fix(web): Support multiple IDPs of the same type (#1177)

Author: brendan-kellam

CHANGELOG.md

@@ -24,6 +24,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Upgraded `hono` to `^4.12.24`. [#1289](https://github.com/sourcebot-dev/sourcebot/pull/1289)
 - Surfaced an actionable error when the Lighthouse licensing service is unreachable, instead of a generic "unexpected error". [#1293](https://github.com/sourcebot-dev/sourcebot/pull/1293)
 - Fixed the selected language model rapidly flipping in local storage after a language model was removed. [#1295](https://github.com/sourcebot-dev/sourcebot/pull/1295)
+- Fixed issue where using multiple identity providers of the same type (e.g., gitlab) would result in unexpected behaviours. [#1177](https://github.com/sourcebot-dev/sourcebot/pull/1177)
 
 ## [5.0.1] - 2026-06-04
 

docs/docs/configuration/idp.mdx

@@ -10,7 +10,7 @@ import LicenseKeyRequired from '/snippets/license-key-required.mdx'
 You can connect Sourcebot to various **external identity providers** to associate a Sourcebot user with one or more external service accounts (ex. Google, GitHub, etc).
 
 External identity providers can be used for [authentication](/docs/configuration/auth) and/or [permission syncing](/docs/features/permission-syncing). They're defined in the
-[config file](/docs/configuration/config-file) in the top-level `identityProviders` object:
+[config file](/docs/configuration/config-file) in the top-level `identityProviders` array:
 
 ```json wrap icon="code" Example config with both google and github identity providers defined
 {
@@ -42,6 +42,8 @@ External identity providers can be used for [authentication](/docs/configuration
 
 Secret values (such as `clientId` and `clientSecret`) can be provided as environment variables or Google Cloud secrets via [tokens](/docs/configuration/config-file#tokens).
 
+To configure **multiple providers of the same type**, see [Configuring multiple providers of the same type](#configuring-multiple-providers-of-the-same-type).
+
 # Supported External Identity Providers
 
 Sourcebot uses [Auth.js](https://authjs.dev/) to connect to external identity providers. If there's a provider supported by Auth.js that you don't see below, please submit a
@@ -642,4 +644,49 @@ GCP IAP works differently from other identity providers. Instead of redirecting
 </Steps>
 </Accordion>
 
+# Configuring multiple providers of the same type
+
+By default, each provider in the `identityProviders` array is identified by an **id** equal to its `provider` value. This id determines the provider's OAuth **callback URL** (sometimes called the redirect URL):
+
+```
+<sourcebot_url>/api/auth/callback/<id>
+```
+
+This is why the examples above register callback URLs like `<sourcebot_url>/api/auth/callback/github`. The array form supports only **one instance per provider type**.
+
+To configure **multiple instances of the same provider type** (for example, gitlab.com alongside a self-hosted GitLab instance), switch `identityProviders` to its object form, where you assign each provider a unique id:
+
+```json wrap icon="code" Two GitLab providers, one for gitlab.com and one for a self-hosted instance
+{
+    "$schema": "https://raw.githubusercontent.com/sourcebot-dev/sourcebot/main/schemas/v3/index.json",
+    "identityProviders": {
+        "gitlab-cloud": {
+            "provider": "gitlab",
+            "purpose": "sso",
+            "displayName": "GitLab.com",
+            "clientId": { "env": "GITLAB_CLOUD_CLIENT_ID" },
+            "clientSecret": { "env": "GITLAB_CLOUD_CLIENT_SECRET" }
+        },
+        "gitlab-selfhosted": {
+            "provider": "gitlab",
+            "purpose": "sso",
+            "displayName": "Selfhosted GitLab",
+            "baseUrl": "https://gitlab.example.com",
+            "clientId": { "env": "GITLAB_SELFHOSTED_CLIENT_ID" },
+            "clientSecret": { "env": "GITLAB_SELFHOSTED_CLIENT_SECRET" }
+        }
+    }
+}
+```
+
+Each provider keeps the same fields documented above. The only differences are:
+
+- `identityProviders` is an **object** keyed by id instead of an array.
+- The id you choose (`gitlab-cloud`, `gitlab-selfhosted`) sets the callback URL, so you register `<sourcebot_url>/api/auth/callback/gitlab-cloud` and `<sourcebot_url>/api/auth/callback/gitlab-selfhosted` with their respective OAuth clients.
+- Set an optional `displayName` on each provider to give it a distinct label on the login screen. Without it, both instances fall back to the same provider-type name (for example, "GitLab"), making them hard to tell apart.
+
+<Note>
+Each instance needs its own OAuth client (its own `clientId` and `clientSecret`) registered with the matching callback URL.
+</Note>
+
 

docs/snippets/schemas/v3/identityProvider.schema.mdx

@@ -11,6 +11,10 @@
         "provider": {
           "const": "github"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'GitHub'."
+        },
         "purpose": {
           "enum": [
             "sso",
@@ -107,6 +111,10 @@
         "provider": {
           "const": "gitlab"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'GitLab'."
+        },
         "purpose": {
           "enum": [
             "sso",
@@ -203,6 +211,10 @@
         "provider": {
           "const": "google"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Google'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -281,6 +293,10 @@
         "provider": {
           "const": "okta"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Okta'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -390,6 +406,10 @@
         "provider": {
           "const": "keycloak"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Keycloak'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -499,6 +519,10 @@
         "provider": {
           "const": "microsoft-entra-id"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Microsoft Entra ID'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -608,6 +632,10 @@
         "provider": {
           "const": "gcp-iap"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Google Cloud IAP'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -655,6 +683,10 @@
         "provider": {
           "const": "bitbucket-cloud"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen and account settings. Defaults to 'Bitbucket Cloud'."
+        },
         "purpose": {
           "enum": [
             "sso",
@@ -740,6 +772,10 @@
         "provider": {
           "const": "authentik"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Authentik'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -849,6 +885,10 @@
         "provider": {
           "const": "jumpcloud"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'JumpCloud'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -958,6 +998,10 @@
         "provider": {
           "const": "bitbucket-server"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen and account settings. Defaults to 'Bitbucket Server'."
+        },
         "purpose": {
           "enum": [
             "sso",
@@ -1054,6 +1098,10 @@
         "provider": {
           "const": "github"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'GitHub'."
+        },
         "purpose": {
           "enum": [
             "sso",
@@ -1150,6 +1198,10 @@
         "provider": {
           "const": "gitlab"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'GitLab'."
+        },
         "purpose": {
           "enum": [
             "sso",
@@ -1246,6 +1298,10 @@
         "provider": {
           "const": "google"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Google'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -1324,6 +1380,10 @@
         "provider": {
           "const": "okta"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Okta'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -1433,6 +1493,10 @@
         "provider": {
           "const": "keycloak"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Keycloak'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -1542,6 +1606,10 @@
         "provider": {
           "const": "microsoft-entra-id"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Microsoft Entra ID'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -1651,6 +1719,10 @@
         "provider": {
           "const": "gcp-iap"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Google Cloud IAP'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -1698,6 +1770,10 @@
         "provider": {
           "const": "authentik"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'Authentik'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -1807,6 +1883,10 @@
         "provider": {
           "const": "bitbucket-cloud"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen and account settings. Defaults to 'Bitbucket Cloud'."
+        },
         "purpose": {
           "enum": [
             "sso",
@@ -1892,6 +1972,10 @@
         "provider": {
           "const": "jumpcloud"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen. Defaults to 'JumpCloud'."
+        },
         "purpose": {
           "const": "sso"
         },
@@ -2001,6 +2085,10 @@
         "provider": {
           "const": "bitbucket-server"
         },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label shown on the login screen and account settings. Defaults to 'Bitbucket Server'."
+        },
         "purpose": {
           "enum": [
             "sso",