chore: remove deprecated env-var identity provider configuration

brendan-kellam · claude · brendan-kellam · commit b19fa735aec0 · 2026-06-09T20:47:46.000-07:00
Removes support for configuring GitHub, GitLab, Google, Okta, Keycloak, and
Microsoft Entra ID identity providers via the deprecated AUTH_EE_*_CLIENT_ID/
SECRET/etc. environment variables. These providers must now be defined through
the identityProviders section of the config file. GCP IAP env vars
(AUTH_EE_GCP_IAP_ENABLED / AUTH_EE_GCP_IAP_AUDIENCE) are unaffected.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/backend/src/ee/tokenRefresh.ts b/packages/backend/src/ee/tokenRefresh.ts
@@ -155,19 +155,9 @@ const refreshOAuthToken = async (
         const identityProviders = config?.identityProviders ?? [];
         const providerConfigs = identityProviders.filter(idp => idp.provider === provider);
 
-        // If no provider configs in the config file, try deprecated env vars.
+        // No provider configs in the config file — nothing to refresh against.
         if (providerConfigs.length === 0) {
-            const envCredentials = getDeprecatedEnvCredentials(provider);
-            if (envCredentials) {
-                logger.debug(`Using deprecated env vars for ${provider} token refresh`);
-                const result = await tryRefreshToken(provider, refreshToken, envCredentials);
-                if (result) {
-                    return result;
-                }
-                logger.error(`Failed to refresh ${provider} token using deprecated env credentials`);
-                return null;
-            }
-            logger.error(`No provider config or env credentials found for: ${provider}`);
+            logger.error(`No provider config found for: ${provider}`);
             return null;
         }
 
@@ -291,26 +281,4 @@ const tryRefreshToken = async (
     }
 
     return result.data;
-}
-
-/**
- * Get credentials from deprecated environment variables.
- * This is for backwards compatibility with deployments using env vars instead of config file.
- */
-const getDeprecatedEnvCredentials = (provider: string): ProviderCredentials | null => {
-    if (provider === 'github' && env.AUTH_EE_GITHUB_CLIENT_ID && env.AUTH_EE_GITHUB_CLIENT_SECRET) {
-        return {
-            clientId: env.AUTH_EE_GITHUB_CLIENT_ID,
-            clientSecret: env.AUTH_EE_GITHUB_CLIENT_SECRET,
-            baseUrl: env.AUTH_EE_GITHUB_BASE_URL,
-        };
-    }
-    if (provider === 'gitlab' && env.AUTH_EE_GITLAB_CLIENT_ID && env.AUTH_EE_GITLAB_CLIENT_SECRET) {
-        return {
-            clientId: env.AUTH_EE_GITLAB_CLIENT_ID,
-            clientSecret: env.AUTH_EE_GITLAB_CLIENT_SECRET,
-            baseUrl: env.AUTH_EE_GITLAB_BASE_URL,
-        };
-    }
-    return null;
 }
diff --git a/packages/shared/src/env.server.ts b/packages/shared/src/env.server.ts
@@ -385,94 +385,6 @@ const options = {
          * ignored.
          */
         SOURCEBOT_TELEMETRY_PII_COLLECTION_ENABLED: booleanSchema.default('false'),
-
-        //// DEPRECATED ////
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITHUB_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITHUB_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITHUB_BASE_URL: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITLAB_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITLAB_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITLAB_BASE_URL: z.string().default("https://gitlab.com"),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GOOGLE_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GOOGLE_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_OKTA_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_OKTA_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_OKTA_ISSUER: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_KEYCLOAK_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_KEYCLOAK_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_KEYCLOAK_ISSUER: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated
-         * This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER: z.string().optional(),
     },
     runtimeEnv,
     emptyStringAsUndefined: true,
diff --git a/packages/web/src/ee/features/sso/sso.ts b/packages/web/src/ee/features/sso/sso.ts
@@ -160,72 +160,11 @@ export const getEEIdentityProviders = async (): Promise<IdentityProvider[]> => {
         }
     }
 
-    // @deprecate in favor of defining identity providers throught the identityProvider object in the config file. This was done to allow for more control over
-    // which identity providers are defined and their purpose. We've left this logic here to support backwards compat with deployments that expect these env vars,
-    // but this logic will be removed in the future
-    // We only go through this path if no identityProviders are defined in the config to prevent accidental duplication of providers
+    // @deprecate GCP IAP is the only identity provider still configurable via env vars; every
+    // other provider must be defined through the identityProviders object in the config file.
+    // We only go through this path if no identityProviders are defined in the config to prevent
+    // accidental duplication of providers.
     if (identityProviders.length == 0) {
-        if (env.AUTH_EE_GITHUB_CLIENT_ID && env.AUTH_EE_GITHUB_CLIENT_SECRET) {
-            const baseUrl = (env.AUTH_EE_GITHUB_BASE_URL ?? 'https://github.com').replace(/\/+$/, '');
-            providers.push({
-                provider: await createGitHubProvider(
-                    env.AUTH_EE_GITHUB_CLIENT_ID,
-                    env.AUTH_EE_GITHUB_CLIENT_SECRET,
-                    baseUrl
-                ),
-                purpose: "sso",
-                issuerUrl: baseUrl
-            });
-        }
-
-        if (env.AUTH_EE_GITLAB_CLIENT_ID && env.AUTH_EE_GITLAB_CLIENT_SECRET) {
-            const baseUrl = (env.AUTH_EE_GITLAB_BASE_URL ?? 'https://gitlab.com').replace(/\/+$/, '');
-            providers.push({
-                provider: await createGitLabProvider(
-                    env.AUTH_EE_GITLAB_CLIENT_ID,
-                    env.AUTH_EE_GITLAB_CLIENT_SECRET,
-                    baseUrl,
-                ),
-                purpose: "sso",
-                issuerUrl: baseUrl
-            });
-        }
-
-        if (env.AUTH_EE_GOOGLE_CLIENT_ID && env.AUTH_EE_GOOGLE_CLIENT_SECRET) {
-            providers.push({
-                provider: createGoogleProvider(env.AUTH_EE_GOOGLE_CLIENT_ID, env.AUTH_EE_GOOGLE_CLIENT_SECRET),
-                purpose: "sso",
-                issuerUrl: 'https://accounts.google.com'
-            });
-        }
-
-        if (env.AUTH_EE_OKTA_CLIENT_ID && env.AUTH_EE_OKTA_CLIENT_SECRET && env.AUTH_EE_OKTA_ISSUER) {
-            const issuer = env.AUTH_EE_OKTA_ISSUER.replace(/\/+$/, '');
-            providers.push({
-                provider: createOktaProvider(env.AUTH_EE_OKTA_CLIENT_ID, env.AUTH_EE_OKTA_CLIENT_SECRET, issuer),
-                purpose: "sso",
-                issuerUrl: issuer
-            });
-        }
-
-        if (env.AUTH_EE_KEYCLOAK_CLIENT_ID && env.AUTH_EE_KEYCLOAK_CLIENT_SECRET && env.AUTH_EE_KEYCLOAK_ISSUER) {
-            const issuer = env.AUTH_EE_KEYCLOAK_ISSUER.replace(/\/+$/, '');
-            providers.push({
-                provider: createKeycloakProvider(env.AUTH_EE_KEYCLOAK_CLIENT_ID, env.AUTH_EE_KEYCLOAK_CLIENT_SECRET, issuer),
-                purpose: "sso",
-                issuerUrl: issuer
-            });
-        }
-
-        if (env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID && env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET && env.AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER) {
-            const issuer = env.AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER.replace(/\/+$/, '');
-            providers.push({
-                provider: createMicrosoftEntraIDProvider(env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID, env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET, issuer),
-                purpose: "sso",
-                issuerUrl: issuer
-            });
-        }
-
         if (env.AUTH_EE_GCP_IAP_ENABLED && env.AUTH_EE_GCP_IAP_AUDIENCE) {
             providers.push({
                 provider: createGCPIAPProvider(env.AUTH_EE_GCP_IAP_AUDIENCE),
