goauthentik · BeryJu · Jan 13, 2026 · Jan 10, 2026 · Jan 10, 2026 · Jan 11, 2026
diff --git a/cmd/agent_local/package/windows/Package.wxs b/cmd/agent_local/package/windows/Package.wxs
@@ -20,7 +20,7 @@
     <MediaTemplate EmbedCab="yes" />
     <MajorUpgrade DowngradeErrorMessage="A later version of [ProductName] is already installed. Setup will now exit." />
     <StandardDirectory Id="ProgramFiles64Folder">
-      <Directory Name="$(var.Manufacturer)">
+      <Directory Id="INSTALLFOLDER" Name="$(var.Manufacturer)">
         <Directory Id="sysd" Name="sysd" />
         <Directory Id="browser_support" Name="browser_support" />
         <Directory Id="wcp" Name="wcp">
@@ -30,15 +30,17 @@
         <Directory Id="agent" Name="agent" />
       </Directory>
     </StandardDirectory>
-    <StandardDirectory Id="CommonAppDataFolder" />
+    <StandardDirectory Id="CommonAppDataFolder">
+      <Directory Id="ak_ProgramDataRoot" Name="$(var.Manufacturer)">
+      </Directory>
+    </StandardDirectory>
     <Icon Id="authentik_icon" SourceFile="$(env.PWD)/package/windows/resources/icon.ico" />
     <Property Id="ARPPRODUCTICON" Value="authentik_icon" />
 
     <DirectoryRef Id="INSTALLFOLDER">
       <Component Id="sysd" Guid="bf7159f6-802c-42ed-8cc7-1866bf844e29" Bitness="always64" Directory="sysd">
-        <CreateFolder Directory="sysd" Subdirectory="domains" />
-        <CreateFolder Directory="sysd" Subdirectory="runtime" />
-        <CreateFolder Directory="CommonAppDataFolder" Subdirectory="$(var.Manufacturer)" />
+        <CreateFolder Directory="ak_ProgramDataRoot" Subdirectory="domains" />
+        <CreateFolder Directory="ak_ProgramDataRoot" Subdirectory="runtime" />
         <File Id="ak_sysd"
               Source="$(env.ROOT)/bin/agent_system/ak-sysd.exe"
               KeyPath="true" />
@@ -112,8 +114,8 @@
         <util:EventSource Log="authentik"
                           Name="authentik Credential Provider"
                           EventMessageFile="C:\Windows\System32\mscoree.dll"/>
-        <CreateFolder Directory="CommonAppDataFolder" Subdirectory="$(var.Manufacturer)\logs" />
-        <CreateFolder Directory="CommonAppDataFolder" Subdirectory="$(var.Manufacturer)\wcp-sentry" />
+        <CreateFolder Directory="ak_ProgramDataRoot" Subdirectory="logs" />
+        <CreateFolder Directory="ak_ProgramDataRoot" Subdirectory="wcp-sentry" />
 
         <File Id="wcp_ak_cef_exe" Source="$(env.ROOT)/bin/wcp/ak_cef.exe" />
         <File Id="wcp_chrome_100_percent_pak" Source="$(env.ROOT)/bin/wcp/chrome_100_percent.pak" />
@@ -125,10 +127,8 @@
         <File Id="wcp_icudtl_dat" Source="$(env.ROOT)/bin/wcp/icudtl.dat" />
         <File Id="wcp_libcef_dll" Source="$(env.ROOT)/bin/wcp/libcef.dll" />
         <File Id="wcp_ak_cred_provider_dll" Source="$(env.ROOT)/bin/wcp/ak_cred_provider.dll" KeyPath="true" />
-        <File Id="wcp_ak_cred_provider_exp" Source="$(env.ROOT)/bin/wcp/ak_cred_provider.exp" />
         <File Id="wcp_ak_cred_provider_lib" Source="$(env.ROOT)/bin/wcp/ak_cred_provider.lib" />
         <File Id="wcp_ak_cred_provider_pdb" Source="$(env.ROOT)/bin/wcp/ak_cred_provider.pdb" />
-        <File Id="wcp_libcrypto_3_x64_dll" Source="$(env.ROOT)/bin/wcp/libcrypto-3-x64.dll" />
         <File Id="wcp_libEGL_dll" Source="$(env.ROOT)/bin/wcp/libEGL.dll" />
         <File Id="wcp_libGLESv2_dll" Source="$(env.ROOT)/bin/wcp/libGLESv2.dll" />
         <File Id="wcp_resources_pak" Source="$(env.ROOT)/bin/wcp/resources.pak" />

diff --git a/cmd/agent_system/package/windows/config.json b/cmd/agent_system/package/windows/config.json
@@ -1,5 +1,5 @@
 {
   "debug": false,
-  "domains": "C:\\Program Files\\Authentik Security Inc\\sysd\\domains",
-  "runtime": "C:\\Program Files\\Authentik Security Inc\\sysd\\runtime"
+  "domains": "C:\\ProgramData\\Authentik Security Inc\\domains",
+  "runtime": "C:\\ProgramData\\Authentik Security Inc\\runtime"
 }
diff --git a/ee/wcp/CMakeLists.txt b/ee/wcp/CMakeLists.txt
@@ -228,81 +228,17 @@ if (NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/Release")
   endif()
 endif()
 
-# --- jwt-cpp and OpenSSL - Begin
-find_package(Perl REQUIRED)       # Needed to build OpenSSL
-set(PERL "C:\\Strawberry\\perl\\bin\\perl.exe")
-set(PERL_EXECUTABLE "C:\\Strawberry\\perl\\bin\\perl.exe")
-message(INFO " > Perl Path: ${PERL_EXECUTABLE}")
-message(INFO " > Perl Version: ${PERL_VERSION_STRING}")
-
-include(FetchContent)
-
-FetchContent_Declare(OpenSSL
-  URL https://github.com/openssl/openssl/releases/download/openssl-3.5.0/openssl-3.5.0.tar.gz
-  URL_HASH SHA256=344d0a79f1a9b08029b0744e2cc401a43f9c90acd1044d09a530b4885a8e9fc0
-  DOWNLOAD_EXTRACT_TIMESTAMP OFF
-  # OVERRIDE_FIND_PACKAGE
-)
-set(FETCHCONTENT_QUIET OFF CACHE BOOL "" FORCE)
-FetchContent_MakeAvailable(OpenSSL)
-
-if (NOT EXISTS "${openssl_SOURCE_DIR}/libssl.lib")
-  execute_process(COMMAND ${PERL_EXECUTABLE} Configure WORKING_DIRECTORY ${openssl_SOURCE_DIR})
-  execute_process(COMMAND nmake WORKING_DIRECTORY ${openssl_SOURCE_DIR})
-endif()
-if (NOT EXISTS "${openssl_SOURCE_DIR}/libssl.lib")
-  message(FATAL_ERROR "OpenSSL library files not found in build. OpenSSL build must succeed first.")
-endif()
-
-set(CMAKE_FIND_DEBUG_MODE OFF)
-
 # Always generate debug symbols
 add_compile_options("$<$<NOT:$<CONFIG:Debug>>:/Zi>")
 add_link_options("$<$<NOT:$<CONFIG:Debug>>:/DEBUG>")
 add_link_options("$<$<NOT:$<CONFIG:Debug>>:/OPT:REF>")
 add_link_options("$<$<NOT:$<CONFIG:Debug>>:/OPT:ICF>")
 
-# Set path to OpenSSL library directory for search
-set(OPENSSL_ROOT_DIR "${openssl_SOURCE_DIR}")
-
-# Test if the just built OpenSSL package can be found, so that the `jwt-cpp` would also
-# find the same package with find_package() call
-find_package(OpenSSL REQUIRED)
-
-# Display the set and detected paths
-message(INFO " > OPENSSL_ROOT_DIR:         ${OPENSSL_ROOT_DIR}")
-message(INFO "")
-message(INFO " > OPENSSL_CRYPTO_LIBRARY:   ${OPENSSL_CRYPTO_LIBRARY}")
-message(INFO " > OPENSSL_CRYPTO_LIBRARIES: ${OPENSSL_CRYPTO_LIBRARIES}")
-message(INFO " > OPENSSL_SSL_LIBRARY:      ${OPENSSL_SSL_LIBRARY}")
-message(INFO " > OPENSSL_SSL_LIBRARIES:    ${OPENSSL_SSL_LIBRARIES}")
-
-# Test if the detected OpenSSL package is indeed the one just built and not from another installation such as Strawberry Perl
-cmake_path(IS_PREFIX OPENSSL_ROOT_DIR ${OPENSSL_CRYPTO_LIBRARIES} isprefix)
-if (NOT isprefix)
-  message(FATAL_ERROR "CMake must reference the OpenSSL Crypto library in the project build directory (${OPENSSL_ROOT_DIR}) but it is instead referencing the path (${OPENSSL_CRYPTO_LIBRARIES}).")
-endif()
-cmake_path(IS_PREFIX OPENSSL_ROOT_DIR ${OPENSSL_SSL_LIBRARIES} isprefix)
-if (NOT isprefix)
-  message(FATAL_ERROR "CMake must reference the OpenSSL SSL library in the project build directory (${OPENSSL_ROOT_DIR}) but it is instead referencing the path (${OPENSSL_SSL_LIBRARIES}).")
-endif()
-
-# If OpenSSL is sorted, fetch and build jwt-cpp that relies on it
-FetchContent_Declare(jwtcpp
-  GIT_REPOSITORY https://github.com/Thalhammer/jwt-cpp.git
-  GIT_TAG v0.7.1
-  DOWNLOAD_EXTRACT_TIMESTAMP OFF
-)
-set(FETCHCONTENT_QUIET OFF CACHE BOOL "" FORCE)
-set(JWT_BUILD_EXAMPLES OFF CACHE BOOL "disable building examples" FORCE)
-FetchContent_MakeAvailable(jwtcpp)
-
-# --- jwt-cpp and OpenSSL - End
+include(FetchContent)
 
-FetchContent_Declare(
-    Corrosion
+FetchContent_Declare(Corrosion
     GIT_REPOSITORY https://github.com/corrosion-rs/corrosion.git
-    GIT_TAG v0.5 # Optionally specify a commit hash, version tag or branch here
+    GIT_TAG v0.6
 )
 # Set any global configuration variables such as `Rust_TOOLCHAIN` before this line!
 FetchContent_MakeAvailable(Corrosion)
@@ -337,15 +273,14 @@ endif()
 
 FetchContent_Declare(spdlog
   GIT_REPOSITORY https://github.com/gabime/spdlog.git
-  GIT_TAG v1.16.0
+  GIT_TAG v1.17.0
 )
 FetchContent_MakeAvailable(spdlog)
 set_property(TARGET spdlog PROPERTY MSVC_RUNTIME_LIBRARY MultiThreaded)
 
 FetchContent_Declare(sentry
   GIT_REPOSITORY https://github.com/getsentry/sentry-native.git
-  GIT_TAG 0.12.0
-  DOWNLOAD_EXTRACT_TIMESTAMP OFF
+  GIT_TAG 0.12.3
 )
 set(FETCHCONTENT_QUIET OFF CACHE BOOL "" FORCE)
 set(SENTRY_BUILD_SHARED_LIBS OFF)
@@ -359,6 +294,9 @@ set_property(TARGET sentry PROPERTY MSVC_RUNTIME_LIBRARY MultiThreaded)
 # Define CEF-based targets.
 #
 
+add_subdirectory(ak_common)
+set_property(TARGET ak_common PROPERTY MSVC_RUNTIME_LIBRARY MultiThreaded)
+
 # Include the ak_cred_provider target.
 # Comes from the libcef_dll/CMakeLists.txt file in the binary distribution
 # directory.
@@ -376,8 +314,7 @@ endif()
 # Set the project output directory for subprojects, such as `cefexe`, to copy their binaries to
 set(PROJECT_INSALL_DIR "${CMAKE_CURRENT_BINARY_DIR}/ak_cred_provider/Release")
 add_subdirectory(cefexe)
-# Copy cefexe executable and OpenSSL library file to the common build directory
-file(COPY "${OPENSSL_ROOT_DIR}/libcrypto-3-x64.dll" DESTINATION "${PROJECT_INSALL_DIR}")
+set_property(TARGET ak_cef PROPERTY MSVC_RUNTIME_LIBRARY MultiThreaded)
 
 # Display configuration settings.
 PRINT_CEF_CONFIG()

diff --git a/ee/wcp/Makefile b/ee/wcp/Makefile
@@ -2,39 +2,36 @@ include ../../common.mk
 
 .ONESHELL:
 
-TARGET := wcp
+OUT_TARGET := wcp
+
+TARGETS := ak_cred_provider ak_common cefexe cefsimple
 
 CLANG_FORMAT := "C:\Program Files\LLVM\bin\clang-format.exe"
+FORMAT_FIND_ARGS := -iname '*.h' -o -iname '*.cpp' -o -iname '*.hpp'
 
 .PHONY: bump
 bump:
-	sed -i 's/#define AK_WCP_VERSION ".*"/#define AK_WCP_VERSION ${VERSION}/g' ${PWD}/ak_cred_provider/include/ak_version.h
+	sed -i 's/#define AK_VERSION ".*"/#define AK_VERSION ${VERSION}/g' ${PWD}/ak_common/include/ak_version.h
 
 .PHONY: clean
 clean:
-	cd "${TOP}" && rm -rf "bin/${TARGET}"
+	cd "${TOP}" && rm -rf "bin/${OUT_TARGET}"
 
 .PHONY: lint
 lint:
-	find "${PWD}/ak_cred_provider" -iname '*.h' -o -iname '*.cpp' | xargs ${CLANG_FORMAT} --dry-run --Werror --verbose -i
-	find "${PWD}/cefexe" -iname '*.h' -o -iname '*.cpp' | xargs ${CLANG_FORMAT} --dry-run --Werror --verbose -i
-	find "${PWD}/cefsimple" -iname '*.h' -o -iname '*.cpp' | xargs ${CLANG_FORMAT} --dry-run --Werror --verbose -i
+	$(foreach target,$(TARGETS),$(shell find "${PWD}/${target}" ${FORMAT_FIND_ARGS} | xargs ${CLANG_FORMAT} --dry-run --Werror --verbose -i))
 
 .PHONY: lint-fix
 lint-fix:
-	find "${PWD}/ak_cred_provider" -iname '*.h' -o -iname '*.cpp' | xargs ${CLANG_FORMAT} --verbose -i
-	find "${PWD}/cefexe" -iname '*.h' -o -iname '*.cpp' | xargs ${CLANG_FORMAT} --verbose -i
-	find "${PWD}/cefsimple" -iname '*.h' -o -iname '*.cpp' | xargs ${CLANG_FORMAT} --verbose -i
+	$(foreach target,$(TARGETS),$(shell find "${PWD}/${target}" ${FORMAT_FIND_ARGS} | xargs ${CLANG_FORMAT} --verbose -i))
 
 .PHONY: build
 build:
 	${TOP}/hack/windows/setup.sh
-	mkdir -p ${TOP}/bin/${TARGET}
-	mkdir -p ${TOP}/cache/${TARGET}
-	# To avoid the OpenSSL build using linux `link.exe`
-	mv /usr/bin/link.exe /usr/bin/link_bak || true
-	powershell.exe -noprofile -executionpolicy bypass -file ./build.ps1 ${PWD} ${TOP} ${TARGET}
-	cp -r ${TOP}/cache/${TARGET}/ak_cred_provider/Release/* ${TOP}/bin/${TARGET}/
+	mkdir -p ${TOP}/bin/${OUT_TARGET}
+	mkdir -p ${TOP}/cache/${OUT_TARGET}
+	powershell.exe -noprofile -executionpolicy bypass -file ./build.ps1 ${PWD} ${TOP} ${OUT_TARGET}
+	cp -r ${TOP}/cache/${OUT_TARGET}/ak_cred_provider/Release/* ${TOP}/bin/${OUT_TARGET}/
 ifdef SENTRY_AUTH_TOKEN
-	@$(call sentry_upload_symbols,"${TOP}/bin/${TARGET}/")
+	@$(call sentry_upload_symbols,"${TOP}/bin/${OUT_TARGET}/")
 endif
diff --git a/ee/wcp/README.md b/ee/wcp/README.md
@@ -2,52 +2,24 @@
 
 ## Build tools and test environment
 
-Visual Studio 17 2022
-
-Strawberry Perl (to build OpenSSL for jwt-cpp)
-    (`winget install StrawberryPerl.StrawberryPerl`)
-
-Windows 10 x64
-
-Rust
-    `winget install -e --id Rustlang.Rustup`
+- Visual Studio 17 2022
+- Windows 10/11 x64
+- Rust (`winget install -e --id Rustlang.Rustup`)
+- Make
 
 ### Build steps
 
 #### Development
 
 ```
-mkdir build
-cd build
-cmake -G "Visual Studio 17" ..
-cmake --build . --config Release
+make ee/wcp/build
 ```
 
-Alternatively, instead of the last step, open the Visual Studio solution file `cef.sln` inside the *build* directory and build the solution (F7) inside the Visual Studio.
-
-The credential provider files are generated inside the `build/ak_cred_provider/Release` subdirectory.
-
-#### Installer package
-
-**Update:** With the python patch script `addsetup.py` in the `.utils` directory, manually performing this step can be avoided. The following information is provided as an alternate method but should not be necessary anymore.
-
-Inside the *build* directory, open the Visual Studio solution file `cef.sln`.
-
-Right click the `cef` solution in the *Solution Explorer* sub-window and click `Add->Existing Project...`.
-
-Select the Setup project file inside the **build** directory in path `build/Setup/Setup.vdproj`.
-
-`Do not` select the Setup file inside the project source under the *Setup* subdirectory.
-
-Build solution (F7) (again), or right-click the `Setup` project in the *Solution Explorer* sub-window and click `Build`.
-
-The setup package files are available in `build/Release` subdirectory.
+The credential provider files are generated inside the `cache/wcp/ak_cred_provider/Release` subdirectory.
 
 #### Testing
 
-During development, the registry setup files inside the `ak_cred_provider/Setup` path could be used to register the credential provide inside the `build` directory for testing.
-
-The setup file/ installer registers the credential provider similarly, so **take note** that either the credential provider inside the build directory or the credential provider installed via the Setup file could be displayed at the logon prompt UI at a time and not both simultaneously.
+Use the authentk Agent from https://pkg.goauthentik.io to install the current stable build of the Agent, and enable the credential provider in the setup wizard. Afterwards, copy the files from `cache/wcp/ak_cred_provider/Release` into the `C:\Program Files\Authentik Security Inc.\wcp\` folder on the target machine, overwriting all files.
 
 ## Important points
 

diff --git a/ee/wcp/ak_common/CMakeLists.txt b/ee/wcp/ak_common/CMakeLists.txt
@@ -0,0 +1,27 @@
+project(ak_common)
+
+set(CMAKE_BUILD_TYPE Release)
+set(CMAKE_CXX_STANDARD 20)
+
+set(SRCS
+  ak_log.cpp
+  ak_sentry.cpp
+  crypt.cc
+)
+
+add_library(${PROJECT_NAME} STATIC
+	${SRCS}
+)
+
+# include_directories(${PROJECT_NAME} PUBLIC ..)
+target_include_directories(${PROJECT_NAME} PUBLIC
+  ${CMAKE_CURRENT_SOURCE_DIR}/include
+)
+
+target_link_libraries(${PROJECT_NAME}
+  authentik_sys_bridge
+  spdlog
+  sentry
+)
+set_property(TARGET authentik_sys PROPERTY MSVC_RUNTIME_LIBRARY MultiThreaded)
+set_property(TARGET authentik_sys_bridge PROPERTY MSVC_RUNTIME_LIBRARY MultiThreaded)
diff --git a/ee/wcp/ak_cred_provider/ak_log.cpp → ee/wcp/ak_common/ak_log.cpp b/ee/wcp/ak_cred_provider/ak_log.cpp → ee/wcp/ak_common/ak_log.cpp
@@ -1,7 +1,5 @@
-#include "pch.h"
-
-#include "ak_log.h"
-#include "ak_version.h"
+#include "include/ak_log.h"
+#include "include/ak_version.h"
 #include "spdlog/async.h"
 #include "spdlog/sinks/rotating_file_sink.h"
 #include "spdlog/sinks/win_eventlog_sink.h"
@@ -13,14 +11,19 @@ bool g_logSetup;
 const auto _ak_log_max_size = 1024 * 1024 * 50;
 const auto _ak_log_max_files = 3;
 
-void SetupLogs(const char* logger_name) {
+void ak_setup_logs(const char* logger_name) {
   const auto logger = spdlog::rotating_logger_mt(
       logger_name,
       std::string(AK_PROGRAM_DATA).append("\\logs\\").append(logger_name).append(".log").c_str(),
       _ak_log_max_size, _ak_log_max_files);
   spdlog::set_level(spdlog::level::debug);
   spdlog::flush_every(std::chrono::seconds(5));
   spdlog::set_default_logger(logger);
-  SPDLOG_INFO("authentik Platform Credential Provider Version {}", AK_WCP_VERSION);
+  SPDLOG_INFO("authentik Platform {} Version {}", logger_name, AK_VERSION);
   g_logSetup = true;
 }
+
+void ak_teardown_logs() {
+  if (!g_logSetup) return;
+  spdlog::shutdown();
+}
diff --git a/ee/wcp/ak_cred_provider/ak_sentry.cpp → ee/wcp/ak_common/ak_sentry.cpp b/ee/wcp/ak_cred_provider/ak_sentry.cpp → ee/wcp/ak_common/ak_sentry.cpp
@@ -1,4 +1,4 @@
-#include "ak_version.h"
+#include "include/ak_version.h"
 #include <string>
 
 #define SENTRY_BUILD_STATIC 1
@@ -17,12 +17,12 @@ static void ak_sentry_log_callback(sentry_level_t level, const char* message, va
   spdlog::get("sentry")->debug(formatted_message);
 }
 
-void SentrySetup(const char* component) {
+void ak_setup_sentry(const char* component) {
   if (g_sentrySetup) return;
   spdlog::register_logger(spdlog::default_logger()->clone("sentry"));
 
   std::string release =
-      std::string("ak-platform-wcp-").append(component).append("@").append(AK_WCP_VERSION);
+      std::string("ak-platform-wcp-").append(component).append("@").append(AK_VERSION);
   sentry_options_t* options = sentry_options_new();
   sentry_options_set_database_path(options,
                                    std::string(AK_PROGRAM_DATA).append("\\wcp-sentry\\").c_str());
@@ -38,4 +38,4 @@ void SentrySetup(const char* component) {
   g_sentrySetup = true;
 }
 
-void SentryShutdown() { sentry_shutdown(); }
+void ak_teardown_sentry() { sentry_shutdown(); }