
Migration path for legacy auth to embedded IDP#5363

Closed
calderbit wants to merge 3 commits into netbirdio:main from calderbit:feat/legacy-auth-migration

Conversation

@calderbit calderbit commented Feb 17, 2026

Describe your changes

Add support for seeding an external IdP connector via the IDP_SEED_INFO environment variable when using the Embedded IdP (Dex), enabling automatic migration of existing user IDs to the Dex-encoded format.

How it works:

  1. Self-hosted instance operator sets IDP_SEED_INFO to a base64-encoded JSON connector config (OIDC)
  2. On startup, the connector is upserted into the Dex static connectors list
  3. After initialization, a migration hook iterates all users — any user whose ID cannot be decoded as a Dex user ID is re-encoded with the seeded connector ID and atomically updated in the database across all referencing tables (personal_access_tokens, peers, user_invites, accounts, etc.) in a single transaction with deferred foreign key constraints
  4. Already-migrated users (valid Dex-encoded IDs) are skipped

IDP_SEED_INFO example:

{
  "type": "oidc",
  "name": "Zitadel",
  "id": "zitadel",
  "config": {
    "issuer": "https://server.netbird.io/",
    "clientID": "360335580288057352",
    "clientSecret": "<secret>",
    "redirectURI": "https://server.netbird.io/oauth2/callback"
  }
}

Extra changes

  • This PR includes support for NB_IDP_MIGRATION_DRY_RUN=true, which outputs the planned oldId -> newId in the console logs for validation; I found it useful to verify that the encoded newId properly matched the oldId + the provided IDP id.
  • I also included a small code path under management/server/user.go:235 which will keep the user name and email updated with what it receives from the JWT token.

TODO

  • Handle migration of IDs for events / deleted_user tables
  • Write documentation PR
  • Test with more providers to make sure no ID matching issues are present

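The procedure in the PR description (parse IDP_SEED_INFO, decide per user whether the ID is already Dex-encoded, otherwise re-encode it with the seeded connector ID, and log the oldId -> newId plan in dry-run mode) as an added, self-contained Go example. This is not code from the PR or from the NetBird or Dex projects. It assumes that IDP_SEED_INFO is standard base64 of the JSON shown above, and that a Dex user ID is the base64url (unpadded) protobuf encoding of Dex's IDTokenSubject message with user_id as field 1 and conn_id as field 2; the function names (ParseSeedInfo, EncodeDexSubject, DecodeDexSubject, PlanMigration) and the sample IDs are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// SeedConnector mirrors the IDP_SEED_INFO JSON shape shown in the PR description.
type SeedConnector struct {
	Type   string          `json:"type"`
	ID     string          `json:"id"`
	Config json.RawMessage `json:"config"`
}

// ParseSeedInfo decodes IDP_SEED_INFO (assumed: standard base64 of the JSON) and
// rejects a connector that lacks the fields the migration relies on.
func ParseSeedInfo(envValue string) (SeedConnector, error) {
	raw, err := base64.StdEncoding.DecodeString(envValue)
	if err != nil {
		return SeedConnector{}, fmt.Errorf("IDP_SEED_INFO is not valid base64: %w", err)
	}
	var c SeedConnector
	if err := json.Unmarshal(raw, &c); err != nil {
		return SeedConnector{}, fmt.Errorf("IDP_SEED_INFO is not valid JSON: %w", err)
	}
	if c.Type == "" || c.ID == "" {
		return SeedConnector{}, fmt.Errorf("IDP_SEED_INFO connector needs non-empty type and id")
	}
	return c, nil
}

// EncodeDexSubject builds the protobuf wire form of Dex's IDTokenSubject message
// (field 1 = user_id, field 2 = conn_id), base64url without padding (assumed format).
func EncodeDexSubject(userID, connID string) string {
	var buf []byte
	for i, s := range []string{userID, connID} {
		if s == "" {
			continue // proto3 omits empty scalar fields
		}
		buf = append(buf, byte((i+1)<<3|2)) // tag: field number, wire type 2
		n := uint64(len(s))
		for ; n >= 0x80; n >>= 7 { // varint length prefix
			buf = append(buf, byte(n)|0x80)
		}
		buf = append(append(buf, byte(n)), s...)
	}
	return base64.RawURLEncoding.EncodeToString(buf)
}

// DecodeDexSubject is the "already migrated?" check: ok only when the whole ID
// parses as an IDTokenSubject with both user_id and conn_id present.
func DecodeDexSubject(sub string) (userID, connID string, ok bool) {
	raw, err := base64.RawURLEncoding.DecodeString(sub)
	if err != nil {
		return "", "", false
	}
	for len(raw) > 0 {
		tag, n, width := raw[0], uint64(0), 0
		for i, c := range raw[1:] { // read the varint length
			n |= uint64(c&0x7f) << (7 * uint(i))
			if c&0x80 == 0 {
				width = i + 1
				break
			}
		}
		if tag&7 != 2 || width == 0 || n > uint64(len(raw)-1-width) {
			return "", "", false
		}
		start, end := 1+width, 1+width+int(n)
		switch tag >> 3 {
		case 1:
			userID = string(raw[start:end])
		case 2:
			connID = string(raw[start:end])
		default:
			return "", "", false
		}
		raw = raw[end:]
	}
	return userID, connID, userID != "" && connID != ""
}

type Plan struct{ OldID, NewID string } // one oldId -> newId pair, what dry-run mode logs

// PlanMigration re-encodes every ID that is not already a Dex subject with the
// seeded connector ID and skips already-migrated users.
func PlanMigration(userIDs []string, connID string) []Plan {
	var plans []Plan
	for _, id := range userIDs {
		if _, _, ok := DecodeDexSubject(id); ok {
			continue
		}
		plans = append(plans, Plan{OldID: id, NewID: EncodeDexSubject(id, connID)})
	}
	return plans
}

func main() { // constructed sample: one legacy Zitadel ID, one already migrated
	ids := []string{"360335580288057352", EncodeDexSubject("42", "zitadel")}
	for _, p := range PlanMigration(ids, "zitadel") {
		fmt.Printf("dry-run: %s -> %s\n", p.OldID, p.NewID)
	}
}
```

The check in DecodeDexSubject demands that the entire ID parses and that both fields are present, so a connector-less or truncated subject is treated as legacy rather than silently skipped. A legacy ID could in principle decode as a valid subject by coincidence, which is exactly what the dry-run log is for: the operator can eyeball that every newId wraps the expected oldId and connector ID before the single transaction with deferred foreign keys rewrites the referencing tables (the database write is outside this example).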


coderabbitai bot commented Feb 17, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


CLAassistant commented Feb 18, 2026

CLA assistant check
All committers have signed the CLA.

@calderbit calderbit force-pushed the feat/legacy-auth-migration branch from 7b98673 to a1d8c27 on February 18, 2026 04:13
@calderbit calderbit (Author) commented

Closing in favor of #5586

@calderbit calderbit closed this Mar 17, 2026