chore: remove deprecated env-var identity provider configuration (#1297)

brendan-kellam · claude · web-flow · commit d2843aa42b44 · 2026-06-10T09:25:48.000-07:00
* chore: remove deprecated env-var identity provider configuration Removes support for configuring GitHub, GitLab, Google, Okta, Keycloak, and Microsoft Entra ID identity providers via the deprecated AUTH_EE_*_CLIENT_ID/ SECRET/etc. environment variables. These providers must now be defined through the identityProviders section of the config file. GCP IAP env vars (AUTH_EE_GCP_IAP_ENABLED / AUTH_EE_GCP_IAP_AUDIENCE) are unaffected. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * docs: add CHANGELOG entry for #1297 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * feedback * docs: document AUTH_EE_* identity provider removal in v4-to-v5 guide Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * s * docs: clarify AUTH_EE_* removal lands in v5.0.2 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * changelog --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,14 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+- Removed support for configuring the GitHub, GitLab, Google, Okta, Keycloak, and Microsoft Entra ID identity providers via the deprecated `AUTH_EE_*` environment variables. See the [v5 migration guide](http://docs.sourcebot.dev/docs/upgrade/v4-to-v5-guide#identity-providers-must-be-configured-via-the-config-file) for more details. [#1297](https://github.com/sourcebot-dev/sourcebot/pull/1297)
+- Anthropic thinking mode (adaptive vs. extended) is now resolved from the model's capabilities via the Anthropic Models API instead of a hardcoded model list. [#1294](https://github.com/sourcebot-dev/sourcebot/pull/1294)
+
 ### Added
 - [EE] Added prompt caching for Ask Sourcebot. For Anthropic models, the static prompt prefix (tool definitions, system prompt, and conversation history) is marked with a cache breakpoint so it is billed at the provider's discounted cache-read rate on subsequent agent steps and follow-up turns. Toggle with `SOURCEBOT_CHAT_PROMPT_CACHING_ENABLED` (default `true`). [#1278](https://github.com/sourcebot-dev/sourcebot/pull/1278)
 - [EE] Added a cached-token breakdown to the Ask Sourcebot message details, showing what share of the input tokens were served from the model provider's prompt cache. [#1278](https://github.com/sourcebot-dev/sourcebot/pull/1278)
 - Added `isLanguageModelConfigured` to the service ping, indicating whether at least one language model is configured. [#1296](https://github.com/sourcebot-dev/sourcebot/pull/1296)
 
-### Changed
-- Anthropic thinking mode (adaptive vs. extended) is now resolved from the model's capabilities via the Anthropic Models API instead of a hardcoded model list. [#1294](https://github.com/sourcebot-dev/sourcebot/pull/1294)
-
 ### Fixed
 - Upgraded `protobufjs` to `^7.6.2`. [#1281](https://github.com/sourcebot-dev/sourcebot/pull/1281)
 - Upgraded `picomatch` to `^4.0.4`. [#1283](https://github.com/sourcebot-dev/sourcebot/pull/1283)
diff --git a/docs/docs/upgrade/v4-to-v5-guide.mdx b/docs/docs/upgrade/v4-to-v5-guide.mdx
@@ -176,6 +176,67 @@ docker exec sourcebot rm /data/.sourcebot/.secret /data/.sourcebot/.authjs-secre
 Sourcebot warns at startup if either file is still present.
 </Expandable>
 
+### Identity providers must be configured via the config file
+<Note>
+**Who's affected:** Deployments that configure GitHub, GitLab, Google, Okta, Keycloak, or Microsoft Entra ID single sign-on through the deprecated `AUTH_EE_*` environment variables. Deployments that already define these providers in the [`identityProviders`](/docs/configuration/idp) config file section are not affected.
+</Note>
+
+#### Description
+
+In v4, you could configure these identity providers using `AUTH_EE_*` environment variables (for example `AUTH_EE_GITHUB_CLIENT_ID`). Those variables were deprecated in favor of the [`identityProviders`](/docs/configuration/idp) section of the config file. Starting in v5.0.2, the environment variable path has been removed. Sourcebot no longer reads these variables, and any provider configured only through them will stop appearing on the login screen. This also applies if you are upgrading from an earlier v5 release (v5.0.0 or v5.0.1), where these variables were still supported.
+
+The following environment variables are no longer read:
+
+| Provider | Removed environment variables |
+| :------- | :---------------------------- |
+| GitHub | `AUTH_EE_GITHUB_CLIENT_ID`, `AUTH_EE_GITHUB_CLIENT_SECRET`, `AUTH_EE_GITHUB_BASE_URL` |
+| GitLab | `AUTH_EE_GITLAB_CLIENT_ID`, `AUTH_EE_GITLAB_CLIENT_SECRET`, `AUTH_EE_GITLAB_BASE_URL` |
+| Google | `AUTH_EE_GOOGLE_CLIENT_ID`, `AUTH_EE_GOOGLE_CLIENT_SECRET` |
+| Okta | `AUTH_EE_OKTA_CLIENT_ID`, `AUTH_EE_OKTA_CLIENT_SECRET`, `AUTH_EE_OKTA_ISSUER` |
+| Keycloak | `AUTH_EE_KEYCLOAK_CLIENT_ID`, `AUTH_EE_KEYCLOAK_CLIENT_SECRET`, `AUTH_EE_KEYCLOAK_ISSUER` |
+| Microsoft Entra ID | `AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID`, `AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET`, `AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER` |
+
+#### Action Items
+
+<Expandable title="Migrating to the config file">
+<br/>
+
+Move each affected provider into the `identityProviders` array in your [config file](/docs/configuration/config-file). You don't need to rotate any secrets. Reference your existing environment variable values from the config using [tokens](/docs/configuration/config-file#tokens), keeping the same variable names if you like.
+
+For example, a GitHub provider previously configured with environment variables:
+
+```bash wrap icon="terminal"
+AUTH_EE_GITHUB_CLIENT_ID='your-client-id'
+AUTH_EE_GITHUB_CLIENT_SECRET='your-client-secret'
+```
+
+becomes the following in the config file:
+
+```json wrap icon="code"
+{
+    "$schema": "https://raw.githubusercontent.com/sourcebot-dev/sourcebot/main/schemas/v3/index.json",
+    "identityProviders": [
+        {
+            "provider": "github",
+            "purpose": "sso",
+            "clientId": {
+                "env": "AUTH_EE_GITHUB_CLIENT_ID"
+            },
+            "clientSecret": {
+                "env": "AUTH_EE_GITHUB_CLIENT_SECRET"
+            }
+        }
+    ]
+}
+```
+
+<Note>
+Set `purpose` to `sso` to keep the provider usable for login. For providers that take an issuer (Okta, Keycloak, Microsoft Entra ID), add an `issuer` token. For self-hosted GitHub or GitLab, add a `baseUrl` string (this replaces `AUTH_EE_GITHUB_BASE_URL` and `AUTH_EE_GITLAB_BASE_URL`).
+</Note>
+
+See the [external identity providers](/docs/configuration/idp) docs for the full per-provider config reference.
+</Expandable>
+
 
 ## Upgrading
 
diff --git a/packages/backend/src/ee/tokenRefresh.ts b/packages/backend/src/ee/tokenRefresh.ts
@@ -155,19 +155,9 @@ const refreshOAuthToken = async (
         const identityProviders = config?.identityProviders ?? [];
         const providerConfigs = identityProviders.filter(idp => idp.provider === provider);
 
-        // If no provider configs in the config file, try deprecated env vars.
+        // No provider configs in the config file — nothing to refresh against.
         if (providerConfigs.length === 0) {
-            const envCredentials = getDeprecatedEnvCredentials(provider);
-            if (envCredentials) {
-                logger.debug(`Using deprecated env vars for ${provider} token refresh`);
-                const result = await tryRefreshToken(provider, refreshToken, envCredentials);
-                if (result) {
-                    return result;
-                }
-                logger.error(`Failed to refresh ${provider} token using deprecated env credentials`);
-                return null;
-            }
-            logger.error(`No provider config or env credentials found for: ${provider}`);
+            logger.error(`No provider config found for: ${provider}`);
             return null;
         }
 
@@ -291,26 +281,4 @@ const tryRefreshToken = async (
     }
 
     return result.data;
-}
-
-/**
- * Get credentials from deprecated environment variables.
- * This is for backwards compatibility with deployments using env vars instead of config file.
- */
-const getDeprecatedEnvCredentials = (provider: string): ProviderCredentials | null => {
-    if (provider === 'github' && env.AUTH_EE_GITHUB_CLIENT_ID && env.AUTH_EE_GITHUB_CLIENT_SECRET) {
-        return {
-            clientId: env.AUTH_EE_GITHUB_CLIENT_ID,
-            clientSecret: env.AUTH_EE_GITHUB_CLIENT_SECRET,
-            baseUrl: env.AUTH_EE_GITHUB_BASE_URL,
-        };
-    }
-    if (provider === 'gitlab' && env.AUTH_EE_GITLAB_CLIENT_ID && env.AUTH_EE_GITLAB_CLIENT_SECRET) {
-        return {
-            clientId: env.AUTH_EE_GITLAB_CLIENT_ID,
-            clientSecret: env.AUTH_EE_GITLAB_CLIENT_SECRET,
-            baseUrl: env.AUTH_EE_GITLAB_BASE_URL,
-        };
-    }
-    return null;
 }
diff --git a/packages/shared/src/env.server.ts b/packages/shared/src/env.server.ts
@@ -385,94 +385,6 @@ const options = {
          * ignored.
          */
         SOURCEBOT_TELEMETRY_PII_COLLECTION_ENABLED: booleanSchema.default('false'),
-
-        //// DEPRECATED ////
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITHUB_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITHUB_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITHUB_BASE_URL: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITLAB_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITLAB_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GITLAB_BASE_URL: z.string().default("https://gitlab.com"),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GOOGLE_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_GOOGLE_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_OKTA_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_OKTA_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_OKTA_ISSUER: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_KEYCLOAK_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_KEYCLOAK_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_KEYCLOAK_ISSUER: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID: z.string().optional(),
-
-        /**
-         * @deprecated
-         * This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET: z.string().optional(),
-
-        /**
-         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
-         */
-        AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER: z.string().optional(),
     },
     runtimeEnv,
     emptyStringAsUndefined: true,
diff --git a/packages/web/src/ee/features/sso/sso.ts b/packages/web/src/ee/features/sso/sso.ts
@@ -160,72 +160,7 @@ export const getEEIdentityProviders = async (): Promise<IdentityProvider[]> => {
         }
     }
 
-    // @deprecate in favor of defining identity providers throught the identityProvider object in the config file. This was done to allow for more control over
-    // which identity providers are defined and their purpose. We've left this logic here to support backwards compat with deployments that expect these env vars,
-    // but this logic will be removed in the future
-    // We only go through this path if no identityProviders are defined in the config to prevent accidental duplication of providers
     if (identityProviders.length == 0) {
-        if (env.AUTH_EE_GITHUB_CLIENT_ID && env.AUTH_EE_GITHUB_CLIENT_SECRET) {
-            const baseUrl = (env.AUTH_EE_GITHUB_BASE_URL ?? 'https://github.com').replace(/\/+$/, '');
-            providers.push({
-                provider: await createGitHubProvider(
-                    env.AUTH_EE_GITHUB_CLIENT_ID,
-                    env.AUTH_EE_GITHUB_CLIENT_SECRET,
-                    baseUrl
-                ),
-                purpose: "sso",
-                issuerUrl: baseUrl
-            });
-        }
-
-        if (env.AUTH_EE_GITLAB_CLIENT_ID && env.AUTH_EE_GITLAB_CLIENT_SECRET) {
-            const baseUrl = (env.AUTH_EE_GITLAB_BASE_URL ?? 'https://gitlab.com').replace(/\/+$/, '');
-            providers.push({
-                provider: await createGitLabProvider(
-                    env.AUTH_EE_GITLAB_CLIENT_ID,
-                    env.AUTH_EE_GITLAB_CLIENT_SECRET,
-                    baseUrl,
-                ),
-                purpose: "sso",
-                issuerUrl: baseUrl
-            });
-        }
-
-        if (env.AUTH_EE_GOOGLE_CLIENT_ID && env.AUTH_EE_GOOGLE_CLIENT_SECRET) {
-            providers.push({
-                provider: createGoogleProvider(env.AUTH_EE_GOOGLE_CLIENT_ID, env.AUTH_EE_GOOGLE_CLIENT_SECRET),
-                purpose: "sso",
-                issuerUrl: 'https://accounts.google.com'
-            });
-        }
-
-        if (env.AUTH_EE_OKTA_CLIENT_ID && env.AUTH_EE_OKTA_CLIENT_SECRET && env.AUTH_EE_OKTA_ISSUER) {
-            const issuer = env.AUTH_EE_OKTA_ISSUER.replace(/\/+$/, '');
-            providers.push({
-                provider: createOktaProvider(env.AUTH_EE_OKTA_CLIENT_ID, env.AUTH_EE_OKTA_CLIENT_SECRET, issuer),
-                purpose: "sso",
-                issuerUrl: issuer
-            });
-        }
-
-        if (env.AUTH_EE_KEYCLOAK_CLIENT_ID && env.AUTH_EE_KEYCLOAK_CLIENT_SECRET && env.AUTH_EE_KEYCLOAK_ISSUER) {
-            const issuer = env.AUTH_EE_KEYCLOAK_ISSUER.replace(/\/+$/, '');
-            providers.push({
-                provider: createKeycloakProvider(env.AUTH_EE_KEYCLOAK_CLIENT_ID, env.AUTH_EE_KEYCLOAK_CLIENT_SECRET, issuer),
-                purpose: "sso",
-                issuerUrl: issuer
-            });
-        }
-
-        if (env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID && env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET && env.AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER) {
-            const issuer = env.AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER.replace(/\/+$/, '');
-            providers.push({
-                provider: createMicrosoftEntraIDProvider(env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID, env.AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET, issuer),
-                purpose: "sso",
-                issuerUrl: issuer
-            });
-        }
-
         if (env.AUTH_EE_GCP_IAP_ENABLED && env.AUTH_EE_GCP_IAP_AUDIENCE) {
             providers.push({
                 provider: createGCPIAPProvider(env.AUTH_EE_GCP_IAP_AUDIENCE),
