smartcontractkit · stackman27 · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026
@@ -0,0 +1,5 @@
+---
+"chainlink-deployments-framework": patch
+---
+
+Accept `ONCHAIN_CANTON_OKTA_*` environment variables as legacy aliases for Canton OAuth config and infer `client_credentials` when OAuth secrets are set without `ONCHAIN_CANTON_AUTH_STRATEGY`.
@@ -786,14 +786,31 @@ func (l *chainLoaderCanton) Load(ctx context.Context, selector uint64) (fchain.B
 	return c, nil
 }
 
+// cantonEffectiveAuthStrategy resolves the auth strategy from explicit config or available credentials.
+// When auth_strategy is unset, OAuth client credentials are inferred if auth_url, client_id, and
+// client_secret are all present (e.g. ONCHAIN_CANTON_OKTA_* from chainlink-deployments CI secrets).
+func cantonEffectiveAuthStrategy(c cfgenv.CantonConfig) string {
+	if c.AuthStrategy != "" {
+		return c.AuthStrategy
+	}
+	if c.AuthURL != "" && c.ClientID != "" && c.ClientSecret != "" {
+		return cfgenv.CantonAuthStrategyClientCredentials
+	}
+	if c.AuthURL != "" && c.ClientID != "" {
+		return cfgenv.CantonAuthStrategyAuthorizationCode
+	}
+
+	return cfgenv.CantonAuthStrategyStatic
+}
+
 // cantonAuthConfigured returns true if Canton auth is configured for at least one strategy.
 func cantonAuthConfigured(c cfgenv.CantonConfig) bool {
-	switch c.AuthStrategy {
+	switch cantonEffectiveAuthStrategy(c) {
 	case cfgenv.CantonAuthStrategyClientCredentials:
 		return c.AuthURL != "" && c.ClientID != "" && c.ClientSecret != ""
 	case cfgenv.CantonAuthStrategyAuthorizationCode:
 		return c.AuthURL != "" && c.ClientID != ""
-	case "", cfgenv.CantonAuthStrategyStatic:
+	case cfgenv.CantonAuthStrategyStatic:
 		return c.JWTToken != ""
 	default:
 		return false
@@ -803,7 +820,7 @@ func cantonAuthConfigured(c cfgenv.CantonConfig) bool {
 // cantonAuthProvider builds a Canton auth Provider from config.
 func (l *chainLoaderCanton) cantonAuthProvider(ctx context.Context, selector uint64, insecureTransport bool) (cantonauth.Provider, error) {
 	c := l.cfg.Canton
-	switch c.AuthStrategy {
+	switch cantonEffectiveAuthStrategy(c) {
 	case cfgenv.CantonAuthStrategyClientCredentials:
 		provider, err := cantonclientcreds.NewDiscoveryProvider(ctx, c.AuthURL, c.ClientID, c.ClientSecret)
 		if err != nil {

@@ -1399,6 +1399,11 @@ func Test_cantonAuthConfigured(t *testing.T) {
 			config: cfgenv.CantonConfig{AuthStrategy: cfgenv.CantonAuthStrategyClientCredentials, AuthURL: "https://auth.example.com", ClientID: "id", ClientSecret: "secret"},
 			want:   true,
 		},
+		{
+			name:   "client credentials inferred without strategy",
+			config: cfgenv.CantonConfig{AuthURL: "https://auth.example.com", ClientID: "id", ClientSecret: "secret"},
+			want:   true,
+		},
 		{
 			name:   "client credentials missing secret",
 			config: cfgenv.CantonConfig{AuthStrategy: cfgenv.CantonAuthStrategyClientCredentials, AuthURL: "https://auth.example.com", ClientID: "id"},

@@ -283,9 +283,9 @@ var (
 		"onchain.ton.wallet_version":                              {"ONCHAIN_TON_WALLET_VERSION", "TON_WALLET_VERSION"},
 		"onchain.canton.auth_strategy":                            {"ONCHAIN_CANTON_AUTH_STRATEGY"},
 		"onchain.canton.jwt_token":                                {"ONCHAIN_CANTON_JWT_TOKEN"},
-		"onchain.canton.auth_url":                                 {"ONCHAIN_CANTON_AUTH_URL"},
-		"onchain.canton.client_id":                                {"ONCHAIN_CANTON_CLIENT_ID"},
-		"onchain.canton.client_secret":                            {"ONCHAIN_CANTON_CLIENT_SECRET"},
+		"onchain.canton.auth_url":                                 {"ONCHAIN_CANTON_AUTH_URL", "ONCHAIN_CANTON_OKTA_AUTHORIZER"},
+		"onchain.canton.client_id":                                {"ONCHAIN_CANTON_CLIENT_ID", "ONCHAIN_CANTON_OKTA_CLIENT_ID"},
+		"onchain.canton.client_secret":                            {"ONCHAIN_CANTON_CLIENT_SECRET", "ONCHAIN_CANTON_OKTA_CLIENT_SECRET"},
 		"offchain.job_distributor.auth.cognito_app_client_id":     {"OFFCHAIN_JD_AUTH_COGNITO_APP_CLIENT_ID", "JD_AUTH_COGNITO_APP_CLIENT_ID"},
 		"offchain.job_distributor.auth.cognito_app_client_secret": {"OFFCHAIN_JD_AUTH_COGNITO_APP_CLIENT_SECRET", "JD_AUTH_COGNITO_APP_CLIENT_SECRET"},
 		"offchain.job_distributor.auth.aws_region":                {"OFFCHAIN_JD_AUTH_AWS_REGION", "JD_AUTH_AWS_REGION"},

@@ -354,6 +354,21 @@ func Test_LoadEnv_Legacy(t *testing.T) { //nolint:paralleltest // see comment in
 	assert.Equal(t, envCfg, got)
 }
 
+func Test_LoadEnv_CantonOktaLegacyBindings(t *testing.T) { //nolint:paralleltest // see comment in setupEnvVars
+	t.Setenv("ONCHAIN_CANTON_OKTA_AUTHORIZER", "https://smartcontract.okta.com/oauth2/ausspv7t7qurBgkou5d7")
+	t.Setenv("ONCHAIN_CANTON_OKTA_CLIENT_ID", "0oat4r1zfzm83nL2m5d7")
+	t.Setenv("ONCHAIN_CANTON_OKTA_CLIENT_SECRET", "test-client-secret")
+
+	got, err := LoadEnv()
+	require.NoError(t, err)
+
+	assert.Equal(t, CantonConfig{
+		AuthURL:      "https://smartcontract.okta.com/oauth2/ausspv7t7qurBgkou5d7",
+		ClientID:     "0oat4r1zfzm83nL2m5d7",
+		ClientSecret: "test-client-secret",
+	}, got.Onchain.Canton)
+}
+
 func Test_LoadEnv_BindsCREFromEnv(t *testing.T) { //nolint:paralleltest // see comment in setupEnvVars
 	t.Setenv("CRE_API_KEY", "api-key-1")
 	t.Setenv("CRE_TENANT_ID", "tenant-1")

@@ -33,20 +33,20 @@ require (
 	github.com/smartcontractkit/ccip-owner-contracts v0.1.0
 	github.com/smartcontractkit/chain-selectors v1.0.101
 	github.com/smartcontractkit/chainlink-aptos v0.0.0-20260428085939-5c70de12dbfc
-	github.com/smartcontractkit/chainlink-canton v0.0.0-20260602133237-99f834640c9d
-	github.com/smartcontractkit/chainlink-ccip/chains/evm v0.0.0-20260512180815-d7a89b0a5784
+	github.com/smartcontractkit/chainlink-canton v0.0.0-20260609155219-dcbe77d4a320
+	github.com/smartcontractkit/chainlink-ccip/chains/evm v0.0.0-20260608180601-efa81bfdfda9
 	github.com/smartcontractkit/chainlink-ccip/chains/solana v0.0.0-20260129103204-4c8453dd8139
 	github.com/smartcontractkit/chainlink-ccip/chains/solana/gobindings v0.0.0-20260129103204-4c8453dd8139
 	github.com/smartcontractkit/chainlink-protos/job-distributor v0.18.0
 	github.com/smartcontractkit/chainlink-protos/op-catalog v0.1.0
-	github.com/smartcontractkit/chainlink-testing-framework/framework v0.16.4
+	github.com/smartcontractkit/chainlink-testing-framework/framework v0.16.5
 	github.com/smartcontractkit/chainlink-testing-framework/seth v1.51.5
 	github.com/smartcontractkit/chainlink-ton v1.0.5-0.20260514223130-48bc90aca745
 	github.com/smartcontractkit/chainlink-tron/relayer v0.0.11-0.20251014143056-a0c6328c91e9
 	github.com/smartcontractkit/freeport v0.1.3-0.20250828155247-add56fa28aad
 	github.com/smartcontractkit/go-daml v0.0.0-20260604143752-c6f6567940ba
 	github.com/smartcontractkit/libocr v0.0.0-20260304194147-a03701e2c02e
-	github.com/smartcontractkit/mcms v0.47.0
+	github.com/smartcontractkit/mcms v0.47.1-0.20260609163952-0b2bf692ba6a
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/pflag v1.0.10
 	github.com/spf13/viper v1.21.0
@@ -145,7 +145,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 // indirect
-	github.com/aws/smithy-go v1.27.0 // indirect
+	github.com/aws/smithy-go v1.27.1 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -194,7 +194,7 @@ require (
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.30.2 // indirect
+	github.com/go-playground/validator/v10 v10.30.3 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect