diff --git a/k8s/infra/vpn/netbird/management/config/management.tmpl.json b/k8s/infra/vpn/netbird/management/config/management.json.tmpl
similarity index 63%
rename from k8s/infra/vpn/netbird/management/config/management.tmpl.json
rename to k8s/infra/vpn/netbird/management/config/management.json.tmpl
index b324897..994a8b4 100644
--- a/k8s/infra/vpn/netbird/management/config/management.tmpl.json
+++ b/k8s/infra/vpn/netbird/management/config/management.json.tmpl
@@ -20,6 +20,11 @@
 "Secret": "secret",
 "TimeBasedCredentials": false
 },
+ "Relay": {
+ "Addresses": ["${NETBIRD_RELAY_URI}"],
+ "CredentialsTTL": "24h",
+ "Secret": "${NB_AUTH_SECRET}"
+ },
 "Signal": {
 "Proto": "${NETBIRD_SIGNAL_PROTOCOL}",
 "URI": "${NETBIRD_SIGNAL_URI}",
@@ -36,32 +41,40 @@
 "OIDCConfigEndpoint": "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}"
 },
 "IdpManagerConfig": {
- "ManagerType": "${NETBIRD_IDP_MANAGER_TYPE}",
- "${NETBIRD_IDP_MANAGER_TYPE^}ClientCredentials": {
- "ClientID": "${NETBIRD_IDP_CLIENT_ID}",
- "ClientSecret": "${NETBIRD_IDP_CLIENT_SECRET}",
- "GrantType": "${NETBIRD_IDP_GRANT_TYPE}",
- "Audience": "${NETBIRD_IDP_AUTH0_AUDIENCE}",
- "AuthIssuer": "${NETBIRD_IDP_AUTH0_AUTH_ISSUER}",
- "AdminEndpoint": "${NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT}",
- "TokenEndpoint": "${NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT}"
- }
+ "ManagerType": "${NETBIRD_IDP_MANAGER_TYPE:-none}",
+ "ClientConfig": {
+ "Issuer": "${NETBIRD_AUTH_AUTHORITY}",
+ "TokenEndpoint": "${NETBIRD_AUTH_TOKEN_ENDPOINT}",
+ "ClientID": "${NETBIRD_IDP_MGMT_CLIENT_ID}",
+ "ClientSecret": "${NETBIRD_IDP_MGMT_CLIENT_SECRET}",
+ "GrantType": "client_credentials"
+ },
+ "ExtraConfig": ${NETBIRD_IDP_MGMT_EXTRA_CONFIG:-null}
 },
 "DeviceAuthorizationFlow": {
 "Provider": "${NETBIRD_AUTH_DEVICE_AUTH_PROVIDER}",
 "ProviderConfig": {
 "Audience": "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE}",
+ "AuthorizationEndpoint": "",
+ "Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}",
 "ClientID": "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}",
 "DeviceAuthEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT}",
- "Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}",
 "TokenEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT}",
 "Scope": "${NETBIRD_AUTH_DEVICE_AUTH_SCOPE}",
 "UseIDToken": ${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}
 }
 },
- "Relay": {
- "Addresses": ["${NETBIRD_RELAY_URI}"],
- "CredentialsTTL": "24h",
- "Secret": "${NB_AUTH_SECRET}"
+ "PKCEAuthorizationFlow": {
+ "ProviderConfig": {
+ "Audience": "${NETBIRD_AUTH_PKCE_AUDIENCE}",
+ "ClientID": "${NETBIRD_AUTH_CLIENT_ID}",
+ "ClientSecret": "${NETBIRD_AUTH_CLIENT_SECRET}",
+ "Domain": "",
+ "AuthorizationEndpoint": "${NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT}",
+ "TokenEndpoint": "${NETBIRD_AUTH_TOKEN_ENDPOINT}",
+ "Scope": "${NETBIRD_AUTH_SUPPORTED_SCOPES}",
+ "RedirectURLs": ${NETBIRD_AUTH_PKCE_REDIRECT_URLS},
+ "UseIDToken": ${NETBIRD_AUTH_PKCE_USE_ID_TOKEN:-false}
+ }
 }
 }
diff --git a/k8s/infra/vpn/netbird/management/deployment.yaml b/k8s/infra/vpn/netbird/management/deployment.yaml
index 6010d98..8d6e810 100644
--- a/k8s/infra/vpn/netbird/management/deployment.yaml
+++ b/k8s/infra/vpn/netbird/management/deployment.yaml
@@ -33,7 +33,7 @@ spec:
 args:
 - >
 go install github.com/drone/envsubst/cmd/envsubst@latest &&
- envsubst < /tmp/netbird/management.tmpl.json > /etc/netbird/management.json
+ envsubst < /tmp/netbird/management.json.tmpl > /etc/netbird/management.json
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: false
@@ -45,14 +45,10 @@ spec:
 name: management-auth-config
 - configMapRef:
 name: management-connection-config
- - configMapRef:
- name: management-idp-config
 - secretRef:
 name: relay-secret
 - secretRef:
 name: coturn-credentials
- - secretRef:
- name: management-oidc-credentials
 volumeMounts:
 - name: config
 mountPath: /etc/netbird
diff --git a/k8s/infra/vpn/netbird/management/kustomization.yaml b/k8s/infra/vpn/netbird/management/kustomization.yaml
index cc8b0fb..8984279 100644
--- a/k8s/infra/vpn/netbird/management/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/management/kustomization.yaml
@@ -9,7 +9,8 @@ configMapGenerator:
 - name: management-config-template
 namespace: netbird
 files:
- - config/management.tmpl.json
+ # https://github.com/netbirdio/netbird/blob/main/infrastructure_files/management.json.tmpl
+ - config/management.json.tmpl
 - name: management-auth-config
 namespace: netbird
 literals:
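Review bot: `"RedirectURLs": ${NETBIRD_AUTH_PKCE_REDIRECT_URLS},` in the new PKCEAuthorizationFlow block is substituted unquoted with no fallback, so an unset or empty variable renders `"RedirectURLs": ,` and management.json is no longer valid JSON at container start; the neighbouring `ExtraConfig` and `UseIDToken` lines already use `:-null` / `:-false`, so give this one a fallback too, `"RedirectURLs": ${NETBIRD_AUTH_PKCE_REDIRECT_URLS:-[]},`. The new ClientConfig still reads `NETBIRD_IDP_MGMT_CLIENT_ID` / `NETBIRD_IDP_MGMT_CLIENT_SECRET` and the PKCE block reads `NETBIRD_AUTH_CLIENT_SECRET`, but the deployment hunk drops the `management-idp-config` and `management-oidc-credentials` envFrom sources and the kustomization hunks add no replacement, so as far as this diff shows those expand to empty strings; that is presumably harmless while `ManagerType` falls back to `none`, but a comment next to the management-auth-config literals (e.g. `# IdP manager disabled: NETBIRD_IDP_MGMT_* and NETBIRD_AUTH_CLIENT_SECRET intentionally unset`) would keep a later re-enable from shipping blank credentials. If the PKCE ProviderConfig is handed out to peers, as a public-client flow normally is, any value later placed in `NETBIRD_AUTH_CLIENT_SECRET` would be disclosed to every client, so it is worth confirming the field is meant to stay empty. The secret carried by the deleted SealedSecret and the `netbird-backend` XOidcClient is only unreferenced by this commit, not revoked; rotate or remove that client on the IdP side and prune the in-cluster Secret if the GitOps tooling does not. The root object of the template begins outside the hunk.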
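Review bot: The renamed `envsubst < /tmp/netbird/management.json.tmpl > /etc/netbird/management.json` still runs directly after `go install github.com/drone/envsubst/cmd/envsubst@latest &&`, so every container start fetches an unpinned module over the network before the config is rendered, and an upstream change lands in the cluster without review. Pin the module (`envsubst@<pinned-version>`, the version this was tested against) or build the binary into the image so the rendering step is reproducible and needs no egress. The `args` folded scalar and the rest of the container spec continue outside the hunk.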
@@ -22,6 +23,11 @@ configMapGenerator:
 - NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT="https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token"
 - NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
 - NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN="false"
+ - NETBIRD_AUTH_AUDIENCE="netbird-dashboard"
+ - NETBIRD_AUTH_PKCE_AUDIENCE="netbird-dashboard"
+ - NETBIRD_AUTH_CLIENT_ID="netbird-dashboard"
+ - NETBIRD_AUTH_PKCE_REDIRECT_URLS='[ "http://localhost:53000" ]'
+ - NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access netbird-api"
 - name: management-connection-config
 namespace: netbird
 literals:
@@ -30,13 +36,6 @@ configMapGenerator:
 - NETBIRD_SIGNAL_PROTOCOL="https"
 - NETBIRD_STUN_URI="stun:coturn.stonegarden.dev:5349"
 - NETBIRD_TURN_URI="turn:coturn.stonegarden.dev:5349"
- - name: management-idp-config
- namespace: netbird
- literals:
- - NETBIRD_IDP_MANAGER_TYPE="keycloak"
- - NETBIRD_IDP_GRANT_TYPE="client_credentials"
- - NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT="https://keycloak.stonegarden.dev/admin/realms/homelab"
- - NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT="https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token"
 - name: management-runtime-config
 namespace: netbird
 literals:
@@ -52,5 +51,3 @@ resources:
 - svc.yaml
 - pvc.yaml
 - coturn-credentials.yaml
- - oidc-credentials.yaml
- - x-oidc-client.yaml
diff --git a/k8s/infra/vpn/netbird/management/oidc-credentials.yaml b/k8s/infra/vpn/netbird/management/oidc-credentials.yaml
deleted file mode 100644
index 6432e03..0000000
--- a/k8s/infra/vpn/netbird/management/oidc-credentials.yaml
+++ /dev/null
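Review bot: `NETBIRD_AUTH_PKCE_REDIRECT_URLS='[ "http://localhost:53000" ]'` is a raw JSON array that management.json.tmpl splices in unquoted, so a malformed edit here (a stray comma, a bare URL) only surfaces as an unparseable config at pod start; a comment above the line, `# raw JSON array, substituted verbatim into management.json.tmpl`, would make that constraint visible, and it is worth checking the generated ConfigMap to confirm the generator strips the single quotes here as it does the double quotes on the neighbouring literals. `NETBIRD_AUTH_AUDIENCE` is added but no template line in this diff reads it; if an unchanged part of the template consumes it that is fine, otherwise it is dead configuration. The management-auth-config `literals` list begins before this hunk.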
@@ -1,14 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
- name: management-oidc-credentials
- namespace: netbird
-spec:
- encryptedData:
- NETBIRD_IDP_CLIENT_ID: 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
- NETBIRD_IDP_CLIENT_SECRET: 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
- template:
- metadata:
- name: management-oidc-credentials
- namespace: netbird
- type: Opaque
diff --git a/k8s/infra/vpn/netbird/management/x-oidc-client.yaml b/k8s/infra/vpn/netbird/management/x-oidc-client.yaml
deleted file mode 100644
index 91bbac4..0000000
--- a/k8s/infra/vpn/netbird/management/x-oidc-client.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: oidc.homelab.olav.ninja/v1alpha1
-kind: XOidcClient
-metadata:
- name: netbird-backend
-spec:
- realm: homelab
- clientId: netbird-backend
- displayName: Netbird Backend
- description: Netbird Backend Client
- clientSecretSecretRef:
- name: management-oidc-credentials
- namespace: netbird
- key: NETBIRD_IDP_CLIENT_SECRET
- type: CONFIDENTIAL
- grantTypes:
- - client_credentials
- - code
- - device_code
- - password
- redirectUris:
- - "/*"
- webOrigins:
- - "+"
- serviceAccountRoles:
- - realm: homelab
- client: builtin-homelab-realm-management
- role: view-users