chore: renamed new migration files to latest timestamp (gh-action)

Merge pull request #2034 from Infisical/misc/add-on-update-trigger-oidc
misc: add onUpdate trigger to oidc config
2025-03-22 19:02:39 +00:00 · 2024-06-27 17:32:39 +00:00 · 2024-06-27 23:02:14 +05:30 · 2024-06-27 19:55:01 +08:00 · 2024-06-26 18:55:13 -04:00 · 2024-06-26 15:30:15 -04:00
250 changed files with 8077 additions and 1452 deletions
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@ -50,6 +50,13 @@ jobs:
    environment:
      name: Gamma
    steps:
+      - uses: twingate/github-action@v1
+        with:
+          # The Twingate Service Key used to connect Twingate to the proper service
+          # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
+          #
+          # Required
+          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup Node.js environment
@ -74,21 +81,21 @@ jobs:
        uses: pr-mpt/actions-commit-hash@v2
      - name: Download task definition
        run: |
-          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-gamma-stage --query taskDefinition > task-definition.json
      - name: Render Amazon ECS task definition
        id: render-web-container
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
-          container-name: infisical-core-platform
+          container-name: infisical-core
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-platform
-          cluster: infisical-core-platform
+          service: infisical-core-gamma-stage
+          cluster: infisical-gamma-stage
          wait-for-service-stability: true

  production-postgres-deployment:
--- a/README.md
+++ b/README.md
@ -48,25 +48,26 @@

 ## Introduction

-**[Infisical](https://infisical.com)** is the open source secret management platform that teams use to centralize their secrets like API keys, database credentials, and configurations.
+**[Infisical](https://infisical.com)** is the open source secret management platform that teams use to centralize their application configuration and secrets like API keys and database credentials as well as manage their internal PKI.

-We're on a mission to make secret management more accessible to everyone, not just security teams, and that means redesigning the entire developer experience from ground up.
+We're on a mission to make security tooling more accessible to everyone, not just security teams, and that means redesigning the entire developer experience from ground up.

 ## Features

- **[User-friendly dashboard](https://infisical.com/docs/documentation/platform/project)** to manage secrets across projects and environments (e.g. development, production, etc.). 
- **[Client SDKs](https://infisical.com/docs/sdks/overview)** to fetch secrets for your apps and infrastructure on demand. 
- **[Infisical CLI](https://infisical.com/docs/cli/overview)** to fetch and inject secrets into any framework in local development and CI/CD. 
- **[Infisical API](https://infisical.com/docs/api-reference/overview/introduction)** to perform CRUD operation on secrets, users, projects, and any other resource in Infisical. 
- **[Native integrations](https://infisical.com/docs/integrations/overview)** with platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more. 
+- **[User-friendly dashboard](https://infisical.com/docs/documentation/platform/project)** to manage secrets across projects and environments (e.g. development, production, etc.).
+- **[Client SDKs](https://infisical.com/docs/sdks/overview)** to fetch secrets for your apps and infrastructure on demand.
+- **[Infisical CLI](https://infisical.com/docs/cli/overview)** to fetch and inject secrets into any framework in local development and CI/CD.
+- **[Infisical API](https://infisical.com/docs/api-reference/overview/introduction)** to perform CRUD operation on secrets, users, projects, and any other resource in Infisical.
+- **[Native integrations](https://infisical.com/docs/integrations/overview)** with platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more.
 - **[Infisical Kubernetes operator](https://infisical.com/docs/documentation/getting-started/kubernetes)** to managed secrets in k8s, automatically reload deployments, and more.
- **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)** to inject secrets into your applications without modifying any code logic. 
+- **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)** to inject secrets into your applications without modifying any code logic.
 - **[Self-hosting and on-prem](https://infisical.com/docs/self-hosting/overview)** to get complete control over your data.
- **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)** to version every secret and project state. 
- **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project. 
- **[Role-based Access Controls](https://infisical.com/docs/documentation/platform/role-based-access-controls)** to create permission sets on any resource in Infisica and assign those to user or machine identities. 
+- **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)** to version every secret and project state.
+- **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project.
+- **[Role-based Access Controls](https://infisical.com/docs/documentation/platform/role-based-access-controls)** to create permission sets on any resource in Infisica and assign those to user or machine identities.
 - **[Simple on-premise deployments](https://infisical.com/docs/self-hosting/overview)** to AWS, Digital Ocean, and more.
- **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)** to prevent secrets from leaking to git. 
+- **[Internal PKI](https://infisical.com/docs/documentation/platform/pki/private-ca)** to create Private CA hierarchies and start issuing and managing X.509 digital certificates.
+- **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)** to prevent secrets from leaking to git.

 And much more.

@ -74,9 +75,9 @@ And much more.

 Check out the [Quickstart Guides](https://infisical.com/docs/getting-started/introduction)

-| Use Infisical Cloud                                                                                                                                     | Deploy Infisical on premise                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). |  <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
+| Use Infisical Cloud                                                                                                                                     | Deploy Infisical on premise                                                          |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
+| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). | <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |

 ### Run Infisical locally

--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -38,6 +38,7 @@
        "bcrypt": "^5.1.1",
        "bullmq": "^5.4.2",
        "cassandra-driver": "^4.7.2",
+        "connect-redis": "^7.1.1",
        "cron": "^3.1.7",
        "dotenv": "^16.4.1",
        "fastify": "^4.26.0",
@ -57,6 +58,7 @@
        "mysql2": "^3.9.8",
        "nanoid": "^5.0.4",
        "nodemailer": "^6.9.9",
+        "openid-client": "^5.6.5",
        "ora": "^7.0.1",
        "oracledb": "^6.4.0",
        "passport-github": "^1.1.0",
@ -6790,6 +6792,17 @@
      "integrity": "sha512-JsPKdmh8ZkmnHxDk55FZ1TqVLvEQTvoByJZRN9jzI0UjxK/QgAmsphz7PGtqgPieQZ/CQcHWXCR7ATDNhGe+YA==",
      "dev": true
    },
+    "node_modules/connect-redis": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/connect-redis/-/connect-redis-7.1.1.tgz",
+      "integrity": "sha512-M+z7alnCJiuzKa8/1qAYdGUXHYfDnLolOGAUjOioB07pP39qxjG+X9ibsud7qUBc4jMV5Mcy3ugGv8eFcgamJQ==",
+      "engines": {
+        "node": ">=16"
+      },
+      "peerDependencies": {
+        "express-session": ">=1"
+      }
+    },
    "node_modules/console-control-strings": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz",
@ -7896,6 +7909,55 @@
        "node": ">= 0.10.0"
      }
    },
+    "node_modules/express-session": {
+      "version": "1.18.0",
+      "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.18.0.tgz",
+      "integrity": "sha512-m93QLWr0ju+rOwApSsyso838LQwgfs44QtOP/WBiwtAgPIo/SAh1a5c6nn2BR6mFNZehTpqKDESzP+fRHVbxwQ==",
+      "peer": true,
+      "dependencies": {
+        "cookie": "0.6.0",
+        "cookie-signature": "1.0.7",
+        "debug": "2.6.9",
+        "depd": "~2.0.0",
+        "on-headers": "~1.0.2",
+        "parseurl": "~1.3.3",
+        "safe-buffer": "5.2.1",
+        "uid-safe": "~2.1.5"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/express-session/node_modules/cookie": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
+      "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==",
+      "peer": true,
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/express-session/node_modules/cookie-signature": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
+      "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==",
+      "peer": true
+    },
+    "node_modules/express-session/node_modules/debug": {
+      "version": "2.6.9",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "peer": true,
+      "dependencies": {
+        "ms": "2.0.0"
+      }
+    },
+    "node_modules/express-session/node_modules/ms": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "peer": true
+    },
    "node_modules/express/node_modules/cookie": {
      "version": "0.6.0",
      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
@ -9603,6 +9665,14 @@
        "node": ">= 0.6.0"
      }
    },
+    "node_modules/jose": {
+      "version": "4.15.5",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.5.tgz",
+      "integrity": "sha512-jc7BFxgKPKi94uOvEmzlSWFFe2+vASyXaKUpdQKatWAESU2MWjDfFf0fdfc83CDKcA5QecabZeNLyfhe3yKNkg==",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
    "node_modules/joycon": {
      "version": "3.1.1",
      "resolved": "https://registry.npmjs.org/joycon/-/joycon-3.1.1.tgz",
@ -10728,6 +10798,14 @@
        "node": ">=0.10.0"
      }
    },
+    "node_modules/object-hash": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-2.2.0.tgz",
+      "integrity": "sha512-gScRMn0bS5fH+IuwyIFgnh9zBdo4DV+6GhygmWM9HyNJSgS0hScp1f5vjtm7oIIOiT9trXrShAkLFSc2IqKNgw==",
+      "engines": {
+        "node": ">= 6"
+      }
+    },
    "node_modules/object-inspect": {
      "version": "1.13.1",
      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.1.tgz",
@ -10851,6 +10929,14 @@
        "@octokit/core": ">=5"
      }
    },
+    "node_modules/oidc-token-hash": {
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/oidc-token-hash/-/oidc-token-hash-5.0.3.tgz",
+      "integrity": "sha512-IF4PcGgzAr6XXSff26Sk/+P4KZFJVuHAJZj3wgO3vX2bMdNVp/QXTP3P7CEm9V1IdG8lDLY3HhiqpsE/nOwpPw==",
+      "engines": {
+        "node": "^10.13.0 || >=12.0.0"
+      }
+    },
    "node_modules/on-exit-leak-free": {
      "version": "2.1.2",
      "resolved": "https://registry.npmjs.org/on-exit-leak-free/-/on-exit-leak-free-2.1.2.tgz",
@ -10870,6 +10956,15 @@
        "node": ">= 0.8"
      }
    },
+    "node_modules/on-headers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz",
+      "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==",
+      "peer": true,
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
    "node_modules/once": {
      "version": "1.4.0",
      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
@ -10897,6 +10992,20 @@
      "resolved": "https://registry.npmjs.org/openapi-types/-/openapi-types-12.1.3.tgz",
      "integrity": "sha512-N4YtSYJqghVu4iek2ZUvcN/0aqH1kRDuNqzcycDxhOUpg7GdvLa2F3DgS6yBNhInhv2r/6I0Flkn7CqL8+nIcw=="
    },
+    "node_modules/openid-client": {
+      "version": "5.6.5",
+      "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.6.5.tgz",
+      "integrity": "sha512-5P4qO9nGJzB5PI0LFlhj4Dzg3m4odt0qsJTfyEtZyOlkgpILwEioOhVVJOrS1iVH494S4Ee5OCjjg6Bf5WOj3w==",
+      "dependencies": {
+        "jose": "^4.15.5",
+        "lru-cache": "^6.0.0",
+        "object-hash": "^2.2.0",
+        "oidc-token-hash": "^5.0.3"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
    "node_modules/optionator": {
      "version": "0.9.3",
      "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz",
@ -11948,6 +12057,15 @@
      "resolved": "https://registry.npmjs.org/quick-format-unescaped/-/quick-format-unescaped-4.0.4.tgz",
      "integrity": "sha512-tYC1Q1hgyRuHgloV/YXs2w15unPVh8qfu/qCTfhTYamaw7fyhumKa2yGpdSo87vY32rIclj+4fWYQXUMs9EHvg=="
    },
+    "node_modules/random-bytes": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz",
+      "integrity": "sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ==",
+      "peer": true,
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
    "node_modules/randombytes": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
@ -14027,6 +14145,18 @@
        "node": ">=0.8.0"
      }
    },
+    "node_modules/uid-safe": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz",
+      "integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==",
+      "peer": true,
+      "dependencies": {
+        "random-bytes": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
    "node_modules/uid2": {
      "version": "0.0.4",
      "resolved": "https://registry.npmjs.org/uid2/-/uid2-0.0.4.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@ -99,6 +99,7 @@
    "bcrypt": "^5.1.1",
    "bullmq": "^5.4.2",
    "cassandra-driver": "^4.7.2",
+    "connect-redis": "^7.1.1",
    "cron": "^3.1.7",
    "dotenv": "^16.4.1",
    "fastify": "^4.26.0",
@ -118,6 +119,7 @@
    "mysql2": "^3.9.8",
    "nanoid": "^5.0.4",
    "nodemailer": "^6.9.9",
+    "openid-client": "^5.6.5",
    "ora": "^7.0.1",
    "oracledb": "^6.4.0",
    "passport-github": "^1.1.0",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -13,6 +13,7 @@ import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
@ -102,6 +103,7 @@ declare module "fastify" {
      permission: TPermissionServiceFactory;
      org: TOrgServiceFactory;
      orgRole: TOrgRoleServiceFactory;
+      oidc: TOidcConfigServiceFactory;
      superAdmin: TSuperAdminServiceFactory;
      user: TUserServiceFactory;
      group: TGroupServiceFactory;
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -134,6 +134,9 @@ import {
  TLdapGroupMaps,
  TLdapGroupMapsInsert,
  TLdapGroupMapsUpdate,
+  TOidcConfigs,
+  TOidcConfigsInsert,
+  TOidcConfigsUpdate,
  TOrganizations,
  TOrganizationsInsert,
  TOrganizationsUpdate,
@ -549,6 +552,7 @@ declare module "knex/types/tables" {
      TDynamicSecretLeasesUpdate
    >;
    [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
+    [TableName.OidcConfig]: Knex.CompositeTableType<TOidcConfigs, TOidcConfigsInsert, TOidcConfigsUpdate>;
    [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
    [TableName.LdapGroupMap]: Knex.CompositeTableType<TLdapGroupMaps, TLdapGroupMapsInsert, TLdapGroupMapsUpdate>;
    [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
--- a/backend/src/db/migrations/20240609133400_private-key-handoff.ts
+++ b/backend/src/db/migrations/20240609133400_private-key-handoff.ts
@ -0,0 +1,61 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesPasswordFieldExist = await knex.schema.hasColumn(TableName.UserEncryptionKey, "hashedPassword");
+  const doesPrivateKeyFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKey"
+  );
+  const doesPrivateKeyIVFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyIV"
+  );
+  const doesPrivateKeyTagFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyTag"
+  );
+  const doesPrivateKeyEncodingFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyEncoding"
+  );
+  if (await knex.schema.hasTable(TableName.UserEncryptionKey)) {
+    await knex.schema.alterTable(TableName.UserEncryptionKey, (t) => {
+      if (!doesPasswordFieldExist) t.string("hashedPassword");
+      if (!doesPrivateKeyFieldExist) t.text("serverEncryptedPrivateKey");
+      if (!doesPrivateKeyIVFieldExist) t.text("serverEncryptedPrivateKeyIV");
+      if (!doesPrivateKeyTagFieldExist) t.text("serverEncryptedPrivateKeyTag");
+      if (!doesPrivateKeyEncodingFieldExist) t.text("serverEncryptedPrivateKeyEncoding");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesPasswordFieldExist = await knex.schema.hasColumn(TableName.UserEncryptionKey, "hashedPassword");
+  const doesPrivateKeyFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKey"
+  );
+  const doesPrivateKeyIVFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyIV"
+  );
+  const doesPrivateKeyTagFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyTag"
+  );
+  const doesPrivateKeyEncodingFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyEncoding"
+  );
+  if (await knex.schema.hasTable(TableName.UserEncryptionKey)) {
+    await knex.schema.alterTable(TableName.UserEncryptionKey, (t) => {
+      if (doesPasswordFieldExist) t.dropColumn("hashedPassword");
+      if (doesPrivateKeyFieldExist) t.dropColumn("serverEncryptedPrivateKey");
+      if (doesPrivateKeyIVFieldExist) t.dropColumn("serverEncryptedPrivateKeyIV");
+      if (doesPrivateKeyTagFieldExist) t.dropColumn("serverEncryptedPrivateKeyTag");
+      if (doesPrivateKeyEncodingFieldExist) t.dropColumn("serverEncryptedPrivateKeyEncoding");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240624161942_add-oidc-auth.ts
+++ b/backend/src/db/migrations/20240624161942_add-oidc-auth.ts
@ -0,0 +1,49 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.OidcConfig))) {
+    await knex.schema.createTable(TableName.OidcConfig, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.string("discoveryURL");
+      tb.string("issuer");
+      tb.string("authorizationEndpoint");
+      tb.string("jwksUri");
+      tb.string("tokenEndpoint");
+      tb.string("userinfoEndpoint");
+      tb.text("encryptedClientId").notNullable();
+      tb.string("configurationType").notNullable();
+      tb.string("clientIdIV").notNullable();
+      tb.string("clientIdTag").notNullable();
+      tb.text("encryptedClientSecret").notNullable();
+      tb.string("clientSecretIV").notNullable();
+      tb.string("clientSecretTag").notNullable();
+      tb.string("allowedEmailDomains").nullable();
+      tb.boolean("isActive").notNullable();
+      tb.timestamps(true, true, true);
+      tb.uuid("orgId").notNullable().unique();
+      tb.foreign("orgId").references("id").inTable(TableName.Organization);
+    });
+  }
+
+  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
+    if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "trustOidcEmails"))) {
+      await knex.schema.alterTable(TableName.SuperAdmin, (tb) => {
+        tb.boolean("trustOidcEmails").defaultTo(false);
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.OidcConfig);
+
+  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
+    if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustOidcEmails")) {
+      await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+        t.dropColumn("trustOidcEmails");
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20240624172027_default-saml-ldap-org.ts
+++ b/backend/src/db/migrations/20240624172027_default-saml-ldap-org.ts
@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const DEFAULT_AUTH_ORG_ID_FIELD = "defaultAuthOrgId";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasDefaultOrgColumn = await knex.schema.hasColumn(TableName.SuperAdmin, DEFAULT_AUTH_ORG_ID_FIELD);
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (!hasDefaultOrgColumn) {
+      t.uuid(DEFAULT_AUTH_ORG_ID_FIELD).nullable();
+      t.foreign(DEFAULT_AUTH_ORG_ID_FIELD).references("id").inTable(TableName.Organization).onDelete("SET NULL");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasDefaultOrgColumn = await knex.schema.hasColumn(TableName.SuperAdmin, DEFAULT_AUTH_ORG_ID_FIELD);
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (hasDefaultOrgColumn) {
+      t.dropForeign([DEFAULT_AUTH_ORG_ID_FIELD]);
+      t.dropColumn(DEFAULT_AUTH_ORG_ID_FIELD);
+    }
+  });
+}
--- a/backend/src/db/migrations/20240624221840_certificate-alt-names.ts
+++ b/backend/src/db/migrations/20240624221840_certificate-alt-names.ts
@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    const hasAltNamesColumn = await knex.schema.hasColumn(TableName.Certificate, "altNames");
+    if (!hasAltNamesColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("altNames").defaultTo("");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    if (await knex.schema.hasColumn(TableName.Certificate, "altNames")) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.dropColumn("altNames");
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20240626171758_add-ldap-unique-user-attribute.ts
+++ b/backend/src/db/migrations/20240626171758_add-ldap-unique-user-attribute.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.LdapConfig, "uniqueUserAttribute"))) {
+    await knex.schema.alterTable(TableName.LdapConfig, (tb) => {
+      tb.string("uniqueUserAttribute").notNullable().defaultTo("");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.LdapConfig, "uniqueUserAttribute")) {
+    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+      t.dropColumn("uniqueUserAttribute");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240626171943_configurable-audit-log-retention.ts
+++ b/backend/src/db/migrations/20240626171943_configurable-audit-log-retention.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Project, "auditLogsRetentionDays"))) {
+    await knex.schema.alterTable(TableName.Project, (tb) => {
+      tb.integer("auditLogsRetentionDays").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Project, "auditLogsRetentionDays")) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("auditLogsRetentionDays");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240627173239_add-oidc-updated-at-trigger.ts
+++ b/backend/src/db/migrations/20240627173239_add-oidc-updated-at-trigger.ts
@ -0,0 +1,12 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  await createOnUpdateTrigger(knex, TableName.OidcConfig);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.OidcConfig);
+}
--- a/backend/src/db/schemas/certificates.ts
+++ b/backend/src/db/schemas/certificates.ts
@ -19,7 +19,8 @@ export const CertificatesSchema = z.object({
  notBefore: z.date(),
  notAfter: z.date(),
  revokedAt: z.date().nullable().optional(),
-  revocationReason: z.number().nullable().optional()
+  revocationReason: z.number().nullable().optional(),
+  altNames: z.string().default("").nullable().optional()
 });

 export type TCertificates = z.infer<typeof CertificatesSchema>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -43,6 +43,7 @@ export * from "./kms-root-config";
 export * from "./ldap-configs";
 export * from "./ldap-group-maps";
 export * from "./models";
+export * from "./oidc-configs";
 export * from "./org-bots";
 export * from "./org-memberships";
 export * from "./org-roles";
--- a/backend/src/db/schemas/ldap-configs.ts
+++ b/backend/src/db/schemas/ldap-configs.ts
@ -26,7 +26,8 @@ export const LdapConfigsSchema = z.object({
  updatedAt: z.date(),
  groupSearchBase: z.string().default(""),
  groupSearchFilter: z.string().default(""),
-  searchFilter: z.string().default("")
+  searchFilter: z.string().default(""),
+  uniqueUserAttribute: z.string().default("")
 });

 export type TLdapConfigs = z.infer<typeof LdapConfigsSchema>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -78,6 +78,7 @@ export enum TableName {
  SecretRotationOutput = "secret_rotation_outputs",
  SamlConfig = "saml_configs",
  LdapConfig = "ldap_configs",
+  OidcConfig = "oidc_configs",
  LdapGroupMap = "ldap_group_maps",
  AuditLog = "audit_logs",
  AuditLogStream = "audit_log_streams",
--- a/backend/src/db/schemas/oidc-configs.ts
+++ b/backend/src/db/schemas/oidc-configs.ts
@ -0,0 +1,34 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const OidcConfigsSchema = z.object({
+  id: z.string().uuid(),
+  discoveryURL: z.string().nullable().optional(),
+  issuer: z.string().nullable().optional(),
+  authorizationEndpoint: z.string().nullable().optional(),
+  jwksUri: z.string().nullable().optional(),
+  tokenEndpoint: z.string().nullable().optional(),
+  userinfoEndpoint: z.string().nullable().optional(),
+  encryptedClientId: z.string(),
+  configurationType: z.string(),
+  clientIdIV: z.string(),
+  clientIdTag: z.string(),
+  encryptedClientSecret: z.string(),
+  clientSecretIV: z.string(),
+  clientSecretTag: z.string(),
+  allowedEmailDomains: z.string().nullable().optional(),
+  isActive: z.boolean(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  orgId: z.string().uuid()
+});
+
+export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;
+export type TOidcConfigsInsert = Omit<z.input<typeof OidcConfigsSchema>, TImmutableDBKeys>;
+export type TOidcConfigsUpdate = Partial<Omit<z.input<typeof OidcConfigsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@ -17,8 +17,9 @@ export const ProjectsSchema = z.object({
  updatedAt: z.date(),
  version: z.number().default(1),
  upgradeStatus: z.string().nullable().optional(),
+  pitVersionLimit: z.number().default(10),
  kmsCertificateKeyId: z.string().uuid().nullable().optional(),
-  pitVersionLimit: z.number().default(10)
+  auditLogsRetentionDays: z.number().nullable().optional()
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/super-admin.ts
+++ b/backend/src/db/schemas/super-admin.ts
@ -16,7 +16,9 @@ export const SuperAdminSchema = z.object({
  allowedSignUpDomain: z.string().nullable().optional(),
  instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000"),
  trustSamlEmails: z.boolean().default(false).nullable().optional(),
-  trustLdapEmails: z.boolean().default(false).nullable().optional()
+  trustLdapEmails: z.boolean().default(false).nullable().optional(),
+  trustOidcEmails: z.boolean().default(false).nullable().optional(),
+  defaultAuthOrgId: z.string().uuid().nullable().optional()
 });

 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;
--- a/backend/src/db/schemas/user-encryption-keys.ts
+++ b/backend/src/db/schemas/user-encryption-keys.ts
@ -21,7 +21,12 @@ export const UserEncryptionKeysSchema = z.object({
  tag: z.string(),
  salt: z.string(),
  verifier: z.string(),
-  userId: z.string().uuid()
+  userId: z.string().uuid(),
+  hashedPassword: z.string().nullable().optional(),
+  serverEncryptedPrivateKey: z.string().nullable().optional(),
+  serverEncryptedPrivateKeyIV: z.string().nullable().optional(),
+  serverEncryptedPrivateKeyTag: z.string().nullable().optional(),
+  serverEncryptedPrivateKeyEncoding: z.string().nullable().optional()
 });

 export type TUserEncryptionKeys = z.infer<typeof UserEncryptionKeysSchema>;
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -8,6 +8,7 @@ import { registerGroupRouter } from "./group-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
 import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
+import { registerOidcRouter } from "./oidc-router";
 import { registerOrgRoleRouter } from "./org-role-router";
 import { registerProjectRoleRouter } from "./project-role-router";
 import { registerProjectRouter } from "./project-router";
@ -64,7 +65,14 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
    { prefix: "/pki" }
  );

-  await server.register(registerSamlRouter, { prefix: "/sso" });
+  await server.register(
+    async (ssoRouter) => {
+      await ssoRouter.register(registerSamlRouter);
+      await ssoRouter.register(registerOidcRouter, { prefix: "/oidc" });
+    },
+    { prefix: "/sso" }
+  );
+
  await server.register(registerScimRouter, { prefix: "/scim" });
  await server.register(registerLdapRouter, { prefix: "/ldap" });
  await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@ -53,7 +53,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
      // eslint-disable-next-line
      async (req: IncomingMessage, user, cb) => {
        try {
-          if (!user.email) throw new BadRequestError({ message: "Invalid request. Missing email." });
+          if (!user.mail) throw new BadRequestError({ message: "Invalid request. Missing mail attribute on user." });
          const ldapConfig = (req as unknown as FastifyRequest).ldapConfig as TLDAPConfig;

          let groups: { dn: string; cn: string }[] | undefined;
@ -70,10 +70,13 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
            groups = await searchGroups(ldapConfig, groupSearchFilter, ldapConfig.groupSearchBase);
          }

+          const externalId = ldapConfig.uniqueUserAttribute ? user[ldapConfig.uniqueUserAttribute] : user.uidNumber;
+          const username = ldapConfig.uniqueUserAttribute ? externalId : user.uid;
+
          const { isUserCompleted, providerAuthToken } = await server.services.ldap.ldapLogin({
+            externalId,
+            username,
            ldapConfigId: ldapConfig.id,
-            externalId: user.uidNumber,
-            username: user.uid,
            firstName: user.givenName ?? user.cn ?? "",
            lastName: user.sn ?? "",
            email: user.mail,
@ -138,6 +141,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
          url: z.string(),
          bindDN: z.string(),
          bindPass: z.string(),
+          uniqueUserAttribute: z.string(),
          searchBase: z.string(),
          searchFilter: z.string(),
          groupSearchBase: z.string(),
@ -172,6 +176,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
        url: z.string().trim(),
        bindDN: z.string().trim(),
        bindPass: z.string().trim(),
+        uniqueUserAttribute: z.string().trim().default("uidNumber"),
        searchBase: z.string().trim(),
        searchFilter: z.string().trim().default("(uid={{username}})"),
        groupSearchBase: z.string().trim(),
@ -213,6 +218,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
          url: z.string().trim(),
          bindDN: z.string().trim(),
          bindPass: z.string().trim(),
+          uniqueUserAttribute: z.string().trim(),
          searchBase: z.string().trim(),
          searchFilter: z.string().trim(),
          groupSearchBase: z.string().trim(),
--- a/backend/src/ee/routes/v1/oidc-router.ts
+++ b/backend/src/ee/routes/v1/oidc-router.ts
@ -0,0 +1,355 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/no-unsafe-return */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+/* eslint-disable @typescript-eslint/no-unsafe-call */
+/* eslint-disable @typescript-eslint/no-unsafe-argument */
+// All the any rules are disabled because passport typesense with fastify is really poor
+
+import { Authenticator, Strategy } from "@fastify/passport";
+import fastifySession from "@fastify/session";
+import RedisStore from "connect-redis";
+import { Redis } from "ioredis";
+import { z } from "zod";
+
+import { OidcConfigsSchema } from "@app/db/schemas/oidc-configs";
+import { OIDCConfigurationType } from "@app/ee/services/oidc/oidc-config-types";
+import { getConfig } from "@app/lib/config/env";
+import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerOidcRouter = async (server: FastifyZodProvider) => {
+  const appCfg = getConfig();
+  const redis = new Redis(appCfg.REDIS_URL);
+  const passport = new Authenticator({ key: "oidc", userProperty: "passportUser" });
+
+  /*
+  - OIDC protocol cannot work without sessions: https://github.com/panva/node-openid-client/issues/190
+  - Current redis usage is not ideal and will eventually have to be refactored to use a better structure
+  - Fastify session <> Redis structure is based on the ff: https://github.com/fastify/session/blob/master/examples/redis.js
+  */
+  const redisStore = new RedisStore({
+    client: redis,
+    prefix: "oidc-session:",
+    ttl: 600 // 10 minutes
+  });
+
+  await server.register(fastifySession, {
+    secret: appCfg.COOKIE_SECRET_SIGN_KEY,
+    store: redisStore,
+    cookie: {
+      secure: appCfg.HTTPS_ENABLED,
+      sameSite: "lax" // we want cookies to be sent to Infisical in redirects originating from IDP server
+    }
+  });
+
+  await server.register(passport.initialize());
+  await server.register(passport.secureSession());
+
+  // redirect to IDP for login
+  server.route({
+    url: "/login",
+    method: "GET",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      querystring: z.object({
+        orgSlug: z.string().trim(),
+        callbackPort: z.string().trim().optional()
+      })
+    },
+    preValidation: [
+      async (req, res) => {
+        const { orgSlug, callbackPort } = req.query;
+
+        // ensure fresh session state per login attempt
+        await req.session.regenerate();
+
+        req.session.set<any>("oidcOrgSlug", orgSlug);
+
+        if (callbackPort) {
+          req.session.set<any>("callbackPort", callbackPort);
+        }
+
+        const oidcStrategy = await server.services.oidc.getOrgAuthStrategy(orgSlug, callbackPort);
+        return (
+          passport.authenticate(oidcStrategy as Strategy, {
+            scope: "profile email openid"
+          }) as any
+        )(req, res);
+      }
+    ],
+    handler: () => {}
+  });
+
+  // callback route after login from IDP
+  server.route({
+    url: "/callback",
+    method: "GET",
+    preValidation: [
+      async (req, res) => {
+        const oidcOrgSlug = req.session.get<any>("oidcOrgSlug");
+        const callbackPort = req.session.get<any>("callbackPort");
+        const oidcStrategy = await server.services.oidc.getOrgAuthStrategy(oidcOrgSlug, callbackPort);
+
+        return (
+          passport.authenticate(oidcStrategy as Strategy, {
+            failureRedirect: "/api/v1/sso/oidc/login/error",
+            session: false,
+            failureMessage: true
+          }) as any
+        )(req, res);
+      }
+    ],
+    handler: async (req, res) => {
+      await req.session.destroy();
+
+      if (req.passportUser.isUserCompleted) {
+        return res.redirect(
+          `${appCfg.SITE_URL}/login/sso?token=${encodeURIComponent(req.passportUser.providerAuthToken)}`
+        );
+      }
+
+      // signup
+      return res.redirect(
+        `${appCfg.SITE_URL}/signup/sso?token=${encodeURIComponent(req.passportUser.providerAuthToken)}`
+      );
+    }
+  });
+
+  server.route({
+    url: "/login/error",
+    method: "GET",
+    handler: async (req, res) => {
+      await req.session.destroy();
+
+      return res.status(500).send({
+        error: "Authentication error",
+        details: req.query
+      });
+    }
+  });
+
+  server.route({
+    url: "/config",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      querystring: z.object({
+        orgSlug: z.string().trim()
+      }),
+      response: {
+        200: OidcConfigsSchema.pick({
+          id: true,
+          issuer: true,
+          authorizationEndpoint: true,
+          jwksUri: true,
+          tokenEndpoint: true,
+          userinfoEndpoint: true,
+          configurationType: true,
+          discoveryURL: true,
+          isActive: true,
+          orgId: true,
+          allowedEmailDomains: true
+        }).extend({
+          clientId: z.string(),
+          clientSecret: z.string()
+        })
+      }
+    },
+    handler: async (req) => {
+      const { orgSlug } = req.query;
+      const oidc = await server.services.oidc.getOidc({
+        orgSlug,
+        type: "external",
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      return oidc;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      body: z
+        .object({
+          allowedEmailDomains: z
+            .string()
+            .trim()
+            .optional()
+            .default("")
+            .transform((data) => {
+              if (data === "") return "";
+              // Trim each ID and join with ', ' to ensure formatting
+              return data
+                .split(",")
+                .map((id) => id.trim())
+                .join(", ");
+            }),
+          discoveryURL: z.string().trim(),
+          configurationType: z.nativeEnum(OIDCConfigurationType),
+          issuer: z.string().trim(),
+          authorizationEndpoint: z.string().trim(),
+          jwksUri: z.string().trim(),
+          tokenEndpoint: z.string().trim(),
+          userinfoEndpoint: z.string().trim(),
+          clientId: z.string().trim(),
+          clientSecret: z.string().trim(),
+          isActive: z.boolean()
+        })
+        .partial()
+        .merge(z.object({ orgSlug: z.string() })),
+      response: {
+        200: OidcConfigsSchema.pick({
+          id: true,
+          issuer: true,
+          authorizationEndpoint: true,
+          configurationType: true,
+          discoveryURL: true,
+          jwksUri: true,
+          tokenEndpoint: true,
+          userinfoEndpoint: true,
+          orgId: true,
+          allowedEmailDomains: true,
+          isActive: true
+        })
+      }
+    },
+    handler: async (req) => {
+      const oidc = await server.services.oidc.updateOidcCfg({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+      return oidc;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/config",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      body: z
+        .object({
+          allowedEmailDomains: z
+            .string()
+            .trim()
+            .optional()
+            .default("")
+            .transform((data) => {
+              if (data === "") return "";
+              // Trim each ID and join with ', ' to ensure formatting
+              return data
+                .split(",")
+                .map((id) => id.trim())
+                .join(", ");
+            }),
+          configurationType: z.nativeEnum(OIDCConfigurationType),
+          issuer: z.string().trim().optional().default(""),
+          discoveryURL: z.string().trim().optional().default(""),
+          authorizationEndpoint: z.string().trim().optional().default(""),
+          jwksUri: z.string().trim().optional().default(""),
+          tokenEndpoint: z.string().trim().optional().default(""),
+          userinfoEndpoint: z.string().trim().optional().default(""),
+          clientId: z.string().trim(),
+          clientSecret: z.string().trim(),
+          isActive: z.boolean(),
+          orgSlug: z.string().trim()
+        })
+        .superRefine((data, ctx) => {
+          if (data.configurationType === OIDCConfigurationType.CUSTOM) {
+            if (!data.issuer) {
+              ctx.addIssue({
+                path: ["issuer"],
+                message: "Issuer is required",
+                code: z.ZodIssueCode.custom
+              });
+            }
+            if (!data.authorizationEndpoint) {
+              ctx.addIssue({
+                path: ["authorizationEndpoint"],
+                message: "Authorization endpoint is required",
+                code: z.ZodIssueCode.custom
+              });
+            }
+            if (!data.jwksUri) {
+              ctx.addIssue({
+                path: ["jwksUri"],
+                message: "JWKS URI is required",
+                code: z.ZodIssueCode.custom
+              });
+            }
+            if (!data.tokenEndpoint) {
+              ctx.addIssue({
+                path: ["tokenEndpoint"],
+                message: "Token endpoint is required",
+                code: z.ZodIssueCode.custom
+              });
+            }
+            if (!data.userinfoEndpoint) {
+              ctx.addIssue({
+                path: ["userinfoEndpoint"],
+                message: "Userinfo endpoint is required",
+                code: z.ZodIssueCode.custom
+              });
+            }
+          } else {
+            // eslint-disable-next-line no-lonely-if
+            if (!data.discoveryURL) {
+              ctx.addIssue({
+                path: ["discoveryURL"],
+                message: "Discovery URL is required",
+                code: z.ZodIssueCode.custom
+              });
+            }
+          }
+        }),
+      response: {
+        200: OidcConfigsSchema.pick({
+          id: true,
+          issuer: true,
+          authorizationEndpoint: true,
+          configurationType: true,
+          discoveryURL: true,
+          jwksUri: true,
+          tokenEndpoint: true,
+          userinfoEndpoint: true,
+          orgId: true,
+          isActive: true,
+          allowedEmailDomains: true
+        })
+      }
+    },
+
+    handler: async (req) => {
+      const oidc = await server.services.oidc.createOidcCfg({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+      return oidc;
+    }
+  });
+};
--- a/backend/src/ee/services/audit-log/audit-log-queue.ts
+++ b/backend/src/ee/services/audit-log/audit-log-queue.ts
@ -45,18 +45,29 @@ export const auditLogQueueServiceFactory = ({
    const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
    let { orgId } = job.data;
    const MS_IN_DAY = 24 * 60 * 60 * 1000;
+    let project;

    if (!orgId) {
      // it will never be undefined for both org and project id
      // TODO(akhilmhdh): use caching here in dal to avoid db calls
-      const project = await projectDAL.findById(projectId as string);
+      project = await projectDAL.findById(projectId as string);
      orgId = project.orgId;
    }

    const plan = await licenseService.getPlan(orgId);
-    const ttl = plan.auditLogsRetentionDays * MS_IN_DAY;
-    // skip inserting if audit log retention is 0 meaning its not supported
-    if (ttl === 0) return;
+    if (plan.auditLogsRetentionDays === 0) {
+      // skip inserting if audit log retention is 0 meaning its not supported
+      return;
+    }
+
+    // For project actions, set TTL to project-level audit log retention config
+    // This condition ensures that the plan's audit log retention days cannot be bypassed
+    const ttlInDays =
+      project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
+        ? project.auditLogsRetentionDays
+        : plan.auditLogsRetentionDays;
+
+    const ttl = ttlInDays * MS_IN_DAY;

    const auditLog = await auditLogDAL.create({
      actor: actor.type,
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -65,25 +65,31 @@ export enum EventType {
  ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
  UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
  GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
+  REVOKE_IDENTITY_UNIVERSAL_AUTH = "revoke-identity-universal-auth",
  LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
  ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
  UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
  GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
+  REVOKE_IDENTITY_KUBERNETES_AUTH = "revoke-identity-kubernetes-auth",
  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
+  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID = "get-identity-universal-auth-client-secret-by-id",
  LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
  ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
  UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
+  REVOKE_IDENTITY_GCP_AUTH = "revoke-identity-gcp-auth",
  GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
+  REVOKE_IDENTITY_AWS_AUTH = "revoke-identity-aws-auth",
  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
  LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
  ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
  UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
  GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
+  REVOKE_IDENTITY_AZURE_AUTH = "revoke-identity-azure-auth",
  CREATE_ENVIRONMENT = "create-environment",
  UPDATE_ENVIRONMENT = "update-environment",
  DELETE_ENVIRONMENT = "delete-environment",
@ -434,6 +440,13 @@ interface GetIdentityUniversalAuthEvent {
  };
 }

+interface DeleteIdentityUniversalAuthEvent {
+  type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityKubernetesAuthEvent {
  type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH;
  metadata: {
@ -457,6 +470,13 @@ interface AddIdentityKubernetesAuthEvent {
  };
 }

+interface DeleteIdentityKubernetesAuthEvent {
+  type: EventType.REVOKE_IDENTITY_KUBERNETES_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityKubernetesAuthEvent {
  type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH;
  metadata: {
@ -493,6 +513,14 @@ interface GetIdentityUniversalAuthClientSecretsEvent {
  };
 }

+interface GetIdentityUniversalAuthClientSecretByIdEvent {
+  type: EventType.GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID;
+  metadata: {
+    identityId: string;
+    clientSecretId: string;
+  };
+}
+
 interface RevokeIdentityUniversalAuthClientSecretEvent {
  type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET;
  metadata: {
@ -525,6 +553,13 @@ interface AddIdentityGcpAuthEvent {
  };
 }

+interface DeleteIdentityGcpAuthEvent {
+  type: EventType.REVOKE_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityGcpAuthEvent {
  type: EventType.UPDATE_IDENTITY_GCP_AUTH;
  metadata: {
@ -570,6 +605,13 @@ interface AddIdentityAwsAuthEvent {
  };
 }

+interface DeleteIdentityAwsAuthEvent {
+  type: EventType.REVOKE_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityAwsAuthEvent {
  type: EventType.UPDATE_IDENTITY_AWS_AUTH;
  metadata: {
@ -613,6 +655,13 @@ interface AddIdentityAzureAuthEvent {
  };
 }

+interface DeleteIdentityAzureAuthEvent {
+  type: EventType.REVOKE_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityAzureAuthEvent {
  type: EventType.UPDATE_IDENTITY_AZURE_AUTH;
  metadata: {
@ -1003,24 +1052,30 @@ export type Event =
  | LoginIdentityUniversalAuthEvent
  | AddIdentityUniversalAuthEvent
  | UpdateIdentityUniversalAuthEvent
+  | DeleteIdentityUniversalAuthEvent
  | GetIdentityUniversalAuthEvent
  | LoginIdentityKubernetesAuthEvent
+  | DeleteIdentityKubernetesAuthEvent
  | AddIdentityKubernetesAuthEvent
  | UpdateIdentityKubernetesAuthEvent
  | GetIdentityKubernetesAuthEvent
  | CreateIdentityUniversalAuthClientSecretEvent
  | GetIdentityUniversalAuthClientSecretsEvent
+  | GetIdentityUniversalAuthClientSecretByIdEvent
  | RevokeIdentityUniversalAuthClientSecretEvent
  | LoginIdentityGcpAuthEvent
  | AddIdentityGcpAuthEvent
+  | DeleteIdentityGcpAuthEvent
  | UpdateIdentityGcpAuthEvent
  | GetIdentityGcpAuthEvent
  | LoginIdentityAwsAuthEvent
  | AddIdentityAwsAuthEvent
  | UpdateIdentityAwsAuthEvent
  | GetIdentityAwsAuthEvent
+  | DeleteIdentityAwsAuthEvent
  | LoginIdentityAzureAuthEvent
  | AddIdentityAzureAuthEvent
+  | DeleteIdentityAzureAuthEvent
  | UpdateIdentityAzureAuthEvent
  | GetIdentityAzureAuthEvent
  | CreateEnvironmentEvent
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@ -23,6 +23,8 @@ import {
 } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
+import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@ -30,6 +32,7 @@ import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membe
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { normalizeUsername } from "@app/services/user/user-fns";
@ -73,11 +76,19 @@ type TLdapConfigServiceFactoryDep = {
  >;
  userDAL: Pick<
    TUserDALFactory,
-    "create" | "findOne" | "transaction" | "updateById" | "findUserEncKeyByUserIdsBatch" | "find"
+    | "create"
+    | "findOne"
+    | "transaction"
+    | "updateById"
+    | "findUserEncKeyByUserIdsBatch"
+    | "find"
+    | "findUserEncKeyByUserId"
  >;
  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
+  tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
+  smtpService: Pick<TSmtpService, "sendMail">;
 };

 export type TLdapConfigServiceFactory = ReturnType<typeof ldapConfigServiceFactory>;
@ -97,7 +108,9 @@ export const ldapConfigServiceFactory = ({
  userDAL,
  userAliasDAL,
  permissionService,
-  licenseService
+  licenseService,
+  tokenService,
+  smtpService
 }: TLdapConfigServiceFactoryDep) => {
  const createLdapCfg = async ({
    actor,
@ -109,6 +122,7 @@ export const ldapConfigServiceFactory = ({
    url,
    bindDN,
    bindPass,
+    uniqueUserAttribute,
    searchBase,
    searchFilter,
    groupSearchBase,
@ -187,6 +201,7 @@ export const ldapConfigServiceFactory = ({
      encryptedBindPass,
      bindPassIV,
      bindPassTag,
+      uniqueUserAttribute,
      searchBase,
      searchFilter,
      groupSearchBase,
@ -209,6 +224,7 @@ export const ldapConfigServiceFactory = ({
    url,
    bindDN,
    bindPass,
+    uniqueUserAttribute,
    searchBase,
    searchFilter,
    groupSearchBase,
@ -231,7 +247,8 @@ export const ldapConfigServiceFactory = ({
      searchBase,
      searchFilter,
      groupSearchBase,
-      groupSearchFilter
+      groupSearchFilter,
+      uniqueUserAttribute
    };

    const orgBot = await orgBotDAL.findOne({ orgId });
@ -332,6 +349,7 @@ export const ldapConfigServiceFactory = ({
      url: ldapConfig.url,
      bindDN,
      bindPass,
+      uniqueUserAttribute: ldapConfig.uniqueUserAttribute,
      searchBase: ldapConfig.searchBase,
      searchFilter: ldapConfig.searchFilter,
      groupSearchBase: ldapConfig.groupSearchBase,
@ -368,6 +386,7 @@ export const ldapConfigServiceFactory = ({
        url: ldapConfig.url,
        bindDN: ldapConfig.bindDN,
        bindCredentials: ldapConfig.bindPass,
+        uniqueUserAttribute: ldapConfig.uniqueUserAttribute,
        searchBase: ldapConfig.searchBase,
        searchFilter: ldapConfig.searchFilter || "(uid={{username}})",
        // searchAttributes: ["uid", "uidNumber", "givenName", "sn", "mail"],
@ -488,7 +507,7 @@ export const ldapConfigServiceFactory = ({
        if (!orgMembership) {
          await orgMembershipDAL.create(
            {
-              userId: userAlias.userId,
+              userId: newUser.id,
              inviteEmail: email,
              orgId,
              role: OrgMembershipRole.Member,
@ -592,12 +611,14 @@ export const ldapConfigServiceFactory = ({
    });

    const isUserCompleted = Boolean(user.isAccepted);
+    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);

    const providerAuthToken = jwt.sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
+        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
        firstName,
        lastName,
@ -619,6 +640,22 @@ export const ldapConfigServiceFactory = ({
      }
    );

+    if (user.email && !user.isEmailVerified) {
+      const token = await tokenService.createTokenForUser({
+        type: TokenType.TOKEN_EMAIL_VERIFICATION,
+        userId: user.id
+      });
+
+      await smtpService.sendMail({
+        template: SmtpTemplates.EmailVerification,
+        subjectLine: "Infisical confirmation code",
+        recipients: [user.email],
+        substitutions: {
+          code: token
+        }
+      });
+    }
+
    return { isUserCompleted, providerAuthToken };
  };

--- a/backend/src/ee/services/ldap-config/ldap-config-types.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-types.ts
@ -7,6 +7,7 @@ export type TLDAPConfig = {
  url: string;
  bindDN: string;
  bindPass: string;
+  uniqueUserAttribute: string;
  searchBase: string;
  groupSearchBase: string;
  groupSearchFilter: string;
@ -19,6 +20,7 @@ export type TCreateLdapCfgDTO = {
  url: string;
  bindDN: string;
  bindPass: string;
+  uniqueUserAttribute: string;
  searchBase: string;
  searchFilter: string;
  groupSearchBase: string;
@ -33,6 +35,7 @@ export type TUpdateLdapCfgDTO = {
  url: string;
  bindDN: string;
  bindPass: string;
+  uniqueUserAttribute: string;
  searchBase: string;
  searchFilter: string;
  groupSearchBase: string;
--- a/backend/src/ee/services/license/licence-fns.ts
+++ b/backend/src/ee/services/license/licence-fns.ts
@ -27,6 +27,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  auditLogStreams: false,
  auditLogStreamLimit: 3,
  samlSSO: false,
+  oidcSSO: false,
  scim: false,
  ldap: false,
  groups: false,
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@ -44,6 +44,7 @@ export type TFeatureSet = {
  auditLogStreams: false;
  auditLogStreamLimit: 3;
  samlSSO: false;
+  oidcSSO: false;
  scim: false;
  ldap: false;
  groups: false;
--- a/backend/src/ee/services/oidc/oidc-config-dal.ts
+++ b/backend/src/ee/services/oidc/oidc-config-dal.ts
@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
+
+export const oidcConfigDALFactory = (db: TDbClient) => {
+  const oidcCfgOrm = ormify(db, TableName.OidcConfig);
+
+  return { ...oidcCfgOrm };
+};
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@ -0,0 +1,637 @@
+/* eslint-disable @typescript-eslint/no-unsafe-call */
+import { ForbiddenError } from "@casl/ability";
+import jwt from "jsonwebtoken";
+import { Issuer, Issuer as OpenIdIssuer, Strategy as OpenIdStrategy, TokenSet } from "openid-client";
+
+import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
+import { TOidcConfigsUpdate } from "@app/db/schemas/oidc-configs";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import {
+  decryptSymmetric,
+  encryptSymmetric,
+  generateAsymmetricKeyPair,
+  generateSymmetricKey,
+  infisicalSymmetricDecrypt,
+  infisicalSymmetricEncypt
+} from "@app/lib/crypto/encryption";
+import { BadRequestError } from "@app/lib/errors";
+import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
+import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TokenType } from "@app/services/auth-token/auth-token-types";
+import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
+import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
+import { getServerCfg } from "@app/services/super-admin/super-admin-service";
+import { TUserDALFactory } from "@app/services/user/user-dal";
+import { normalizeUsername } from "@app/services/user/user-fns";
+import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
+import { UserAliasType } from "@app/services/user-alias/user-alias-types";
+
+import { TOidcConfigDALFactory } from "./oidc-config-dal";
+import {
+  OIDCConfigurationType,
+  TCreateOidcCfgDTO,
+  TGetOidcCfgDTO,
+  TOidcLoginDTO,
+  TUpdateOidcCfgDTO
+} from "./oidc-config-types";
+
+type TOidcConfigServiceFactoryDep = {
+  userDAL: Pick<
+    TUserDALFactory,
+    "create" | "findOne" | "transaction" | "updateById" | "findById" | "findUserEncKeyByUserId"
+  >;
+  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
+  orgDAL: Pick<
+    TOrgDALFactory,
+    "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
+  >;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
+  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
+  tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
+  smtpService: Pick<TSmtpService, "sendMail">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne" | "update" | "create">;
+};
+
+export type TOidcConfigServiceFactory = ReturnType<typeof oidcConfigServiceFactory>;
+
+export const oidcConfigServiceFactory = ({
+  orgDAL,
+  orgMembershipDAL,
+  userDAL,
+  userAliasDAL,
+  licenseService,
+  permissionService,
+  tokenService,
+  orgBotDAL,
+  smtpService,
+  oidcConfigDAL
+}: TOidcConfigServiceFactoryDep) => {
+  const getOidc = async (dto: TGetOidcCfgDTO) => {
+    const org = await orgDAL.findOne({ slug: dto.orgSlug });
+    if (!org) {
+      throw new BadRequestError({
+        message: "Organization not found",
+        name: "OrgNotFound"
+      });
+    }
+    if (dto.type === "external") {
+      const { permission } = await permissionService.getOrgPermission(
+        dto.actor,
+        dto.actorId,
+        org.id,
+        dto.actorAuthMethod,
+        dto.actorOrgId
+      );
+      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Sso);
+    }
+
+    const oidcCfg = await oidcConfigDAL.findOne({
+      orgId: org.id
+    });
+
+    if (!oidcCfg) {
+      throw new BadRequestError({
+        message: "Failed to find organization OIDC configuration"
+      });
+    }
+
+    // decrypt and return cfg
+    const orgBot = await orgBotDAL.findOne({ orgId: oidcCfg.orgId });
+    if (!orgBot) {
+      throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    }
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { encryptedClientId, clientIdIV, clientIdTag, encryptedClientSecret, clientSecretIV, clientSecretTag } =
+      oidcCfg;
+
+    let clientId = "";
+    if (encryptedClientId && clientIdIV && clientIdTag) {
+      clientId = decryptSymmetric({
+        ciphertext: encryptedClientId,
+        key,
+        tag: clientIdTag,
+        iv: clientIdIV
+      });
+    }
+
+    let clientSecret = "";
+    if (encryptedClientSecret && clientSecretIV && clientSecretTag) {
+      clientSecret = decryptSymmetric({
+        key,
+        tag: clientSecretTag,
+        iv: clientSecretIV,
+        ciphertext: encryptedClientSecret
+      });
+    }
+
+    return {
+      id: oidcCfg.id,
+      issuer: oidcCfg.issuer,
+      authorizationEndpoint: oidcCfg.authorizationEndpoint,
+      configurationType: oidcCfg.configurationType,
+      discoveryURL: oidcCfg.discoveryURL,
+      jwksUri: oidcCfg.jwksUri,
+      tokenEndpoint: oidcCfg.tokenEndpoint,
+      userinfoEndpoint: oidcCfg.userinfoEndpoint,
+      orgId: oidcCfg.orgId,
+      isActive: oidcCfg.isActive,
+      allowedEmailDomains: oidcCfg.allowedEmailDomains,
+      clientId,
+      clientSecret
+    };
+  };
+
+  const oidcLogin = async ({ externalId, email, firstName, lastName, orgId, callbackPort }: TOidcLoginDTO) => {
+    const serverCfg = await getServerCfg();
+    const appCfg = getConfig();
+    const userAlias = await userAliasDAL.findOne({
+      externalId,
+      orgId,
+      aliasType: UserAliasType.OIDC
+    });
+
+    const organization = await orgDAL.findOrgById(orgId);
+    if (!organization) throw new BadRequestError({ message: "Org not found" });
+
+    let user: TUsers;
+    if (userAlias) {
+      user = await userDAL.transaction(async (tx) => {
+        const foundUser = await userDAL.findById(userAlias.userId, tx);
+        const [orgMembership] = await orgDAL.findMembership(
+          {
+            [`${TableName.OrgMembership}.userId` as "userId"]: foundUser.id,
+            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+          },
+          { tx }
+        );
+        if (!orgMembership) {
+          await orgMembershipDAL.create(
+            {
+              userId: userAlias.userId,
+              inviteEmail: email,
+              orgId,
+              role: OrgMembershipRole.Member,
+              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+            },
+            tx
+          );
+          // Only update the membership to Accepted if the user account is already completed.
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && foundUser.isAccepted) {
+          await orgDAL.updateMembershipById(
+            orgMembership.id,
+            {
+              status: OrgMembershipStatus.Accepted
+            },
+            tx
+          );
+        }
+
+        return foundUser;
+      });
+    } else {
+      user = await userDAL.transaction(async (tx) => {
+        let newUser: TUsers | undefined;
+
+        if (serverCfg.trustOidcEmails) {
+          newUser = await userDAL.findOne(
+            {
+              email,
+              isEmailVerified: true
+            },
+            tx
+          );
+        }
+
+        if (!newUser) {
+          const uniqueUsername = await normalizeUsername(externalId, userDAL);
+          newUser = await userDAL.create(
+            {
+              email,
+              firstName,
+              isEmailVerified: serverCfg.trustOidcEmails,
+              username: serverCfg.trustOidcEmails ? email : uniqueUsername,
+              lastName,
+              authMethods: [],
+              isGhost: false
+            },
+            tx
+          );
+        }
+
+        await userAliasDAL.create(
+          {
+            userId: newUser.id,
+            aliasType: UserAliasType.OIDC,
+            externalId,
+            emails: email ? [email] : [],
+            orgId
+          },
+          tx
+        );
+
+        const [orgMembership] = await orgDAL.findMembership(
+          {
+            [`${TableName.OrgMembership}.userId` as "userId"]: newUser.id,
+            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+          },
+          { tx }
+        );
+
+        if (!orgMembership) {
+          await orgMembershipDAL.create(
+            {
+              userId: newUser.id,
+              inviteEmail: email,
+              orgId,
+              role: OrgMembershipRole.Member,
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+            },
+            tx
+          );
+          // Only update the membership to Accepted if the user account is already completed.
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && newUser.isAccepted) {
+          await orgDAL.updateMembershipById(
+            orgMembership.id,
+            {
+              status: OrgMembershipStatus.Accepted
+            },
+            tx
+          );
+        }
+
+        return newUser;
+      });
+    }
+
+    await licenseService.updateSubscriptionOrgMemberCount(organization.id);
+
+    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
+    const isUserCompleted = Boolean(user.isAccepted);
+    const providerAuthToken = jwt.sign(
+      {
+        authTokenType: AuthTokenType.PROVIDER_TOKEN,
+        userId: user.id,
+        username: user.username,
+        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
+        firstName,
+        lastName,
+        organizationName: organization.name,
+        organizationId: organization.id,
+        organizationSlug: organization.slug,
+        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
+        authMethod: AuthMethod.OIDC,
+        authType: UserAliasType.OIDC,
+        isUserCompleted,
+        ...(callbackPort && { callbackPort })
+      },
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn: appCfg.JWT_PROVIDER_AUTH_LIFETIME
+      }
+    );
+
+    if (user.email && !user.isEmailVerified) {
+      const token = await tokenService.createTokenForUser({
+        type: TokenType.TOKEN_EMAIL_VERIFICATION,
+        userId: user.id
+      });
+
+      await smtpService.sendMail({
+        template: SmtpTemplates.EmailVerification,
+        subjectLine: "Infisical confirmation code",
+        recipients: [user.email],
+        substitutions: {
+          code: token
+        }
+      });
+    }
+
+    return { isUserCompleted, providerAuthToken };
+  };
+
+  const updateOidcCfg = async ({
+    orgSlug,
+    allowedEmailDomains,
+    configurationType,
+    discoveryURL,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    actorId,
+    issuer,
+    isActive,
+    authorizationEndpoint,
+    jwksUri,
+    tokenEndpoint,
+    userinfoEndpoint,
+    clientId,
+    clientSecret
+  }: TUpdateOidcCfgDTO) => {
+    const org = await orgDAL.findOne({
+      slug: orgSlug
+    });
+
+    if (!org) {
+      throw new BadRequestError({
+        message: "Organization not found"
+      });
+    }
+
+    const plan = await licenseService.getPlan(org.id);
+    if (!plan.oidcSSO)
+      throw new BadRequestError({
+        message:
+          "Failed to update OIDC SSO configuration due to plan restriction. Upgrade plan to update SSO configuration."
+      });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      org.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Sso);
+
+    const orgBot = await orgBotDAL.findOne({ orgId: org.id });
+    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const updateQuery: TOidcConfigsUpdate = {
+      allowedEmailDomains,
+      configurationType,
+      discoveryURL,
+      issuer,
+      authorizationEndpoint,
+      tokenEndpoint,
+      userinfoEndpoint,
+      jwksUri,
+      isActive
+    };
+
+    if (clientId !== undefined) {
+      const { ciphertext: encryptedClientId, iv: clientIdIV, tag: clientIdTag } = encryptSymmetric(clientId, key);
+      updateQuery.encryptedClientId = encryptedClientId;
+      updateQuery.clientIdIV = clientIdIV;
+      updateQuery.clientIdTag = clientIdTag;
+    }
+
+    if (clientSecret !== undefined) {
+      const {
+        ciphertext: encryptedClientSecret,
+        iv: clientSecretIV,
+        tag: clientSecretTag
+      } = encryptSymmetric(clientSecret, key);
+
+      updateQuery.encryptedClientSecret = encryptedClientSecret;
+      updateQuery.clientSecretIV = clientSecretIV;
+      updateQuery.clientSecretTag = clientSecretTag;
+    }
+
+    const [ssoConfig] = await oidcConfigDAL.update({ orgId: org.id }, updateQuery);
+    return ssoConfig;
+  };
+
+  const createOidcCfg = async ({
+    orgSlug,
+    allowedEmailDomains,
+    configurationType,
+    discoveryURL,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    actorId,
+    issuer,
+    isActive,
+    authorizationEndpoint,
+    jwksUri,
+    tokenEndpoint,
+    userinfoEndpoint,
+    clientId,
+    clientSecret
+  }: TCreateOidcCfgDTO) => {
+    const org = await orgDAL.findOne({
+      slug: orgSlug
+    });
+    if (!org) {
+      throw new BadRequestError({
+        message: "Organization not found"
+      });
+    }
+
+    const plan = await licenseService.getPlan(org.id);
+    if (!plan.oidcSSO)
+      throw new BadRequestError({
+        message:
+          "Failed to create OIDC SSO configuration due to plan restriction. Upgrade plan to update SSO configuration."
+      });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      org.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Sso);
+
+    const orgBot = await orgBotDAL.transaction(async (tx) => {
+      const doc = await orgBotDAL.findOne({ orgId: org.id }, tx);
+      if (doc) return doc;
+
+      const { privateKey, publicKey } = generateAsymmetricKeyPair();
+      const key = generateSymmetricKey();
+      const {
+        ciphertext: encryptedPrivateKey,
+        iv: privateKeyIV,
+        tag: privateKeyTag,
+        encoding: privateKeyKeyEncoding,
+        algorithm: privateKeyAlgorithm
+      } = infisicalSymmetricEncypt(privateKey);
+      const {
+        ciphertext: encryptedSymmetricKey,
+        iv: symmetricKeyIV,
+        tag: symmetricKeyTag,
+        encoding: symmetricKeyKeyEncoding,
+        algorithm: symmetricKeyAlgorithm
+      } = infisicalSymmetricEncypt(key);
+
+      return orgBotDAL.create(
+        {
+          name: "Infisical org bot",
+          publicKey,
+          privateKeyIV,
+          encryptedPrivateKey,
+          symmetricKeyIV,
+          symmetricKeyTag,
+          encryptedSymmetricKey,
+          symmetricKeyAlgorithm,
+          orgId: org.id,
+          privateKeyTag,
+          privateKeyAlgorithm,
+          privateKeyKeyEncoding,
+          symmetricKeyKeyEncoding
+        },
+        tx
+      );
+    });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { ciphertext: encryptedClientId, iv: clientIdIV, tag: clientIdTag } = encryptSymmetric(clientId, key);
+    const {
+      ciphertext: encryptedClientSecret,
+      iv: clientSecretIV,
+      tag: clientSecretTag
+    } = encryptSymmetric(clientSecret, key);
+
+    const oidcCfg = await oidcConfigDAL.create({
+      issuer,
+      isActive,
+      configurationType,
+      discoveryURL,
+      authorizationEndpoint,
+      allowedEmailDomains,
+      jwksUri,
+      tokenEndpoint,
+      userinfoEndpoint,
+      orgId: org.id,
+      encryptedClientId,
+      clientIdIV,
+      clientIdTag,
+      encryptedClientSecret,
+      clientSecretIV,
+      clientSecretTag
+    });
+
+    return oidcCfg;
+  };
+
+  const getOrgAuthStrategy = async (orgSlug: string, callbackPort?: string) => {
+    const appCfg = getConfig();
+
+    const org = await orgDAL.findOne({
+      slug: orgSlug
+    });
+
+    if (!org) {
+      throw new BadRequestError({
+        message: "Organization not found."
+      });
+    }
+
+    const oidcCfg = await getOidc({
+      type: "internal",
+      orgSlug
+    });
+
+    if (!oidcCfg || !oidcCfg.isActive) {
+      throw new BadRequestError({
+        message: "Failed to authenticate with OIDC SSO"
+      });
+    }
+
+    let issuer: Issuer;
+    if (oidcCfg.configurationType === OIDCConfigurationType.DISCOVERY_URL) {
+      if (!oidcCfg.discoveryURL) {
+        throw new BadRequestError({
+          message: "OIDC not configured correctly"
+        });
+      }
+      issuer = await Issuer.discover(oidcCfg.discoveryURL);
+    } else {
+      if (
+        !oidcCfg.issuer ||
+        !oidcCfg.authorizationEndpoint ||
+        !oidcCfg.jwksUri ||
+        !oidcCfg.tokenEndpoint ||
+        !oidcCfg.userinfoEndpoint
+      ) {
+        throw new BadRequestError({
+          message: "OIDC not configured correctly"
+        });
+      }
+      issuer = new OpenIdIssuer({
+        issuer: oidcCfg.issuer,
+        authorization_endpoint: oidcCfg.authorizationEndpoint,
+        jwks_uri: oidcCfg.jwksUri,
+        token_endpoint: oidcCfg.tokenEndpoint,
+        userinfo_endpoint: oidcCfg.userinfoEndpoint
+      });
+    }
+
+    const client = new issuer.Client({
+      client_id: oidcCfg.clientId,
+      client_secret: oidcCfg.clientSecret,
+      redirect_uris: [`${appCfg.SITE_URL}/api/v1/sso/oidc/callback`]
+    });
+
+    const strategy = new OpenIdStrategy(
+      {
+        client,
+        passReqToCallback: true
+      },
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (_req: any, tokenSet: TokenSet, cb: any) => {
+        const claims = tokenSet.claims();
+        if (!claims.email || !claims.given_name) {
+          throw new BadRequestError({
+            message: "Invalid request. Missing email or first name"
+          });
+        }
+
+        if (oidcCfg.allowedEmailDomains) {
+          const allowedDomains = oidcCfg.allowedEmailDomains.split(", ");
+          if (!allowedDomains.includes(claims.email.split("@")[1])) {
+            throw new BadRequestError({
+              message: "Email not allowed."
+            });
+          }
+        }
+
+        oidcLogin({
+          email: claims.email,
+          externalId: claims.sub,
+          firstName: claims.given_name ?? "",
+          lastName: claims.family_name ?? "",
+          orgId: org.id,
+          callbackPort
+        })
+          .then(({ isUserCompleted, providerAuthToken }) => {
+            cb(null, { isUserCompleted, providerAuthToken });
+          })
+          .catch((error) => {
+            cb(error);
+          });
+      }
+    );
+
+    return strategy;
+  };
+
+  return { oidcLogin, getOrgAuthStrategy, getOidc, updateOidcCfg, createOidcCfg };
+};
--- a/backend/src/ee/services/oidc/oidc-config-types.ts
+++ b/backend/src/ee/services/oidc/oidc-config-types.ts
@ -0,0 +1,56 @@
+import { TGenericPermission } from "@app/lib/types";
+
+export enum OIDCConfigurationType {
+  CUSTOM = "custom",
+  DISCOVERY_URL = "discoveryURL"
+}
+
+export type TOidcLoginDTO = {
+  externalId: string;
+  email: string;
+  firstName: string;
+  lastName?: string;
+  orgId: string;
+  callbackPort?: string;
+};
+
+export type TGetOidcCfgDTO =
+  | ({
+      type: "external";
+      orgSlug: string;
+    } & TGenericPermission)
+  | {
+      type: "internal";
+      orgSlug: string;
+    };
+
+export type TCreateOidcCfgDTO = {
+  issuer?: string;
+  authorizationEndpoint?: string;
+  discoveryURL?: string;
+  configurationType: OIDCConfigurationType;
+  allowedEmailDomains?: string;
+  jwksUri?: string;
+  tokenEndpoint?: string;
+  userinfoEndpoint?: string;
+  clientId: string;
+  clientSecret: string;
+  isActive: boolean;
+  orgSlug: string;
+} & TGenericPermission;
+
+export type TUpdateOidcCfgDTO = Partial<{
+  issuer: string;
+  authorizationEndpoint: string;
+  allowedEmailDomains: string;
+  discoveryURL: string;
+  jwksUri: string;
+  configurationType: OIDCConfigurationType;
+  tokenEndpoint: string;
+  userinfoEndpoint: string;
+  clientId: string;
+  clientSecret: string;
+  isActive: boolean;
+  orgSlug: string;
+}> &
+  TGenericPermission;
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@ -116,7 +116,6 @@ const buildMemberPermission = () => {
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Settings);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Sso);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.IncidentAccount);

  can(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@ -41,7 +41,10 @@ import { TCreateSamlCfgDTO, TGetSamlCfgDTO, TSamlLoginDTO, TUpdateSamlCfgDTO } f

 type TSamlConfigServiceFactoryDep = {
  samlConfigDAL: Pick<TSamlConfigDALFactory, "create" | "findOne" | "update" | "findById">;
-  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById" | "findById">;
+  userDAL: Pick<
+    TUserDALFactory,
+    "create" | "findOne" | "transaction" | "updateById" | "findById" | "findUserEncKeyByUserId"
+  >;
  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
  orgDAL: Pick<
    TOrgDALFactory,
@ -452,6 +455,7 @@ export const samlConfigServiceFactory = ({
    await licenseService.updateSubscriptionOrgMemberCount(organization.id);

    const isUserCompleted = Boolean(user.isAccepted);
+    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
    const providerAuthToken = jwt.sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
@ -464,6 +468,7 @@ export const samlConfigServiceFactory = ({
        organizationId: organization.id,
        organizationSlug: organization.slug,
        authMethod: authProvider,
+        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
        authType: UserAliasType.SAML,
        isUserCompleted,
        ...(relayState
--- a/backend/src/ee/services/secret-snapshot/snapshot-dal.ts
+++ b/backend/src/ee/services/secret-snapshot/snapshot-dal.ts
@ -331,8 +331,8 @@ export const snapshotDALFactory = (db: TDbClient) => {
   * Prunes excess snapshots from the database to ensure only a specified number of recent snapshots are retained for each folder.
   *
   * This function operates in three main steps:
-   * 1. Pruning snapshots from root/non-versioned folders.
-   * 2. Pruning snapshots from versioned folders.
+   * 1. Pruning snapshots from current folders.
+   * 2. Pruning snapshots from non-current folders (versioned ones).
   * 3. Removing orphaned snapshots that do not belong to any existing folder or folder version.
   *
   * The function processes snapshots in batches, determined by the `PRUNE_FOLDER_BATCH_SIZE` constant,
@ -350,7 +350,7 @@ export const snapshotDALFactory = (db: TDbClient) => {

    try {
      let uuidOffset = "00000000-0000-0000-0000-000000000000";
-      // cleanup snapshots from root/non-versioned folders
+      // cleanup snapshots from current folders
      // eslint-disable-next-line no-constant-condition, no-unreachable-loop
      while (true) {
        const folderBatch = await db(TableName.SecretFolder)
@ -382,12 +382,11 @@ export const snapshotDALFactory = (db: TDbClient) => {
              .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
              .join(TableName.Project, `${TableName.Project}.id`, `${TableName.Environment}.projectId`)
              .join("snapshot_cte", "snapshot_cte.id", `${TableName.Snapshot}.id`)
-              .whereNull(`${TableName.SecretFolder}.parentId`)
              .whereRaw(`snapshot_cte.row_num > ${TableName.Project}."pitVersionLimit"`)
              .delete();
          } catch (err) {
            logger.error(
-              `Failed to prune snapshots from root/non-versioned folders in range ${batchEntries[0]}:${
+              `Failed to prune snapshots from current folders in range ${batchEntries[0]}:${
                batchEntries[batchEntries.length - 1]
              }`
            );
@ -399,7 +398,7 @@ export const snapshotDALFactory = (db: TDbClient) => {
        }
      }

-      // cleanup snapshots from versioned folders
+      // cleanup snapshots from non-current folders
      uuidOffset = "00000000-0000-0000-0000-000000000000";
      // eslint-disable-next-line no-constant-condition
      while (true) {
@ -440,7 +439,7 @@ export const snapshotDALFactory = (db: TDbClient) => {
              .delete();
          } catch (err) {
            logger.error(
-              `Failed to prune snapshots from versioned folders in range ${batchEntries[0]}:${
+              `Failed to prune snapshots from non-current folders in range ${batchEntries[0]}:${
                batchEntries[batchEntries.length - 1]
              }`
            );
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -42,6 +42,13 @@ export const IDENTITIES = {
  },
  DELETE: {
    identityId: "The ID of the identity to delete."
+  },
+  GET_BY_ID: {
+    identityId: "The ID of the identity to get details.",
+    orgId: "The ID of the org of the identity"
+  },
+  LIST: {
+    orgId: "The ID of the organization to list identities."
  }
 } as const;

@ -65,6 +72,9 @@ export const UNIVERSAL_AUTH = {
  RETRIEVE: {
    identityId: "The ID of the identity to retrieve."
  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  },
  UPDATE: {
    identityId: "The ID of the identity to update.",
    clientSecretTrustedIps: "The new list of IPs or CIDR ranges that the Client Secret can be used from.",
@ -83,6 +93,10 @@ export const UNIVERSAL_AUTH = {
  LIST_CLIENT_SECRETS: {
    identityId: "The ID of the identity to list client secrets for."
  },
+  GET_CLIENT_SECRET: {
+    identityId: "The ID of the identity to get the client secret from.",
+    clientSecretId: "The ID of the client secret to get details."
+  },
  REVOKE_CLIENT_SECRET: {
    identityId: "The ID of the identity to revoke the client secret from.",
    clientSecretId: "The ID of the client secret to revoke."
@ -104,6 +118,27 @@ export const AWS_AUTH = {
    iamRequestBody:
      "The base64-encoded body of the signed request. Most likely, the base64-encoding of Action=GetCallerIdentity&Version=2011-06-15.",
    iamRequestHeaders: "The base64-encoded headers of the sts:GetCallerIdentity signed request."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const AZURE_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const GCP_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const KUBERNETES_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
  }
 } as const;

@ -347,6 +382,7 @@ export const RAW_SECRETS = {
    tagIds: "The ID of the tags to be attached to the created secret."
  },
  GET: {
+    expand: "Whether or not to expand secret references",
    secretName: "The name of the secret to get.",
    workspaceId: "The ID of the project to get the secret from.",
    workspaceSlug: "The slug of the project to get the secret from.",
@ -804,6 +840,8 @@ export const CERTIFICATE_AUTHORITIES = {
    caId: "The ID of the CA to issue the certificate from",
    friendlyName: "A friendly name for the certificate",
    commonName: "The common name (CN) for the certificate",
+    altNames:
+      "A comma-delimited list of Subject Alternative Names (SANs) for the certificate; these can be host names or email addresses.",
    ttl: "The time to live for the certificate such as 1m, 1h, 1d, 1y, ...",
    notBefore: "The date and time when the certificate becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
    notAfter: "The date and time when the certificate expires in YYYY-MM-DDTHH:mm:ss.sssZ format",
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@ -29,7 +29,7 @@ const envSchema = z
    DB_USER: zpStr(z.string().describe("Postgres database username").optional()),
    DB_PASSWORD: zpStr(z.string().describe("Postgres database password").optional()),
    DB_NAME: zpStr(z.string().describe("Postgres database name").optional()),
-
+    BCRYPT_SALT_ROUND: z.number().default(12),
    NODE_ENV: z.enum(["development", "test", "production"]).default("production"),
    SALT_ROUNDS: z.coerce.number().default(10),
    INITIAL_ORGANIZATION_NAME: zpStr(z.string().optional()),
--- a/backend/src/lib/crypto/srp.ts
+++ b/backend/src/lib/crypto/srp.ts
@ -6,7 +6,7 @@ import tweetnacl from "tweetnacl-util";

 import { TUserEncryptionKeys } from "@app/db/schemas";

-import { decryptSymmetric, encryptAsymmetric, encryptSymmetric } from "./encryption";
+import { decryptSymmetric128BitHexKeyUTF8, encryptAsymmetric, encryptSymmetric } from "./encryption";

 export const generateSrpServerKey = async (salt: string, verifier: string) => {
  // eslint-disable-next-line new-cap
@ -97,30 +97,55 @@ export const generateUserSrpKeys = async (email: string, password: string) => {
  };
 };

-export const getUserPrivateKey = async (password: string, user: TUserEncryptionKeys) => {
-  const derivedKey = await argon2.hash(password, {
-    salt: Buffer.from(user.salt),
-    memoryCost: 65536,
-    timeCost: 3,
-    parallelism: 1,
-    hashLength: 32,
-    type: argon2.argon2id,
-    raw: true
-  });
-  if (!derivedKey) throw new Error("Failed to derive key from password");
-  const key = decryptSymmetric({
-    ciphertext: user.protectedKey!,
-    iv: user.protectedKeyIV!,
-    tag: user.protectedKeyTag!,
-    key: derivedKey.toString("base64")
-  });
-  const privateKey = decryptSymmetric({
-    ciphertext: user.encryptedPrivateKey,
-    iv: user.iv,
-    tag: user.tag,
-    key
-  });
-  return privateKey;
+export const getUserPrivateKey = async (
+  password: string,
+  user: Pick<
+    TUserEncryptionKeys,
+    | "protectedKeyTag"
+    | "protectedKey"
+    | "protectedKeyIV"
+    | "encryptedPrivateKey"
+    | "iv"
+    | "salt"
+    | "tag"
+    | "encryptionVersion"
+  >
+) => {
+  if (user.encryptionVersion === 1) {
+    return decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: user.encryptedPrivateKey,
+      iv: user.iv,
+      tag: user.tag,
+      key: password.slice(0, 32).padStart(32 + (password.slice(0, 32).length - new Blob([password]).size), "0")
+    });
+  }
+  if (user.encryptionVersion === 2 && user.protectedKey && user.protectedKeyIV && user.protectedKeyTag) {
+    const derivedKey = await argon2.hash(password, {
+      salt: Buffer.from(user.salt),
+      memoryCost: 65536,
+      timeCost: 3,
+      parallelism: 1,
+      hashLength: 32,
+      type: argon2.argon2id,
+      raw: true
+    });
+    if (!derivedKey) throw new Error("Failed to derive key from password");
+    const key = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: user.protectedKey,
+      iv: user.protectedKeyIV,
+      tag: user.protectedKeyTag,
+      key: derivedKey
+    });
+
+    const privateKey = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: user.encryptedPrivateKey,
+      iv: user.iv,
+      tag: user.tag,
+      key: Buffer.from(key, "hex")
+    });
+    return privateKey;
+  }
+  throw new Error(`GetUserPrivateKey: Encryption version not found`);
 };

 export const buildUserProjectKey = async (privateKey: string, publickey: string) => {
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -32,6 +32,8 @@ import { ldapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-conf
 import { ldapGroupMapDALFactory } from "@app/ee/services/ldap-config/ldap-group-map-dal";
 import { licenseDALFactory } from "@app/ee/services/license/license-dal";
 import { licenseServiceFactory } from "@app/ee/services/license/license-service";
+import { oidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
+import { oidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { permissionDALFactory } from "@app/ee/services/permission/permission-dal";
 import { permissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { projectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
@ -250,6 +252,7 @@ export const registerRoutes = async (
  const ldapConfigDAL = ldapConfigDALFactory(db);
  const ldapGroupMapDAL = ldapGroupMapDALFactory(db);

+  const oidcConfigDAL = oidcConfigDALFactory(db);
  const accessApprovalPolicyDAL = accessApprovalPolicyDALFactory(db);
  const accessApprovalRequestDAL = accessApprovalRequestDALFactory(db);
  const accessApprovalPolicyApproverDAL = accessApprovalPolicyApproverDALFactory(db);
@ -392,7 +395,9 @@ export const registerRoutes = async (
    userDAL,
    userAliasDAL,
    permissionService,
-    licenseService
+    licenseService,
+    tokenService,
+    smtpService
  });

  const telemetryService = telemetryServiceFactory({
@ -903,6 +908,19 @@ export const registerRoutes = async (
    secretSharingDAL
  });

+  const oidcService = oidcConfigServiceFactory({
+    orgDAL,
+    orgMembershipDAL,
+    userDAL,
+    userAliasDAL,
+    licenseService,
+    tokenService,
+    smtpService,
+    orgBotDAL,
+    permissionService,
+    oidcConfigDAL
+  });
+
  await superAdminService.initServerCfg();
  //
  // setup the communication with license key server
@ -923,6 +941,7 @@ export const registerRoutes = async (
    permission: permissionService,
    org: orgService,
    orgRole: orgRoleService,
+    oidc: oidcService,
    apiKey: apiKeyService,
    authToken: tokenService,
    superAdmin: superAdminService,
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@ -22,6 +22,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).extend({
            isMigrationModeOn: z.boolean(),
+            defaultAuthOrgSlug: z.string().nullable(),
            isSecretScanningDisabled: z.boolean()
          })
        })
@ -51,11 +52,15 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
        allowSignUp: z.boolean().optional(),
        allowedSignUpDomain: z.string().optional().nullable(),
        trustSamlEmails: z.boolean().optional(),
-        trustLdapEmails: z.boolean().optional()
+        trustLdapEmails: z.boolean().optional(),
+        trustOidcEmails: z.boolean().optional(),
+        defaultAuthOrgId: z.string().optional().nullable()
      }),
      response: {
        200: z.object({
-          config: SuperAdminSchema
+          config: SuperAdminSchema.extend({
+            defaultAuthOrgSlug: z.string().nullable()
+          })
        })
      }
    },
@ -79,6 +84,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
    schema: {
      body: z.object({
        email: z.string().email().trim(),
+        password: z.string().trim(),
        firstName: z.string().trim(),
        lastName: z.string().trim().optional(),
        protectedKey: z.string().trim(),
--- a/backend/src/server/routes/v1/certificate-authority-router.ts
+++ b/backend/src/server/routes/v1/certificate-authority-router.ts
@ -9,7 +9,10 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus, CaType } from "@app/services/certificate-authority/certificate-authority-types";
-import { validateCaDateField } from "@app/services/certificate-authority/certificate-authority-validators";
+import {
+  validateAltNamesField,
+  validateCaDateField
+} from "@app/services/certificate-authority/certificate-authority-validators";

 export const registerCaRouter = async (server: FastifyZodProvider) => {
  server.route({
@ -452,6 +455,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
        .object({
          friendlyName: z.string().optional().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.friendlyName),
          commonName: z.string().trim().min(1).describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.commonName),
+          altNames: validateAltNamesField.describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.altNames),
          ttl: z
            .string()
            .refine((val) => ms(val) > 0, "TTL must be a positive number")
--- a/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
@ -266,4 +266,51 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
      return { identityAwsAuth };
    }
  });
+
+  server.route({
+    method: "DELETE",
+    url: "/aws-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete AWS Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(AWS_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityAwsAuth: IdentityAwsAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAwsAuth = await server.services.identityAwsAuth.revokeIdentityAwsAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAwsAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_AWS_AUTH,
+          metadata: {
+            identityId: identityAwsAuth.identityId
+          }
+        }
+      });
+
+      return { identityAwsAuth };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/identity-azure-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-azure-auth-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentityAzureAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { AZURE_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -259,4 +260,51 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
      return { identityAzureAuth };
    }
  });
+
+  server.route({
+    method: "DELETE",
+    url: "/azure-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Azure Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(AZURE_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityAzureAuth: IdentityAzureAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAzureAuth = await server.services.identityAzureAuth.revokeIdentityAzureAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAzureAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId
+          }
+        }
+      });
+
+      return { identityAzureAuth };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/identity-gcp-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-gcp-auth-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentityGcpAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { GCP_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -265,4 +266,51 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
      return { identityGcpAuth };
    }
  });
+
+  server.route({
+    method: "DELETE",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete GCP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(GCP_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.revokeIdentityGcpAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KUBERNETES_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -198,7 +199,7 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
      }),
      response: {
        200: z.object({
-          identityKubernetesAuth: IdentityKubernetesAuthsSchema
+          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
        })
      }
    },
@ -280,4 +281,54 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
    }
  });
+
+  server.route({
+    method: "DELETE",
+    url: "/kubernetes-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Kubernetes Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(KUBERNETES_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.omit({
+            caCert: true,
+            tokenReviewerJwt: true
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityKubernetesAuth = await server.services.identityKubernetesAuth.revokeIdentityKubernetesAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityKubernetesAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_KUBERNETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId
+          }
+        }
+      });
+
+      return { identityKubernetesAuth };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@ -1,9 +1,9 @@
 import { z } from "zod";

-import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
+import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgMembershipRole, OrgRolesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { IDENTITIES } from "@app/lib/api-docs";
-import { creationLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -170,4 +170,94 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      return { identity };
    }
  });
+
+  server.route({
+    method: "GET",
+    url: "/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Get an identity by id",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(IDENTITIES.GET_BY_ID.identityId)
+      }),
+      response: {
+        200: z.object({
+          identity: IdentityOrgMembershipsSchema.extend({
+            customRole: OrgRolesSchema.pick({
+              id: true,
+              name: true,
+              slug: true,
+              permissions: true,
+              description: true
+            }).optional(),
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identity = await server.services.identity.getIdentityById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.identityId
+      });
+
+      return { identity };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "List identities",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        orgId: z.string().describe(IDENTITIES.LIST.orgId)
+      }),
+      response: {
+        200: z.object({
+          identities: IdentityOrgMembershipsSchema.extend({
+            customRole: OrgRolesSchema.pick({
+              id: true,
+              name: true,
+              slug: true,
+              permissions: true,
+              description: true
+            }).optional(),
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+          }).array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const identities = await server.services.identity.listOrgIdentities({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.query.orgId
+      });
+
+      return { identities };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/identity-universal-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-universal-auth-router.ts
@ -134,7 +134,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.attachUa({
+      const identityUniversalAuth = await server.services.identityUa.attachUniversalAuth({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
@ -219,7 +219,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.updateUa({
+      const identityUniversalAuth = await server.services.identityUa.updateUniversalAuth({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
@ -272,7 +272,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.getIdentityUa({
+      const identityUniversalAuth = await server.services.identityUa.getIdentityUniversalAuth({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@ -295,6 +295,53 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "DELETE",
+    url: "/universal-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Universal Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(UNIVERSAL_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityUniversalAuth: IdentityUniversalAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityUniversalAuth = await server.services.identityUa.revokeIdentityUniversalAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityUniversalAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH,
+          metadata: {
+            identityId: identityUniversalAuth.identityId
+          }
+        }
+      });
+
+      return { identityUniversalAuth };
+    }
+  });
+
  server.route({
    method: "POST",
    url: "/universal-auth/identities/:identityId/client-secrets",
@ -325,14 +372,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const { clientSecret, clientSecretData, orgId } = await server.services.identityUa.createUaClientSecret({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        identityId: req.params.identityId,
-        ...req.body
-      });
+      const { clientSecret, clientSecretData, orgId } =
+        await server.services.identityUa.createUniversalAuthClientSecret({
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          identityId: req.params.identityId,
+          ...req.body
+        });

      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
@ -374,13 +422,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUaClientSecrets({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        identityId: req.params.identityId
-      });
+      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUniversalAuthClientSecrets(
+        {
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          identityId: req.params.identityId
+        }
+      );

      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
@ -396,6 +446,56 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "GET",
+    url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Get Universal Auth Client Secret for identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(UNIVERSAL_AUTH.GET_CLIENT_SECRET.identityId),
+        clientSecretId: z.string().describe(UNIVERSAL_AUTH.GET_CLIENT_SECRET.clientSecretId)
+      }),
+      response: {
+        200: z.object({
+          clientSecretData: sanitizedClientSecretSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const clientSecretData = await server.services.identityUa.getUniversalAuthClientSecretById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId,
+        clientSecretId: req.params.clientSecretId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: clientSecretData.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET,
+          metadata: {
+            identityId: clientSecretData.identityId,
+            clientSecretId: clientSecretData.id
+          }
+        }
+      });
+
+      return { clientSecretData };
+    }
+  });
+
  server.route({
    method: "POST",
    url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId/revoke",
@ -421,7 +521,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const clientSecretData = await server.services.identityUa.revokeUaClientSecret({
+      const clientSecretData = await server.services.identityUa.revokeUniversalAuthClientSecret({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@ -9,7 +9,7 @@ import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityRouter } from "./identity-router";
-import { registerIdentityUaRouter } from "./identity-ua";
+import { registerIdentityUaRouter } from "./identity-universal-auth-router";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
 import { registerIntegrationRouter } from "./integration-router";
 import { registerInviteOrgRouter } from "./invite-org-router";
--- a/backend/src/server/routes/v1/password-router.ts
+++ b/backend/src/server/routes/v1/password-router.ts
@ -51,7 +51,8 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
        encryptedPrivateKeyIV: z.string().trim(),
        encryptedPrivateKeyTag: z.string().trim(),
        salt: z.string().trim(),
-        verifier: z.string().trim()
+        verifier: z.string().trim(),
+        password: z.string().trim()
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@ -372,6 +372,44 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "PUT",
+    url: "/:workspaceSlug/audit-logs-retention",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        workspaceSlug: z.string().trim()
+      }),
+      body: z.object({
+        auditLogsRetentionDays: z.number().min(0)
+      }),
+      response: {
+        200: z.object({
+          message: z.string(),
+          workspace: ProjectsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const workspace = await server.services.project.updateAuditLogsRetention({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        workspaceSlug: req.params.workspaceSlug,
+        auditLogsRetentionDays: req.body.auditLogsRetentionDays
+      });
+
+      return {
+        message: "Successfully updated project's audit logs retention period",
+        workspace
+      };
+    }
+  });
+
  server.route({
    method: "GET",
    url: "/:workspaceId/integrations",
--- a/backend/src/server/routes/v1/sso-router.ts
+++ b/backend/src/server/routes/v1/sso-router.ts
@ -259,4 +259,50 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
      );
    }
  });
+
+  server.route({
+    url: "/token-exchange",
+    method: "POST",
+    schema: {
+      body: z.object({
+        providerAuthToken: z.string(),
+        email: z.string()
+      })
+    },
+    handler: async (req, res) => {
+      const userAgent = req.headers["user-agent"];
+      if (!userAgent) throw new Error("user agent header is required");
+
+      const data = await server.services.login.oauth2TokenExchange({
+        email: req.body.email,
+        ip: req.realIp,
+        userAgent,
+        providerAuthToken: req.body.providerAuthToken
+      });
+
+      if (data.isMfaEnabled) {
+        return { mfaEnabled: true, token: data.token } as const; // for discriminated union
+      }
+
+      void res.setCookie("jid", data.token.refresh, {
+        httpOnly: true,
+        path: "/",
+        sameSite: "strict",
+        secure: appCfg.HTTPS_ENABLED
+      });
+
+      return {
+        mfaEnabled: false,
+        encryptionVersion: data.user.encryptionVersion,
+        token: data.token.access,
+        publicKey: data.user.publicKey,
+        encryptedPrivateKey: data.user.encryptedPrivateKey,
+        iv: data.user.iv,
+        tag: data.user.tag,
+        protectedKey: data.user.protectedKey || null,
+        protectedKeyIV: data.user.protectedKeyIV || null,
+        protectedKeyTag: data.user.protectedKeyTag || null
+      } as const;
+    }
+  });
 };
--- a/backend/src/server/routes/v1/user-router.ts
+++ b/backend/src/server/routes/v1/user-router.ts
@ -19,7 +19,23 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    schema: {
      response: {
        200: z.object({
-          user: UsersSchema.merge(UserEncryptionKeysSchema.omit({ verifier: true }))
+          user: UsersSchema.merge(
+            UserEncryptionKeysSchema.pick({
+              clientPublicKey: true,
+              serverPrivateKey: true,
+              encryptionVersion: true,
+              protectedKey: true,
+              protectedKeyIV: true,
+              protectedKeyTag: true,
+              publicKey: true,
+              encryptedPrivateKey: true,
+              iv: true,
+              tag: true,
+              salt: true,
+              verifier: true,
+              userId: true
+            })
+          )
        })
      }
    },
@ -30,6 +46,26 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "GET",
+    url: "/private-key",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          privateKey: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
+    handler: async (req) => {
+      const privateKey = await server.services.user.getUserPrivateKey(req.permission.id);
+      return { privateKey };
+    }
+  });
+
  server.route({
    method: "GET",
    url: "/:userId/unlock",
--- a/backend/src/server/routes/v2/user-router.ts
+++ b/backend/src/server/routes/v2/user-router.ts
@ -255,7 +255,23 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
      description: "Retrieve the current user on the request",
      response: {
        200: z.object({
-          user: UsersSchema.merge(UserEncryptionKeysSchema.omit({ verifier: true }))
+          user: UsersSchema.merge(
+            UserEncryptionKeysSchema.pick({
+              clientPublicKey: true,
+              serverPrivateKey: true,
+              encryptionVersion: true,
+              protectedKey: true,
+              protectedKeyIV: true,
+              protectedKeyTag: true,
+              publicKey: true,
+              encryptedPrivateKey: true,
+              iv: true,
+              tag: true,
+              salt: true,
+              verifier: true,
+              userId: true
+            })
+          )
        })
      }
    },
--- a/backend/src/server/routes/v3/login-router.ts
+++ b/backend/src/server/routes/v3/login-router.ts
@ -81,7 +81,8 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
        email: z.string().trim(),
        providerAuthToken: z.string().trim().optional(),
        clientProof: z.string().trim(),
-        captchaToken: z.string().trim().optional()
+        captchaToken: z.string().trim().optional(),
+        password: z.string().optional()
      }),
      response: {
        200: z.discriminatedUnion("mfaEnabled", [
@ -112,7 +113,8 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
        ip: req.realIp,
        userAgent,
        providerAuthToken: req.body.providerAuthToken,
-        clientProof: req.body.clientProof
+        clientProof: req.body.clientProof,
+        password: req.body.password
      });

      if (data.isMfaEnabled) {
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@ -300,6 +300,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
        version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.GET.type),
+        expandSecretReferences: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.GET.expand),
        include_imports: z
          .enum(["true", "false"])
          .default("false")
@ -344,6 +349,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
+        expandSecretReferences: req.query.expandSecretReferences,
        environment,
        projectId: workspaceId,
        projectSlug: workspaceSlug,
--- a/backend/src/server/routes/v3/signup-router.ts
+++ b/backend/src/server/routes/v3/signup-router.ts
@ -102,7 +102,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
        verifier: z.string().trim(),
        organizationName: z.string().trim().min(1),
        providerAuthToken: z.string().trim().optional().nullish(),
-        attributionSource: z.string().trim().optional()
+        attributionSource: z.string().trim().optional(),
+        password: z.string()
      }),
      response: {
        200: z.object({
@ -167,6 +168,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
    schema: {
      body: z.object({
        email: z.string().email().trim(),
+        password: z.string(),
        firstName: z.string().trim(),
        lastName: z.string().trim().optional(),
        protectedKey: z.string().trim(),
--- a/backend/src/services/auth/auth-fns.ts
+++ b/backend/src/services/auth/auth-fns.ts
@ -15,10 +15,10 @@ export const validateProviderAuthToken = (providerToken: string, username?: stri
  if (decodedToken.username !== username) throw new Error("Invalid auth credentials");

  if (decodedToken.organizationId) {
-    return { orgId: decodedToken.organizationId, authMethod: decodedToken.authMethod };
+    return { orgId: decodedToken.organizationId, authMethod: decodedToken.authMethod, userName: decodedToken.username };
  }

-  return { authMethod: decodedToken.authMethod, orgId: null };
+  return { authMethod: decodedToken.authMethod, orgId: null, userName: decodedToken.username };
 };

 export const validateSignUpAuthorization = (token: string, userId: string, validate = true) => {
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@ -1,3 +1,4 @@
+import bcrypt from "bcrypt";
 import jwt from "jsonwebtoken";

 import { TUsers, UserDeviceSchema } from "@app/db/schemas";
@ -5,7 +6,10 @@ import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
+import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, DatabaseError, UnauthorizedError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";

 import { TTokenDALFactory } from "../auth-token/auth-token-dal";
@ -19,6 +23,7 @@ import {
  TLoginClientProofDTO,
  TLoginGenServerPublicKeyDTO,
  TOauthLoginDTO,
+  TOauthTokenExchangeDTO,
  TVerifyMfaTokenDTO
 } from "./auth-login-type";
 import { AuthMethod, AuthModeJwtTokenPayload, AuthModeMfaJwtTokenPayload, AuthTokenType } from "./auth-type";
@ -101,7 +106,7 @@ export const authLoginServiceFactory = ({
    user: TUsers;
    ip: string;
    userAgent: string;
-    organizationId: string | undefined;
+    organizationId?: string;
    authMethod: AuthMethod;
  }) => {
    const cfg = getConfig();
@ -178,7 +183,8 @@ export const authLoginServiceFactory = ({
    ip,
    userAgent,
    providerAuthToken,
-    captchaToken
+    captchaToken,
+    password
  }: TLoginClientProofDTO) => {
    const appCfg = getConfig();

@ -196,7 +202,10 @@ export const authLoginServiceFactory = ({
      const decodedProviderToken = validateProviderAuthToken(providerAuthToken, email);

      authMethod = decodedProviderToken.authMethod;
-      if ((isAuthMethodSaml(authMethod) || authMethod === AuthMethod.LDAP) && decodedProviderToken.orgId) {
+      if (
+        (isAuthMethodSaml(authMethod) || [AuthMethod.LDAP, AuthMethod.OIDC].includes(authMethod)) &&
+        decodedProviderToken.orgId
+      ) {
        organizationId = decodedProviderToken.orgId;
      }
    }
@ -248,14 +257,35 @@ export const authLoginServiceFactory = ({
      throw new Error("Failed to authenticate. Try again?");
    }

-    await userDAL.updateUserEncryptionByUserId(userEnc.userId, {
-      serverPrivateKey: null,
-      clientPublicKey: null
-    });
-
    await userDAL.updateById(userEnc.userId, {
      consecutiveFailedPasswordAttempts: 0
    });
+    // from password decrypt the private key
+    if (password) {
+      const privateKey = await getUserPrivateKey(password, userEnc).catch((err) => {
+        logger.error(
+          err,
+          `loginExchangeClientProof: private key generation failed for [userId=${user.id}] and [email=${user.email}] `
+        );
+        return "";
+      });
+      const hashedPassword = await bcrypt.hash(password, cfg.BCRYPT_SALT_ROUND);
+      const { iv, tag, ciphertext, encoding } = infisicalSymmetricEncypt(privateKey);
+      await userDAL.updateUserEncryptionByUserId(userEnc.userId, {
+        serverPrivateKey: null,
+        clientPublicKey: null,
+        hashedPassword,
+        serverEncryptedPrivateKey: ciphertext,
+        serverEncryptedPrivateKeyIV: iv,
+        serverEncryptedPrivateKeyTag: tag,
+        serverEncryptedPrivateKeyEncoding: encoding
+      });
+    } else {
+      await userDAL.updateUserEncryptionByUserId(userEnc.userId, {
+        serverPrivateKey: null,
+        clientPublicKey: null
+      });
+    }

    // send multi factor auth token if they it enabled
    if (userEnc.isMfaEnabled && userEnc.email) {
@ -324,9 +354,12 @@ export const authLoginServiceFactory = ({
    // Check if the user actually has access to the specified organization.
    const userOrgs = await orgDAL.findAllOrgsByUserId(user.id);
    const hasOrganizationMembership = userOrgs.some((org) => org.id === organizationId);
+    const selectedOrg = await orgDAL.findById(organizationId);

    if (!hasOrganizationMembership) {
-      throw new UnauthorizedError({ message: "User does not have access to the organization" });
+      throw new UnauthorizedError({
+        message: `User does not have access to the organization named ${selectedOrg?.name}`
+      });
    }

    await tokenDAL.incrementTokenSessionVersion(user.id, decodedToken.tokenVersionId);
@ -499,8 +532,14 @@ export const authLoginServiceFactory = ({
        authMethods: [authMethod],
        isGhost: false
      });
+    } else {
+      const isLinkingRequired = !user?.authMethods?.includes(authMethod);
+      if (isLinkingRequired) {
+        user = await userDAL.updateById(user.id, { authMethods: [...(user.authMethods || []), authMethod] });
+      }
    }
-    const isLinkingRequired = !user?.authMethods?.includes(authMethod);
+
+    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
    const isUserCompleted = user.isAccepted;
    const providerAuthToken = jwt.sign(
      {
@ -511,9 +550,9 @@ export const authLoginServiceFactory = ({
        isEmailVerified: user.isEmailVerified,
        firstName: user.firstName,
        lastName: user.lastName,
+        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
        authMethod,
        isUserCompleted,
-        isLinkingRequired,
        ...(callbackPort
          ? {
              callbackPort
@ -525,10 +564,72 @@ export const authLoginServiceFactory = ({
        expiresIn: appCfg.JWT_PROVIDER_AUTH_LIFETIME
      }
    );
-
    return { isUserCompleted, providerAuthToken };
  };

+  /**
+   * Handles OAuth2 token exchange for user login with private key handoff.
+   *
+   * The process involves exchanging a provider's authorization token for an Infisical access token.
+   * The provider token is returned to the client, who then sends it back to obtain the Infisical access token.
+   *
+   * This approach is used instead of directly sending the access token for the following reasons:
+   * 1. To facilitate easier logic changes from SRP OAuth to simple OAuth.
+   * 2. To avoid attaching the access token to the URL, which could be logged. The provider token has a very short lifespan, reducing security risks.
+   */
+  const oauth2TokenExchange = async ({ userAgent, ip, providerAuthToken, email }: TOauthTokenExchangeDTO) => {
+    const decodedProviderToken = validateProviderAuthToken(providerAuthToken, email);
+
+    const appCfg = getConfig();
+    const { authMethod, userName } = decodedProviderToken;
+    if (!userName) throw new BadRequestError({ message: "Missing user name" });
+    const organizationId =
+      (isAuthMethodSaml(authMethod) || [AuthMethod.LDAP, AuthMethod.OIDC].includes(authMethod)) &&
+      decodedProviderToken.orgId
+        ? decodedProviderToken.orgId
+        : undefined;
+
+    const userEnc = await userDAL.findUserEncKeyByUsername({
+      username: email
+    });
+    if (!userEnc) throw new BadRequestError({ message: "Invalid token" });
+    if (!userEnc.serverEncryptedPrivateKey)
+      throw new BadRequestError({ message: "Key handoff incomplete. Please try logging in again." });
+    // send multi factor auth token if they it enabled
+    if (userEnc.isMfaEnabled && userEnc.email) {
+      enforceUserLockStatus(Boolean(userEnc.isLocked), userEnc.temporaryLockDateEnd);
+
+      const mfaToken = jwt.sign(
+        {
+          authMethod,
+          authTokenType: AuthTokenType.MFA_TOKEN,
+          userId: userEnc.userId
+        },
+        appCfg.AUTH_SECRET,
+        {
+          expiresIn: appCfg.JWT_MFA_LIFETIME
+        }
+      );
+
+      await sendUserMfaCode({
+        userId: userEnc.userId,
+        email: userEnc.email
+      });
+
+      return { isMfaEnabled: true, token: mfaToken } as const;
+    }
+
+    const token = await generateUserTokens({
+      user: { ...userEnc, id: userEnc.userId },
+      ip,
+      userAgent,
+      authMethod,
+      organizationId
+    });
+
+    return { token, isMfaEnabled: false, user: userEnc } as const;
+  };
+
  /*
   * logout user by incrementing the version by 1 meaning any old session will become invalid
   * as there number is behind
@ -542,6 +643,7 @@ export const authLoginServiceFactory = ({
    loginExchangeClientProof,
    logout,
    oauth2Login,
+    oauth2TokenExchange,
    resendMfaToken,
    verifyMfaToken,
    selectOrganization,
--- a/backend/src/services/auth/auth-login-type.ts
+++ b/backend/src/services/auth/auth-login-type.ts
@ -13,6 +13,7 @@ export type TLoginClientProofDTO = {
  ip: string;
  userAgent: string;
  captchaToken?: string;
+  password?: string;
 };

 export type TVerifyMfaTokenDTO = {
@ -31,3 +32,10 @@ export type TOauthLoginDTO = {
  authMethod: AuthMethod;
  callbackPort?: string;
 };
+
+export type TOauthTokenExchangeDTO = {
+  providerAuthToken: string;
+  ip: string;
+  userAgent: string;
+  email: string;
+};
--- a/backend/src/services/auth/auth-password-service.ts
+++ b/backend/src/services/auth/auth-password-service.ts
@ -1,3 +1,4 @@
+import bcrypt from "bcrypt";
 import jwt from "jsonwebtoken";

 import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
@ -57,7 +58,8 @@ export const authPaswordServiceFactory = ({
    encryptedPrivateKeyTag,
    salt,
    verifier,
-    tokenVersionId
+    tokenVersionId,
+    password
  }: TChangePasswordDTO) => {
    const userEnc = await userDAL.findUserEncKeyByUserId(userId);
    if (!userEnc) throw new Error("Failed to find user");
@ -76,6 +78,8 @@ export const authPaswordServiceFactory = ({
    );
    if (!isValidClientProof) throw new Error("Failed to authenticate. Try again?");

+    const appCfg = getConfig();
+    const hashedPassword = await bcrypt.hash(password, appCfg.BCRYPT_SALT_ROUND);
    await userDAL.updateUserEncryptionByUserId(userId, {
      encryptionVersion: 2,
      protectedKey,
@ -87,7 +91,8 @@ export const authPaswordServiceFactory = ({
      salt,
      verifier,
      serverPrivateKey: null,
-      clientPublicKey: null
+      clientPublicKey: null,
+      hashedPassword
    });

    if (tokenVersionId) {
--- a/backend/src/services/auth/auth-password-type.ts
+++ b/backend/src/services/auth/auth-password-type.ts
@ -10,6 +10,7 @@ export type TChangePasswordDTO = {
  salt: string;
  verifier: string;
  tokenVersionId?: string;
+  password: string;
 };

 export type TResetPasswordViaBackupKeyDTO = {
--- a/backend/src/services/auth/auth-signup-service.ts
+++ b/backend/src/services/auth/auth-signup-service.ts
@ -1,3 +1,4 @@
+import bcrypt from "bcrypt";
 import jwt from "jsonwebtoken";

 import { OrgMembershipStatus, TableName } from "@app/db/schemas";
@ -6,6 +7,8 @@ import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-grou
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
+import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError } from "@app/lib/errors";
 import { isDisposableEmail } from "@app/lib/validator";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
@ -119,6 +122,7 @@ export const authSignupServiceFactory = ({

  const completeEmailAccountSignup = async ({
    email,
+    password,
    firstName,
    lastName,
    providerAuthToken,
@ -137,6 +141,7 @@ export const authSignupServiceFactory = ({
    userAgent,
    authorization
  }: TCompleteAccountSignupDTO) => {
+    const appCfg = getConfig();
    const user = await userDAL.findOne({ username: email });
    if (!user || (user && user.isAccepted)) {
      throw new Error("Failed to complete account for complete user");
@ -152,6 +157,18 @@ export const authSignupServiceFactory = ({
      validateSignUpAuthorization(authorization, user.id);
    }

+    const hashedPassword = await bcrypt.hash(password, appCfg.BCRYPT_SALT_ROUND);
+    const privateKey = await getUserPrivateKey(password, {
+      salt,
+      protectedKey,
+      protectedKeyIV,
+      protectedKeyTag,
+      encryptedPrivateKey,
+      iv: encryptedPrivateKeyIV,
+      tag: encryptedPrivateKeyTag,
+      encryptionVersion: 2
+    });
+    const { tag, encoding, ciphertext, iv } = infisicalSymmetricEncypt(privateKey);
    const updateduser = await authDAL.transaction(async (tx) => {
      const us = await userDAL.updateById(user.id, { firstName, lastName, isAccepted: true }, tx);
      if (!us) throw new Error("User not found");
@ -166,12 +183,20 @@ export const authSignupServiceFactory = ({
          protectedKeyTag,
          encryptedPrivateKey,
          iv: encryptedPrivateKeyIV,
-          tag: encryptedPrivateKeyTag
+          tag: encryptedPrivateKeyTag,
+          hashedPassword,
+          serverEncryptedPrivateKeyEncoding: encoding,
+          serverEncryptedPrivateKeyTag: tag,
+          serverEncryptedPrivateKeyIV: iv,
+          serverEncryptedPrivateKey: ciphertext
        },
        tx
      );
      // If it's SAML Auth and the organization ID is present, we should check if the user has a pending invite for this org, and accept it
-      if ((isAuthMethodSaml(authMethod) || authMethod === AuthMethod.LDAP) && organizationId) {
+      if (
+        (isAuthMethodSaml(authMethod) || [AuthMethod.LDAP, AuthMethod.OIDC].includes(authMethod as AuthMethod)) &&
+        organizationId
+      ) {
        const [pendingOrgMembership] = await orgDAL.findMembership({
          [`${TableName.OrgMembership}.userId` as "userId"]: user.id,
          status: OrgMembershipStatus.Invited,
@ -227,7 +252,6 @@ export const authSignupServiceFactory = ({
      userId: updateduser.info.id
    });
    if (!tokenSession) throw new Error("Failed to create token");
-    const appCfg = getConfig();

    const accessToken = jwt.sign(
      {
@ -265,6 +289,7 @@ export const authSignupServiceFactory = ({
    ip,
    salt,
    email,
+    password,
    verifier,
    firstName,
    publicKey,
@ -295,6 +320,19 @@ export const authSignupServiceFactory = ({
        name: "complete account invite"
      });

+    const appCfg = getConfig();
+    const hashedPassword = await bcrypt.hash(password, appCfg.BCRYPT_SALT_ROUND);
+    const privateKey = await getUserPrivateKey(password, {
+      salt,
+      protectedKey,
+      protectedKeyIV,
+      protectedKeyTag,
+      encryptedPrivateKey,
+      iv: encryptedPrivateKeyIV,
+      tag: encryptedPrivateKeyTag,
+      encryptionVersion: 2
+    });
+    const { tag, encoding, ciphertext, iv } = infisicalSymmetricEncypt(privateKey);
    const updateduser = await authDAL.transaction(async (tx) => {
      const us = await userDAL.updateById(user.id, { firstName, lastName, isAccepted: true }, tx);
      if (!us) throw new Error("User not found");
@ -310,7 +348,12 @@ export const authSignupServiceFactory = ({
          protectedKeyTag,
          encryptedPrivateKey,
          iv: encryptedPrivateKeyIV,
-          tag: encryptedPrivateKeyTag
+          tag: encryptedPrivateKeyTag,
+          hashedPassword,
+          serverEncryptedPrivateKeyEncoding: encoding,
+          serverEncryptedPrivateKeyTag: tag,
+          serverEncryptedPrivateKeyIV: iv,
+          serverEncryptedPrivateKey: ciphertext
        },
        tx
      );
@ -343,7 +386,6 @@ export const authSignupServiceFactory = ({
      userId: updateduser.info.id
    });
    if (!tokenSession) throw new Error("Failed to create token");
-    const appCfg = getConfig();

    const accessToken = jwt.sign(
      {
--- a/backend/src/services/auth/auth-signup-type.ts
+++ b/backend/src/services/auth/auth-signup-type.ts
@ -1,5 +1,6 @@
 export type TCompleteAccountSignupDTO = {
  email: string;
+  password: string;
  firstName: string;
  lastName?: string;
  protectedKey: string;
@ -21,6 +22,7 @@ export type TCompleteAccountSignupDTO = {

 export type TCompleteAccountInviteDTO = {
  email: string;
+  password: string;
  firstName: string;
  lastName?: string;
  protectedKey: string;
--- a/backend/src/services/auth/auth-type.ts
+++ b/backend/src/services/auth/auth-type.ts
@ -8,7 +8,8 @@ export enum AuthMethod {
  JUMPCLOUD_SAML = "jumpcloud-saml",
  GOOGLE_SAML = "google-saml",
  KEYCLOAK_SAML = "keycloak-saml",
-  LDAP = "ldap"
+  LDAP = "ldap",
+  OIDC = "oidc"
 }

 export enum AuthTokenType {
--- a/backend/src/services/certificate-authority/certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-service.ts
@ -3,6 +3,7 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import crypto, { KeyObject } from "crypto";
 import ms from "ms";
+import { z } from "zod";

 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -38,6 +39,7 @@ import {
  TSignIntermediateDTO,
  TUpdateCaDTO
 } from "./certificate-authority-types";
+import { hostnameRegex } from "./certificate-authority-validators";

 type TCertificateAuthorityServiceFactoryDep = {
  certificateAuthorityDAL: Pick<
@ -653,6 +655,7 @@ export const certificateAuthorityServiceFactory = ({
    caId,
    friendlyName,
    commonName,
+    altNames,
    ttl,
    notBefore,
    notAfter,
@ -738,6 +741,45 @@ export const certificateAuthorityServiceFactory = ({
      kmsService
    });

+    const extensions: x509.Extension[] = [
+      new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment, true),
+      new x509.BasicConstraintsExtension(false),
+      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
+      await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey)
+    ];
+
+    if (altNames) {
+      const altNamesArray: {
+        type: "email" | "dns";
+        value: string;
+      }[] = altNames
+        .split(",")
+        .map((name) => name.trim())
+        .map((altName) => {
+          // check if the altName is a valid email
+          if (z.string().email().safeParse(altName).success) {
+            return {
+              type: "email",
+              value: altName
+            };
+          }
+
+          // check if the altName is a valid hostname
+          if (hostnameRegex.test(altName)) {
+            return {
+              type: "dns",
+              value: altName
+            };
+          }
+
+          // If altName is neither a valid email nor a valid hostname, throw an error or handle it accordingly
+          throw new Error(`Invalid altName: ${altName}`);
+        });
+
+      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
+      extensions.push(altNamesExtension);
+    }
+
    const serialNumber = crypto.randomBytes(32).toString("hex");
    const leafCert = await x509.X509CertificateGenerator.create({
      serialNumber,
@ -748,12 +790,7 @@ export const certificateAuthorityServiceFactory = ({
      signingKey: caPrivateKey,
      publicKey: csrObj.publicKey,
      signingAlgorithm: alg,
-      extensions: [
-        new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment, true),
-        new x509.BasicConstraintsExtension(false),
-        await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
-        await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey)
-      ]
+      extensions
    });

    const skLeafObj = KeyObject.from(leafKeys.privateKey);
@ -771,6 +808,7 @@ export const certificateAuthorityServiceFactory = ({
          status: CertStatus.ACTIVE,
          friendlyName: friendlyName || commonName,
          commonName,
+          altNames,
          serialNumber,
          notBefore: notBeforeDate,
          notAfter: notAfterDate
--- a/backend/src/services/certificate-authority/certificate-authority-types.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-types.ts
@ -75,6 +75,7 @@ export type TIssueCertFromCaDTO = {
  caId: string;
  friendlyName?: string;
  commonName: string;
+  altNames: string;
  ttl: string;
  notBefore?: string;
  notAfter?: string;
--- a/backend/src/services/certificate-authority/certificate-authority-validators.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-validators.ts
@ -6,3 +6,29 @@ const isValidDate = (dateString: string) => {
 };

 export const validateCaDateField = z.string().trim().refine(isValidDate, { message: "Invalid date format" });
+
+export const hostnameRegex = /^(?!:\/\/)([a-zA-Z0-9-_]{1,63}\.?)+(?!:\/\/)([a-zA-Z]{2,63})$/;
+export const validateAltNamesField = z
+  .string()
+  .trim()
+  .default("")
+  .transform((data) => {
+    if (data === "") return "";
+    // Trim each alt name and join with ', ' to ensure formatting
+    return data
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  })
+  .refine(
+    (data) => {
+      if (data === "") return true;
+      // Split and validate each alt name
+      return data.split(", ").every((name) => {
+        return hostnameRegex.test(name) || z.string().email().safeParse(name).success;
+      });
+    },
+    {
+      message: "Each alt name must be a valid hostname or email address"
+    }
+  );
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@ -7,11 +7,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@ -24,12 +25,13 @@ import {
  TGetAwsAuthDTO,
  TGetCallerIdentityResponse,
  TLoginAwsAuthDTO,
+  TRevokeAwsAuthDTO,
  TUpdateAwsAuthDTO
 } from "./identity-aws-auth-types";

 type TIdentityAwsAuthServiceFactoryDep = {
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
  identityDAL: Pick<TIdentityDALFactory, "updateById">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@ -301,10 +303,54 @@ export const identityAwsAuthServiceFactory = ({
    return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
  };

+  const revokeIdentityAwsAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeAwsAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have aws auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke aws auth of identity with more privileged role"
+      });
+
+    const revokedIdentityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
+      const deletedAwsAuth = await identityAwsAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedAwsAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityAwsAuth;
+  };
+
  return {
    login,
    attachAwsAuth,
    updateAwsAuth,
-    getAwsAuth
+    getAwsAuth,
+    revokeIdentityAwsAuth
  };
 };
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-types.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-types.ts
@ -52,3 +52,7 @@ export type TGetCallerIdentityResponse = {
    ResponseMetadata: { RequestId: string };
  };
 };
+
+export type TRevokeAwsAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
@ -5,11 +5,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@ -20,11 +21,15 @@ import {
  TAttachAzureAuthDTO,
  TGetAzureAuthDTO,
  TLoginAzureAuthDTO,
+  TRevokeAzureAuthDTO,
  TUpdateAzureAuthDTO
 } from "./identity-azure-auth-types";

 type TIdentityAzureAuthServiceFactoryDep = {
-  identityAzureAuthDAL: Pick<TIdentityAzureAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAzureAuthDAL: Pick<
+    TIdentityAzureAuthDALFactory,
+    "findOne" | "transaction" | "create" | "updateById" | "delete"
+  >;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
  identityDAL: Pick<TIdentityDALFactory, "updateById">;
@ -277,10 +282,54 @@ export const identityAzureAuthServiceFactory = ({
    return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
  };

+  const revokeIdentityAzureAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeAzureAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have azure auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke azure auth of identity with more privileged role"
+      });
+
+    const revokedIdentityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
+      const deletedAzureAuth = await identityAzureAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedAzureAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityAzureAuth;
+  };
+
  return {
    login,
    attachAzureAuth,
    updateAzureAuth,
-    getAzureAuth
+    getAzureAuth,
+    revokeIdentityAzureAuth
  };
 };
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-types.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-types.ts
@ -118,3 +118,7 @@ export type TDecodedAzureAuthJwt = {
    [key: string]: string;
  };
 };
+
+export type TRevokeAzureAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
@ -5,11 +5,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@ -21,11 +22,12 @@ import {
  TGcpIdentityDetails,
  TGetGcpAuthDTO,
  TLoginGcpAuthDTO,
+  TRevokeGcpAuthDTO,
  TUpdateGcpAuthDTO
 } from "./identity-gcp-auth-types";

 type TIdentityGcpAuthServiceFactoryDep = {
-  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
  identityDAL: Pick<TIdentityDALFactory, "updateById">;
@ -315,10 +317,54 @@ export const identityGcpAuthServiceFactory = ({
    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
  };

+  const revokeIdentityGcpAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have gcp auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke gcp auth of identity with more privileged role"
+      });
+
+    const revokedIdentityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
+      const deletedGcpAuth = await identityGcpAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedGcpAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityGcpAuth;
+  };
+
  return {
    login,
    attachGcpAuth,
    updateGcpAuth,
-    getGcpAuth
+    getGcpAuth,
+    revokeIdentityGcpAuth
  };
 };
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts
@ -76,3 +76,7 @@ export type TDecodedGcpIamAuthJwt = {
    [key: string]: string;
  };
 };
+
+export type TRevokeGcpAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@ -7,6 +7,7 @@ import { IdentityAuthMethod, SecretKeyEncoding, TIdentityKubernetesAuthsUpdate }
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import {
  decryptSymmetric,
@ -16,11 +17,11 @@ import {
  infisicalSymmetricDecrypt,
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";

-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@ -32,13 +33,14 @@ import {
  TCreateTokenReviewResponse,
  TGetKubernetesAuthDTO,
  TLoginKubernetesAuthDTO,
+  TRevokeKubernetesAuthDTO,
  TUpdateKubernetesAuthDTO
 } from "./identity-kubernetes-auth-types";

 type TIdentityKubernetesAuthServiceFactoryDep = {
  identityKubernetesAuthDAL: Pick<
    TIdentityKubernetesAuthDALFactory,
-    "create" | "findOne" | "transaction" | "updateById"
+    "create" | "findOne" | "transaction" | "updateById" | "delete"
  >;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
@ -442,7 +444,34 @@ export const identityKubernetesAuthServiceFactory = ({

    const updatedKubernetesAuth = await identityKubernetesAuthDAL.updateById(identityKubernetesAuth.id, updateQuery);

-    return { ...updatedKubernetesAuth, orgId: identityMembershipOrg.orgId };
+    const updatedCACert =
+      updatedKubernetesAuth.encryptedCaCert && updatedKubernetesAuth.caCertIV && updatedKubernetesAuth.caCertTag
+        ? decryptSymmetric({
+            ciphertext: updatedKubernetesAuth.encryptedCaCert,
+            iv: updatedKubernetesAuth.caCertIV,
+            tag: updatedKubernetesAuth.caCertTag,
+            key
+          })
+        : "";
+
+    const updatedTokenReviewerJwt =
+      updatedKubernetesAuth.encryptedTokenReviewerJwt &&
+      updatedKubernetesAuth.tokenReviewerJwtIV &&
+      updatedKubernetesAuth.tokenReviewerJwtTag
+        ? decryptSymmetric({
+            ciphertext: updatedKubernetesAuth.encryptedTokenReviewerJwt,
+            iv: updatedKubernetesAuth.tokenReviewerJwtIV,
+            tag: updatedKubernetesAuth.tokenReviewerJwtTag,
+            key
+          })
+        : "";
+
+    return {
+      ...updatedKubernetesAuth,
+      orgId: identityMembershipOrg.orgId,
+      caCert: updatedCACert,
+      tokenReviewerJwt: updatedTokenReviewerJwt
+    };
  };

  const getKubernetesAuth = async ({
@ -506,10 +535,54 @@ export const identityKubernetesAuthServiceFactory = ({
    return { ...identityKubernetesAuth, caCert, tokenReviewerJwt, orgId: identityMembershipOrg.orgId };
  };

+  const revokeIdentityKubernetesAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeKubernetesAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have kubenetes auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke kubenetes auth of identity with more privileged role"
+      });
+
+    const revokedIdentityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
+      const deletedKubernetesAuth = await identityKubernetesAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedKubernetesAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityKubernetesAuth;
+  };
+
  return {
    login,
    attachKubernetesAuth,
    updateKubernetesAuth,
-    getKubernetesAuth
+    getKubernetesAuth,
+    revokeIdentityKubernetesAuth
  };
 };
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts
@ -59,3 +59,7 @@ export type TCreateTokenReviewResponse = {
  };
  status: TCreateTokenReviewSuccessResponse | TCreateTokenReviewErrorResponse;
 };
+
+export type TRevokeKubernetesAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/identity-ua/identity-ua-service.ts
+++ b/backend/src/services/identity-ua/identity-ua-service.ts
@ -25,7 +25,9 @@ import {
  TCreateUaClientSecretDTO,
  TGetUaClientSecretsDTO,
  TGetUaDTO,
+  TGetUniversalAuthClientSecretByIdDTO,
  TRevokeUaClientSecretDTO,
+  TRevokeUaDTO,
  TUpdateUaDTO
 } from "./identity-ua-types";

@ -136,7 +138,7 @@ export const identityUaServiceFactory = ({
    return { accessToken, identityUa, validClientSecretInfo, identityAccessToken, identityMembershipOrg };
  };

-  const attachUa = async ({
+  const attachUniversalAuth = async ({
    accessTokenMaxTTL,
    identityId,
    accessTokenNumUsesLimit,
@ -227,7 +229,7 @@ export const identityUaServiceFactory = ({
    return { ...identityUa, orgId: identityMembershipOrg.orgId };
  };

-  const updateUa = async ({
+  const updateUniversalAuth = async ({
    accessTokenMaxTTL,
    identityId,
    accessTokenNumUsesLimit,
@ -312,7 +314,7 @@ export const identityUaServiceFactory = ({
    return { ...updatedUaAuth, orgId: identityMembershipOrg.orgId };
  };

-  const getIdentityUa = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetUaDTO) => {
+  const getIdentityUniversalAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetUaDTO) => {
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
@ -333,7 +335,50 @@ export const identityUaServiceFactory = ({
    return { ...uaIdentityAuth, orgId: identityMembershipOrg.orgId };
  };

-  const createUaClientSecret = async ({
+  const revokeIdentityUniversalAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeUaDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+      throw new BadRequestError({
+        message: "The identity does not have universal auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke universal auth of identity with more privileged role"
+      });
+
+    const revokedIdentityUniversalAuth = await identityUaDAL.transaction(async (tx) => {
+      const deletedUniversalAuth = await identityUaDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedUniversalAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityUniversalAuth;
+  };
+
+  const createUniversalAuthClientSecret = async ({
    actor,
    actorId,
    actorOrgId,
@ -396,7 +441,7 @@ export const identityUaServiceFactory = ({
    };
  };

-  const getUaClientSecrets = async ({
+  const getUniversalAuthClientSecrets = async ({
    actor,
    actorId,
    actorOrgId,
@ -442,7 +487,47 @@ export const identityUaServiceFactory = ({
    return { clientSecrets, orgId: identityMembershipOrg.orgId };
  };

-  const revokeUaClientSecret = async ({
+  const getUniversalAuthClientSecretById = async ({
+    identityId,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    clientSecretId
+  }: TGetUniversalAuthClientSecretByIdDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+      throw new BadRequestError({
+        message: "The identity does not have universal auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to read identity client secret of project with more privileged role"
+      });
+
+    const clientSecret = await identityUaClientSecretDAL.findById(clientSecretId);
+    return { ...clientSecret, identityId, orgId: identityMembershipOrg.orgId };
+  };
+
+  const revokeUniversalAuthClientSecret = async ({
    identityId,
    actorId,
    actor,
@ -475,7 +560,7 @@ export const identityUaServiceFactory = ({
    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
    if (!hasPriviledge)
      throw new ForbiddenRequestError({
-        message: "Failed to add identity to project with more privileged role"
+        message: "Failed to revoke identity client secret with more privileged role"
      });

    const clientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
@ -486,11 +571,13 @@ export const identityUaServiceFactory = ({

  return {
    login,
-    attachUa,
-    updateUa,
-    getIdentityUa,
-    createUaClientSecret,
-    getUaClientSecrets,
-    revokeUaClientSecret
+    attachUniversalAuth,
+    updateUniversalAuth,
+    getIdentityUniversalAuth,
+    revokeIdentityUniversalAuth,
+    createUniversalAuthClientSecret,
+    getUniversalAuthClientSecrets,
+    revokeUniversalAuthClientSecret,
+    getUniversalAuthClientSecretById
  };
 };
--- a/backend/src/services/identity-ua/identity-ua-types.ts
+++ b/backend/src/services/identity-ua/identity-ua-types.ts
@ -22,6 +22,10 @@ export type TGetUaDTO = {
  identityId: string;
 } & Omit<TProjectPermission, "projectId">;

+export type TRevokeUaDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TCreateUaClientSecretDTO = {
  identityId: string;
  description: string;
@ -37,3 +41,8 @@ export type TRevokeUaClientSecretDTO = {
  identityId: string;
  clientSecretId: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TGetUniversalAuthClientSecretByIdDTO = {
+  identityId: string;
+  clientSecretId: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/identity/identity-org-dal.ts
+++ b/backend/src/services/identity/identity-org-dal.ts
@ -27,10 +27,10 @@ export const identityOrgDALFactory = (db: TDbClient) => {
    }
  };

-  const findByOrgId = async (orgId: string, tx?: Knex) => {
+  const find = async (filter: Partial<TIdentityOrgMemberships>, tx?: Knex) => {
    try {
      const docs = await (tx || db)(TableName.IdentityOrgMembership)
-        .where(`${TableName.IdentityOrgMembership}.orgId`, orgId)
+        .where(filter)
        .join(TableName.Identity, `${TableName.IdentityOrgMembership}.identityId`, `${TableName.Identity}.id`)
        .leftJoin(TableName.OrgRoles, `${TableName.IdentityOrgMembership}.roleId`, `${TableName.OrgRoles}.id`)
        .select(selectAllTableCols(TableName.IdentityOrgMembership))
@ -79,5 +79,5 @@ export const identityOrgDALFactory = (db: TDbClient) => {
    }
  };

-  return { ...identityOrgOrm, findOne, findByOrgId };
+  return { ...identityOrgOrm, find, findOne };
 };
--- a/backend/src/services/identity/identity-service.ts
+++ b/backend/src/services/identity/identity-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
+import { OrgMembershipRole, TableName, TOrgRoles } from "@app/db/schemas";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
@ -10,7 +10,7 @@ import { TOrgPermission } from "@app/lib/types";
 import { ActorType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "./identity-dal";
 import { TIdentityOrgDALFactory } from "./identity-org-dal";
-import { TCreateIdentityDTO, TDeleteIdentityDTO, TUpdateIdentityDTO } from "./identity-types";
+import { TCreateIdentityDTO, TDeleteIdentityDTO, TGetIdentityByIdDTO, TUpdateIdentityDTO } from "./identity-types";

 type TIdentityServiceFactoryDep = {
  identityDAL: TIdentityDALFactory;
@ -126,6 +126,24 @@ export const identityServiceFactory = ({
    return { ...identity, orgId: identityOrgMembership.orgId };
  };

+  const getIdentityById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TGetIdentityByIdDTO) => {
+    const doc = await identityOrgMembershipDAL.find({
+      [`${TableName.IdentityOrgMembership}.identityId` as "identityId"]: id
+    });
+    const identity = doc[0];
+    if (!identity) throw new BadRequestError({ message: `Failed to find identity with id ${id}` });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identity.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    return identity;
+  };
+
  const deleteIdentity = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TDeleteIdentityDTO) => {
    const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: id });
    if (!identityOrgMembership) throw new BadRequestError({ message: `Failed to find identity with id ${id}` });
@ -157,7 +175,9 @@ export const identityServiceFactory = ({
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);

-    const identityMemberships = await identityOrgMembershipDAL.findByOrgId(orgId);
+    const identityMemberships = await identityOrgMembershipDAL.find({
+      [`${TableName.IdentityOrgMembership}.orgId` as "orgId"]: orgId
+    });
    return identityMemberships;
  };

@ -165,6 +185,7 @@ export const identityServiceFactory = ({
    createIdentity,
    updateIdentity,
    deleteIdentity,
-    listOrgIdentities
+    listOrgIdentities,
+    getIdentityById
  };
 };
--- a/backend/src/services/identity/identity-types.ts
+++ b/backend/src/services/identity/identity-types.ts
@ -16,6 +16,10 @@ export type TDeleteIdentityDTO = {
  id: string;
 } & Omit<TOrgPermission, "orgId">;

+export type TGetIdentityByIdDTO = {
+  id: string;
+} & Omit<TOrgPermission, "orgId">;
+
 export interface TIdentityTrustedIp {
  ipAddress: string;
  type: IPType;
--- a/backend/src/services/integration-auth/integration-sync-secret.ts
+++ b/backend/src/services/integration-auth/integration-sync-secret.ts
@ -257,14 +257,27 @@ const syncSecretsGCPSecretManager = async ({
 const syncSecretsAzureKeyVault = async ({
  integration,
  secrets,
-  accessToken
+  accessToken,
+  createManySecretsRawFn,
+  updateManySecretsRawFn
 }: {
-  integration: TIntegrations;
+  integration: TIntegrations & {
+    projectId: string;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    secretPath: string;
+  };
  secrets: Record<string, { value: string; comment?: string }>;
  accessToken: string;
+  createManySecretsRawFn: (params: TCreateManySecretsRawFn) => Promise<Array<TSecrets & { _id: string }>>;
+  updateManySecretsRawFn: (params: TUpdateManySecretsRawFn) => Promise<Array<TSecrets & { _id: string }>>;
 }) => {
  interface GetAzureKeyVaultSecret {
    id: string; // secret URI
+    value: string;
    attributes: {
      enabled: true;
      created: number;
@ -361,6 +374,83 @@ const syncSecretsAzureKeyVault = async ({
    }
  });

+  const secretsToAdd: { [key: string]: string } = {};
+  const secretsToUpdate: { [key: string]: string } = {};
+  const secretKeysToRemoveFromDelete = new Set<string>();
+
+  const metadata = IntegrationMetadataSchema.parse(integration.metadata);
+  if (!integration.lastUsed) {
+    Object.keys(res).forEach((key) => {
+      // first time using integration
+      const underscoredKey = key.replace(/-/g, "_");
+
+      // -> apply initial sync behavior
+      switch (metadata.initialSyncBehavior) {
+        case IntegrationInitialSyncBehavior.PREFER_TARGET: {
+          if (!(underscoredKey in secrets)) {
+            secretsToAdd[underscoredKey] = res[key].value;
+            setSecrets.push({
+              key,
+              value: res[key].value
+            });
+          } else if (secrets[underscoredKey]?.value !== res[key].value) {
+            secretsToUpdate[underscoredKey] = res[key].value;
+            const toEditSecretIndex = setSecrets.findIndex((secret) => secret.key === key);
+            if (toEditSecretIndex >= 0) {
+              setSecrets[toEditSecretIndex].value = res[key].value;
+            }
+          }
+
+          secretKeysToRemoveFromDelete.add(key);
+
+          break;
+        }
+        case IntegrationInitialSyncBehavior.PREFER_SOURCE: {
+          if (!(underscoredKey in secrets)) {
+            secretsToAdd[underscoredKey] = res[key].value;
+            setSecrets.push({
+              key,
+              value: res[key].value
+            });
+          }
+
+          secretKeysToRemoveFromDelete.add(key);
+          break;
+        }
+        default:
+          break;
+      }
+    });
+  }
+
+  if (Object.keys(secretsToUpdate).length) {
+    await updateManySecretsRawFn({
+      projectId: integration.projectId,
+      environment: integration.environment.slug,
+      path: integration.secretPath,
+      secrets: Object.keys(secretsToUpdate).map((key) => ({
+        secretName: key,
+        secretValue: secretsToUpdate[key],
+        type: SecretType.Shared,
+        secretComment: ""
+      }))
+    });
+  }
+
+  if (Object.keys(secretsToAdd).length) {
+    await createManySecretsRawFn({
+      projectId: integration.projectId,
+      environment: integration.environment.slug,
+      path: integration.secretPath,
+      secrets: Object.keys(secretsToAdd).map((key) => ({
+        secretName: key,
+        secretValue: secretsToAdd[key],
+        type: SecretType.Shared,
+        secretComment: ""
+      }))
+    });
+  }
+
  const setSecretAzureKeyVault = async ({
    key,
    value,
@ -428,7 +518,7 @@ const syncSecretsAzureKeyVault = async ({
    });
  }

-  for await (const deleteSecret of deleteSecrets) {
+  for await (const deleteSecret of deleteSecrets.filter((secret) => !secretKeysToRemoveFromDelete.has(secret.key))) {
    const { key } = deleteSecret;
    await request.delete(`${integration.app}/secrets/${key}?api-version=7.3`, {
      headers: {
@ -3512,7 +3602,9 @@ export const syncIntegrationSecrets = async ({
      await syncSecretsAzureKeyVault({
        integration,
        secrets,
-        accessToken
+        accessToken,
+        createManySecretsRawFn,
+        updateManySecretsRawFn
      });
      break;
    case Integrations.AWS_PARAMETER_STORE:
--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@ -11,7 +11,7 @@ import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { createSecretBlindIndex } from "@app/lib/crypto";
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TProjectPermission } from "@app/lib/types";

@ -41,6 +41,7 @@ import {
  TListProjectCasDTO,
  TListProjectCertsDTO,
  TToggleProjectAutoCapitalizationDTO,
+  TUpdateAuditLogsRetentionDTO,
  TUpdateProjectDTO,
  TUpdateProjectNameDTO,
  TUpdateProjectVersionLimitDTO,
@ -446,6 +447,43 @@ export const projectServiceFactory = ({
    return projectDAL.updateById(project.id, { pitVersionLimit });
  };

+  const updateAuditLogsRetention = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    auditLogsRetentionDays,
+    workspaceSlug
+  }: TUpdateAuditLogsRetentionDTO) => {
+    const project = await projectDAL.findProjectBySlug(workspaceSlug, actorOrgId);
+    if (!project) {
+      throw new NotFoundError({
+        message: "Project not found."
+      });
+    }
+
+    const { hasRole } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    if (!hasRole(ProjectMembershipRole.Admin)) {
+      throw new BadRequestError({ message: "Only admins are allowed to take this action" });
+    }
+
+    const plan = await licenseService.getPlan(project.orgId);
+    if (!plan.auditLogs || auditLogsRetentionDays > plan.auditLogsRetentionDays) {
+      throw new BadRequestError({
+        message: "Failed to update audit logs retention due to plan limit reached. Upgrade plan to increase."
+      });
+    }
+
+    return projectDAL.updateById(project.id, { auditLogsRetentionDays });
+  };
+
  const updateName = async ({
    projectId,
    actor,
@ -621,6 +659,7 @@ export const projectServiceFactory = ({
    upgradeProject,
    listProjectCas,
    listProjectCertificates,
-    updateVersionLimit
+    updateVersionLimit,
+    updateAuditLogsRetention
  };
 };
--- a/backend/src/services/project/project-types.ts
+++ b/backend/src/services/project/project-types.ts
@ -49,6 +49,11 @@ export type TUpdateProjectVersionLimitDTO = {
  workspaceSlug: string;
 } & Omit<TProjectPermission, "projectId">;

+export type TUpdateAuditLogsRetentionDTO = {
+  auditLogsRetentionDays: number;
+  workspaceSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TUpdateProjectNameDTO = {
  name: string;
 } & TProjectPermission;
--- a/backend/src/services/secret-blind-index/secret-blind-index-dal.ts
+++ b/backend/src/services/secret-blind-index/secret-blind-index-dal.ts
@ -30,7 +30,6 @@ export const secretBlindIndexDALFactory = (db: TDbClient) => {
        .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.Secret}.folderId`)
        .leftJoin(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
        .where({ projectId })
-        .whereNull("secretBlindIndex")
        .select(selectAllTableCols(TableName.Secret))
        .select(
          db.ref("slug").withSchema(TableName.Environment).as("environment"),
@ -49,7 +48,6 @@ export const secretBlindIndexDALFactory = (db: TDbClient) => {
        .leftJoin(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
        .where({ projectId })
        .whereIn(`${TableName.Secret}.id`, secretIds)
-        .whereNull("secretBlindIndex")
        .select(selectAllTableCols(TableName.Secret))
        .select(
          db.ref("slug").withSchema(TableName.Environment).as("environment"),
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@ -1078,6 +1078,7 @@ export const secretServiceFactory = ({
    actor,
    environment,
    projectId: workspaceId,
+    expandSecretReferences,
    projectSlug,
    actorId,
    actorOrgId,
@ -1091,7 +1092,7 @@ export const secretServiceFactory = ({
    const botKey = await projectBotService.getBotKey(projectId);
    if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });

-    const secret = await getSecretByName({
+    const encryptedSecret = await getSecretByName({
      actorId,
      projectId,
      actorAuthMethod,
@ -1105,7 +1106,46 @@ export const secretServiceFactory = ({
      version
    });

-    return decryptSecretRaw(secret, botKey);
+    const decryptedSecret = decryptSecretRaw(encryptedSecret, botKey);
+
+    if (expandSecretReferences) {
+      const expandSecrets = interpolateSecrets({
+        folderDAL,
+        projectId,
+        secretDAL,
+        secretEncKey: botKey
+      });
+
+      const expandSingleSecret = async (secret: {
+        secretKey: string;
+        secretValue: string;
+        secretComment?: string;
+        secretPath: string;
+        skipMultilineEncoding: boolean | null | undefined;
+      }) => {
+        const secretRecord: Record<
+          string,
+          { value: string; comment?: string; skipMultilineEncoding: boolean | null | undefined }
+        > = {
+          [secret.secretKey]: {
+            value: secret.secretValue,
+            comment: secret.secretComment,
+            skipMultilineEncoding: secret.skipMultilineEncoding
+          }
+        };
+
+        await expandSecrets(secretRecord);
+
+        // Update the secret with the expanded value
+        // eslint-disable-next-line no-param-reassign
+        secret.secretValue = secretRecord[secret.secretKey].value;
+      };
+
+      // Expand the secret
+      await expandSingleSecret(decryptedSecret);
+    }
+
+    return decryptedSecret;
  };

  const createSecretRaw = async ({
--- a/backend/src/services/secret/secret-types.ts
+++ b/backend/src/services/secret/secret-types.ts
@ -151,6 +151,7 @@ export type TGetASecretRawDTO = {
  secretName: string;
  path: string;
  environment: string;
+  expandSecretReferences?: boolean;
  type: "shared" | "personal";
  includeImports?: boolean;
  version?: number;
--- a/backend/src/services/super-admin/super-admin-dal.ts
+++ b/backend/src/services/super-admin/super-admin-dal.ts
@ -1,7 +1,57 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
+import { TableName, TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";

 export type TSuperAdminDALFactory = ReturnType<typeof superAdminDALFactory>;

-export const superAdminDALFactory = (db: TDbClient) => ormify(db, TableName.SuperAdmin, {});
+export const superAdminDALFactory = (db: TDbClient) => {
+  const superAdminOrm = ormify(db, TableName.SuperAdmin);
+
+  const findById = async (id: string, tx?: Knex) => {
+    const config = await (tx || db)(TableName.SuperAdmin)
+      .where(`${TableName.SuperAdmin}.id`, id)
+      .leftJoin(TableName.Organization, `${TableName.SuperAdmin}.defaultAuthOrgId`, `${TableName.Organization}.id`)
+      .select(
+        db.ref("*").withSchema(TableName.SuperAdmin) as unknown as keyof TSuperAdmin,
+        db.ref("slug").withSchema(TableName.Organization).as("defaultAuthOrgSlug")
+      )
+      .first();
+
+    if (!config) {
+      return null;
+    }
+
+    return {
+      ...config,
+      defaultAuthOrgSlug: config?.defaultAuthOrgSlug || null
+    } as TSuperAdmin & { defaultAuthOrgSlug: string | null };
+  };
+
+  const updateById = async (id: string, data: TSuperAdminUpdate, tx?: Knex) => {
+    const updatedConfig = await (superAdminOrm || tx).transaction(async (trx: Knex) => {
+      await superAdminOrm.updateById(id, data, trx);
+      const config = await findById(id, trx);
+
+      if (!config) {
+        throw new DatabaseError({
+          error: "Failed to find updated super admin config",
+          message: "Failed to update super admin config",
+          name: "UpdateById"
+        });
+      }
+
+      return config;
+    });
+
+    return updatedConfig;
+  };
+
+  return {
+    ...superAdminOrm,
+    findById,
+    updateById
+  };
+};
--- a/backend/src/services/super-admin/super-admin-service.ts
+++ b/backend/src/services/super-admin/super-admin-service.ts
@ -1,6 +1,10 @@
+import bcrypt from "bcrypt";
+
 import { TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
+import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError } from "@app/lib/errors";

 import { TAuthLoginFactory } from "../auth/auth-login-service";
@ -21,7 +25,7 @@ type TSuperAdminServiceFactoryDep = {
 export type TSuperAdminServiceFactory = ReturnType<typeof superAdminServiceFactory>;

 // eslint-disable-next-line
-export let getServerCfg: () => Promise<TSuperAdmin>;
+export let getServerCfg: () => Promise<TSuperAdmin & { defaultAuthOrgSlug: string | null }>;

 const ADMIN_CONFIG_KEY = "infisical-admin-cfg";
 const ADMIN_CONFIG_KEY_EXP = 60; // 60s
@ -38,16 +42,20 @@ export const superAdminServiceFactory = ({
    // TODO(akhilmhdh): bad  pattern time less change this later to me itself
    getServerCfg = async () => {
      const config = await keyStore.getItem(ADMIN_CONFIG_KEY);
+
      // missing in keystore means fetch from db
      if (!config) {
        const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
-        if (serverCfg) {
-          await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(serverCfg)); // insert it back to keystore
+
+        if (!serverCfg) {
+          throw new BadRequestError({ name: "Admin config", message: "Admin config not found" });
        }
+
+        await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(serverCfg)); // insert it back to keystore
        return serverCfg;
      }

-      const keyStoreServerCfg = JSON.parse(config) as TSuperAdmin;
+      const keyStoreServerCfg = JSON.parse(config) as TSuperAdmin & { defaultAuthOrgSlug: string | null };
      return {
        ...keyStoreServerCfg,
        // this is to allow admin router to work
@ -61,14 +69,21 @@ export const superAdminServiceFactory = ({
    const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
    if (serverCfg) return;

-    // @ts-expect-error id is kept as fixed for idempotence and to avoid race condition
-    const newCfg = await serverCfgDAL.create({ initialized: false, allowSignUp: true, id: ADMIN_CONFIG_DB_UUID });
+    const newCfg = await serverCfgDAL.create({
+      // @ts-expect-error id is kept as fixed for idempotence and to avoid race condition
+      id: ADMIN_CONFIG_DB_UUID,
+      initialized: false,
+      allowSignUp: true,
+      defaultAuthOrgId: null
+    });
    return newCfg;
  };

  const updateServerCfg = async (data: TSuperAdminUpdate) => {
    const updatedServerCfg = await serverCfgDAL.updateById(ADMIN_CONFIG_DB_UUID, data);
+
    await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(updatedServerCfg));
+
    return updatedServerCfg;
  };

@ -77,6 +92,7 @@ export const superAdminServiceFactory = ({
    firstName,
    salt,
    email,
+    password,
    verifier,
    publicKey,
    protectedKey,
@ -92,6 +108,18 @@ export const superAdminServiceFactory = ({
    const existingUser = await userDAL.findOne({ email });
    if (existingUser) throw new BadRequestError({ name: "Admin sign up", message: "User already exist" });

+    const privateKey = await getUserPrivateKey(password, {
+      encryptionVersion: 2,
+      salt,
+      protectedKey,
+      protectedKeyIV,
+      protectedKeyTag,
+      encryptedPrivateKey,
+      iv: encryptedPrivateKeyIV,
+      tag: encryptedPrivateKeyTag
+    });
+    const hashedPassword = await bcrypt.hash(password, appCfg.BCRYPT_SALT_ROUND);
+    const { iv, tag, ciphertext, encoding } = infisicalSymmetricEncypt(privateKey);
    const userInfo = await userDAL.transaction(async (tx) => {
      const newUser = await userDAL.create(
        {
@ -119,7 +147,12 @@ export const superAdminServiceFactory = ({
          iv: encryptedPrivateKeyIV,
          tag: encryptedPrivateKeyTag,
          verifier,
-          userId: newUser.id
+          userId: newUser.id,
+          hashedPassword,
+          serverEncryptedPrivateKey: ciphertext,
+          serverEncryptedPrivateKeyIV: iv,
+          serverEncryptedPrivateKeyTag: tag,
+          serverEncryptedPrivateKeyEncoding: encoding
        },
        tx
      );
--- a/backend/src/services/super-admin/super-admin-types.ts
+++ b/backend/src/services/super-admin/super-admin-types.ts
@ -1,5 +1,6 @@
 export type TAdminSignUpDTO = {
  email: string;
+  password: string;
  publicKey: string;
  salt: string;
  lastName?: string;
--- a/backend/src/services/user-alias/user-alias-types.ts
+++ b/backend/src/services/user-alias/user-alias-types.ts
@ -1,4 +1,5 @@
 export enum UserAliasType {
  LDAP = "ldap",
-  SAML = "saml"
+  SAML = "saml",
+  OIDC = "oidc"
 }
--- a/backend/src/services/user/user-service.ts
+++ b/backend/src/services/user/user-service.ts
@ -1,3 +1,5 @@
+import { SecretKeyEncoding } from "@app/db/schemas";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
@ -230,6 +232,21 @@ export const userServiceFactory = ({
    );
  };

+  const getUserPrivateKey = async (userId: string) => {
+    const user = await userDAL.findUserEncKeyByUserId(userId);
+    if (!user?.serverEncryptedPrivateKey || !user.serverEncryptedPrivateKeyIV || !user.serverEncryptedPrivateKeyTag) {
+      throw new BadRequestError({ message: "Private key not found. Please login again" });
+    }
+    const privateKey = infisicalSymmetricDecrypt({
+      ciphertext: user.serverEncryptedPrivateKey,
+      tag: user.serverEncryptedPrivateKeyTag,
+      iv: user.serverEncryptedPrivateKeyIV,
+      keyEncoding: user.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
+    });
+
+    return privateKey;
+  };
+
  return {
    sendEmailVerificationCode,
    verifyEmailVerificationCode,
@ -240,6 +257,7 @@ export const userServiceFactory = ({
    getMe,
    createUserAction,
    getUserAction,
-    unlockUser
+    unlockUser,
+    getUserPrivateKey
  };
 };
--- a/cli/go.mod
+++ b/cli/go.mod
@ -10,6 +10,7 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
 	github.com/h2non/filetype v1.1.3
+	github.com/infisical/go-sdk v0.2.0
 	github.com/mattn/go-isatty v0.0.14
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
 	github.com/muesli/mango-cobra v1.2.0
@ -22,23 +23,48 @@ require (
 	github.com/rs/zerolog v1.26.1
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/viper v1.8.1
-	github.com/stretchr/testify v1.8.1
-	golang.org/x/crypto v0.14.0
-	golang.org/x/term v0.13.0
+	github.com/stretchr/testify v1.9.0
+	golang.org/x/crypto v0.23.0
+	golang.org/x/term v0.20.0
 	gopkg.in/yaml.v2 v2.4.0
 )

 require (
+	cloud.google.com/go/auth v0.5.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cloud.google.com/go/iam v1.1.8 // indirect
 	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
+	github.com/aws/aws-sdk-go-v2 v1.27.2 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.18 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect
+	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/errors v0.20.2 // indirect
 	github.com/go-openapi/strfmt v0.21.3 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.4 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
@ -59,17 +85,30 @@ require (
 	github.com/subosito/gotenv v1.2.0 // indirect
 	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
 	go.mongodb.org/mongo-driver v1.10.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/api v0.183.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/grpc v1.64.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

 require (
 	github.com/fatih/color v1.13.0
-	github.com/go-resty/resty/v2 v2.10.0
+	github.com/go-resty/resty/v2 v2.13.1
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jedib0t/go-pretty v4.3.0+incompatible
 	github.com/manifoldco/promptui v0.9.0
--- a/cli/go.sum
+++ b/cli/go.sum
@ -18,15 +18,23 @@ cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmW
 cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
 cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
 cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
+cloud.google.com/go/auth v0.5.1 h1:0QNO7VThG54LUzKiQxv8C6x1YX7lUrzlAa1nVLF8CIw=
+cloud.google.com/go/auth v0.5.1/go.mod h1:vbZT8GjzDf3AVqCcQmqeeM32U9HBFc32vVVAbwDsa6s=
+cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4=
+cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
+cloud.google.com/go/iam v1.1.8 h1:r7umDwhj+BQyz0ScZMp4QrGXjSTI3ZINnpgU2nlB/K0=
+cloud.google.com/go/iam v1.1.8/go.mod h1:GvE6lyMmfxXauzNq8NbgJbeVQNspG+tcdL/W8QO1+zE=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
@ -49,6 +57,32 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGLmAjMPwCCCo7Jf0W6f9slllCkkv7vyc1yOSg=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8=
+github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk=
+github.com/aws/aws-sdk-go-v2/config v1.27.18/go.mod h1:0xz6cgdX55+kmppvPm2IaKzIXOheGJhAufacPJaXZ7c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9aYTT5STS/CvnkqY1c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 h1:cy8ahBJuhtM8GTTSyOkfy6WVPV1IE+SS5/wfXUYuulw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZI6EVNcPd7a6B5IC5cA/GkRWtu9fp3S6Y=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 h1:A4SYk07ef04+vxZToz9LWvAXl9LW0NClpPpMsi31cz0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 h1:o4T+fKxA3gTMcluBNZZXE9DNaMkJuUL1O3mffCUjoJo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11/go.mod h1:84oZdJ+VjuJKs9v1UTC9NaodRZRseOXCTgku+vQJWR8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 h1:gEYM2GSpr4YNWc6hCd5nod4+d4kd9vWIAWrmGuLdlMw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11/go.mod h1:gVvwPdPNYehHSP9Rs7q27U1EU+3Or2ZpXvzAYJNh63w=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCfcyxIrVE9iOQruRaWPrQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk=
+github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
+github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
@ -97,6 +131,8 @@ github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/semgroup v1.2.0 h1:h/OLXwEM+3NNyAdZEpMiH1OzfplU09i2qXPVThGZvyg=
 github.com/fatih/semgroup v1.2.0/go.mod h1:1KAD4iIYfXjE4U13B48VM4z9QUwV5Tt8O4rS879kgm8=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@ -105,12 +141,17 @@ github.com/gitleaks/go-gitdiff v0.8.0/go.mod h1:pKz0X4YzCKZs30BL+weqBIG7mx0jl4tF
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02EmK8=
 github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
-github.com/go-resty/resty/v2 v2.10.0 h1:Qla4W/+TMmv0fOeeRqzEpXPLfTUnR5HZ1+lGs+CkiCo=
-github.com/go-resty/resty/v2 v2.10.0/go.mod h1:iiP/OpA0CkcL3IGt1O0+/SIItFUbkkyw5BGXiVdTu+A=
+github.com/go-resty/resty/v2 v2.13.1 h1:x+LHXBI2nMB1vqndymf26quycC4aggYJ7DECYbiz03g=
+github.com/go-resty/resty/v2 v2.13.1/go.mod h1:GznXlLxkq6Nh4sU59rPmUw3VtgpO3aS96ORAI6Q7d+0=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@ -119,6 +160,8 @@ github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfU
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
@ -144,6 +187,8 @@ github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@ -157,8 +202,9 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@ -175,11 +221,18 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
+github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
+github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/googleapis/gax-go/v2 v2.12.4 h1:9gWcmF85Wvq4ryPFvGFaOgPIs1AQX0d0bcbGw4Z96qg=
+github.com/googleapis/gax-go/v2 v2.12.4/go.mod h1:KYEYLorsnIGDi/rPC8b5TdlB9kbKoFubselGIoBMCwI=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
@ -210,6 +263,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/infisical/go-sdk v0.2.0 h1:n1/KNdYpeQavSqVwC9BfeV8VRzf3N2X9zO1tzQOSj5Q=
+github.com/infisical/go-sdk v0.2.0/go.mod h1:vHTDVw3k+wfStXab513TGk1n53kaKF2xgLqpw/xvtl4=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@ -330,8 +385,9 @@ github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@ -340,8 +396,9 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
@ -372,6 +429,18 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
+go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
+go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
+go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
+go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
+go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
+go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
@ -385,8 +454,9 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -465,8 +535,9 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -479,6 +550,8 @@ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -491,8 +564,9 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -546,14 +620,16 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -565,13 +641,14 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@ -652,6 +729,8 @@ google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjR
 google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
 google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
 google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
+google.golang.org/api v0.183.0 h1:PNMeRDwo1pJdgNcFQ9GstuLe/noWKIc89pRWRLMvLwE=
+google.golang.org/api v0.183.0/go.mod h1:q43adC5/pHoSZTx5h2mSmdF7NcyfW9JuDyIOJAgS9ZQ=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@ -700,6 +779,10 @@ google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
+google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e h1:SkdGTrROJl2jRGT/Fxv5QUf9jtdKCQh4KQJXbXVLAi0=
+google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e/go.mod h1:LweJcLbyVij6rCex8YunD8DYR5VDonap/jYl3ZRxcIU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 h1:Zy9XzmMEflZ/MAaA7vNcoebnRAld7FsPW1EeBB7V0m8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@ -720,6 +803,8 @@ google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
+google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@ -732,6 +817,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/cli/packages/api/api.go
+++ b/cli/packages/api/api.go
@ -391,6 +391,7 @@ func CallCreateSecretsV3(httpClient *resty.Client, request CreateSecretV3Request
 }

 func CallDeleteSecretsV3(httpClient *resty.Client, request DeleteSecretV3Request) error {
+
 	var secretsResponse GetEncryptedSecretsV3Response
 	response, err := httpClient.
 		R().
@ -490,7 +491,7 @@ func CallUniversalAuthLogin(httpClient *resty.Client, request UniversalAuthLogin
 	return universalAuthLoginResponse, nil
 }

-func CallUniversalAuthRefreshAccessToken(httpClient *resty.Client, request UniversalAuthRefreshRequest) (UniversalAuthRefreshResponse, error) {
+func CallMachineIdentityRefreshAccessToken(httpClient *resty.Client, request UniversalAuthRefreshRequest) (UniversalAuthRefreshResponse, error) {
 	var universalAuthRefreshResponse UniversalAuthRefreshResponse
 	response, err := httpClient.
 		R().
@ -500,11 +501,11 @@ func CallUniversalAuthRefreshAccessToken(httpClient *resty.Client, request Unive
 		Post(fmt.Sprintf("%v/v1/auth/token/renew", config.INFISICAL_URL))

 	if err != nil {
-		return UniversalAuthRefreshResponse{}, fmt.Errorf("CallUniversalAuthRefreshAccessToken: Unable to complete api request [err=%s]", err)
+		return UniversalAuthRefreshResponse{}, fmt.Errorf("CallMachineIdentityRefreshAccessToken: Unable to complete api request [err=%s]", err)
 	}

 	if response.IsError() {
-		return UniversalAuthRefreshResponse{}, fmt.Errorf("CallUniversalAuthRefreshAccessToken: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
+		return UniversalAuthRefreshResponse{}, fmt.Errorf("CallMachineIdentityRefreshAccessToken: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
 	}

 	return universalAuthRefreshResponse, nil
@ -566,3 +567,39 @@ func CallCreateDynamicSecretLeaseV1(httpClient *resty.Client, request CreateDyna

 	return createDynamicSecretLeaseResponse, nil
 }
+
+func CallCreateRawSecretsV3(httpClient *resty.Client, request CreateRawSecretV3Request) error {
+	response, err := httpClient.
+		R().
+		SetHeader("User-Agent", USER_AGENT).
+		SetBody(request).
+		Post(fmt.Sprintf("%v/v3/secrets/raw/%s", config.INFISICAL_URL, request.SecretName))
+
+	if err != nil {
+		return fmt.Errorf("CallCreateRawSecretsV3: Unable to complete api request [err=%w]", err)
+	}
+
+	if response.IsError() {
+		return fmt.Errorf("CallCreateRawSecretsV3: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
+	}
+
+	return nil
+}
+
+func CallUpdateRawSecretsV3(httpClient *resty.Client, request UpdateRawSecretByNameV3Request) error {
+	response, err := httpClient.
+		R().
+		SetHeader("User-Agent", USER_AGENT).
+		SetBody(request).
+		Patch(fmt.Sprintf("%v/v3/secrets/raw/%s", config.INFISICAL_URL, request.SecretName))
+
+	if err != nil {
+		return fmt.Errorf("CallUpdateRawSecretsV3: Unable to complete api request [err=%w]", err)
+	}
+
+	if response.IsError() {
+		return fmt.Errorf("CallUpdateRawSecretsV3: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
+	}
+
+	return nil
+}
--- a/cli/packages/api/model.go
+++ b/cli/packages/api/model.go
@ -161,6 +161,14 @@ type Secret struct {
 	PlainTextKey            string `json:"plainTextKey"`
 }

+type RawSecret struct {
+	SecretKey     string `json:"secretKey,omitempty"`
+	SecretValue   string `json:"secretValue,omitempty"`
+	Type          string `json:"type,omitempty"`
+	SecretComment string `json:"secretComment,omitempty"`
+	ID            string `json:"id,omitempty"`
+}
+
 type GetEncryptedWorkspaceKeyRequest struct {
 	WorkspaceId string `json:"workspaceId"`
 }
@ -233,6 +241,7 @@ type GetLoginOneV2Response struct {
 type GetLoginTwoV2Request struct {
 	Email       string `json:"email"`
 	ClientProof string `json:"clientProof"`
+	Password    string `json:"password"`
 }

 type GetLoginTwoV2Response struct {
@ -409,12 +418,23 @@ type CreateSecretV3Request struct {
 	SecretPath              string `json:"secretPath"`
 }

+type CreateRawSecretV3Request struct {
+	SecretName            string `json:"-"`
+	WorkspaceID           string `json:"workspaceId"`
+	Type                  string `json:"type,omitempty"`
+	Environment           string `json:"environment"`
+	SecretPath            string `json:"secretPath,omitempty"`
+	SecretValue           string `json:"secretValue"`
+	SecretComment         string `json:"secretComment,omitempty"`
+	SkipMultilineEncoding bool   `json:"skipMultilineEncoding,omitempty"`
+}
+
 type DeleteSecretV3Request struct {
 	SecretName  string `json:"secretName"`
 	WorkspaceId string `json:"workspaceId"`
 	Environment string `json:"environment"`
-	Type        string `json:"type"`
-	SecretPath  string `json:"secretPath"`
+	Type        string `json:"type,omitempty"`
+	SecretPath  string `json:"secretPath,omitempty"`
 }

 type UpdateSecretByNameV3Request struct {
@ -427,6 +447,15 @@ type UpdateSecretByNameV3Request struct {
 	SecretValueTag        string `json:"secretValueTag"`
 }

+type UpdateRawSecretByNameV3Request struct {
+	SecretName  string `json:"-"`
+	WorkspaceID string `json:"workspaceId"`
+	Environment string `json:"environment"`
+	SecretPath  string `json:"secretPath,omitempty"`
+	SecretValue string `json:"secretValue"`
+	Type        string `json:"type,omitempty"`
+}
+
 type GetSingleSecretByNameV3Request struct {
 	SecretName  string `json:"secretName"`
 	WorkspaceId string `json:"workspaceId"`
--- a/cli/packages/cmd/agent.go
+++ b/cli/packages/cmd/agent.go
@ -20,6 +20,7 @@ import (
 	"text/template"
 	"time"

+	infisicalSdk "github.com/infisical/go-sdk"
 	"github.com/rs/zerolog/log"
 	"gopkg.in/yaml.v2"

@ -59,9 +60,26 @@ type UniversalAuth struct {
 	RemoveClientSecretOnRead bool   `yaml:"remove_client_secret_on_read"`
 }

-type OAuthConfig struct {
-	ClientID     string `yaml:"client-id"`
-	ClientSecret string `yaml:"client-secret"`
+type KubernetesAuth struct {
+	IdentityID          string `yaml:"identity-id"`
+	ServiceAccountToken string `yaml:"service-account-token"`
+}
+
+type AzureAuth struct {
+	IdentityID string `yaml:"identity-id"`
+}
+
+type GcpIdTokenAuth struct {
+	IdentityID string `yaml:"identity-id"`
+}
+
+type GcpIamAuth struct {
+	IdentityID        string `yaml:"identity-id"`
+	ServiceAccountKey string `yaml:"service-account-key"`
+}
+
+type AwsIamAuth struct {
+	IdentityID string `yaml:"identity-id"`
 }

 type Sink struct {
@ -87,15 +105,6 @@ type Template struct {
 	} `yaml:"config"`
 }

-func newAgentTemplateChannels(templates []Template) map[string]chan bool {
-	// we keep each destination as an identifier for various channel
-	templateChannel := make(map[string]chan bool)
-	for _, template := range templates {
-		templateChannel[template.DestinationPath] = make(chan bool)
-	}
-	return templateChannel
-}
-
 type DynamicSecretLease struct {
 	LeaseID     string
 	ExpireAt    time.Time
@ -256,6 +265,14 @@ func WriteBytesToFile(data *bytes.Buffer, outputPath string) error {
 	return err
 }

+func ParseAuthConfig(authConfigFile []byte, destination interface{}) error {
+	if err := yaml.Unmarshal(authConfigFile, destination); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func ParseAgentConfig(configFile []byte) (*Config, error) {
 	var rawConfig struct {
 		Infisical InfisicalConfig `yaml:"infisical"`
@ -283,36 +300,13 @@ func ParseAgentConfig(configFile []byte) (*Config, error) {
 	config := &Config{
 		Infisical: rawConfig.Infisical,
 		Auth: AuthConfig{
-			Type: rawConfig.Auth.Type,
+			Type:   rawConfig.Auth.Type,
+			Config: rawConfig.Auth.Config,
 		},
 		Sinks:     rawConfig.Sinks,
 		Templates: rawConfig.Templates,
 	}

-	// Marshal and then unmarshal the config based on the type
-	configBytes, err := yaml.Marshal(rawConfig.Auth.Config)
-	if err != nil {
-		return nil, err
-	}
-
-	switch rawConfig.Auth.Type {
-	case "universal-auth":
-		var tokenConfig UniversalAuth
-		if err := yaml.Unmarshal(configBytes, &tokenConfig); err != nil {
-			return nil, err
-		}
-
-		config.Auth.Config = tokenConfig
-	case "oauth": // aws, gcp, k8s service account, etc
-		var oauthConfig OAuthConfig
-		if err := yaml.Unmarshal(configBytes, &oauthConfig); err != nil {
-			return nil, err
-		}
-		config.Auth.Config = oauthConfig
-	default:
-		return nil, fmt.Errorf("unknown auth type: %s", rawConfig.Auth.Type)
-	}
-
 	return config, nil
 }

@ -337,7 +331,7 @@ func dynamicSecretTemplateFunction(accessToken string, dynamicSecretManager *Dyn
 	return func(args ...string) (map[string]interface{}, error) {
 		argLength := len(args)
 		if argLength != 4 && argLength != 5 {
-			return nil, fmt.Errorf("Invalid arguments found for dynamic-secret function. Check template %i", templateId)
+			return nil, fmt.Errorf("invalid arguments found for dynamic-secret function. Check template %d", templateId)
 		}

 		projectSlug, envSlug, secretPath, slug, ttl := args[0], args[1], args[2], args[3], ""
@ -421,32 +415,54 @@ func ProcessBase64Template(templateId int, encodedTemplate string, data interfac
 }

 type AgentManager struct {
-	accessToken                    string
-	accessTokenTTL                 time.Duration
-	accessTokenMaxTTL              time.Duration
-	accessTokenFetchedTime         time.Time
-	accessTokenRefreshedTime       time.Time
-	mutex                          sync.Mutex
-	filePaths                      []Sink // Store file paths if needed
-	templates                      []Template
-	dynamicSecretLeases            *DynamicSecretLeaseManager
-	clientIdPath                   string
-	clientSecretPath               string
-	newAccessTokenNotificationChan chan bool
-	removeClientSecretOnRead       bool
-	cachedClientSecret             string
-	exitAfterAuth                  bool
+	accessToken              string
+	accessTokenTTL           time.Duration
+	accessTokenMaxTTL        time.Duration
+	accessTokenFetchedTime   time.Time
+	accessTokenRefreshedTime time.Time
+	mutex                    sync.Mutex
+	filePaths                []Sink // Store file paths if needed
+	templates                []Template
+	dynamicSecretLeases      *DynamicSecretLeaseManager
+
+	authConfigBytes []byte
+	authStrategy    util.AuthStrategyType
+
+	newAccessTokenNotificationChan        chan bool
+	removeUniversalAuthClientSecretOnRead bool
+	cachedUniversalAuthClientSecret       string
+	exitAfterAuth                         bool
+
+	infisicalClient infisicalSdk.InfisicalClientInterface
 }

-func NewAgentManager(fileDeposits []Sink, templates []Template, clientIdPath string, clientSecretPath string, newAccessTokenNotificationChan chan bool, removeClientSecretOnRead bool, exitAfterAuth bool) *AgentManager {
+type NewAgentMangerOptions struct {
+	FileDeposits []Sink
+	Templates    []Template
+
+	AuthConfigBytes []byte
+	AuthStrategy    util.AuthStrategyType
+
+	NewAccessTokenNotificationChan chan bool
+	ExitAfterAuth                  bool
+}
+
+func NewAgentManager(options NewAgentMangerOptions) *AgentManager {
+
 	return &AgentManager{
-		filePaths:                      fileDeposits,
-		templates:                      templates,
-		clientIdPath:                   clientIdPath,
-		clientSecretPath:               clientSecretPath,
-		newAccessTokenNotificationChan: newAccessTokenNotificationChan,
-		removeClientSecretOnRead:       removeClientSecretOnRead,
-		exitAfterAuth:                  exitAfterAuth,
+		filePaths: options.FileDeposits,
+		templates: options.Templates,
+
+		authConfigBytes: options.AuthConfigBytes,
+		authStrategy:    options.AuthStrategy,
+
+		newAccessTokenNotificationChan: options.NewAccessTokenNotificationChan,
+		exitAfterAuth:                  options.ExitAfterAuth,
+
+		infisicalClient: infisicalSdk.NewInfisicalClient(infisicalSdk.Config{
+			SiteUrl:   config.INFISICAL_URL,
+			UserAgent: api.USER_AGENT, // ? Should we perhaps use a different user agent for the Agent for better analytics?
+		}),
 	}

 }
@ -469,52 +485,164 @@ func (tm *AgentManager) GetToken() string {
 	return tm.accessToken
 }

+func (tm *AgentManager) FetchUniversalAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, e error) {
+
+	var universalAuthConfig UniversalAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &universalAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	clientID, err := util.GetEnvVarOrFileContent(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME, universalAuthConfig.ClientIDPath)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get client id: %v", err)
+	}
+
+	clientSecret, err := util.GetEnvVarOrFileContent("INFISICAL_UNIVERSAL_CLIENT_SECRET", universalAuthConfig.ClientSecretPath)
+	if err != nil {
+		if len(tm.cachedUniversalAuthClientSecret) == 0 {
+			return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get client secret: %v", err)
+		}
+		clientSecret = tm.cachedUniversalAuthClientSecret
+	}
+
+	tm.cachedUniversalAuthClientSecret = clientSecret
+	if tm.removeUniversalAuthClientSecretOnRead {
+		defer os.Remove(universalAuthConfig.ClientSecretPath)
+	}
+
+	return tm.infisicalClient.Auth().UniversalAuthLogin(clientID, clientSecret)
+
+}
+
+func (tm *AgentManager) FetchKubernetesAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, err error) {
+
+	var kubernetesAuthConfig KubernetesAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &kubernetesAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	identityId, err := util.GetEnvVarOrFileContent(util.INFISICAL_MACHINE_IDENTITY_ID_NAME, kubernetesAuthConfig.IdentityID)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get identity id: %v", err)
+	}
+
+	serviceAccountTokenPath := os.Getenv(util.INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_NAME)
+	if serviceAccountTokenPath == "" {
+		serviceAccountTokenPath = kubernetesAuthConfig.ServiceAccountToken
+		if serviceAccountTokenPath == "" {
+			serviceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+		}
+	}
+
+	return tm.infisicalClient.Auth().KubernetesAuthLogin(identityId, serviceAccountTokenPath)
+
+}
+
+func (tm *AgentManager) FetchAzureAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, err error) {
+
+	var azureAuthConfig AzureAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &azureAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	identityId, err := util.GetEnvVarOrFileContent(util.INFISICAL_MACHINE_IDENTITY_ID_NAME, azureAuthConfig.IdentityID)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get identity id: %v", err)
+	}
+
+	return tm.infisicalClient.Auth().AzureAuthLogin(identityId)
+
+}
+
+func (tm *AgentManager) FetchGcpIdTokenAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, err error) {
+
+	var gcpIdTokenAuthConfig GcpIdTokenAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &gcpIdTokenAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	identityId, err := util.GetEnvVarOrFileContent(util.INFISICAL_MACHINE_IDENTITY_ID_NAME, gcpIdTokenAuthConfig.IdentityID)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get identity id: %v", err)
+	}
+
+	return tm.infisicalClient.Auth().GcpIdTokenAuthLogin(identityId)
+
+}
+
+func (tm *AgentManager) FetchGcpIamAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, err error) {
+
+	var gcpIamAuthConfig GcpIamAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &gcpIamAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	identityId, err := util.GetEnvVarOrFileContent(util.INFISICAL_MACHINE_IDENTITY_ID_NAME, gcpIamAuthConfig.IdentityID)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get identity id: %v", err)
+	}
+
+	serviceAccountKeyPath := os.Getenv(util.INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH_NAME)
+	if serviceAccountKeyPath == "" {
+		// we don't need to read this file, because the service account key path is directly read inside the sdk
+		serviceAccountKeyPath = gcpIamAuthConfig.ServiceAccountKey
+		if serviceAccountKeyPath == "" {
+			return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("gcp service account key path not found")
+		}
+	}
+
+	return tm.infisicalClient.Auth().GcpIamAuthLogin(identityId, serviceAccountKeyPath)
+
+}
+
+func (tm *AgentManager) FetchAwsIamAuthAccessToken() (credential infisicalSdk.MachineIdentityCredential, err error) {
+
+	var awsIamAuthConfig AwsIamAuth
+	if err := ParseAuthConfig(tm.authConfigBytes, &awsIamAuthConfig); err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to parse auth config due to error: %v", err)
+	}
+
+	identityId, err := util.GetEnvVarOrFileContent(util.INFISICAL_MACHINE_IDENTITY_ID_NAME, awsIamAuthConfig.IdentityID)
+
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, fmt.Errorf("unable to get identity id: %v", err)
+	}
+
+	return tm.infisicalClient.Auth().AwsIamAuthLogin(identityId)
+
+}
+
 // Fetches a new access token using client credentials
 func (tm *AgentManager) FetchNewAccessToken() error {
-	clientID := os.Getenv(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME)
-	if clientID == "" {
-		clientIDAsByte, err := ReadFile(tm.clientIdPath)
-		if err != nil {
-			return fmt.Errorf("unable to read client id from file path '%s' due to error: %v", tm.clientIdPath, err)
-		}
-		clientID = string(clientIDAsByte)
+
+	authStrategies := map[util.AuthStrategyType]func() (credential infisicalSdk.MachineIdentityCredential, e error){
+		util.AuthStrategy.UNIVERSAL_AUTH:    tm.FetchUniversalAuthAccessToken,
+		util.AuthStrategy.KUBERNETES_AUTH:   tm.FetchKubernetesAuthAccessToken,
+		util.AuthStrategy.AZURE_AUTH:        tm.FetchAzureAuthAccessToken,
+		util.AuthStrategy.GCP_ID_TOKEN_AUTH: tm.FetchGcpIdTokenAuthAccessToken,
+		util.AuthStrategy.GCP_IAM_AUTH:      tm.FetchGcpIamAuthAccessToken,
+		util.AuthStrategy.AWS_IAM_AUTH:      tm.FetchAwsIamAuthAccessToken,
 	}

-	clientSecret := os.Getenv("INFISICAL_UNIVERSAL_CLIENT_SECRET")
-	if clientSecret == "" {
-		clientSecretAsByte, err := ReadFile(tm.clientSecretPath)
-		if err != nil {
-			if len(tm.cachedClientSecret) == 0 {
-				return fmt.Errorf("unable to read client secret from file and no cached client secret found: %v", err)
-			} else {
-				clientSecretAsByte = []byte(tm.cachedClientSecret)
-			}
-		}
-		clientSecret = string(clientSecretAsByte)
+	if _, ok := authStrategies[tm.authStrategy]; !ok {
+		return fmt.Errorf("auth strategy %s not found", tm.authStrategy)
 	}

-	// remove client secret after first read
-	if tm.removeClientSecretOnRead {
-		os.Remove(tm.clientSecretPath)
-	}
+	credential, err := authStrategies[tm.authStrategy]()

-	// save as cache in memory
-	tm.cachedClientSecret = clientSecret
-
-	loginResponse, err := util.UniversalAuthLogin(clientID, clientSecret)
 	if err != nil {
 		return err
 	}

-	accessTokenTTL := time.Duration(loginResponse.AccessTokenTTL * int(time.Second))
-	accessTokenMaxTTL := time.Duration(loginResponse.AccessTokenMaxTTL * int(time.Second))
+	accessTokenTTL := time.Duration(credential.ExpiresIn * int64(time.Second))
+	accessTokenMaxTTL := time.Duration(credential.AccessTokenMaxTTL * int64(time.Second))

 	if accessTokenTTL <= time.Duration(5)*time.Second {
-		util.PrintErrorMessageAndExit("At this this, agent does not support refresh of tokens with 5 seconds or less ttl. Please increase access token ttl and try again")
+		util.PrintErrorMessageAndExit("At this time, agent does not support refresh of tokens with 5 seconds or less ttl. Please increase access token ttl and try again")
 	}

 	tm.accessTokenFetchedTime = time.Now()
-	tm.SetToken(loginResponse.AccessToken, accessTokenTTL, accessTokenMaxTTL)
+	tm.SetToken(credential.AccessToken, accessTokenTTL, accessTokenMaxTTL)

 	return nil
 }
@ -527,7 +655,7 @@ func (tm *AgentManager) RefreshAccessToken() error {
 		SetRetryWaitTime(5 * time.Second)

 	accessToken := tm.GetToken()
-	response, err := api.CallUniversalAuthRefreshAccessToken(httpClient, api.UniversalAuthRefreshRequest{AccessToken: accessToken})
+	response, err := api.CallMachineIdentityRefreshAccessToken(httpClient, api.UniversalAuthRefreshRequest{AccessToken: accessToken})
 	if err != nil {
 		return err
 	}
@ -564,6 +692,7 @@ func (tm *AgentManager) ManageTokenLifecycle() {
 				continue
 			}
 		} else if time.Now().After(accessTokenMaxTTLExpiresInTime) {
+			// case: token has reached max ttl and we should re-authenticate entirely (cannot refresh)
 			log.Info().Msgf("token has reached max ttl, attempting to re authenticate...")
 			err := tm.FetchNewAccessToken()
 			if err != nil {
@ -574,6 +703,7 @@ func (tm *AgentManager) ManageTokenLifecycle() {
 				continue
 			}
 		} else {
+			// case: token ttl has expired, but the token is still within max ttl, so we can refresh
 			log.Info().Msgf("attempting to refresh existing token...")
 			err := tm.RefreshAccessToken()
 			if err != nil {
@ -770,18 +900,33 @@ var agentCmd = &cobra.Command{
 			return
 		}

-		if agentConfig.Auth.Type != "universal-auth" {
-			util.PrintErrorMessageAndExit("Only auth type of 'universal-auth' is supported at this time")
-		}
+		authMethodValid, authStrategy := util.IsAuthMethodValid(agentConfig.Auth.Type, false)

-		configUniversalAuthType := agentConfig.Auth.Config.(UniversalAuth)
+		if !authMethodValid {
+			util.PrintErrorMessageAndExit(fmt.Sprintf("The auth method '%s' is not supported.", agentConfig.Auth.Type))
+		}

 		tokenRefreshNotifier := make(chan bool)
 		sigChan := make(chan os.Signal, 1)
 		signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)

 		filePaths := agentConfig.Sinks
-		tm := NewAgentManager(filePaths, agentConfig.Templates, configUniversalAuthType.ClientIDPath, configUniversalAuthType.ClientSecretPath, tokenRefreshNotifier, configUniversalAuthType.RemoveClientSecretOnRead, agentConfig.Infisical.ExitAfterAuth)
+
+		configBytes, err := yaml.Marshal(agentConfig.Auth.Config)
+		if err != nil {
+			log.Error().Msgf("unable to marshal auth config because %v", err)
+			return
+		}
+
+		tm := NewAgentManager(NewAgentMangerOptions{
+			FileDeposits:                   filePaths,
+			Templates:                      agentConfig.Templates,
+			AuthConfigBytes:                configBytes,
+			NewAccessTokenNotificationChan: tokenRefreshNotifier,
+			ExitAfterAuth:                  agentConfig.Infisical.ExitAfterAuth,
+			AuthStrategy:                   authStrategy,
+		})
+
 		tm.dynamicSecretLeases = NewDynamicSecretLeaseManager(sigChan)

 		go tm.ManageTokenLifecycle()
--- a/cli/packages/cmd/export.go
+++ b/cli/packages/cmd/export.go
@ -55,6 +55,11 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err)
 		}

+		token, err := util.GetInfisicalToken(cmd)
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
 		format, err := cmd.Flags().GetString("format")
 		if err != nil {
 			util.HandleError(err)
@ -70,11 +75,6 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

-		token, err := util.GetInfisicalToken(cmd)
-		if err != nil {
-			util.HandleError(err, "Unable to parse flag")
-		}
-
 		tagSlugs, err := cmd.Flags().GetString("tags")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
@ -169,9 +169,9 @@ func init() {
 	exportCmd.Flags().StringP("format", "f", "dotenv", "Set the format of the output file (dotenv, json, csv)")
 	exportCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
 	exportCmd.Flags().Bool("include-imports", true, "Imported linked secrets")
-	exportCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
+	exportCmd.Flags().String("token", "", "Fetch secrets using service token or machine identity access token")
 	exportCmd.Flags().StringP("tags", "t", "", "filter secrets by tag slugs")
-	exportCmd.Flags().String("projectId", "", "manually set the projectId to fetch secrets from")
+	exportCmd.Flags().String("projectId", "", "manually set the projectId to export secrets from")
 	exportCmd.Flags().String("path", "/", "get secrets within a folder path")
 	exportCmd.Flags().String("template", "", "The path to the template file used to render secrets")
 }
--- a/cli/packages/cmd/folder.go
+++ b/cli/packages/cmd/folder.go
@ -1,6 +1,7 @@
 package cmd

 import (
+	"errors"
 	"fmt"

 	"github.com/Infisical/infisical-merge/packages/models"
@ -71,10 +72,6 @@ var getCmd = &cobra.Command{
 var createCmd = &cobra.Command{
 	Use:   "create",
 	Short: "Create a folder",
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		util.RequireLogin()
-		util.RequireLocalWorkspaceFile()
-	},
 	Run: func(cmd *cobra.Command, args []string) {
 		environmentName, _ := cmd.Flags().GetString("env")
 		if !cmd.Flags().Changed("env") {
@ -84,6 +81,16 @@ var createCmd = &cobra.Command{
 			}
 		}

+		token, err := util.GetInfisicalToken(cmd)
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
+		projectId, err := cmd.Flags().GetString("projectId")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
 		folderPath, err := cmd.Flags().GetString("path")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
@ -95,19 +102,31 @@ var createCmd = &cobra.Command{
 		}

 		if folderName == "" {
-			util.HandleError(fmt.Errorf("Invalid folder name"), "Folder name cannot be empty")
+			util.HandleError(errors.New("invalid folder name, folder name cannot be empty"))
 		}

-		workspaceFile, err := util.GetWorkSpaceFromFile()
 		if err != nil {
 			util.HandleError(err, "Unable to get workspace file")
 		}

+		if projectId == "" {
+			workspaceFile, err := util.GetWorkSpaceFromFile()
+			if err != nil {
+				util.HandleError(err, "Unable to get workspace file")
+			}
+
+			projectId = workspaceFile.WorkspaceId
+		}
+
 		params := models.CreateFolderParameters{
 			FolderName:  folderName,
-			WorkspaceId: workspaceFile.WorkspaceId,
 			Environment: environmentName,
 			FolderPath:  folderPath,
+			WorkspaceId: projectId,
+		}
+
+		if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+			params.InfisicalToken = token.Token
 		}

 		_, err = util.CreateFolder(params)
@ -124,10 +143,6 @@ var createCmd = &cobra.Command{
 var deleteCmd = &cobra.Command{
 	Use:   "delete",
 	Short: "Delete a folder",
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		util.RequireLogin()
-		util.RequireLocalWorkspaceFile()
-	},
 	Run: func(cmd *cobra.Command, args []string) {

 		environmentName, _ := cmd.Flags().GetString("env")
@ -138,6 +153,16 @@ var deleteCmd = &cobra.Command{
 			}
 		}

+		token, err := util.GetInfisicalToken(cmd)
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
+		projectId, err := cmd.Flags().GetString("projectId")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
 		folderPath, err := cmd.Flags().GetString("path")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
@ -149,21 +174,29 @@ var deleteCmd = &cobra.Command{
 		}

 		if folderName == "" {
-			util.HandleError(fmt.Errorf("Invalid folder name"), "Folder name cannot be empty")
+			util.HandleError(errors.New("invalid folder name, folder name cannot be empty"))
 		}

-		workspaceFile, err := util.GetWorkSpaceFromFile()
-		if err != nil {
-			util.HandleError(err, "Unable to get workspace file")
+		if projectId == "" {
+			workspaceFile, err := util.GetWorkSpaceFromFile()
+			if err != nil {
+				util.HandleError(err, "Unable to get workspace file")
+			}
+
+			projectId = workspaceFile.WorkspaceId
 		}

 		params := models.DeleteFolderParameters{
 			FolderName:  folderName,
-			WorkspaceId: workspaceFile.WorkspaceId,
+			WorkspaceId: projectId,
 			Environment: environmentName,
 			FolderPath:  folderPath,
 		}

+		if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+			params.InfisicalToken = token.Token
+		}
+
 		_, err = util.DeleteFolder(params)
 		if err != nil {
 			util.HandleError(err, "Unable to delete folder")
--- a/cli/packages/cmd/login.go
+++ b/cli/packages/cmd/login.go
@ -34,6 +34,8 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/argon2"
 	"golang.org/x/term"
+
+	infisicalSdk "github.com/infisical/go-sdk"
 )

 type params struct {
@ -44,6 +46,86 @@ type params struct {
 	keyLength   uint32
 }

+func handleUniversalAuthLogin(cmd *cobra.Command, infisicalClient infisicalSdk.InfisicalClientInterface) (credential infisicalSdk.MachineIdentityCredential, e error) {
+
+	clientId, err := util.GetCmdFlagOrEnv(cmd, "client-id", util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME)
+
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	clientSecret, err := util.GetCmdFlagOrEnv(cmd, "client-secret", util.INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET_NAME)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	return infisicalClient.Auth().UniversalAuthLogin(clientId, clientSecret)
+}
+
+func handleKubernetesAuthLogin(cmd *cobra.Command, infisicalClient infisicalSdk.InfisicalClientInterface) (credential infisicalSdk.MachineIdentityCredential, e error) {
+
+	identityId, err := util.GetCmdFlagOrEnv(cmd, "machine-identity-id", util.INFISICAL_MACHINE_IDENTITY_ID_NAME)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	serviceAccountTokenPath, err := util.GetCmdFlagOrEnv(cmd, "service-account-token-path", util.INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_NAME)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	return infisicalClient.Auth().KubernetesAuthLogin(identityId, serviceAccountTokenPath)
+}
+
+func handleAzureAuthLogin(cmd *cobra.Command, infisicalClient infisicalSdk.InfisicalClientInterface) (credential infisicalSdk.MachineIdentityCredential, e error) {
+
+	identityId, err := util.GetCmdFlagOrEnv(cmd, "machine-identity-id", util.INFISICAL_MACHINE_IDENTITY_ID_NAME)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	return infisicalClient.Auth().AzureAuthLogin(identityId)
+}
+
+func handleGcpIdTokenAuthLogin(cmd *cobra.Command, infisicalClient infisicalSdk.InfisicalClientInterface) (credential infisicalSdk.MachineIdentityCredential, e error) {
+
+	identityId, err := util.GetCmdFlagOrEnv(cmd, "machine-identity-id", util.INFISICAL_MACHINE_IDENTITY_ID_NAME)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	return infisicalClient.Auth().GcpIdTokenAuthLogin(identityId)
+}
+
+func handleGcpIamAuthLogin(cmd *cobra.Command, infisicalClient infisicalSdk.InfisicalClientInterface) (credential infisicalSdk.MachineIdentityCredential, e error) {
+
+	identityId, err := util.GetCmdFlagOrEnv(cmd, "machine-identity-id", util.INFISICAL_MACHINE_IDENTITY_ID_NAME)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	serviceAccountKeyFilePath, err := util.GetCmdFlagOrEnv(cmd, "service-account-key-file-path", util.INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH_NAME)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	return infisicalClient.Auth().GcpIamAuthLogin(identityId, serviceAccountKeyFilePath)
+}
+
+func handleAwsIamAuthLogin(cmd *cobra.Command, infisicalClient infisicalSdk.InfisicalClientInterface) (credential infisicalSdk.MachineIdentityCredential, e error) {
+
+	identityId, err := util.GetCmdFlagOrEnv(cmd, "machine-identity-id", util.INFISICAL_MACHINE_IDENTITY_ID_NAME)
+	if err != nil {
+		return infisicalSdk.MachineIdentityCredential{}, err
+	}
+
+	return infisicalClient.Auth().AwsIamAuthLogin(identityId)
+}
+
+func formatAuthMethod(authMethod string) string {
+	return strings.ReplaceAll(authMethod, "-", " ")
+}
+
 const ADD_USER = "Add a new account login"
 const REPLACE_USER = "Override current logged in user"
 const EXIT_USER_MENU = "Exit"
@ -56,6 +138,11 @@ var loginCmd = &cobra.Command{
 	DisableFlagsInUseLine: true,
 	Run: func(cmd *cobra.Command, args []string) {

+		infisicalClient := infisicalSdk.NewInfisicalClient(infisicalSdk.Config{
+			SiteUrl:   config.INFISICAL_URL,
+			UserAgent: api.USER_AGENT,
+		})
+
 		loginMethod, err := cmd.Flags().GetString("method")
 		if err != nil {
 			util.HandleError(err)
@ -65,12 +152,13 @@ var loginCmd = &cobra.Command{
 			util.HandleError(err)
 		}

-		if loginMethod != "user" && loginMethod != "universal-auth" {
-			util.PrintErrorMessageAndExit("Invalid login method. Please use either 'user' or 'universal-auth'")
+		authMethodValid, strategy := util.IsAuthMethodValid(loginMethod, true)
+		if !authMethodValid {
+			util.PrintErrorMessageAndExit(fmt.Sprintf("Invalid login method: %s", loginMethod))
 		}

+		// standalone user auth
 		if loginMethod == "user" {
-
 			currentLoggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
 			// if the key can't be found or there is an error getting current credentials from key ring, allow them to override
 			if err != nil && (strings.Contains(err.Error(), "we couldn't find your logged in details")) {
@ -133,7 +221,7 @@ var loginCmd = &cobra.Command{

 			err = util.StoreUserCredsInKeyRing(&userCredentialsToBeStored)
 			if err != nil {
-				log.Error().Msgf("Unable to store your credentials in system vault [%s]")
+				log.Error().Msgf("Unable to store your credentials in system vault")
 				log.Error().Msgf("\nTo trouble shoot further, read https://infisical.com/docs/cli/faq")
 				log.Debug().Err(err)
 				//return here
@ -160,47 +248,33 @@ var loginCmd = &cobra.Command{
 			fmt.Println("- Learn to inject secrets into your application at https://infisical.com/docs/cli/usage")
 			fmt.Println("- Stuck? Join our slack for quick support https://infisical.com/slack")
 			Telemetry.CaptureEvent("cli-command:login", posthog.NewProperties().Set("infisical-backend", config.INFISICAL_URL).Set("version", util.CLI_VERSION))
-		} else if loginMethod == "universal-auth" {
+		} else {

-			clientId, err := cmd.Flags().GetString("client-id")
-			if err != nil {
-				util.HandleError(err)
+			authStrategies := map[util.AuthStrategyType]func(cmd *cobra.Command, infisicalClient infisicalSdk.InfisicalClientInterface) (credential infisicalSdk.MachineIdentityCredential, e error){
+				util.AuthStrategy.UNIVERSAL_AUTH:    handleUniversalAuthLogin,
+				util.AuthStrategy.KUBERNETES_AUTH:   handleKubernetesAuthLogin,
+				util.AuthStrategy.AZURE_AUTH:        handleAzureAuthLogin,
+				util.AuthStrategy.GCP_ID_TOKEN_AUTH: handleGcpIdTokenAuthLogin,
+				util.AuthStrategy.GCP_IAM_AUTH:      handleGcpIamAuthLogin,
+				util.AuthStrategy.AWS_IAM_AUTH:      handleAwsIamAuthLogin,
 			}

-			clientSecret, err := cmd.Flags().GetString("client-secret")
-			if err != nil {
-				util.HandleError(err)
-			}
-
-			if clientId == "" {
-				clientId = os.Getenv(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME)
-				if clientId == "" {
-					util.PrintErrorMessageAndExit("Please provide client-id")
-				}
-			}
-			if clientSecret == "" {
-				clientSecret = os.Getenv(util.INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET_NAME)
-				if clientSecret == "" {
-					util.PrintErrorMessageAndExit("Please provide client-secret")
-				}
-			}
-
-			res, err := util.UniversalAuthLogin(clientId, clientSecret)
+			credential, err := authStrategies[strategy](cmd, infisicalClient)

 			if err != nil {
-				util.HandleError(err)
+				util.HandleError(fmt.Errorf("unable to authenticate with %s [err=%v]", formatAuthMethod(loginMethod), err))
 			}

 			if plainOutput {
-				fmt.Println(res.AccessToken)
+				fmt.Println(credential.AccessToken)
 				return
 			}

 			boldGreen := color.New(color.FgGreen).Add(color.Bold)
 			boldPlain := color.New(color.Bold)
 			time.Sleep(time.Second * 1)
-			boldGreen.Printf(">>>> Successfully authenticated with Universal Auth!\n\n")
-			boldPlain.Printf("Universal Auth Access Token:\n%v", res.AccessToken)
+			boldGreen.Printf(">>>> Successfully authenticated with %s!\n\n", formatAuthMethod(loginMethod))
+			boldPlain.Printf("Access Token:\n%v", credential.AccessToken)

 			plainBold := color.New(color.Bold)
 			plainBold.Println("\n\nYou can use this access token to authenticate through other commands in the CLI.")
@ -376,9 +450,12 @@ func init() {
 	rootCmd.AddCommand(loginCmd)
 	loginCmd.Flags().BoolP("interactive", "i", false, "login via the command line")
 	loginCmd.Flags().String("method", "user", "login method [user, universal-auth]")
-	loginCmd.Flags().String("client-id", "", "client id for universal auth")
 	loginCmd.Flags().Bool("plain", false, "only output the token without any formatting")
+	loginCmd.Flags().String("client-id", "", "client id for universal auth")
 	loginCmd.Flags().String("client-secret", "", "client secret for universal auth")
+	loginCmd.Flags().String("machine-identity-id", "", "machine identity id for kubernetes, azure, gcp-id-token, gcp-iam, and aws-iam auth methods")
+	loginCmd.Flags().String("service-account-token-path", "", "service account token path for kubernetes auth")
+	loginCmd.Flags().String("service-account-key-file-path", "", "service account key file path for GCP IAM auth")
 }

 func DomainOverridePrompt() (bool, error) {
@ -539,6 +616,7 @@ func getFreshUserCredentials(email string, password string) (*api.GetLoginOneV2R
 	loginTwoResponseResult, err := api.CallLogin2V2(httpClient, api.GetLoginTwoV2Request{
 		Email:       email,
 		ClientProof: hex.EncodeToString(srpM1),
+		Password: password,
 	})

 	if err != nil {
--- a/Show More
+++ b/Show More