: field 1 (user_id) and field 2 (connector_id)
+	// Wire type 2 (length-delimited) for strings
+	var buf []byte
+
+	// Field 1: user_id (tag = 0x0a = field 1, wire type 2)
+	buf = append(buf, 0x0a)
+	buf = append(buf, byte(len(userID)))
+	buf = append(buf, []byte(userID)...)
+
+	// Field 2: connector_id (tag = 0x12 = field 2, wire type 2)
+	buf = append(buf, 0x12)
+	buf = append(buf, byte(len(connectorID)))
+	buf = append(buf, []byte(connectorID)...)
+
+	return base64.RawStdEncoding.EncodeToString(buf)
+}
+
+// DecodeDexUserID decodes Dex's base64-encoded user ID back to the raw user ID and connector ID.
+func DecodeDexUserID(encodedID string) (userID, connectorID string, err error) {
+	// Try RawStdEncoding first, then StdEncoding (with padding)
+	buf, err := base64.RawStdEncoding.DecodeString(encodedID)
+	if err != nil {
+		buf, err = base64.StdEncoding.DecodeString(encodedID)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to decode base64: %w", err)
+		}
+	}
+
+	// Parse protobuf manually
+	i := 0
+	for i < len(buf) {
+		if i >= len(buf) {
+			break
+		}
+		tag := buf[i]
+		i++
+
+		fieldNum := tag >> 3
+		wireType := tag & 0x07
+
+		if wireType != 2 { // We only expect length-delimited strings
+			return "", "", fmt.Errorf("unexpected wire type %d", wireType)
+		}
+
+		if i >= len(buf) {
+			return "", "", fmt.Errorf("truncated message")
+		}
+		length := int(buf[i])
+		i++
+
+		if i+length > len(buf) {
+			return "", "", fmt.Errorf("truncated string field")
+		}
+		value := string(buf[i : i+length])
+		i += length
+
+		switch fieldNum {
+		case 1:
+			userID = value
+		case 2:
+			connectorID = value
+		}
+	}
+
+	return userID, connectorID, nil
+}
+
+// GetUser returns a user by email
+func (p *Provider) GetUser(ctx context.Context, email string) (storage.Password, error) {
+	return p.storage.GetPassword(ctx, email)
+}
+
+// GetUserByID returns a user by user ID.
+// The userID can be either an encoded Dex ID (base64 protobuf) or a raw UUID.
+// Note: This requires iterating through all users since dex storage doesn't index by userID.
+func (p *Provider) GetUserByID(ctx context.Context, userID string) (storage.Password, error) {
+	// Try to decode the user ID in case it's encoded
+	rawUserID, _, err := DecodeDexUserID(userID)
+	if err != nil {
+		// If decoding fails, assume it's already a raw UUID
+		rawUserID = userID
+	}
+
+	users, err := p.storage.ListPasswords(ctx)
+	if err != nil {
+		return storage.Password{}, fmt.Errorf("failed to list users: %w", err)
+	}
+	for _, user := range users {
+		if user.UserID == rawUserID {
+			return user, nil
+		}
+	}
+	return storage.Password{}, storage.ErrNotFound
+}
+
+// DeleteUser removes a user by email
+func (p *Provider) DeleteUser(ctx context.Context, email string) error {
+	return p.storage.DeletePassword(ctx, email)
+}
+
+// ListUsers returns all users
+func (p *Provider) ListUsers(ctx context.Context) ([]storage.Password, error) {
+	return p.storage.ListPasswords(ctx)
+}
+
+// ensureLocalConnector creates a local (password) connector if none exists
+func ensureLocalConnector(ctx context.Context, stor storage.Storage) error {
+	connectors, err := stor.ListConnectors(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to list connectors: %w", err)
+	}
+
+	// If any connector exists, we're good
+	if len(connectors) > 0 {
+		return nil
+	}
+
+	// Create a local connector for password authentication
+	localConnector := storage.Connector{
+		ID:   "local",
+		Type: "local",
+		Name: "Email",
+	}
+
+	if err := stor.CreateConnector(ctx, localConnector); err != nil {
+		return fmt.Errorf("failed to create local connector: %w", err)
+	}
+
+	return nil
+}
+
+// ConnectorConfig represents the configuration for an identity provider connector
+type ConnectorConfig struct {
+	// ID is the unique identifier for the connector
+	ID string
+	// Name is a human-readable name for the connector
+	Name string
+	// Type is the connector type (oidc, google, microsoft)
+	Type string
+	// Issuer is the OIDC issuer URL (for OIDC-based connectors)
+	Issuer string
+	// ClientID is the OAuth2 client ID
+	ClientID string
+	// ClientSecret is the OAuth2 client secret
+	ClientSecret string
+	// RedirectURI is the OAuth2 redirect URI
+	RedirectURI string
+}
+
+// CreateConnector creates a new connector in Dex storage.
+// It maps the connector config to the appropriate Dex connector type and configuration.
+func (p *Provider) CreateConnector(ctx context.Context, cfg *ConnectorConfig) (*ConnectorConfig, error) {
+	// Fill in the redirect URI if not provided
+	if cfg.RedirectURI == "" {
+		cfg.RedirectURI = p.GetRedirectURI()
+	}
+
+	storageConn, err := p.buildStorageConnector(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build connector: %w", err)
+	}
+
+	if err := p.storage.CreateConnector(ctx, storageConn); err != nil {
+		return nil, fmt.Errorf("failed to create connector: %w", err)
+	}
+
+	p.logger.Info("connector created", "id", cfg.ID, "type", cfg.Type)
+	return cfg, nil
+}
+
+// GetConnector retrieves a connector by ID from Dex storage.
+func (p *Provider) GetConnector(ctx context.Context, id string) (*ConnectorConfig, error) {
+	conn, err := p.storage.GetConnector(ctx, id)
+	if err != nil {
+		if err == storage.ErrNotFound {
+			return nil, err
+		}
+		return nil, fmt.Errorf("failed to get connector: %w", err)
+	}
+
+	return p.parseStorageConnector(conn)
+}
+
+// ListConnectors returns all connectors from Dex storage (excluding the local connector).
+func (p *Provider) ListConnectors(ctx context.Context) ([]*ConnectorConfig, error) {
+	connectors, err := p.storage.ListConnectors(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list connectors: %w", err)
+	}
+
+	result := make([]*ConnectorConfig, 0, len(connectors))
+	for _, conn := range connectors {
+		// Skip the local password connector
+		if conn.ID == "local" && conn.Type == "local" {
+			continue
+		}
+
+		cfg, err := p.parseStorageConnector(conn)
+		if err != nil {
+			p.logger.Warn("failed to parse connector", "id", conn.ID, "error", err)
+			continue
+		}
+		result = append(result, cfg)
+	}
+
+	return result, nil
+}
+
+// UpdateConnector updates an existing connector in Dex storage.
+func (p *Provider) UpdateConnector(ctx context.Context, cfg *ConnectorConfig) error {
+	storageConn, err := p.buildStorageConnector(cfg)
+	if err != nil {
+		return fmt.Errorf("failed to build connector: %w", err)
+	}
+
+	if err := p.storage.UpdateConnector(ctx, cfg.ID, func(old storage.Connector) (storage.Connector, error) {
+		return storageConn, nil
+	}); err != nil {
+		return fmt.Errorf("failed to update connector: %w", err)
+	}
+
+	p.logger.Info("connector updated", "id", cfg.ID, "type", cfg.Type)
+	return nil
+}
+
+// DeleteConnector removes a connector from Dex storage.
+func (p *Provider) DeleteConnector(ctx context.Context, id string) error {
+	// Prevent deletion of the local connector
+	if id == "local" {
+		return fmt.Errorf("cannot delete the local password connector")
+	}
+
+	if err := p.storage.DeleteConnector(ctx, id); err != nil {
+		return fmt.Errorf("failed to delete connector: %w", err)
+	}
+
+	p.logger.Info("connector deleted", "id", id)
+	return nil
+}
+
+// buildStorageConnector creates a storage.Connector from ConnectorConfig.
+// It handles the type-specific configuration for each connector type.
+func (p *Provider) buildStorageConnector(cfg *ConnectorConfig) (storage.Connector, error) {
+	redirectURI := p.resolveRedirectURI(cfg.RedirectURI)
+
+	var dexType string
+	var configData []byte
+	var err error
+
+	switch cfg.Type {
+	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
+		dexType = "oidc"
+		configData, err = buildOIDCConnectorConfig(cfg, redirectURI)
+	case "google":
+		dexType = "google"
+		configData, err = buildOAuth2ConnectorConfig(cfg, redirectURI)
+	case "microsoft":
+		dexType = "microsoft"
+		configData, err = buildOAuth2ConnectorConfig(cfg, redirectURI)
+	default:
+		return storage.Connector{}, fmt.Errorf("unsupported connector type: %s", cfg.Type)
+	}
+	if err != nil {
+		return storage.Connector{}, err
+	}
+
+	return storage.Connector{ID: cfg.ID, Type: dexType, Name: cfg.Name, Config: configData}, nil
+}
+
+// resolveRedirectURI returns the redirect URI, using a default if not provided
+func (p *Provider) resolveRedirectURI(redirectURI string) string {
+	if redirectURI != "" || p.config == nil {
+		return redirectURI
+	}
+	issuer := strings.TrimSuffix(p.config.Issuer, "/")
+	if !strings.HasSuffix(issuer, "/oauth2") {
+		issuer += "/oauth2"
+	}
+	return issuer + "/callback"
+}
+
+// buildOIDCConnectorConfig creates config for OIDC-based connectors
+func buildOIDCConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte, error) {
+	oidcConfig := map[string]interface{}{
+		"issuer":       cfg.Issuer,
+		"clientID":     cfg.ClientID,
+		"clientSecret": cfg.ClientSecret,
+		"redirectURI":  redirectURI,
+		"scopes":       []string{"openid", "profile", "email"},
+	}
+	switch cfg.Type {
+	case "zitadel":
+		oidcConfig["getUserInfo"] = true
+	case "entra":
+		oidcConfig["insecureSkipEmailVerified"] = true
+		oidcConfig["claimMapping"] = map[string]string{"email": "preferred_username"}
+	case "okta":
+		oidcConfig["insecureSkipEmailVerified"] = true
+	}
+	return encodeConnectorConfig(oidcConfig)
+}
+
+// buildOAuth2ConnectorConfig creates config for OAuth2 connectors (google, microsoft)
+func buildOAuth2ConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte, error) {
+	return encodeConnectorConfig(map[string]interface{}{
+		"clientID":     cfg.ClientID,
+		"clientSecret": cfg.ClientSecret,
+		"redirectURI":  redirectURI,
+	})
+}
+
+// parseStorageConnector converts a storage.Connector back to ConnectorConfig.
+// It infers the original identity provider type from the Dex connector type and ID.
+func (p *Provider) parseStorageConnector(conn storage.Connector) (*ConnectorConfig, error) {
+	cfg := &ConnectorConfig{
+		ID:   conn.ID,
+		Name: conn.Name,
+	}
+
+	if len(conn.Config) == 0 {
+		cfg.Type = conn.Type
+		return cfg, nil
+	}
+
+	var configMap map[string]interface{}
+	if err := decodeConnectorConfig(conn.Config, &configMap); err != nil {
+		return nil, fmt.Errorf("failed to parse connector config: %w", err)
+	}
+
+	// Extract common fields
+	if v, ok := configMap["clientID"].(string); ok {
+		cfg.ClientID = v
+	}
+	if v, ok := configMap["clientSecret"].(string); ok {
+		cfg.ClientSecret = v
+	}
+	if v, ok := configMap["redirectURI"].(string); ok {
+		cfg.RedirectURI = v
+	}
+	if v, ok := configMap["issuer"].(string); ok {
+		cfg.Issuer = v
+	}
+
+	// Infer the original identity provider type from Dex connector type and ID
+	cfg.Type = inferIdentityProviderType(conn.Type, conn.ID, configMap)
+
+	return cfg, nil
+}
+
+// inferIdentityProviderType determines the original identity provider type
+// based on the Dex connector type, connector ID, and configuration.
+func inferIdentityProviderType(dexType, connectorID string, _ map[string]interface{}) string {
+	if dexType != "oidc" {
+		return dexType
+	}
+	return inferOIDCProviderType(connectorID)
+}
+
+// inferOIDCProviderType infers the specific OIDC provider from connector ID
+func inferOIDCProviderType(connectorID string) string {
+	connectorIDLower := strings.ToLower(connectorID)
+	for _, provider := range []string{"pocketid", "zitadel", "entra", "okta", "authentik", "keycloak"} {
+		if strings.Contains(connectorIDLower, provider) {
+			return provider
+		}
+	}
+	return "oidc"
+}
+
+// encodeConnectorConfig serializes connector config to JSON bytes.
+func encodeConnectorConfig(config map[string]interface{}) ([]byte, error) {
+	return json.Marshal(config)
+}
+
+// decodeConnectorConfig deserializes connector config from JSON bytes.
+func decodeConnectorConfig(data []byte, v interface{}) error {
+	return json.Unmarshal(data, v)
+}
+
+// GetRedirectURI returns the default redirect URI for connectors.
+func (p *Provider) GetRedirectURI() string {
+	if p.config == nil {
+		return ""
+	}
+	issuer := strings.TrimSuffix(p.config.Issuer, "/")
+	if !strings.HasSuffix(issuer, "/oauth2") {
+		issuer += "/oauth2"
+	}
+	return issuer + "/callback"
+}
+
+// GetIssuer returns the OIDC issuer URL.
+func (p *Provider) GetIssuer() string {
+	if p.config == nil {
+		return ""
+	}
+	issuer := strings.TrimSuffix(p.config.Issuer, "/")
+	if !strings.HasSuffix(issuer, "/oauth2") {
+		issuer += "/oauth2"
+	}
+	return issuer
+}
+
+// GetKeysLocation returns the JWKS endpoint URL for token validation.
+func (p *Provider) GetKeysLocation() string {
+	issuer := p.GetIssuer()
+	if issuer == "" {
+		return ""
+	}
+	return issuer + "/keys"
+}
+
+// GetTokenEndpoint returns the OAuth2 token endpoint URL.
+func (p *Provider) GetTokenEndpoint() string {
+	issuer := p.GetIssuer()
+	if issuer == "" {
+		return ""
+	}
+	return issuer + "/token"
+}
+
+// GetDeviceAuthEndpoint returns the OAuth2 device authorization endpoint URL.
+func (p *Provider) GetDeviceAuthEndpoint() string {
+	issuer := p.GetIssuer()
+	if issuer == "" {
+		return ""
+	}
+	return issuer + "/device/code"
+}
+
+// GetAuthorizationEndpoint returns the OAuth2 authorization endpoint URL.
+func (p *Provider) GetAuthorizationEndpoint() string {
+	issuer := p.GetIssuer()
+	if issuer == "" {
+		return ""
+	}
+	return issuer + "/auth"
+}
--- a/idp/dex/provider_test.go
+++ b/idp/dex/provider_test.go
@@ -0,0 +1,197 @@
+package dex
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUserCreationFlow(t *testing.T) {
+	ctx := context.Background()
+
+	// Create a temporary directory for the test
+	tmpDir, err := os.MkdirTemp("", "dex-test-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	// Create provider with minimal config
+	config := &Config{
+		Issuer:  "http://localhost:5556/dex",
+		Port:    5556,
+		DataDir: tmpDir,
+	}
+
+	provider, err := NewProvider(ctx, config)
+	require.NoError(t, err)
+	defer func() { _ = provider.Stop(ctx) }()
+
+	// Test user data
+	email := "test@example.com"
+	username := "testuser"
+	password := "testpassword123"
+
+	// Create the user
+	encodedID, err := provider.CreateUser(ctx, email, username, password)
+	require.NoError(t, err)
+	require.NotEmpty(t, encodedID)
+
+	t.Logf("Created user with encoded ID: %s", encodedID)
+
+	// Verify the encoded ID can be decoded
+	rawUserID, connectorID, err := DecodeDexUserID(encodedID)
+	require.NoError(t, err)
+	assert.NotEmpty(t, rawUserID)
+	assert.Equal(t, "local", connectorID)
+
+	t.Logf("Decoded: rawUserID=%s, connectorID=%s", rawUserID, connectorID)
+
+	// Verify we can look up the user by encoded ID
+	user, err := provider.GetUserByID(ctx, encodedID)
+	require.NoError(t, err)
+	assert.Equal(t, email, user.Email)
+	assert.Equal(t, username, user.Username)
+	assert.Equal(t, rawUserID, user.UserID)
+
+	// Verify we can also look up by raw UUID (backwards compatibility)
+	user2, err := provider.GetUserByID(ctx, rawUserID)
+	require.NoError(t, err)
+	assert.Equal(t, email, user2.Email)
+
+	// Verify we can look up by email
+	user3, err := provider.GetUser(ctx, email)
+	require.NoError(t, err)
+	assert.Equal(t, rawUserID, user3.UserID)
+
+	// Verify encoding produces consistent format
+	reEncodedID := EncodeDexUserID(rawUserID, "local")
+	assert.Equal(t, encodedID, reEncodedID)
+}
+
+func TestDecodeDexUserID(t *testing.T) {
+	tests := []struct {
+		name       string
+		encodedID  string
+		wantUserID string
+		wantConnID string
+		wantErr    bool
+	}{
+		{
+			name:       "valid encoded ID",
+			encodedID:  "CiQ3YWFkOGMwNS0zMjg3LTQ3M2YtYjQyYS0zNjU1MDRiZjI1ZTcSBWxvY2Fs",
+			wantUserID: "7aad8c05-3287-473f-b42a-365504bf25e7",
+			wantConnID: "local",
+			wantErr:    false,
+		},
+		{
+			name:       "invalid base64",
+			encodedID:  "not-valid-base64!!!",
+			wantUserID: "",
+			wantConnID: "",
+			wantErr:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			userID, connID, err := DecodeDexUserID(tt.encodedID)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.wantUserID, userID)
+			assert.Equal(t, tt.wantConnID, connID)
+		})
+	}
+}
+
+func TestEncodeDexUserID(t *testing.T) {
+	userID := "7aad8c05-3287-473f-b42a-365504bf25e7"
+	connectorID := "local"
+
+	encoded := EncodeDexUserID(userID, connectorID)
+	assert.NotEmpty(t, encoded)
+
+	// Verify round-trip
+	decodedUserID, decodedConnID, err := DecodeDexUserID(encoded)
+	require.NoError(t, err)
+	assert.Equal(t, userID, decodedUserID)
+	assert.Equal(t, connectorID, decodedConnID)
+}
+
+func TestEncodeDexUserID_MatchesDexFormat(t *testing.T) {
+	// This is an actual ID from Dex - verify our encoding matches
+	knownEncodedID := "CiQ3YWFkOGMwNS0zMjg3LTQ3M2YtYjQyYS0zNjU1MDRiZjI1ZTcSBWxvY2Fs"
+	knownUserID := "7aad8c05-3287-473f-b42a-365504bf25e7"
+	knownConnectorID := "local"
+
+	// Decode the known ID
+	userID, connID, err := DecodeDexUserID(knownEncodedID)
+	require.NoError(t, err)
+	assert.Equal(t, knownUserID, userID)
+	assert.Equal(t, knownConnectorID, connID)
+
+	// Re-encode and verify it matches
+	reEncoded := EncodeDexUserID(knownUserID, knownConnectorID)
+	assert.Equal(t, knownEncodedID, reEncoded)
+}
+
+func TestCreateUserInTempDB(t *testing.T) {
+	ctx := context.Background()
+
+	// Create temp directory
+	tmpDir, err := os.MkdirTemp("", "dex-create-user-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	// Create YAML config for the test
+	yamlContent := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + filepath.Join(tmpDir, "dex.db") + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+`
+	configPath := filepath.Join(tmpDir, "config.yaml")
+	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
+	require.NoError(t, err)
+
+	// Load config and create provider
+	yamlConfig, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	provider, err := NewProviderFromYAML(ctx, yamlConfig)
+	require.NoError(t, err)
+	defer func() { _ = provider.Stop(ctx) }()
+
+	// Create user
+	email := "newuser@example.com"
+	username := "newuser"
+	password := "securepassword123"
+
+	encodedID, err := provider.CreateUser(ctx, email, username, password)
+	require.NoError(t, err)
+
+	t.Logf("Created user: email=%s, encodedID=%s", email, encodedID)
+
+	// Verify lookup works with encoded ID
+	user, err := provider.GetUserByID(ctx, encodedID)
+	require.NoError(t, err)
+	assert.Equal(t, email, user.Email)
+	assert.Equal(t, username, user.Username)
+
+	// Decode and verify format
+	rawID, connID, err := DecodeDexUserID(encodedID)
+	require.NoError(t, err)
+	assert.Equal(t, "local", connID)
+	assert.Equal(t, rawID, user.UserID)
+
+	t.Logf("User lookup successful: rawID=%s, connectorID=%s", rawID, connID)
+}
--- a/idp/dex/web/robots.txt
+++ b/idp/dex/web/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
--- a/idp/dex/web/static/main.css
+++ b/idp/dex/web/static/main.css
@@ -0,0 +1 @@
+/* NetBird DEX Static CSS - main styles are inline in header.html */
--- a/idp/dex/web/templates/approval.html
+++ b/idp/dex/web/templates/approval.html
@@ -0,0 +1,26 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <h1 class="nb-heading">Grant Access</h1>
+    <p class="nb-subheading">{{ .Client }} wants to access your account</p>
+
+    <form method="post">
+        <input type="hidden" name="req" value="{{ .ReqID }}"/>
+        <input type="hidden" name="approval" value="approve"/>
+        <button type="submit" class="nb-btn">
+            Allow Access
+        </button>
+    </form>
+
+    <div class="nb-divider"></div>
+
+    <form method="post">
+        <input type="hidden" name="req" value="{{ .ReqID }}"/>
+        <input type="hidden" name="approval" value="rejected"/>
+        <button type="submit" class="nb-btn-connector" style="margin-bottom:0">
+            Deny Access
+        </button>
+    </form>
+</div>
+
+{{ template "footer.html" . }}
--- a/idp/dex/web/templates/device.html
+++ b/idp/dex/web/templates/device.html
@@ -0,0 +1,34 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <h1 class="nb-heading">Device Login</h1>
+    <p class="nb-subheading">Enter the code shown on your device</p>
+
+    <form method="post" action="{{ .PostURL }}">
+        {{ if .Invalid }}
+        <div class="nb-error">
+            Invalid user code.
+        </div>
+        {{ end }}
+
+        <div class="nb-form-group">
+            <label class="nb-label" for="user_code">Device Code</label>
+            <input
+                type="text"
+                id="user_code"
+                name="user_code"
+                class="nb-input"
+                placeholder="XXXX-XXXX"
+                {{ if .UserCode }}value="{{ .UserCode }}"{{ end }}
+                required
+                autofocus
+            >
+        </div>
+
+        <button type="submit" class="nb-btn">
+            Continue
+        </button>
+    </form>
+</div>
+
+{{ template "footer.html" . }}
--- a/idp/dex/web/templates/device_success.html
+++ b/idp/dex/web/templates/device_success.html
@@ -0,0 +1,16 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <div style="text-align:center;margin-bottom:24px">
+        <svg height="48" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
+            <circle cx="50" cy="50" fill="none" r="45" stroke="#5cb85c" stroke-width="3"/>
+            <path d="M30 50 L45 65 L70 35" fill="none" stroke="#5cb85c" stroke-width="5"/>
+        </svg>
+    </div>
+    <h1 class="nb-heading">Device Authorized</h1>
+    <p class="nb-subheading">
+        Your device has been successfully authorized. You can close this window.
+    </p>
+</div>
+
+{{ template "footer.html" . }}
--- a/idp/dex/web/templates/error.html
+++ b/idp/dex/web/templates/error.html
@@ -0,0 +1,16 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <div style="text-align:center;margin-bottom:24px">
+        <svg height="48" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
+            <circle cx="50" cy="50" fill="none" r="45" stroke="#f87171" stroke-width="3"/>
+            <path d="M30 30 L70 70 M30 70 L70 30" fill="none" stroke="#f87171" stroke-width="3"/>
+        </svg>
+    </div>
+    <h1 class="nb-heading">{{ .ErrType }}</h1>
+    <div class="nb-error">
+        {{ .ErrMsg }}
+    </div>
+</div>
+
+{{ template "footer.html" . }}
--- a/idp/dex/web/templates/footer.html
+++ b/idp/dex/web/templates/footer.html
@@ -0,0 +1,3 @@
+</div>
+</body>
+</html>
--- a/idp/dex/web/templates/header.html
+++ b/idp/dex/web/templates/header.html
@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+    <title>{{ issuer }}</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="icon" type="image/x-icon" href="{{ url .ReqPath "theme/favicon.ico" }}">
+    <style>
+        *,:after,:before{box-sizing:border-box;border:0 solid #e5e7eb}
+        html,body{margin:0;padding:0;font-family:ui-sans-serif,system-ui,sans-serif,Apple Color Emoji,Segoe UI Emoji;font-size:14px;line-height:1.5;background-color:#18191d;color:#e4e7e9;min-height:100vh}
+        .nb-container{max-width:820px;margin:0 auto;padding:40px 20px;display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh}
+        .nb-logo{width:180px;margin-bottom:40px}
+        .nb-card{background-color:#1b1f22;border:1px solid rgba(50,54,61,.5);border-radius:12px;padding:40px;width:100%;max-width:400px;box-shadow:0 20px 25px -5px rgba(0,0,0,.1),0 8px 10px -6px rgba(0,0,0,.1)}
+        .nb-heading{font-size:24px;font-weight:500;text-align:center;margin:0 0 24px 0;color:#fff}
+        .nb-subheading{font-size:14px;color:rgba(167,177,185,.8);text-align:center;margin-bottom:24px}
+        .nb-form-group{margin-bottom:16px}
+        .nb-label{display:block;font-size:13px;font-weight:500;color:#a7b1b9;margin-bottom:6px}
+        .nb-input{width:100%;padding:10px 14px;background-color:rgba(63,68,75,.5);border:1px solid rgba(63,68,75,.8);border-radius:8px;color:#e4e7e9;font-size:14px;outline:none;transition:border-color .2s}
+        .nb-input:focus{border-color:#f68330}
+        .nb-input::placeholder{color:rgba(167,177,185,.5)}
+        .nb-btn{width:100%;padding:12px 20px;background-color:#f68330;border:none;border-radius:8px;color:#fff;font-size:14px;font-weight:500;cursor:pointer;transition:background-color .2s}
+        .nb-btn:hover{background-color:#e5722a}
+        .nb-btn:disabled{opacity:.6;cursor:not-allowed}
+        .nb-btn-connector{width:100%;padding:12px 20px;background-color:rgba(63,68,75,.5);border:1px solid rgba(63,68,75,.8);border-radius:8px;color:#e4e7e9;font-size:14px;font-weight:500;cursor:pointer;transition:all .2s;display:flex;align-items:center;justify-content:flex-start;text-decoration:none;margin-bottom:12px;gap:12px}
+        .nb-btn-connector:hover{background-color:rgba(63,68,75,.8);border-color:rgba(63,68,75,1)}
+        .nb-btn-connector .nb-icon{width:20px;height:20px;flex-shrink:0;background-size:contain;background-position:center;background-repeat:no-repeat}
+        .nb-icon-google{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 48 48'%3E%3Cpath fill='%23FFC107' d='M43.611 20.083H42V20H24v8h11.303c-1.649 4.657-6.08 8-11.303 8-6.627 0-12-5.373-12-12s5.373-12 12-12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 12.955 4 4 12.955 4 24s8.955 20 20 20 20-8.955 20-20c0-1.341-.138-2.65-.389-3.917z'/%3E%3Cpath fill='%23FF3D00' d='m6.306 14.691 6.571 4.819C14.655 15.108 18.961 12 24 12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 16.318 4 9.656 8.337 6.306 14.691z'/%3E%3Cpath fill='%234CAF50' d='M24 44c5.166 0 9.86-1.977 13.409-5.192l-6.19-5.238A11.91 11.91 0 0 1 24 36c-5.202 0-9.619-3.317-11.283-7.946l-6.522 5.025C9.505 39.556 16.227 44 24 44z'/%3E%3Cpath fill='%231976D2' d='M43.611 20.083H42V20H24v8h11.303a12.04 12.04 0 0 1-4.087 5.571l.003-.002 6.19 5.238C36.971 39.205 44 34 44 24c0-1.341-.138-2.65-.389-3.917z'/%3E%3C/svg%3E")}
+        .nb-icon-github{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='1024' height='1024' fill='none'%3E%3Cpath fill='%23fff' fill-rule='evenodd' d='M512 0C229.12 0 0 229.12 0 512c0 226.56 146.56 417.92 350.08 485.76 25.6 4.48 35.2-10.88 35.2-24.32 0-12.16-.64-52.48-.64-95.36-128.64 23.68-161.92-31.36-172.16-60.16-5.76-14.72-30.72-60.16-52.48-72.32-17.92-9.6-43.52-33.28-.64-33.92 40.32-.64 69.12 37.12 78.72 52.48 46.08 77.44 119.68 55.68 149.12 42.24 4.48-33.28 17.92-55.68 32.64-68.48-113.92-12.8-232.96-56.96-232.96-252.8 0-55.68 19.84-101.76 52.48-137.6-5.12-12.8-23.04-65.28 5.12-135.68 0 0 42.88-13.44 140.8 52.48 40.96-11.52 84.48-17.28 128-17.28s87.04 5.76 128 17.28c97.92-66.56 140.8-52.48 140.8-52.48 28.16 70.4 10.24 122.88 5.12 135.68 32.64 35.84 52.48 81.28 52.48 137.6 0 196.48-119.68 240-233.6 252.8 18.56 16 34.56 46.72 34.56 94.72 0 68.48-.64 123.52-.64 140.8 0 13.44 9.6 29.44 35.2 24.32C877.44 929.92 1024 737.92 1024 512 1024 229.12 794.88 0 512 0' clip-rule='evenodd'/%3E%3C/svg%3E")}
+        .nb-icon-microsoft{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='221' height='221'%3E%3Cg fill='none'%3E%3Cpath fill='%23F1511B' d='M104.868 104.868H0V0h104.868z'/%3E%3Cpath fill='%2380CC28' d='M220.654 104.868H115.788V0h104.866z'/%3E%3Cpath fill='%2300ADEF' d='M104.865 220.695H0V115.828h104.865z'/%3E%3Cpath fill='%23FBBC09' d='M220.654 220.695H115.788V115.828h104.866z'/%3E%3C/g%3E%3C/svg%3E")}
+        .nb-icon-azure{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='150' height='150' viewBox='0 0 96 96'%3E%3Cdefs%3E%3ClinearGradient id='a' x1='-1032.172' x2='-1059.213' y1='145.312' y2='65.426' gradientTransform='matrix(1 0 0 -1 1075 158)' gradientUnits='userSpaceOnUse'%3E%3Cstop offset='0' stop-color='%23114a8b'/%3E%3Cstop offset='1' stop-color='%230669bc'/%3E%3C/linearGradient%3E%3ClinearGradient id='b' x1='-1023.725' x2='-1029.98' y1='108.083' y2='105.968' gradientTransform='matrix(1 0 0 -1 1075 158)' gradientUnits='userSpaceOnUse'%3E%3Cstop offset='0' stop-opacity='.3'/%3E%3Cstop offset='.071' stop-opacity='.2'/%3E%3Cstop offset='.321' stop-opacity='.1'/%3E%3Cstop offset='.623' stop-opacity='.05'/%3E%3Cstop offset='1' stop-opacity='0'/%3E%3C/linearGradient%3E%3ClinearGradient id='c' x1='-1027.165' x2='-997.482' y1='147.642' y2='68.561' gradientTransform='matrix(1 0 0 -1 1075 158)' gradientUnits='userSpaceOnUse'%3E%3Cstop offset='0' stop-color='%233ccbf4'/%3E%3Cstop offset='1' stop-color='%232892df'/%3E%3C/linearGradient%3E%3C/defs%3E%3Cpath fill='url(%23a)' d='M33.338 6.544h26.038l-27.03 80.087a4.15 4.15 0 0 1-3.933 2.824H8.149a4.145 4.145 0 0 1-3.928-5.47L29.404 9.368a4.15 4.15 0 0 1 3.934-2.825z'/%3E%3Cpath fill='%230078d4' d='M71.175 60.261h-41.29a1.911 1.911 0 0 0-1.305 3.309l26.532 24.764a4.17 4.17 0 0 0 2.846 1.121h23.38z'/%3E%3Cpath fill='url(%23b)' d='M33.338 6.544a4.12 4.12 0 0 0-3.943 2.879L4.252 83.917a4.14 4.14 0 0 0 3.908 5.538h20.787a4.44 4.44 0 0 0 3.41-2.9l5.014-14.777 17.91 16.705a4.24 4.24 0 0 0 2.666.972H81.24L71.024 60.261l-29.781.007L59.47 6.544z'/%3E%3Cpath fill='url(%23c)' d='M66.595 9.364a4.145 4.145 0 0 0-3.928-2.82H33.648a4.15 4.15 0 0 1 3.928 2.82l25.184 74.62a4.146 4.146 0 0 1-3.928 5.472h29.02a4.146 4.146 0 0 0 3.927-5.472z'/%3E%3C/svg%3E")}
+        .nb-icon-entra{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='18' height='18' data-name='Layer 1'%3E%3Cpath fill='%23225086' d='M3.802 14.032c.388.242 1.033.511 1.715.511.621 0 1.198-.18 1.676-.487l.002-.001L9 12.927V17a1.56 1.56 0 0 1-.824-.234z'/%3E%3Cpath fill='%236df' d='m7.853 1.507-7.5 8.46c-.579.654-.428 1.642.323 2.111l3.126 1.954c.388.242 1.033.511 1.715.511.621 0 1.198-.18 1.676-.487l.002-.001L9 12.927l-4.364-2.728 4.365-4.924V1c-.424 0-.847.169-1.147.507Z'/%3E%3Cpath fill='%23cbf8ff' d='m4.636 10.199.052.032L9 12.927h.001V5.276L9 5.275z'/%3E%3Cpath fill='%23074793' d='M17.324 12.078c.751-.469.902-1.457.323-2.111l-4.921-5.551a3.1 3.1 0 0 0-1.313-.291c-.925 0-1.752.399-2.302 1.026l-.109.123 4.364 4.924-4.365 2.728v4.073c.287 0 .573-.078.823-.234l7.5-4.688Z'/%3E%3Cpath fill='%230294e4' d='M9.001 1v4.275l.109-.123a3.05 3.05 0 0 1 2.302-1.026c.472 0 .916.107 1.313.291l-2.579-2.909A1.52 1.52 0 0 0 9 1.001Z'/%3E%3Cpath fill='%2396bcc2' d='M13.365 10.199 9.001 5.276v7.65z'/%3E%3C/svg%3E")}
+        .nb-icon-okta{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='36' height='36' fill='none'%3E%3Cpath fill='%23fff' fill-rule='evenodd' d='m19.8.26-.74 9.12c-.35-.04-.7-.06-1.06-.06-.45 0-.89.03-1.32.1L16.26 5c-.01-.14.1-.26.24-.26h.75L16.89.27c-.01-.14.1-.26.23-.26h2.45c.14 0 .25.12.23.26zm-6.18.45c-.04-.13-.18-.21-.31-.16l-2.3.84c-.13.05-.19.2-.13.32l1.87 4.08-.71.26c-.13.05-.19.2-.13.32l1.91 4.01c.69-.38 1.44-.67 2.23-.85L13.63.71zM7.98 3.25l5.29 7.46c-.67.44-1.28.96-1.8 1.56L8.3 9.15c-.1-.1-.09-.26.01-.35l.58-.48-3.15-3.19c-.1-.1-.09-.26.02-.35l1.87-1.57c.11-.09.26-.07.34.04zM3.54 7.57c-.11-.08-.27-.04-.34.08L1.98 9.77c-.07.12-.02.27.1.33l4.06 1.92-.38.65a.23.23 0 0 0 .11.33l4.04 1.85c.29-.75.68-1.45 1.16-2.08zM.55 13.33c.02-.14.16-.22.29-.19l8.85 2.31c-.23.75-.36 1.54-.38 2.36l-4.43-.36a.23.23 0 0 1-.21-.28l.13-.74-4.47-.42c-.14-.01-.23-.14-.21-.28l.42-2.41zm-.33 5.98c-.14.01-.23.14-.21.28L.44 22c.02.14.16.22.29.19l4.34-1.13.13.74c.02.14.16.22.29.19l4.28-1.18c-.25-.74-.41-1.53-.45-2.34l-9.11.84zm1.42 6.34a.236.236 0 0 1 .1-.33L10 21.4c.31.74.73 1.43 1.23 2.05l-3.62 2.58c-.11.08-.27.05-.34-.07l-.38-.66-3.69 2.55c-.11.08-.27.04-.34-.08l-1.23-2.12zm10.01-1.72-6.43 6.51c-.1.1-.09.26.02.35l1.88 1.57c.11.09.26.07.34-.04l2.6-3.66.58.49c.11.09.27.07.35-.05l2.52-3.66c-.68-.42-1.31-.93-1.85-1.51zm-1.27 10.45a.234.234 0 0 1-.13-.32l3.81-8.32c.7.36 1.46.63 2.25.78l-1.12 4.3c-.03.13-.18.21-.31.16l-.71-.26-1.19 4.33c-.04.13-.18.21-.31.16l-2.3-.84zm6.56-7.75-.74 9.12c-.01.14.1.26.23.26h2.45c.14 0 .25-.12.23-.26l-.36-4.47h.75c.14 0 .25-.12.24-.26l-.42-4.42c-.43.07-.87.1-1.32.1-.36 0-.71-.02-1.06-.07m8.82-24.69c.06-.13 0-.27-.13-.32l-2.3-.84c-.13-.05-.27.03-.31.16l-1.19 4.33-.71-.26c-.13-.05-.27.03-.31.16l-1.12 4.3c.8.16 1.55.43 2.25.78zm5.02 3.63-6.43 6.51a8.7 8.7 0 0 0-1.85-1.51l2.52-3.66c.08-.11.24-.14.35-.05l.58.49 2.6-3.66c.08-.11.24-.13.34-.04l1.88 1.57c.11.09.11.25.02.35zm3.48 5.12c.13-.06.17-.21.1-.33l-1.23-2.12a.246.246 0 0 0-.34-.08l-3.69 2.55-.38-.65c-.07-.12-.23-.16-.34-.07l-3.62 2.58c.5.62.91 1.31 1.23 2.05l8.26-3.92zm1.3 3.32.42 2.41c.02.14-.07.26-.21.28l-9.11.85c-.04-.82-.2-1.6-.45-2.34l4.28-1.18c.13-.04.27.05.29.19l.13.74 4.34-1.13c.13-.03.27.05.29.19zm-.41 8.85c.13.03.27-.05.29-.19l.42-2.41a.24.24 0 0 0-.21-.28l-4.47-.42.13-.74a.24.24 0 0 0-.21-.28l-4.43-.36c-.02.82-.15 1.61-.38 2.36l8.85 2.31zm-2.36 5.5c-.07.12-.23.15-.34.08l-7.53-5.2c.48-.63.87-1.33 1.16-2.08l4.04 1.85c.13.06.18.21.11.33l-.38.65 4.06 1.92c.12.06.17.21.1.33zm-10.07-3.07 5.29 7.46c.08.11.24.13.34.04l1.87-1.57c.11-.09.11-.25.02-.35l-3.15-3.19.58-.48c.11-.09.11-.25.01-.35l-3.17-3.12c-.53.6-1.13 1.13-1.8 1.56zm-.05 10.16c-.13.05-.27-.03-.31-.16l-2.42-8.82c.79-.18 1.54-.47 2.23-.85l1.91 4.01c.06.13 0 .28-.13.32l-.71.26 1.87 4.08c.06.13 0 .27-.13.32l-2.3.84z' clip-rule='evenodd'/%3E%3C/svg%3E")}
+        .nb-icon-jumpcloud{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='168' height='82' fill='none'%3E%3Cpath fill='%23fff' d='M167.627 58.455a22.705 22.705 0 0 1-22.707 22.707h-6.243c-.651-7.57-8.461-14.005-19.501-16.994a19.72 19.72 0 0 0 4.394-21.52 19.72 19.72 0 0 0-18.243-12.235 19.718 19.718 0 0 0-13.848 33.755 34.3 34.3 0 0 0-14.246 7.231 34.3 34.3 0 0 0-8.268-3.398 16.874 16.874 0 1 0-23.623 0C36.64 70.41 30.3 75.232 28.95 81.065h-6.243a22.73 22.73 0 0 1 0-45.438c2.89.01 5.753.567 8.437 1.64A22.66 22.66 0 0 1 51.85 24.08h1.64a29.601 29.601 0 0 1 54.429-9.642 24.1 24.1 0 0 1 21.003 3.439 24.11 24.11 0 0 1 10.092 18.738 22.66 22.66 0 0 1 28.613 21.935z'/%3E%3C/svg%3E")}
+        .nb-icon-pocketid{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 512 512'%3E%3Ccircle cx='256' cy='256' r='256' fill='%23fff'/%3E%3Cpath d='M268.6 102.4c64.4 0 116.8 52.4 116.8 116.7 0 25.3-8 49.4-23 69.6-14.8 19.9-35 34.3-58.4 41.7l-6.5 2-15.5-76.2 4.3-2c14-6.7 23-21.1 23-36.6 0-22.4-18.2-40.6-40.6-40.6S228 195.2 228 217.6c0 15.5 9 29.8 23 36.6l4.2 2-25 153.4h-69.5V102.4z' fill='%23191919'/%3E%3C/svg%3E")}
+        .nb-icon-zitadel{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='80' height='79' viewBox='0 0 80 79' fill='none'%3E%3Cdefs%3E%3ClinearGradient id='a' x1='3.86' x2='76.88' y1='47.89' y2='47.89' gradientUnits='userSpaceOnUse'%3E%3Cstop stop-color='%23FF8F00'/%3E%3Cstop offset='1' stop-color='%23FE00FF'/%3E%3C/linearGradient%3E%3C/defs%3E%3Cpath fill='url(%23a)' fill-rule='evenodd' d='M17.12 39.17l1.42 5.32-6.68 6.68 9.12 2.44 1.43 5.32-19.77-5.3L17.12 39.17zM58.82 22.41l-5.32-1.43-2.44-9.12-6.68 6.68-5.32-1.43 14.47-14.47 5.3 19.77zM52.65 67.11l3.89-3.89 9.12 2.44-2.44-9.12 3.9-3.9 5.29 19.77-19.76-5.3zM36.43 69.54l-1.18-12.07 8.23 2.21-7.05 9.86zM23 23.84l5.02 11.04 6.02-6.02L23 23.84zM69.32 36.2l-12.07-1.18 2.2 8.23 9.87-7.05z' clip-rule='evenodd'/%3E%3C/svg%3E")}
+        .nb-icon-authentik{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='-0.03 59.9 512.03 392.1'%3E%3Cpath fill='%23fd4b2d' d='M279.9 141h17.9v51.2h-17.9zm46.6-2.2h17.9v40h-17.9zM65.3 197.3c-24 0-46 13.2-57.4 34.3h30.4c13.5-11.6 33-15 47.1 0h32.2c-12.6-17.1-31.4-34.3-52.3-34.3'/%3E%3Cpath fill='%23fd4b2d' d='M108.7 262.4C66.8 350-6.6 275.3 38.3 231.5H7.9C-15.9 273 17 329 65.3 327.8c37.4 0 68.2-55.5 68.2-65.3 0-4.3-6-17.6-16-31H85.4c10.7 9.7 20 23.7 23.3 30.9'/%3E%3Cpath fill='%23fd4b2d' d='M512 140.3v231.3c0 44.3-36.1 80.4-80.4 80.4h-34.1v-78.8h-163V452h-34.1c-44.4 0-80.4-36.1-80.4-80.4v-72.8h258.4v-139H253.6V238H119.9v-97.6c0-3.1.2-6.2.5-9.2.4-3.7 1.1-7.3 2-10.8.3-1.1.6-2.3 1-3.4l.3-.8c.2-.6.4-1.1.5-1.7l.6-1.7.7-1.8.8-1.8c2-4.7 4.4-9.3 7.3-13.6l.1-.1 2.3-3.2 2-2.6 2.4-2.8 2.4-2.6.1-.1 1.4-1.4c3-2.9 6.2-5.6 9.6-8l2.8-1.9 3.3-2c2.1-1.2 4.2-2.4 6.5-3.4l2.1-1c3.1-1.3 6.2-2.5 9.4-3.4 1.2-.4 2.5-.7 3.7-1l1.8-.4c3.6-.8 7.2-1.3 10.9-1.6l1.6-.1h.8c1.2-.1 2.4-.1 3.7-.1h231.3c1.2 0 2.5 0 3.7.1h.8l1.6.1c3.7.3 7.3.8 10.9 1.6l1.8.4 3.7 1c3.2.9 6.3 2.1 9.4 3.4l2.1 1c2.2 1 4.4 2.2 6.5 3.4l3.3 2 2.8 1.9c3.9 2.8 7.6 6 11 9.4l2.4 2.6 2.4 2.8 2 2.6 2.3 3.2.1.1c2.9 4.3 5.3 8.8 7.3 13.6l.8 1.8.7 1.8.6 1.7.5 1.7.3.8 1 3.4c.9 3.6 1.6 7.2 2 10.8 0 3.1.2 6.1.2 9.2'/%3E%3Cpath fill='%23fd4b2d' d='M498.3 95.5H133.5c14.9-22.2 40-35.6 66.7-35.6h231.3c26.9 0 51.9 13.4 66.8 35.6m13.2 35.6H120.4c1.4-12.8 6-25 13.1-35.6h364.8c7.2 10.6 11.7 22.9 13.2 35.6m.5 9.2v26.4H378.3v-6.9H253.6v6.9H119.9v-26.4c0-3.1.2-6.2.5-9.2h391.1c.3 3.1.5 6.1.5 9.2M119.9 166.7h133.7v35.6H119.9zm258.4 0H512v35.6H378.3zm-258.4 35.6h133.7v35.6H119.9zm258.4 0H512v35.6H378.3z'/%3E%3C/svg%3E")}
+        .nb-icon-keycloak{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 512 512'%3E%3Cpath fill='%234d4d4d' d='M432.9 149.2c-1.4 0-2.7-.7-3.4-2L370.1 44.1c-.7-1.2-2-2-3.5-2H124.2c-1.4 0-2.7.7-3.4 2L58.9 150.9l23.9 34.9c-.7 1.2-6.2 24-5.5 25.2L58.9 360.9l61.9 106.9c.7 1.2 2 2 3.4 2h242.4c1.4 0 2.7-.7 3.5-2l59.4-103.2c.7-1.2 2-2 3.4-2h73.8c2.4 0 4.4-2 4.4-4.4V153.6c0-2.4-2-4.4-4.4-4.4z'/%3E%3Cpath fill='%2300b8e3' d='m223.9 151-59.7 103.4c-.3.5-.4 1.1-.4 1.7h-41.7l82-142q.75.45 1.2 1.2l18.6 32.3c.5 1.1.5 2.4 0 3.4'/%3E%3Cpath fill='%2333c6e9' d='M223.8 364.9 205.3 397q-.45.75-1.2 1.2l-82-142.2h41.7c0 .6.1 1.1.4 1.6l59.6 103.2c.8 1.2.9 2.9 0 4.1'/%3E%3Cpath fill='%23008aaa' d='m204 114.2-82 141.9-20.6 35.6-19.6-34c-.3-.5-.4-1-.4-1.6s.1-1.2.4-1.7l19.9-34.4 60.4-104.5c.6-1.1 1.8-1.8 3-1.8h37.2c.6 0 1.2.2 1.7.5'/%3E%3Cpath fill='%2300b8e3' d='M204 398.2c-.5.3-1.1.5-1.8.5h-37.1c-1.3 0-2.4-.7-3-1.8l-55.2-95.6-5.5-9.5 20.6-35.6z'/%3E%3Cpath fill='%23008aaa' d='m368.9 256.1-82 142q-.75-.45-1.2-1.2L267 364.7c-.5-1-.5-2.3 0-3.3L326.7 258c.3-.5.5-1.2.5-1.8z'/%3E%3Cpath fill='%2300b8e3' d='M409.4 256.1c0 .6-.2 1.3-.5 1.8l-80.3 139.3c-.6 1-1.8 1.7-3 1.6h-37c-.6 0-1.2-.2-1.8-.5L368.9 256l20.6-35.6 19.5 33.8c.3.7.4 1.3.4 1.9'/%3E%3Cpath fill='%2300b8e3' d='M368.9 256.1h-41.7c0-.6-.2-1.2-.5-1.8L267 151.2c-.6-1.1-.6-2.5 0-3.6l18.6-32.2q.45-.75 1.2-1.2z'/%3E%3Cpath fill='%2333c6e9' d='m389.4 220.5-20.6 35.6-82-142c.6-.3 1.2-.5 1.8-.5h37.1c1.2 0 2.3.6 3 1.6z'/%3E%3C/svg%3E")}
+        .nb-icon-email{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='%23a7b1b9' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Crect x='2' y='4' width='20' height='16' rx='2'/%3E%3Cpath d='m22 7-8.97 5.7a1.94 1.94 0 0 1-2.06 0L2 7'/%3E%3C/svg%3E")}
+        .nb-icon-default{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='%23a7b1b9' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpath d='M15 3h4a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2h-4'/%3E%3Cpolyline points='10 17 15 12 10 7'/%3E%3Cline x1='15' y1='12' x2='3' y2='12'/%3E%3C/svg%3E")}
+        .nb-error{background-color:rgba(153,27,27,.2);border:1px solid rgba(153,27,27,.5);border-radius:8px;padding:12px 16px;color:#f87171;font-size:13px;text-align:center;margin-bottom:16px}
+        .nb-link{color:#f68330;text-decoration:none;font-size:13px}
+        .nb-link:hover{text-decoration:underline}
+        .nb-back-link{text-align:center;margin-top:20px}
+        .nb-divider{height:1px;background-color:rgba(63,68,75,.5);margin:24px 0}
+    </style>
+</head>
+<body>
+<div class="nb-container">
+    <div class="nb-logo">
+        <svg width="180" height="31" viewBox="0 0 133 23" fill="none" xmlns="http://www.w3.org/2000/svg">
+            <g clip-path="url(#clip0)">
+                <path d="M46.9438 7.5013C48.1229 8.64688 48.7082 10.3025 48.7082 12.4683V21.6663H46.1411V12.8362C46.1411 11.2809 45.7481 10.0851 44.9704 9.26566C44.1928 8.43783 43.1308 8.0281 41.7846 8.0281C40.4383 8.0281 39.3345 8.45455 38.5234 9.30747C37.7123 10.1604 37.3109 11.4063 37.3109 13.0369V21.6663H34.7188V6.06305H37.3109V8.28732C37.821 7.49294 38.5234 6.87416 39.4014 6.43934C40.2878 6.00452 41.2578 5.78711 42.3197 5.78711C44.2179 5.78711 45.7565 6.36408 46.9355 7.50966L46.9438 7.5013Z" fill="#F2F2F2"/>
+                <path d="M67.1048 14.8344H54.6288C54.7208 16.373 55.2476 17.5771 56.2092 18.4384C57.1708 19.2997 58.3331 19.7345 59.6961 19.7345C60.8166 19.7345 61.7531 19.4753 62.4973 18.9485C63.2499 18.4301 63.7767 17.7277 64.0777 16.858H66.8706C66.4525 18.3548 65.6163 19.5756 64.3621 20.5205C63.1078 21.4571 61.5525 21.9337 59.6878 21.9337C58.2077 21.9337 56.8865 21.5992 55.7159 20.9386C54.5452 20.278 53.6337 19.3331 52.9648 18.1039C52.2958 16.8831 51.9697 15.4616 51.9697 13.8477C51.9697 12.2339 52.2958 10.8207 52.9397 9.60825C53.5836 8.39578 54.495 7.45924 55.6573 6.80702C56.828 6.15479 58.1659 5.82031 59.6878 5.82031C61.2096 5.82031 62.4806 6.14643 63.6178 6.79029C64.7551 7.43416 65.6331 8.32052 66.2518 9.44938C66.8706 10.5782 67.18 11.8576 67.18 13.2791C67.18 13.7725 67.1549 14.2909 67.0964 14.8428L67.1048 14.8344ZM63.8603 10.1769C63.4255 9.4661 62.8318 8.92258 62.0793 8.55465C61.3267 8.18673 60.4989 8.00277 59.5874 8.00277C58.2746 8.00277 57.1625 8.42086 56.2427 9.25705C55.3228 10.0932 54.796 11.2472 54.6623 12.7356H64.5126C64.5126 11.7489 64.2952 10.896 63.8603 10.1852V10.1769Z" fill="#F2F2F2"/>
+                <path d="M73.7695 8.20355V17.4016C73.7695 18.1626 73.9284 18.6977 74.2545 19.0071C74.5806 19.3165 75.1409 19.4754 75.9352 19.4754H77.8418V21.6662H75.5088C74.0622 21.6662 72.9835 21.3317 72.2644 20.6711C71.5452 20.0105 71.1857 18.9151 71.1857 17.3933V8.19519H69.1621V6.0629H71.1857V2.13281H73.7779V6.0629H77.8501V8.19519H73.7779L73.7695 8.20355Z" fill="#F2F2F2"/>
+                <path d="M85.9022 6.68902C86.9307 6.10369 88.093 5.80266 89.4058 5.80266C90.8106 5.80266 92.0732 6.13714 93.1937 6.79773C94.3142 7.46668 95.2006 8.39485 95.8444 9.59896C96.4883 10.8031 96.8144 12.2079 96.8144 13.7966C96.8144 15.3854 96.4883 16.7818 95.8444 18.011C95.2006 19.2486 94.3142 20.2018 93.1854 20.8875C92.0565 21.5732 90.7939 21.916 89.4141 21.916C88.0344 21.916 86.8805 21.6234 85.8687 21.0297C84.8569 20.4443 84.0876 19.6918 83.5775 18.7803V21.6568H80.9854V0.601562H83.5775V8.97182C84.1127 8.04365 84.8904 7.28272 85.9105 6.69738L85.9022 6.68902ZM93.4529 10.7362C92.9763 9.86654 92.3408 9.19759 91.5297 8.74605C90.7186 8.29451 89.8322 8.06037 88.8706 8.06037C87.909 8.06037 87.0394 8.29451 86.2366 8.75441C85.4255 9.22268 84.7817 9.89163 84.2967 10.778C83.8117 11.6643 83.5692 12.6845 83.5692 13.8384C83.5692 14.9924 83.8117 16.046 84.2967 16.9323C84.7817 17.8187 85.4255 18.4877 86.2366 18.9559C87.0394 19.4242 87.9174 19.65 88.8706 19.65C89.8239 19.65 90.727 19.4158 91.5297 18.9559C92.3324 18.4877 92.9763 17.8187 93.4529 16.9323C93.9296 16.046 94.1637 15.0091 94.1637 13.8134C94.1637 12.6176 93.9296 11.6142 93.4529 10.7362Z" fill="#F2F2F2"/>
+                <path d="M100.318 3.01864C99.9749 2.67581 99.8076 2.25771 99.8076 1.76436C99.8076 1.27101 99.9749 0.852913 100.318 0.510076C100.661 0.167238 101.079 0 101.572 0C102.065 0 102.45 0.167238 102.784 0.510076C103.119 0.852913 103.286 1.27101 103.286 1.76436C103.286 2.25771 103.119 2.67581 102.784 3.01864C102.45 3.36148 102.049 3.52872 101.572 3.52872C101.095 3.52872 100.661 3.36148 100.318 3.01864ZM102.826 6.06237V21.6657H100.234V6.06237H102.826Z" fill="#F2F2F2"/>
+                <path d="M111.773 6.52155C112.617 6.0282 113.646 5.77734 114.867 5.77734V8.45315H114.181C111.28 8.45315 109.825 10.0252 109.825 13.1776V21.6649H107.232V6.06165H109.825V8.5953C110.276 7.70058 110.928 7.00654 111.773 6.51319V6.52155Z" fill="#F2F2F2"/>
+                <path d="M117.861 9.60732C118.505 8.40321 119.391 7.46668 120.52 6.80609C121.649 6.1455 122.92 5.81102 124.325 5.81102C125.537 5.81102 126.666 6.09533 127.711 6.64721C128.757 7.20746 129.551 7.94331 130.103 8.85475V0.601562H132.72V21.6735H130.103V18.7385C129.593 19.6667 128.832 20.436 127.828 21.0297C126.825 21.6317 125.646 21.9244 124.3 21.9244C122.953 21.9244 121.657 21.5816 120.528 20.8959C119.4 20.2102 118.513 19.257 117.869 18.0194C117.226 16.7818 116.899 15.377 116.899 13.805C116.899 12.233 117.226 10.8114 117.869 9.60732H117.861ZM129.392 10.7613C128.915 9.89163 128.28 9.22268 127.469 8.75441C126.658 8.28614 125.771 8.06037 124.81 8.06037C123.848 8.06037 122.962 8.28614 122.159 8.74605C121.356 9.20595 120.729 9.86654 120.253 10.7362C119.776 11.6058 119.542 12.6343 119.542 13.8134C119.542 14.9924 119.776 16.046 120.253 16.9323C120.729 17.8187 121.365 18.4877 122.159 18.9559C122.953 19.4242 123.84 19.65 124.81 19.65C125.78 19.65 126.666 19.4158 127.469 18.9559C128.272 18.4877 128.915 17.8187 129.392 16.9323C129.869 16.046 130.103 15.0175 130.103 13.8384C130.103 12.6594 129.869 11.6393 129.392 10.7613Z" fill="#F2F2F2"/>
+                <path d="M21.4651 0.568359C17.8193 0.902835 16.0047 3.00167 15.3191 4.06363L4.66602 22.5183H17.5182L30.1949 0.568359H21.4651Z" fill="#F68330"/>
+                <path d="M17.5265 22.5187L0 3.9302C0 3.9302 19.8177 -1.39633 21.7493 15.2188L17.5265 22.5187Z" fill="#F68330"/>
+                <path d="M14.9255 4.75055L9.54883 14.0657L17.5177 22.5196L21.7405 15.2029C21.0715 9.49174 18.287 6.37276 14.9255 4.74219" fill="#F35E32"/>
+            </g>
+            <defs>
+                <clipPath id="clip0">
+                    <rect width="132.72" height="22.5186" fill="white"/>
+                </clipPath>
+            </defs>
+        </svg>
+    </div>
--- a/idp/dex/web/templates/login.html
+++ b/idp/dex/web/templates/login.html
@@ -0,0 +1,56 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <h1 class="nb-heading">Sign in</h1>
+    <p class="nb-subheading">Choose your login method</p>
+
+    {{/* First pass: render Email/Local connectors at the top */}}
+    {{ range $c := .Connectors }}
+    {{- $nameLower := lower $c.Name -}}
+    {{- $idLower := lower $c.ID -}}
+    {{- if or (contains "email" $nameLower) (contains "email" $idLower) (contains "local" $nameLower) (contains "local" $idLower) -}}
+    <a href="{{ $c.URL }}" class="nb-btn-connector">
+        <span class="nb-icon nb-icon-email"></span>
+        <span>Continue with {{ $c.Name }}</span>
+    </a>
+    {{- end -}}
+    {{ end }}
+
+    {{/* Second pass: render all other connectors */}}
+    {{ range $c := .Connectors }}
+    {{- $nameLower := lower $c.Name -}}
+    {{- $idLower := lower $c.ID -}}
+    {{- if not (or (contains "email" $nameLower) (contains "email" $idLower) (contains "local" $nameLower) (contains "local" $idLower)) -}}
+    <a href="{{ $c.URL }}" class="nb-btn-connector">
+        {{- $iconClass := "nb-icon-default" -}}
+        {{- if or (contains "google" $nameLower) (contains "google" $idLower) -}}
+            {{- $iconClass = "nb-icon-google" -}}
+        {{- else if or (contains "github" $nameLower) (contains "github" $idLower) -}}
+            {{- $iconClass = "nb-icon-github" -}}
+        {{- else if or (contains "entra" $nameLower) (contains "entra" $idLower) -}}
+            {{- $iconClass = "nb-icon-entra" -}}
+        {{- else if or (contains "azure" $nameLower) (contains "azure" $idLower) -}}
+            {{- $iconClass = "nb-icon-azure" -}}
+        {{- else if or (contains "microsoft" $nameLower) (contains "microsoft" $idLower) -}}
+            {{- $iconClass = "nb-icon-microsoft" -}}
+        {{- else if or (contains "okta" $nameLower) (contains "okta" $idLower) -}}
+            {{- $iconClass = "nb-icon-okta" -}}
+        {{- else if or (contains "jumpcloud" $nameLower) (contains "jumpcloud" $idLower) -}}
+            {{- $iconClass = "nb-icon-jumpcloud" -}}
+        {{- else if or (contains "pocket" $nameLower) (contains "pocket" $idLower) -}}
+            {{- $iconClass = "nb-icon-pocketid" -}}
+        {{- else if or (contains "zitadel" $nameLower) (contains "zitadel" $idLower) -}}
+            {{- $iconClass = "nb-icon-zitadel" -}}
+        {{- else if or (contains "authentik" $nameLower) (contains "authentik" $idLower) -}}
+            {{- $iconClass = "nb-icon-authentik" -}}
+        {{- else if or (contains "keycloak" $nameLower) (contains "keycloak" $idLower) -}}
+            {{- $iconClass = "nb-icon-keycloak" -}}
+        {{- end -}}
+        <span class="nb-icon {{ $iconClass }}"></span>
+        <span>Continue with {{ $c.Name }}</span>
+    </a>
+    {{- end -}}
+    {{ end }}
+</div>
+
+{{ template "footer.html" . }}
--- a/idp/dex/web/templates/oob.html
+++ b/idp/dex/web/templates/oob.html
@@ -0,0 +1,19 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <div style="text-align:center;margin-bottom:24px">
+        <svg height="48" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
+            <circle cx="50" cy="50" fill="none" r="45" stroke="#5cb85c" stroke-width="3"/>
+            <path d="M30 50 L45 65 L70 35" fill="none" stroke="#5cb85c" stroke-width="5"/>
+        </svg>
+    </div>
+    <h1 class="nb-heading">Login Successful</h1>
+    <p class="nb-subheading">
+        Copy this code back to your application:
+    </p>
+    <div style="background-color:rgba(63,68,75,.5);border-radius:8px;padding:16px;text-align:center;font-family:monospace;font-size:16px;color:#f68330;margin-top:16px">
+        {{ .Code }}
+    </div>
+</div>
+
+{{ template "footer.html" . }}
--- a/idp/dex/web/templates/password.html
+++ b/idp/dex/web/templates/password.html
@@ -0,0 +1,58 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <h1 class="nb-heading">Sign in</h1>
+    <p class="nb-subheading">Enter your credentials</p>
+
+    <form method="post" action="{{ .PostURL }}">
+        {{ if .Invalid }}
+        <div class="nb-error">
+            Invalid {{ .UsernamePrompt }} or password.
+        </div>
+        {{ end }}
+
+        <div class="nb-form-group">
+            <label class="nb-label" for="login">{{ .UsernamePrompt }}</label>
+            <input
+                type="text"
+                id="login"
+                name="login"
+                class="nb-input"
+                placeholder="Enter your {{ .UsernamePrompt | lower }}"
+                {{ if .Username }}value="{{ .Username }}"{{ else }}autofocus{{ end }}
+                required
+            >
+        </div>
+
+        <div class="nb-form-group">
+            <label class="nb-label" for="password">Password</label>
+            <input
+                type="password"
+                id="password"
+                name="password"
+                class="nb-input"
+                placeholder="Enter your password"
+                {{ if .Invalid }}autofocus{{ end }}
+                required
+            >
+        </div>
+
+        <button type="submit" id="submit-login" class="nb-btn">
+            Sign in
+        </button>
+    </form>
+
+    {{ if .BackLink }}
+    <div class="nb-back-link">
+        <a href="{{ .BackLink }}" class="nb-link">Choose another login method</a>
+    </div>
+    {{ end }}
+</div>
+
+<script>
+document.querySelector('form').onsubmit = function() {
+    document.getElementById('submit-login').disabled = true;
+};
+</script>
+
+{{ template "footer.html" . }}
--- a/idp/dex/web/themes/light/favicon.ico
+++ b/idp/dex/web/themes/light/favicon.ico
--- a/idp/dex/web/themes/light/favicon.png
+++ b/idp/dex/web/themes/light/favicon.png
--- a/idp/dex/web/themes/light/logo.png
+++ b/idp/dex/web/themes/light/logo.png
--- a/idp/dex/web/themes/light/styles.css
+++ b/idp/dex/web/themes/light/styles.css
@@ -0,0 +1 @@
+/* NetBird DEX Theme - styles loaded but CSS is inline in header.html */
--- a/idp/dex/web/web.go
+++ b/idp/dex/web/web.go
@@ -0,0 +1,14 @@
+package web
+
+import (
+	"embed"
+	"io/fs"
+)
+
+//go:embed static/* templates/* themes/* robots.txt
+var files embed.FS
+
+// FS returns the embedded web assets filesystem.
+func FS() fs.FS {
+	return files
+}
--- a/idp/sdk/sdk.go
+++ b/idp/sdk/sdk.go
@@ -0,0 +1,135 @@
+// Package sdk provides an embeddable SDK for the Dex OIDC identity provider.
+package sdk
+
+import (
+	"context"
+
+	"github.com/dexidp/dex/storage"
+
+	"github.com/netbirdio/netbird/idp/dex"
+)
+
+// DexIdP wraps the Dex provider with a builder pattern
+type DexIdP struct {
+	provider   *dex.Provider
+	config     *dex.Config
+	yamlConfig *dex.YAMLConfig
+}
+
+// Option configures a DexIdP instance
+type Option func(*dex.Config)
+
+// WithIssuer sets the OIDC issuer URL
+func WithIssuer(issuer string) Option {
+	return func(c *dex.Config) { c.Issuer = issuer }
+}
+
+// WithPort sets the HTTP port
+func WithPort(port int) Option {
+	return func(c *dex.Config) { c.Port = port }
+}
+
+// WithDataDir sets the data directory for storage
+func WithDataDir(dir string) Option {
+	return func(c *dex.Config) { c.DataDir = dir }
+}
+
+// WithDevMode enables development mode (allows HTTP)
+func WithDevMode(dev bool) Option {
+	return func(c *dex.Config) { c.DevMode = dev }
+}
+
+// WithGRPCAddr sets the gRPC API address
+func WithGRPCAddr(addr string) Option {
+	return func(c *dex.Config) { c.GRPCAddr = addr }
+}
+
+// New creates a new DexIdP instance with the given options
+func New(opts ...Option) (*DexIdP, error) {
+	config := &dex.Config{
+		Port:    33081,
+		DevMode: true,
+	}
+
+	for _, opt := range opts {
+		opt(config)
+	}
+
+	return &DexIdP{config: config}, nil
+}
+
+// NewFromConfigFile creates a new DexIdP instance from a YAML config file
+func NewFromConfigFile(path string) (*DexIdP, error) {
+	yamlConfig, err := dex.LoadConfig(path)
+	if err != nil {
+		return nil, err
+	}
+	return &DexIdP{yamlConfig: yamlConfig}, nil
+}
+
+// NewFromYAMLConfig creates a new DexIdP instance from a YAMLConfig
+func NewFromYAMLConfig(yamlConfig *dex.YAMLConfig) (*DexIdP, error) {
+	return &DexIdP{yamlConfig: yamlConfig}, nil
+}
+
+// Start initializes and starts the embedded OIDC provider
+func (d *DexIdP) Start(ctx context.Context) error {
+	var err error
+	if d.yamlConfig != nil {
+		d.provider, err = dex.NewProviderFromYAML(ctx, d.yamlConfig)
+	} else {
+		d.provider, err = dex.NewProvider(ctx, d.config)
+	}
+	if err != nil {
+		return err
+	}
+	return d.provider.Start(ctx)
+}
+
+// Stop gracefully shuts down the provider
+func (d *DexIdP) Stop(ctx context.Context) error {
+	if d.provider != nil {
+		return d.provider.Stop(ctx)
+	}
+	return nil
+}
+
+// EnsureDefaultClients creates the default NetBird OAuth clients
+func (d *DexIdP) EnsureDefaultClients(ctx context.Context, dashboardURIs, cliURIs []string) error {
+	return d.provider.EnsureDefaultClients(ctx, dashboardURIs, cliURIs)
+}
+
+// Storage exposes Dex storage for direct user/client/connector management
+// Use storage.Client, storage.Password, storage.Connector directly
+func (d *DexIdP) Storage() storage.Storage {
+	return d.provider.Storage()
+}
+
+// CreateUser creates a new user with the given email, username, and password.
+// Returns the encoded user ID in Dex's format.
+func (d *DexIdP) CreateUser(ctx context.Context, email, username, password string) (string, error) {
+	return d.provider.CreateUser(ctx, email, username, password)
+}
+
+// DeleteUser removes a user by email
+func (d *DexIdP) DeleteUser(ctx context.Context, email string) error {
+	return d.provider.DeleteUser(ctx, email)
+}
+
+// ListUsers returns all users
+func (d *DexIdP) ListUsers(ctx context.Context) ([]storage.Password, error) {
+	return d.provider.ListUsers(ctx)
+}
+
+// IssuerURL returns the OIDC issuer URL
+func (d *DexIdP) IssuerURL() string {
+	if d.yamlConfig != nil {
+		return d.yamlConfig.Issuer
+	}
+	return d.config.Issuer
+}
+
+// DiscoveryEndpoint returns the OIDC discovery endpoint URL
+func (d *DexIdP) DiscoveryEndpoint() string {
+	return d.IssuerURL() + "/.well-known/openid-configuration"
+}
--- a/infrastructure_files/getting-started.sh
+++ b/infrastructure_files/getting-started.sh
@@ -0,0 +1,406 @@
+#!/bin/bash
+
+set -e
+
+# NetBird Getting Started with Embedded IdP (Dex)
+# This script sets up NetBird with the embedded Dex identity provider
+# No separate Dex container or reverse proxy needed - IdP is built into management server
+
+# Sed pattern to strip base64 padding characters
+SED_STRIP_PADDING='s/=//g'
+
+check_docker_compose() {
+  if command -v docker-compose &> /dev/null
+  then
+      echo "docker-compose"
+      return
+  fi
+  if docker compose --help &> /dev/null
+  then
+      echo "docker compose"
+      return
+  fi
+
+  echo "docker-compose is not installed or not in PATH. Please follow the steps from the official guide: https://docs.docker.com/engine/install/" > /dev/stderr
+  exit 1
+}
+
+check_jq() {
+  if ! command -v jq &> /dev/null
+  then
+    echo "jq is not installed or not in PATH, please install with your package manager. e.g. sudo apt install jq" > /dev/stderr
+    exit 1
+  fi
+  return 0
+}
+
+get_main_ip_address() {
+  if [[ "$OSTYPE" == "darwin"* ]]; then
+    interface=$(route -n get default | grep 'interface:' | awk '{print $2}')
+    ip_address=$(ifconfig "$interface" | grep 'inet ' | awk '{print $2}')
+  else
+    interface=$(ip route | grep default | awk '{print $5}' | head -n 1)
+    ip_address=$(ip addr show "$interface" | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)
+  fi
+
+  echo "$ip_address"
+  return 0
+}
+
+check_nb_domain() {
+  DOMAIN=$1
+  if [[ "$DOMAIN-x" == "-x" ]]; then
+    echo "The NETBIRD_DOMAIN variable cannot be empty." > /dev/stderr
+    return 1
+  fi
+
+  if [[ "$DOMAIN" == "netbird.example.com" ]]; then
+    echo "The NETBIRD_DOMAIN cannot be netbird.example.com" > /dev/stderr
+    return 1
+  fi
+  return 0
+}
+
+read_nb_domain() {
+  READ_NETBIRD_DOMAIN=""
+  echo -n "Enter the domain you want to use for NetBird (e.g. netbird.my-domain.com): " > /dev/stderr
+  read -r READ_NETBIRD_DOMAIN < /dev/tty
+  if ! check_nb_domain "$READ_NETBIRD_DOMAIN"; then
+    read_nb_domain
+  fi
+  echo "$READ_NETBIRD_DOMAIN"
+  return 0
+}
+
+get_turn_external_ip() {
+  TURN_EXTERNAL_IP_CONFIG="#external-ip="
+  IP=$(curl -s -4 https://jsonip.com | jq -r '.ip')
+  if [[ "x-$IP" != "x-" ]]; then
+    TURN_EXTERNAL_IP_CONFIG="external-ip=$IP"
+  fi
+  echo "$TURN_EXTERNAL_IP_CONFIG"
+  return 0
+}
+
+wait_management() {
+  set +e
+  echo -n "Waiting for Management server to become ready"
+  counter=1
+  while true; do
+    # Check the embedded IdP endpoint
+    if curl -sk -f -o /dev/null "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/oauth2/.well-known/openid-configuration" 2>/dev/null; then
+      break
+    fi
+    if [[ $counter -eq 60 ]]; then
+      echo ""
+      echo "Taking too long. Checking logs..."
+      $DOCKER_COMPOSE_COMMAND logs --tail=20 caddy
+      $DOCKER_COMPOSE_COMMAND logs --tail=20 management
+    fi
+    echo -n " ."
+    sleep 2
+    counter=$((counter + 1))
+  done
+  echo " done"
+  set -e
+  return 0
+}
+
+init_environment() {
+  CADDY_SECURE_DOMAIN=""
+  NETBIRD_PORT=80
+  NETBIRD_HTTP_PROTOCOL="http"
+  NETBIRD_RELAY_PROTO="rel"
+  TURN_USER="self"
+  TURN_PASSWORD=$(openssl rand -base64 32 | sed "$SED_STRIP_PADDING")
+  NETBIRD_RELAY_AUTH_SECRET=$(openssl rand -base64 32 | sed "$SED_STRIP_PADDING")
+  # Note: DataStoreEncryptionKey must keep base64 padding (=) for Go's base64.StdEncoding
+  DATASTORE_ENCRYPTION_KEY=$(openssl rand -base64 32)
+  TURN_MIN_PORT=49152
+  TURN_MAX_PORT=65535
+  TURN_EXTERNAL_IP_CONFIG=$(get_turn_external_ip)
+
+  if ! check_nb_domain "$NETBIRD_DOMAIN"; then
+    NETBIRD_DOMAIN=$(read_nb_domain)
+  fi
+
+  if [[ "$NETBIRD_DOMAIN" == "use-ip" ]]; then
+    NETBIRD_DOMAIN=$(get_main_ip_address)
+  else
+    NETBIRD_PORT=443
+    CADDY_SECURE_DOMAIN=", $NETBIRD_DOMAIN:$NETBIRD_PORT"
+    NETBIRD_HTTP_PROTOCOL="https"
+    NETBIRD_RELAY_PROTO="rels"
+  fi
+
+  check_jq
+
+  DOCKER_COMPOSE_COMMAND=$(check_docker_compose)
+
+  if [[ -f management.json ]]; then
+    echo "Generated files already exist, if you want to reinitialize the environment, please remove them first."
+    echo "You can use the following commands:"
+    echo "  $DOCKER_COMPOSE_COMMAND down --volumes # to remove all containers and volumes"
+    echo "  rm -f docker-compose.yml Caddyfile dashboard.env turnserver.conf management.json relay.env"
+    echo "Be aware that this will remove all data from the database, and you will have to reconfigure the dashboard."
+    exit 1
+  fi
+
+  echo Rendering initial files...
+  render_docker_compose > docker-compose.yml
+  render_caddyfile > Caddyfile
+  render_dashboard_env > dashboard.env
+  render_management_json > management.json
+  render_turn_server_conf > turnserver.conf
+  render_relay_env > relay.env
+
+  echo -e "\nStarting NetBird services\n"
+  $DOCKER_COMPOSE_COMMAND up -d
+
+  # Wait for management (and embedded IdP) to be ready
+  sleep 3
+  wait_management
+
+  echo -e "\nDone!\n"
+  echo "You can access the NetBird dashboard at $NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN"
+  echo "Follow the onboarding steps to set up your NetBird instance."
+  return 0
+}
+
+render_caddyfile() {
+  cat <<EOF
+{  
+  servers :80,:443 {
+    protocols h1 h2c h2 h3
+  }
+}
+
+(security_headers) {
+    header * {
+        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        X-XSS-Protection "1; mode=block"
+        -Server
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+}
+
+:80${CADDY_SECURE_DOMAIN} {
+    import security_headers
+    # relay
+    reverse_proxy /relay* relay:80
+    # Signal
+    reverse_proxy /ws-proxy/signal* signal:80
+    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
+    # Management
+    reverse_proxy /api/* management:80
+    reverse_proxy /ws-proxy/management* management:80
+    reverse_proxy /management.ManagementService/* h2c://management:80
+    reverse_proxy /oauth2/* management:80
+    # Dashboard
+    reverse_proxy /* dashboard:80
+}
+EOF
+  return 0
+}
+
+render_turn_server_conf() {
+  cat <<EOF
+listening-port=3478
+$TURN_EXTERNAL_IP_CONFIG
+tls-listening-port=5349
+min-port=$TURN_MIN_PORT
+max-port=$TURN_MAX_PORT
+fingerprint
+lt-cred-mech
+user=$TURN_USER:$TURN_PASSWORD
+realm=wiretrustee.com
+cert=/etc/coturn/certs/cert.pem
+pkey=/etc/coturn/private/privkey.pem
+log-file=stdout
+no-software-attribute
+pidfile="/var/tmp/turnserver.pid"
+no-cli
+EOF
+  return 0
+}
+
+render_management_json() {
+  cat <<EOF
+{
+    "Stuns": [
+        {
+            "Proto": "udp",
+            "URI": "stun:$NETBIRD_DOMAIN:3478"
+        }
+    ],
+    "Relay": {
+        "Addresses": ["$NETBIRD_RELAY_PROTO://$NETBIRD_DOMAIN:$NETBIRD_PORT"],
+        "CredentialsTTL": "24h",
+        "Secret": "$NETBIRD_RELAY_AUTH_SECRET"
+    },
+    "Signal": {
+        "Proto": "$NETBIRD_HTTP_PROTOCOL",
+        "URI": "$NETBIRD_DOMAIN:$NETBIRD_PORT"
+    },
+    "Datadir": "/var/lib/netbird",
+    "DataStoreEncryptionKey": "$DATASTORE_ENCRYPTION_KEY",
+    "EmbeddedIdP": {
+        "Enabled": true,
+        "Issuer": "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/oauth2",
+        "DashboardRedirectURIs": [
+            "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/nb-auth",
+            "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/nb-silent-auth"
+        ]
+    }
+}
+EOF
+  return 0
+}
+
+render_dashboard_env() {
+  cat <<EOF
+# Endpoints
+NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN
+NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN
+# OIDC - using embedded IdP
+AUTH_AUDIENCE=netbird-dashboard
+AUTH_CLIENT_ID=netbird-dashboard
+AUTH_CLIENT_SECRET=
+AUTH_AUTHORITY=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/oauth2
+USE_AUTH0=false
+AUTH_SUPPORTED_SCOPES=openid profile email offline_access
+AUTH_REDIRECT_URI=/nb-auth
+AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
+# SSL
+NGINX_SSL_PORT=443
+# Letsencrypt
+LETSENCRYPT_DOMAIN=none
+EOF
+  return 0
+}
+
+render_relay_env() {
+  cat <<EOF
+NB_LOG_LEVEL=info
+NB_LISTEN_ADDRESS=:80
+NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_PROTO://$NETBIRD_DOMAIN:$NETBIRD_PORT
+NB_AUTH_SECRET=$NETBIRD_RELAY_AUTH_SECRET
+EOF
+  return 0
+}
+
+render_docker_compose() {
+  cat <<EOF
+services:
+  # Caddy reverse proxy
+  caddy:
+    image: caddy
+    container_name: netbird-caddy
+    restart: unless-stopped
+    networks: [netbird]
+    ports:
+      - '443:443'
+      - '443:443/udp'
+      - '80:80'
+    volumes:
+      - netbird_caddy_data:/data
+      - ./Caddyfile:/etc/caddy/Caddyfile
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # UI dashboard
+  dashboard:
+    image: netbirdio/dashboard:latest
+    container_name: netbird-dashboard
+    restart: unless-stopped
+    networks: [netbird]
+    env_file:
+      - ./dashboard.env
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Signal
+  signal:
+    image: netbirdio/signal:latest
+    container_name: netbird-signal
+    restart: unless-stopped
+    networks: [netbird]
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Relay
+  relay:
+    image: netbirdio/relay:latest
+    container_name: netbird-relay
+    restart: unless-stopped
+    networks: [netbird]
+    env_file:
+      - ./relay.env
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Management (includes embedded IdP)
+  management:
+    image: netbirdio/management:latest
+    container_name: netbird-management
+    restart: unless-stopped
+    networks: [netbird]
+    volumes:
+      - netbird_management:/var/lib/netbird
+      - ./management.json:/etc/netbird/management.json
+    command: [
+      "--port", "80",
+      "--log-file", "console",
+      "--log-level", "info",
+      "--disable-anonymous-metrics=false",
+      "--single-account-mode-domain=netbird.selfhosted",
+      "--dns-domain=netbird.selfhosted",
+      "--idp-sign-key-refresh-enabled",
+    ]
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Coturn, AKA TURN server
+  coturn:
+    image: coturn/coturn
+    container_name: netbird-coturn
+    restart: unless-stopped
+    volumes:
+      - ./turnserver.conf:/etc/turnserver.conf:ro
+    network_mode: host
+    command:
+      - -c /etc/turnserver.conf
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+volumes:
+  netbird_caddy_data:
+  netbird_management:
+
+networks:
+  netbird:
+EOF
+  return 0
+}
+
+init_environment
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -24,6 +24,7 @@ import (
 	"github.com/netbirdio/netbird/management/internals/server"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/util/crypt"
 )

 var newServer = func(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort int, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) server.Server {
@@ -63,7 +64,7 @@ var (
 				config.HttpConfig.IdpSignKeyRefreshEnabled = idpSignKeyRefreshEnabled
 			}

-			tlsEnabled := false
+			var tlsEnabled bool
 			if mgmtLetsencryptDomain != "" || (config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "") {
 				tlsEnabled = true
 			}
@@ -135,76 +136,216 @@ var (

 func loadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*nbconfig.Config, error) {
 	loadedConfig := &nbconfig.Config{}
-	_, err := util.ReadJsonWithEnvSub(mgmtConfigPath, loadedConfig)
+	if _, err := util.ReadJsonWithEnvSub(mgmtConfigPath, loadedConfig); err != nil {
+		return nil, err
+	}
+
+	applyCommandLineOverrides(loadedConfig)
+
+	// Apply EmbeddedIdP config to HttpConfig if embedded IdP is enabled
+	err := applyEmbeddedIdPConfig(loadedConfig)
 	if err != nil {
 		return nil, err
 	}
+
+	if err := applyOIDCConfig(ctx, loadedConfig); err != nil {
+		return nil, err
+	}
+
+	logConfigInfo(loadedConfig)
+
+	if err := ensureEncryptionKey(ctx, mgmtConfigPath, loadedConfig); err != nil {
+		return nil, err
+	}
+
+	return loadedConfig, nil
+}
+
+// applyCommandLineOverrides applies command-line flag overrides to the config
+func applyCommandLineOverrides(cfg *nbconfig.Config) {
 	if mgmtLetsencryptDomain != "" {
-		loadedConfig.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
+		cfg.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
 	}
 	if mgmtDataDir != "" {
-		loadedConfig.Datadir = mgmtDataDir
+		cfg.Datadir = mgmtDataDir
 	}
-
 	if certKey != "" && certFile != "" {
-		loadedConfig.HttpConfig.CertFile = certFile
-		loadedConfig.HttpConfig.CertKey = certKey
+		cfg.HttpConfig.CertFile = certFile
+		cfg.HttpConfig.CertKey = certKey
+	}
+}
+
+// applyEmbeddedIdPConfig populates HttpConfig and EmbeddedIdP storage from config when embedded IdP is enabled.
+// This allows users to only specify EmbeddedIdP config without duplicating values in HttpConfig.
+func applyEmbeddedIdPConfig(cfg *nbconfig.Config) error {
+	if cfg.EmbeddedIdP == nil || !cfg.EmbeddedIdP.Enabled {
+		return nil
 	}

-	oidcEndpoint := loadedConfig.HttpConfig.OIDCConfigEndpoint
-	if oidcEndpoint != "" {
-		// if OIDCConfigEndpoint is specified, we can load DeviceAuthEndpoint and TokenEndpoint automatically
-		log.WithContext(ctx).Infof("loading OIDC configuration from the provided IDP configuration endpoint %s", oidcEndpoint)
-		oidcConfig, err := fetchOIDCConfig(ctx, oidcEndpoint)
-		if err != nil {
-			return nil, err
-		}
-		log.WithContext(ctx).Infof("loaded OIDC configuration from the provided IDP configuration endpoint: %s", oidcEndpoint)
+	// apply some defaults based on the EmbeddedIdP config
+	if disableSingleAccMode {
+		// Embedded IdP requires single account mode - multiple account mode is not supported
+		return fmt.Errorf("embedded IdP requires single account mode; multiple account mode is not supported with embedded IdP. Please remove --disable-single-account-mode flag")
+	}
+	// Enable user deletion from IDP by default if EmbeddedIdP is enabled
+	userDeleteFromIDPEnabled = true

-		log.WithContext(ctx).Infof("overriding HttpConfig.AuthIssuer with a new value %s, previously configured value: %s",
-			oidcConfig.Issuer, loadedConfig.HttpConfig.AuthIssuer)
-		loadedConfig.HttpConfig.AuthIssuer = oidcConfig.Issuer
+	// Set LocalAddress for embedded IdP if enabled, used for internal JWT validation
+	cfg.EmbeddedIdP.LocalAddress = fmt.Sprintf("localhost:%d", mgmtPort)

-		log.WithContext(ctx).Infof("overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value %s, previously configured value: %s",
-			oidcConfig.JwksURI, loadedConfig.HttpConfig.AuthKeysLocation)
-		loadedConfig.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI
-
-		if !(loadedConfig.DeviceAuthorizationFlow == nil || strings.ToLower(loadedConfig.DeviceAuthorizationFlow.Provider) == string(nbconfig.NONE)) {
-			log.WithContext(ctx).Infof("overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.TokenEndpoint, loadedConfig.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint)
-			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
-			log.WithContext(ctx).Infof("overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.DeviceAuthEndpoint, loadedConfig.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint)
-			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint = oidcConfig.DeviceAuthEndpoint
-
-			u, err := url.Parse(oidcEndpoint)
-			if err != nil {
-				return nil, err
-			}
-			log.WithContext(ctx).Infof("overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: %s, previously configured value: %s",
-				u.Host, loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Domain)
-			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Domain = u.Host
-
-			if loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Scope == "" {
-				loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Scope = nbconfig.DefaultDeviceAuthFlowScope
-			}
-		}
-
-		if loadedConfig.PKCEAuthorizationFlow != nil {
-			log.WithContext(ctx).Infof("overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.TokenEndpoint, loadedConfig.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint)
-			loadedConfig.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
-			log.WithContext(ctx).Infof("overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.AuthorizationEndpoint, loadedConfig.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint)
-			loadedConfig.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint = oidcConfig.AuthorizationEndpoint
-		}
+	// Ensure HttpConfig exists
+	if cfg.HttpConfig == nil {
+		cfg.HttpConfig = &nbconfig.HttpServerConfig{}
 	}

-	if loadedConfig.Relay != nil {
-		log.Infof("Relay addresses: %v", loadedConfig.Relay.Addresses)
+	// Set storage defaults based on Datadir
+	if cfg.EmbeddedIdP.Storage.Type == "" {
+		cfg.EmbeddedIdP.Storage.Type = "sqlite3"
+	}
+	if cfg.EmbeddedIdP.Storage.Config.File == "" && cfg.Datadir != "" {
+		cfg.EmbeddedIdP.Storage.Config.File = path.Join(cfg.Datadir, "idp.db")
 	}

-	return loadedConfig, err
+	issuer := cfg.EmbeddedIdP.Issuer
+
+	// Set AuthIssuer from EmbeddedIdP issuer
+	if cfg.HttpConfig.AuthIssuer == "" {
+		cfg.HttpConfig.AuthIssuer = issuer
+	}
+
+	// Set AuthAudience to the dashboard client ID
+	if cfg.HttpConfig.AuthAudience == "" {
+		cfg.HttpConfig.AuthAudience = "netbird-dashboard"
+	}
+
+	// Set CLIAuthAudience to the client app client ID
+	if cfg.HttpConfig.CLIAuthAudience == "" {
+		cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
+	}
+
+	// Set AuthUserIDClaim to "sub" (standard OIDC claim)
+	if cfg.HttpConfig.AuthUserIDClaim == "" {
+		cfg.HttpConfig.AuthUserIDClaim = "sub"
+	}
+
+	// Set AuthKeysLocation to the JWKS endpoint
+	if cfg.HttpConfig.AuthKeysLocation == "" {
+		cfg.HttpConfig.AuthKeysLocation = issuer + "/keys"
+	}
+
+	// Set OIDCConfigEndpoint to the discovery endpoint
+	if cfg.HttpConfig.OIDCConfigEndpoint == "" {
+		cfg.HttpConfig.OIDCConfigEndpoint = issuer + "/.well-known/openid-configuration"
+	}
+
+	// Copy SignKeyRefreshEnabled from EmbeddedIdP config
+	if cfg.EmbeddedIdP.SignKeyRefreshEnabled {
+		cfg.HttpConfig.IdpSignKeyRefreshEnabled = true
+	}
+
+	return nil
+}
+
+// applyOIDCConfig fetches and applies OIDC configuration if endpoint is specified
+func applyOIDCConfig(ctx context.Context, cfg *nbconfig.Config) error {
+	oidcEndpoint := cfg.HttpConfig.OIDCConfigEndpoint
+	if oidcEndpoint == "" || cfg.EmbeddedIdP != nil {
+		return nil
+	}
+
+	log.WithContext(ctx).Infof("loading OIDC configuration from the provided IDP configuration endpoint %s", oidcEndpoint)
+	oidcConfig, err := fetchOIDCConfig(ctx, oidcEndpoint)
+	if err != nil {
+		return err
+	}
+	log.WithContext(ctx).Infof("loaded OIDC configuration from the provided IDP configuration endpoint: %s", oidcEndpoint)
+
+	log.WithContext(ctx).Infof("overriding HttpConfig.AuthIssuer with a new value %s, previously configured value: %s",
+		oidcConfig.Issuer, cfg.HttpConfig.AuthIssuer)
+	cfg.HttpConfig.AuthIssuer = oidcConfig.Issuer
+
+	log.WithContext(ctx).Infof("overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value %s, previously configured value: %s",
+		oidcConfig.JwksURI, cfg.HttpConfig.AuthKeysLocation)
+	cfg.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI
+
+	if err := applyDeviceAuthFlowConfig(ctx, cfg, &oidcConfig, oidcEndpoint); err != nil {
+		return err
+	}
+	applyPKCEFlowConfig(ctx, cfg, &oidcConfig)
+
+	return nil
+}
+
+// applyDeviceAuthFlowConfig applies OIDC config to DeviceAuthorizationFlow if enabled
+func applyDeviceAuthFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse, oidcEndpoint string) error {
+	if cfg.DeviceAuthorizationFlow == nil || strings.ToLower(cfg.DeviceAuthorizationFlow.Provider) == string(nbconfig.NONE) {
+		return nil
+	}
+
+	log.WithContext(ctx).Infof("overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: %s, previously configured value: %s",
+		oidcConfig.TokenEndpoint, cfg.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint)
+	cfg.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
+
+	log.WithContext(ctx).Infof("overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: %s, previously configured value: %s",
+		oidcConfig.DeviceAuthEndpoint, cfg.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint)
+	cfg.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint = oidcConfig.DeviceAuthEndpoint
+
+	u, err := url.Parse(oidcEndpoint)
+	if err != nil {
+		return err
+	}
+	log.WithContext(ctx).Infof("overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: %s, previously configured value: %s",
+		u.Host, cfg.DeviceAuthorizationFlow.ProviderConfig.Domain)
+	cfg.DeviceAuthorizationFlow.ProviderConfig.Domain = u.Host
+
+	if cfg.DeviceAuthorizationFlow.ProviderConfig.Scope == "" {
+		cfg.DeviceAuthorizationFlow.ProviderConfig.Scope = nbconfig.DefaultDeviceAuthFlowScope
+	}
+	return nil
+}
+
+// applyPKCEFlowConfig applies OIDC config to PKCEAuthorizationFlow if configured
+func applyPKCEFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse) {
+	if cfg.PKCEAuthorizationFlow == nil {
+		return
+	}
+	log.WithContext(ctx).Infof("overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: %s, previously configured value: %s",
+		oidcConfig.TokenEndpoint, cfg.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint)
+	cfg.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
+
+	log.WithContext(ctx).Infof("overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: %s, previously configured value: %s",
+		oidcConfig.AuthorizationEndpoint, cfg.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint)
+	cfg.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint = oidcConfig.AuthorizationEndpoint
+}
+
+// logConfigInfo logs informational messages about the loaded configuration
+func logConfigInfo(cfg *nbconfig.Config) {
+	if cfg.EmbeddedIdP != nil {
+		log.Infof("running with the embedded IdP: %v", cfg.EmbeddedIdP.Issuer)
+	}
+	if cfg.Relay != nil {
+		log.Infof("Relay addresses: %v", cfg.Relay.Addresses)
+	}
+}
+
+// ensureEncryptionKey generates and saves a DataStoreEncryptionKey if not set
+func ensureEncryptionKey(ctx context.Context, configPath string, cfg *nbconfig.Config) error {
+	if cfg.DataStoreEncryptionKey != "" {
+		return nil
+	}
+
+	log.WithContext(ctx).Infof("DataStoreEncryptionKey is not set, generating a new key")
+	key, err := crypt.GenerateKey()
+	if err != nil {
+		return fmt.Errorf("failed to generate datastore encryption key: %v", err)
+	}
+	cfg.DataStoreEncryptionKey = key
+
+	if err := util.DirectWriteJson(ctx, configPath, cfg); err != nil {
+		return fmt.Errorf("failed to save config with new encryption key: %v", err)
+	}
+	log.WithContext(ctx).Infof("DataStoreEncryptionKey generated and saved to config")
+	return nil
 }

 // OIDCConfigResponse used for parsing OIDC config response
--- a/management/internals/controllers/network_map/controller/controller.go
+++ b/management/internals/controllers/network_map/controller/controller.go
@@ -142,7 +142,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 		err     error
 	)
 	if c.experimentalNetworkMap(accountID) {
-		account = c.getAccountFromHolderOrInit(accountID)
+		account = c.getAccountFromHolderOrInit(ctx, accountID)
 	} else {
 		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
 		if err != nil {
@@ -414,7 +414,7 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		err     error
 	)
 	if c.experimentalNetworkMap(accountID) {
-		account = c.getAccountFromHolderOrInit(accountID)
+		account = c.getAccountFromHolderOrInit(ctx, accountID)
 	} else {
 		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
 		if err != nil {
@@ -447,7 +447,9 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 	if c.experimentalNetworkMap(accountID) {
 		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, customZone, c.accountManagerMetrics)
 	} else {
-		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), c.accountManagerMetrics, account.GetActiveGroupUsers())
+		resourcePolicies := account.GetResourcePoliciesMap()
+		routers := account.GetResourceRoutersMap()
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, account.GetActiveGroupUsers())
 	}

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
@@ -473,19 +475,20 @@ func (c *Controller) getPeerNetworkMapExp(
 	customZone nbdns.CustomZone,
 	metrics *telemetry.AccountManagerMetrics,
 ) *types.NetworkMap {
-	account := c.getAccountFromHolderOrInit(accountId)
+	account := c.getAccountFromHolderOrInit(ctx, accountId)
 	if account == nil {
 		log.WithContext(ctx).Warnf("account %s not found in holder when getting peer network map", accountId)
 		return &types.NetworkMap{
 			Network: &types.Network{},
 		}
 	}
+
 	return account.GetPeerNetworkMapExp(ctx, peerId, customZone, validatedPeers, metrics)
 }

-func (c *Controller) onPeerAddedUpdNetworkMapCache(account *types.Account, peerId string) error {
+func (c *Controller) onPeersAddedUpdNetworkMapCache(account *types.Account, peerIds ...string) {
 	c.enrichAccountFromHolder(account)
-	return account.OnPeerAddedUpdNetworkMapCache(peerId)
+	account.OnPeersAddedUpdNetworkMapCache(peerIds...)
 }

 func (c *Controller) onPeerDeletedUpdNetworkMapCache(account *types.Account, peerId string) error {
@@ -537,7 +540,6 @@ func (c *Controller) enrichAccountFromHolder(account *types.Account) {
 	if account.NetworkMapCache == nil {
 		return
 	}
-	account.NetworkMapCache.UpdateAccountPointer(account)
 	c.holder.AddAccount(account)
 }

@@ -545,12 +547,12 @@ func (c *Controller) getAccountFromHolder(accountID string) *types.Account {
 	return c.holder.GetAccount(accountID)
 }

-func (c *Controller) getAccountFromHolderOrInit(accountID string) *types.Account {
+func (c *Controller) getAccountFromHolderOrInit(ctx context.Context, accountID string) *types.Account {
 	a := c.holder.GetAccount(accountID)
 	if a != nil {
 		return a
 	}
-	account, err := c.holder.LoadOrStoreFunc(accountID, c.requestBuffer.GetAccountWithBackpressure)
+	account, err := c.holder.LoadOrStoreFunc(ctx, accountID, c.requestBuffer.GetAccountWithBackpressure)
 	if err != nil {
 		return nil
 	}
@@ -715,18 +717,14 @@ func (c *Controller) OnPeersUpdated(ctx context.Context, accountID string, peerI
 }

 func (c *Controller) OnPeersAdded(ctx context.Context, accountID string, peerIDs []string) error {
-	for _, peerID := range peerIDs {
-		if c.experimentalNetworkMap(accountID) {
-			account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-			if err != nil {
-				return err
-			}
-
-			err = c.onPeerAddedUpdNetworkMapCache(account, peerID)
-			if err != nil {
-				return err
-			}
+	log.WithContext(ctx).Debugf("OnPeersAdded call to add peers: %v", peerIDs)
+	if c.experimentalNetworkMap(accountID) {
+		account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
+		if err != nil {
+			return err
 		}
+		log.WithContext(ctx).Debugf("peers are ready to be added to networkmap cache: %v", peerIDs)
+		c.onPeersAddedUpdNetworkMapCache(account, peerIDs...)
 	}
 	return c.bufferSendUpdateAccountPeers(ctx, accountID)
 }
@@ -813,7 +811,9 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 	if c.experimentalNetworkMap(peer.AccountID) {
 		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, customZone, nil)
 	} else {
-		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
+		resourcePolicies := account.GetResourcePoliciesMap()
+		routers := account.GetResourceRoutersMap()
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	}

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
--- a/management/internals/modules/peers/ephemeral/manager/ephemeral_test.go
+++ b/management/internals/modules/peers/ephemeral/manager/ephemeral_test.go
@@ -309,7 +309,7 @@ func newAccountWithId(ctx context.Context, accountID, userID, domain string, dis
 	setupKeys := map[string]*types.SetupKey{}
 	nameServersGroups := make(map[string]*nbdns.NameServerGroup)

-	owner := types.NewOwnerUser(userID)
+	owner := types.NewOwnerUser(userID, "", "")
 	owner.AccountID = accountID
 	users[userID] = owner

--- a/management/internals/modules/peers/manager.go
+++ b/management/internals/modules/peers/manager.go
@@ -7,6 +7,8 @@ import (
 	"fmt"
 	"time"

+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral"
 	"github.com/netbirdio/netbird/management/server/account"
@@ -102,7 +104,7 @@ func (m *managerImpl) DeletePeers(ctx context.Context, accountID string, peerIDs

 	for _, peerID := range peerIDs {
 		var eventsToStore []func()
-		err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 			peer, err := transaction.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
 			if err != nil {
 				return err
@@ -116,10 +118,6 @@ func (m *managerImpl) DeletePeers(ctx context.Context, accountID string, peerIDs
 				return fmt.Errorf("failed to remove peer %s from groups", peerID)
 			}

-			if err := m.integratedPeerValidator.PeerDeleted(ctx, accountID, peerID, settings.Extra); err != nil {
-				return err
-			}
-
 			peerPolicyRules, err := transaction.GetPolicyRulesByResourceID(ctx, store.LockingStrengthNone, accountID, peerID)
 			if err != nil {
 				return err
@@ -153,6 +151,13 @@ func (m *managerImpl) DeletePeers(ctx context.Context, accountID string, peerIDs
 		if err != nil {
 			return err
 		}
+
+		if m.integratedPeerValidator != nil {
+			if err = m.integratedPeerValidator.PeerDeleted(ctx, accountID, peerID, settings.Extra); err != nil {
+				log.WithContext(ctx).Errorf("failed to delete peer %s from integrated validator: %v", peerID, err)
+			}
+		}
+
 		for _, event := range eventsToStore {
 			event()
 		}
--- a/management/internals/server/boot.go
+++ b/management/internals/server/boot.go
@@ -21,7 +21,6 @@ import (
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/formatter/hook"
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbContext "github.com/netbirdio/netbird/management/server/context"
@@ -29,6 +28,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/util/crypt"
 )

 var (
@@ -62,6 +62,14 @@ func (s *BaseServer) Store() store.Store {
 			log.Fatalf("failed to create store: %v", err)
 		}

+		if s.Config.DataStoreEncryptionKey != "" {
+			fieldEncrypt, err := crypt.NewFieldEncrypt(s.Config.DataStoreEncryptionKey)
+			if err != nil {
+				log.Fatalf("failed to create field encryptor: %v", err)
+			}
+			store.SetFieldEncrypt(fieldEncrypt)
+		}
+
 		return store
 	})
 }
@@ -73,27 +81,18 @@ func (s *BaseServer) EventStore() activity.Store {
 			log.Fatalf("failed to initialize integration metrics: %v", err)
 		}

-		eventStore, key, err := integrations.InitEventStore(context.Background(), s.Config.Datadir, s.Config.DataStoreEncryptionKey, integrationMetrics)
+		eventStore, _, err := integrations.InitEventStore(context.Background(), s.Config.Datadir, s.Config.DataStoreEncryptionKey, integrationMetrics)
 		if err != nil {
 			log.Fatalf("failed to initialize event store: %v", err)
 		}

-		if s.Config.DataStoreEncryptionKey != key {
-			log.WithContext(context.Background()).Infof("update Config with activity store key")
-			s.Config.DataStoreEncryptionKey = key
-			err := updateMgmtConfig(context.Background(), nbconfig.MgmtConfigPath, s.Config)
-			if err != nil {
-				log.Fatalf("failed to update Config with activity store: %v", err)
-			}
-		}
-
 		return eventStore
 	})
 }

 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.NetworkMapController())
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.NetworkMapController(), s.IdpManager())
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}
@@ -145,7 +144,7 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 		}

 		gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
-		srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController())
+		srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider())
 		if err != nil {
 			log.Fatalf("failed to create management server: %v", err)
 		}
--- a/management/internals/server/config/config.go
+++ b/management/internals/server/config/config.go
@@ -57,6 +57,10 @@ type Config struct {

 	// disable default all-to-all policy
 	DisableDefaultPolicy bool
+
+	// EmbeddedIdP contains configuration for the embedded Dex OIDC provider.
+	// When set, Dex will be embedded in the management server and serve requests at /oauth2/
+	EmbeddedIdP *idp.EmbeddedIdPConfig
 }

 // GetAuthAudiences returns the audience from the http config and device authorization flow config
@@ -98,6 +102,9 @@ type HttpServerConfig struct {
 	CertKey string
 	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
 	AuthAudience string
+	// CLIAuthAudience identifies the client app recipients that the JWT is intended for (aud in JWT)
+	// Used only in conjunction with EmbeddedIdP
+	CLIAuthAudience string
 	// AuthIssuer identifies principal that issued the JWT
 	AuthIssuer string
 	// AuthUserIDClaim is the name of the claim that used as user ID
--- a/management/internals/server/container.go
+++ b/management/internals/server/container.go
@@ -44,6 +44,9 @@ func maybeCreateNamed[T any](s Server, name string, createFunc func() T) (result

 func maybeCreateKeyed[T any](s Server, key string, createFunc func() T) (result T, isNew bool) {
 	if t, ok := s.GetContainer(key); ok {
+		if t == nil {
+			return result, false
+		}
 		return t.(T), false
 	}

--- a/management/internals/server/controllers.go
+++ b/management/internals/server/controllers.go
@@ -55,14 +55,34 @@ func (s *BaseServer) SecretsManager() grpc.SecretsManager {
 }

 func (s *BaseServer) AuthManager() auth.Manager {
+	audiences := s.Config.GetAuthAudiences()
+	audience := s.Config.HttpConfig.AuthAudience
+	keysLocation := s.Config.HttpConfig.AuthKeysLocation
+	signingKeyRefreshEnabled := s.Config.HttpConfig.IdpSignKeyRefreshEnabled
+	issuer := s.Config.HttpConfig.AuthIssuer
+	userIDClaim := s.Config.HttpConfig.AuthUserIDClaim
+
+	// Use embedded IdP configuration if available
+	if oauthProvider := s.OAuthConfigProvider(); oauthProvider != nil {
+		audiences = oauthProvider.GetClientIDs()
+		if len(audiences) > 0 {
+			audience = audiences[0] // Use the first client ID as the primary audience
+		}
+		// Use localhost keys location for internal validation (management has embedded Dex)
+		keysLocation = oauthProvider.GetLocalKeysLocation()
+		signingKeyRefreshEnabled = true
+		issuer = oauthProvider.GetIssuer()
+		userIDClaim = oauthProvider.GetUserIDClaim()
+	}
+
 	return Create(s, func() auth.Manager {
 		return auth.NewManager(s.Store(),
-			s.Config.HttpConfig.AuthIssuer,
-			s.Config.HttpConfig.AuthAudience,
-			s.Config.HttpConfig.AuthKeysLocation,
-			s.Config.HttpConfig.AuthUserIDClaim,
-			s.Config.GetAuthAudiences(),
-			s.Config.HttpConfig.IdpSignKeyRefreshEnabled)
+			issuer,
+			audience,
+			keysLocation,
+			userIDClaim,
+			audiences,
+			signingKeyRefreshEnabled)
 	})
 }

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Misha Bragin	614e7d5b90	Validate OIDC issuer when creating or updating (#5074 )	2026-01-09 09:45:43 -05:00
Misha Bragin	f7967f9ae3	Feature/resolve local jwks keys (#5073 )	2026-01-09 09:41:27 -05:00
Vlad	684fc0d2a2	[management] fix the issue with duplicated peers with the same key (#5053 )	2026-01-09 11:49:26 +01:00
Viktor Liu	0ad0c81899	[client] Reorder userspace ACL checks to fail faster for better performance (#4226 )	2026-01-09 09:13:04 +01:00
Viktor Liu	e8863fbb55	[client] Add non-root ICMP support to userspace firewall forwarder (#4792 )	2026-01-09 02:53:37 +08:00
Zoltan Papp	9c9d8e17d7	Revert "Revert "[relay] Update GO version and QUIC version (#4736 )" (#5055 )" (#5071 ) This reverts commit `24df442198`.	2026-01-08 18:58:22 +01:00
Diego Noguês	fb71b0d04b	[infrastructure] fix: disable Caddy debug (#5067 )	2026-01-08 12:49:45 +01:00
Maycon Santos	ab7d6b2196	[misc] add new getting started to release (#5057 )	2026-01-08 12:12:50 +01:00
Maycon Santos	9c5b2575e3	[misc] add embedded provider support metrics count local vs idp users if embedded	2026-01-08 12:12:19 +01:00
Bethuel Mmbaga	00e2689ffb	[management] Fix race condition in experimental network map when deleting account (#5064 )	2026-01-08 14:10:09 +03:00
Misha Bragin	cf535f8c61	[management] Fix role change in transaction and update readme (#5060 )	2026-01-08 12:07:59 +01:00
Maycon Santos	24df442198	Revert "[relay] Update GO version and QUIC version (#4736 )" (#5055 ) This reverts commit `8722b79799`.	2026-01-07 19:02:20 +01:00
Zoltan Papp	8722b79799	[relay] Update GO version and QUIC version (#4736 ) - Go 1.25.5 - QUIC 0.55.0	2026-01-07 16:30:29 +01:00
Vlad	afcdef6121	[management] add ssh authorized users to network map cache (#5048 )	2026-01-07 15:53:18 +01:00
Zoltan Papp	12a7fa24d7	Add support for disabling eBPF WireGuard proxy via environment variable (#5047 )	2026-01-07 15:34:52 +01:00
Zoltan Papp	6ff9aa0366	Refactor SSH server to manage listener lifecycle and expose active address via `Addr` method. (#5036 )	2026-01-07 15:34:26 +01:00
Misha Bragin	e586c20e36	[management, infrastructure, idp] Simplified IdP Management - Embedded IdP (#5008 ) Embed Dex as a built-in IdP to simplify self-hosting setup. Adds an embedded OIDC Identity Provider (Dex) with local user management and optional external IdP connectors (Google/GitHub/OIDC/SAML), plus device-auth flow for CLI login. Introduces instance onboarding/setup endpoints (including owner creation), field-level encryption for sensitive user data, a streamlined self-hosting provisioning script, and expanded APIs + test coverage for IdP management. more at https://github.com/netbirdio/netbird/pull/5008#issuecomment-3718987393	2026-01-07 14:52:32 +01:00
Pascal Fischer	5393ad948f	[management] fix nil handling for extra settings (#5049 )	2026-01-07 13:05:39 +01:00
Bethuel Mmbaga	20d6beff1b	[management] Increment network serial on peer update (#5051 ) Increment the serial on peer update and prevent double serial increments and account updates when updating a user while there are peers set to expire	2026-01-07 14:59:49 +03:00
Bethuel Mmbaga	d35b7d675c	[management] Refactor integrated peer deletion (#5042 )	2026-01-07 14:00:39 +03:00
Viktor Liu	f012fb8592	[client] Add port forwarding to ssh proxy (#5031 ) * Implement port forwarding for the ssh proxy * Allow user switching for port forwarding	2026-01-07 12:18:04 +08:00
Vlad	7142d45ef3	[management] network map builder concurrent batch processing for peer updates (#5040 )	2026-01-06 19:25:55 +01:00
				`@@ -0,0 +1 @@`
				`/* NetBird DEX Static CSS - main styles are inline in header.html */`
				`@@ -0,0 +1 @@`
				`/* NetBird DEX Theme - styles loaded but CSS is inline in header.html */`