Skip to content
Latchkey

Backstage auth provider config missing in CI

When an auth provider (github, google, oidc) is configured, Backstage requires its clientId and clientSecret. In CI those come from env substitution, and a missing value fails config validation at startup.

What this error means

The backend fails with "Missing required config value at 'auth.providers.github.development.clientId'" or a similar path for the enabled provider.

backstage
Backend failed to start up Error: Missing required config value at
'auth.providers.github.development.clientId' in 'app-config.yaml'
    at ConfigReader.getString ...

Common causes

Provider enabled but credentials unset

The auth.providers block references ${AUTH_GITHUB_CLIENT_ID} and ${AUTH_GITHUB_CLIENT_SECRET}, which are not provided in CI.

A provider configured that CI does not need

A real OAuth provider is enabled for a CI job that only builds or tests, forcing credentials that are unnecessary there.

How to fix it

Provide the provider credentials as secrets

  1. Store the client id and secret as repository secrets.
  2. Map them into the step env used by the backend.
  3. Re-run so config validation finds real values.
.github/workflows/ci.yml
env:
  AUTH_GITHUB_CLIENT_ID: ${{ secrets.AUTH_GITHUB_CLIENT_ID }}
  AUTH_GITHUB_CLIENT_SECRET: ${{ secrets.AUTH_GITHUB_CLIENT_SECRET }}

Use the guest provider for CI

For build and test jobs that do not exercise login, configure the guest provider in a CI overlay so no OAuth credentials are required.

app-config.ci.yaml
auth:
  providers:
    guest: {}

How to prevent it

  • Only enable auth providers that a given job actually needs.
  • Provide provider credentials via secrets, not committed config.
  • Use a guest provider overlay for non-auth CI jobs.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →