fix(web): Fix token refresh in back-compat case

.env.development

@@ -14,10 +14,6 @@ CTAGS_COMMAND=ctags
 AUTH_SECRET="00000000000000000000000000000000000000000000"
 AUTH_URL="http://localhost:3000"
 # AUTH_CREDENTIALS_LOGIN_ENABLED=true
-# AUTH_EE_GITHUB_CLIENT_ID=""
-# AUTH_EE_GITHUB_CLIENT_SECRET=""
-# AUTH_EE_GOOGLE_CLIENT_ID=""
-# AUTH_EE_GOOGLE_CLIENT_SECRET=""
 
 DATA_CACHE_DIR=${PWD}/.sourcebot  # Path to the sourcebot cache dir (ex. ~/sourcebot/.sourcebot)
 SOURCEBOT_PUBLIC_KEY_PATH=${PWD}/public.pem

CHANGELOG.md

@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 - Fixed issue where certain file and folder names would cause type errors. [#862](https://github.com/sourcebot-dev/sourcebot/pull/862)
+- Fixed token refresh error "Provider config not found or invalid for: x" when a sso is configured using deprecated env vars. [#841](https://github.com/sourcebot-dev/sourcebot/pull/841)
 
 ## [4.10.27] - 2026-02-05
 

docs/docs/configuration/environment-variables.mdx

@@ -41,25 +41,7 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `HTTP_PROXY` | - | <p>HTTP proxy URL for routing non-SSL requests through a proxy server (e.g., `http://proxy.company.com:8080`). Requires `NODE_USE_ENV_PROXY=1`.</p> |
 | `HTTPS_PROXY` | - | <p>HTTPS proxy URL for routing SSL requests through a proxy server (e.g., `http://proxy.company.com:8080`). Requires `NODE_USE_ENV_PROXY=1`.</p> |
 | `NO_PROXY` | - | <p>Comma-separated list of hostnames or domains that should bypass the proxy (e.g., `localhost,127.0.0.1,.internal.domain`). Requires `NODE_USE_ENV_PROXY=1`.</p> |
-
-### Enterprise Environment Variables
-| Variable | Default | Description |
-| :------- | :------ | :---------- |
 | `SOURCEBOT_EE_AUDIT_LOGGING_ENABLED` | `true` | <p>Enables/disables audit logging</p> |
-| `AUTH_EE_GITHUB_BASE_URL` | `https://github.com` | <p>The base URL for GitHub Enterprise SSO authentication.</p> |
-| `AUTH_EE_GITHUB_CLIENT_ID` | `-` | <p>The client ID for GitHub Enterprise SSO authentication.</p> |
-| `AUTH_EE_GITHUB_CLIENT_SECRET` | `-` | <p>The client secret for GitHub Enterprise SSO authentication.</p> |
-| `AUTH_EE_GITLAB_BASE_URL` | `https://gitlab.com` | <p>The base URL for GitLab Enterprise SSO authentication.</p> |
-| `AUTH_EE_GITLAB_CLIENT_ID` | `-` | <p>The client ID for GitLab Enterprise SSO authentication.</p> |
-| `AUTH_EE_GITLAB_CLIENT_SECRET` | `-` | <p>The client secret for GitLab Enterprise SSO authentication.</p> |
-| `AUTH_EE_GOOGLE_CLIENT_ID` | `-` | <p>The client ID for Google SSO authentication.</p> |
-| `AUTH_EE_GOOGLE_CLIENT_SECRET` | `-` | <p>The client secret for Google SSO authentication.</p> |
-| `AUTH_EE_KEYCLOAK_CLIENT_ID` | `-` | <p>The client ID for Keycloak SSO authentication.</p> |
-| `AUTH_EE_KEYCLOAK_CLIENT_SECRET` | `-` | <p>The client secret for Keycloak SSO authentication.</p> |
-| `AUTH_EE_KEYCLOAK_ISSUER` | `-` | <p>The issuer URL for Keycloak SSO authentication.</p> |
-| `AUTH_EE_OKTA_CLIENT_ID` | `-` | <p>The client ID for Okta SSO authentication.</p> |
-| `AUTH_EE_OKTA_CLIENT_SECRET` | `-` | <p>The client secret for Okta SSO authentication.</p> |
-| `AUTH_EE_OKTA_ISSUER` | `-` | <p>The issuer URL for Okta SSO authentication.</p> |
 | `AUTH_EE_GCP_IAP_ENABLED` | `false` | <p>When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect</p> |
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |

docs/docs/features/permission-syncing.mdx

@@ -51,7 +51,7 @@ We are actively working on supporting more code hosts. If you'd like to see a sp
 
 Prerequisites:
 - Configure GitHub as an [external identity provider](/docs/configuration/idp).
-- **If you are using a self-hosted GitHub instance**, you must also set `AUTH_EE_GITHUB_BASE_URL` to the base URL of your GitHub instance (e.g. `https://github.example.com`).
+- **If you are using a self-hosted GitHub instance**, you must also set the `baseUrl` property of the `github` identity provider in the [config file](/docs/configuration/config-file) to the base URL of your GitHub instance (e.g. `https://github.example.com`).
 
 Permission syncing works with **GitHub.com**, **GitHub Enterprise Cloud**, and **GitHub Enterprise Server**. For organization-owned repositories, users that have **read-only** access (or above) via the following methods will have their access synced to Sourcebot:
 - Outside collaborators
@@ -68,7 +68,7 @@ Permission syncing works with **GitHub.com**, **GitHub Enterprise Cloud**, and *
 
 Prerequisites:
 - Configure GitLab as an [external identity provider](/docs/configuration/idp).
-- **If you are using a self-hosted GitLab instance**, you must also set `AUTH_EE_GITLAB_BASE_URL` to the base URL of your GitLab instance (e.g. `https://gitlab.example.com`).
+- **If you are using a self-hosted GitLab instance**, you must also set the `baseUrl` property of the `gitlab` identity provider in the [config file](/docs/configuration/config-file) to the base URL of your GitLab instance (e.g. `https://gitlab.example.com`).
 
 Permission syncing works with **GitLab Self-managed** and **GitLab Cloud**. Users with **Guest** role or above with membership to a group or project will have their access synced to Sourcebot. Both direct and indirect membership to a group or project will be synced with Sourcebot. For more details, see the [GitLab docs](https://docs.gitlab.com/user/project/members/#membership-types).
 

packages/shared/src/env.server.ts

@@ -141,35 +141,11 @@ export const env = createEnv({
         AUTH_EMAIL_CODE_LOGIN_ENABLED: booleanSchema.default('false'),
 
         // Enterprise Auth
-
         AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING:
             booleanSchema
             .default('false')
             .describe('When enabled, different SSO accounts with the same email address will automatically be linked.'),
 
-        AUTH_EE_GITHUB_CLIENT_ID: z.string().optional(),
-        AUTH_EE_GITHUB_CLIENT_SECRET: z.string().optional(),
-        AUTH_EE_GITHUB_BASE_URL: z.string().optional(),
-
-        AUTH_EE_GITLAB_CLIENT_ID: z.string().optional(),
-        AUTH_EE_GITLAB_CLIENT_SECRET: z.string().optional(),
-        AUTH_EE_GITLAB_BASE_URL: z.string().default("https://gitlab.com"),
-
-        AUTH_EE_GOOGLE_CLIENT_ID: z.string().optional(),
-        AUTH_EE_GOOGLE_CLIENT_SECRET: z.string().optional(),
-
-        AUTH_EE_OKTA_CLIENT_ID: z.string().optional(),
-        AUTH_EE_OKTA_CLIENT_SECRET: z.string().optional(),
-        AUTH_EE_OKTA_ISSUER: z.string().optional(),
-
-        AUTH_EE_KEYCLOAK_CLIENT_ID: z.string().optional(),
-        AUTH_EE_KEYCLOAK_CLIENT_SECRET: z.string().optional(),
-        AUTH_EE_KEYCLOAK_ISSUER: z.string().optional(),
-
-        AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID: z.string().optional(),
-        AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET: z.string().optional(),
-        AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER: z.string().optional(),
-
         AUTH_EE_GCP_IAP_ENABLED: booleanSchema.default('false'),
         AUTH_EE_GCP_IAP_AUDIENCE: z.string().optional(),
 
@@ -297,6 +273,92 @@ export const env = createEnv({
 
         // A comma separated list of glob patterns that shwould always be indexed regardless of their size.
         ALWAYS_INDEX_FILE_PATTERNS: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_GITHUB_CLIENT_ID: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_GITHUB_CLIENT_SECRET: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_GITHUB_BASE_URL: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_GITLAB_CLIENT_ID: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_GITLAB_CLIENT_SECRET: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_GITLAB_BASE_URL: z.string().default("https://gitlab.com"),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_GOOGLE_CLIENT_ID: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_GOOGLE_CLIENT_SECRET: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_OKTA_CLIENT_ID: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_OKTA_CLIENT_SECRET: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_OKTA_ISSUER: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_KEYCLOAK_CLIENT_ID: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_KEYCLOAK_CLIENT_SECRET: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_KEYCLOAK_ISSUER: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_ID: z.string().optional(),
+
+        /**
+         * @deprecated
+         * This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_MICROSOFT_ENTRA_ID_CLIENT_SECRET: z.string().optional(),
+
+        /**
+         * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
+         */
+        AUTH_EE_MICROSOFT_ENTRA_ID_ISSUER: z.string().optional(),
     },
     runtimeEnv,
     emptyStringAsUndefined: true,

packages/shared/src/index.server.ts

@@ -26,11 +26,11 @@ export {
 } from "./utils.js";
 export * from "./constants.js";
 export {
-    env,
     resolveEnvironmentVariableOverridesFromConfig,
     loadConfig,
     isRemotePath,
 } from "./env.server.js";
+export { env } from "./env.server.js"
 export {
     createLogger,
 } from "./logger.js";