Backstage auth provider config missing in CI
When an auth provider (github, google, oidc) is configured, Backstage requires its clientId and clientSecret. In CI those come from env substitution, and a missing value fails config validation at startup.
What this error means
The backend fails with "Missing required config value at 'auth.providers.github.development.clientId'" or a similar path for the enabled provider.
Backend failed to start up Error: Missing required config value at
'auth.providers.github.development.clientId' in 'app-config.yaml'
at ConfigReader.getString ...Common causes
Provider enabled but credentials unset
The auth.providers block references ${AUTH_GITHUB_CLIENT_ID} and ${AUTH_GITHUB_CLIENT_SECRET}, which are not provided in CI.
A provider configured that CI does not need
A real OAuth provider is enabled for a CI job that only builds or tests, forcing credentials that are unnecessary there.
How to fix it
Provide the provider credentials as secrets
- Store the client id and secret as repository secrets.
- Map them into the step env used by the backend.
- Re-run so config validation finds real values.
env:
AUTH_GITHUB_CLIENT_ID: ${{ secrets.AUTH_GITHUB_CLIENT_ID }}
AUTH_GITHUB_CLIENT_SECRET: ${{ secrets.AUTH_GITHUB_CLIENT_SECRET }}Use the guest provider for CI
For build and test jobs that do not exercise login, configure the guest provider in a CI overlay so no OAuth credentials are required.
auth:
providers:
guest: {}How to prevent it
- Only enable auth providers that a given job actually needs.
- Provide provider credentials via secrets, not committed config.
- Use a guest provider overlay for non-auth CI jobs.