From 2cff2065eb3decd1b80a54b6dc4b1d26bac7b095 Mon Sep 17 00:00:00 2001
From: Will Wilson <will@willwilson.uk>
Date: Fri, 1 May 2026 12:31:32 +0100
Subject: [PATCH] fix: use ProviderLoader for AuthConfig.sso_providers when DB
 providers enabled\n\nAuthConfig.sso_providers only read from YAML config, so
 self-hosted\nsetups with DB-configured SSO providers (e.g. Authentik via
 admin UI)\nhad no SSO button on the login page.\n\nWire it to
 ProviderLoader.load_providers when FeatureFlags.db_sso_providers?\nis true,
 falling back to YAML config otherwise. (#1614)

---
 app/models/auth_config.rb   | 12 +++++++++++-
 app/models/oidc_identity.rb |  2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/app/models/auth_config.rb b/app/models/auth_config.rb
index 7cb630966..7b4c9c7a4 100644
--- a/app/models/auth_config.rb
+++ b/app/models/auth_config.rb
@@ -74,7 +74,17 @@ class AuthConfig
     end
 
     def sso_providers
-      Rails.configuration.x.auth.sso_providers || []
+      if FeatureFlags.db_sso_providers?
+        # After boot, OmniAuth registers successfully configured providers into
+        # Rails.configuration.x.auth.sso_providers. Prefer that filtered list
+        # so we never render login buttons for providers that couldn't be
+        # registered (e.g., missing required fields in YAML fallback).
+        # Fall back to ProviderLoader for pre-boot contexts.
+        registered = Rails.configuration.x.auth.sso_providers
+        registered&.any? ? registered : ProviderLoader.load_providers
+      else
+        Rails.configuration.x.auth.sso_providers || []
+      end
     end
   end
 end
diff --git a/app/models/oidc_identity.rb b/app/models/oidc_identity.rb
index e8993142f..fe85a1fdf 100644
--- a/app/models/oidc_identity.rb
+++ b/app/models/oidc_identity.rb
@@ -95,7 +95,7 @@ class OidcIdentity < ApplicationRecord
 
   # Find the configured provider for this identity
   def provider_config
-    Rails.configuration.x.auth.sso_providers&.find { |p| p[:name] == provider || p[:id] == provider }
+    AuthConfig.sso_providers&.find { |p| p[:name] == provider || p[:id] == provider }
   end
 
   # Validate that the stored issuer matches the configured provider's issuer