fix: use ProviderLoader for AuthConfig.sso_providers when DB providers enabled\n\nAuthConfig.sso_providers only read from YAML config, so self-hosted\nsetups with DB-configured SSO providers (e.g. Authentik via admin UI)\nhad no SSO button on the login page.\n\nWire it to ProviderLoader.load_providers when FeatureFlags.db_sso_providers?\nis true, falling back to YAML config otherwise. (#1614)

app/models/auth_config.rb

@@ -74,7 +74,17 @@ class AuthConfig
     end
 
     def sso_providers
-      Rails.configuration.x.auth.sso_providers || []
+      if FeatureFlags.db_sso_providers?
+        # After boot, OmniAuth registers successfully configured providers into
+        # Rails.configuration.x.auth.sso_providers. Prefer that filtered list
+        # so we never render login buttons for providers that couldn't be
+        # registered (e.g., missing required fields in YAML fallback).
+        # Fall back to ProviderLoader for pre-boot contexts.
+        registered = Rails.configuration.x.auth.sso_providers
+        registered&.any? ? registered : ProviderLoader.load_providers
+      else
+        Rails.configuration.x.auth.sso_providers || []
+      end
     end
   end
 end

app/models/oidc_identity.rb

@@ -95,7 +95,7 @@ class OidcIdentity < ApplicationRecord
 
   # Find the configured provider for this identity
   def provider_config
-    Rails.configuration.x.auth.sso_providers&.find { |p| p[:name] == provider || p[:id] == provider }
+    AuthConfig.sso_providers&.find { |p| p[:name] == provider || p[:id] == provider }
   end
 
   # Validate that the stored issuer matches the configured provider's issuer