Affected: LaunchDarkly members signed in via OAuth (Google, GitHub, or Vercel)
Symptoms
The following symptoms occur when a LaunchDarkly member account is linked to an OAuth provider:
The email field is greyed out on the LaunchDarkly profile page (https://app.launchdarkly.com/profile) and displays an error such as: "You cannot change your email address as it is connected to Google.", "You cannot change your email address as it is connected to GitHub.", or "You cannot change your email address as it is connected to Vercel." The provider name in the error matches whichever OAuth login your account is linked to.
Affected members cannot update their own email addresses when their organization is using username and password and OAuth for authentication, even after your organization disables SSO or SCIM or switches to test-drive mode.
Cause
Your LaunchDarkly member account is linked to an OAuth provider. This happens to any account that has ever signed in using a Sign in with... OAuth button on the LaunchDarkly login page, even once. After a member account is linked via OAuth, LaunchDarkly locks the email field on the profile page because the email is considered managed by that provider.
This OAuth link is a property of the individual member, not of the organization. It is independent of your organization's SAML, SSO, or SCIM configuration. Disabling SSO or switching SSO providers does not remove the link.
If you are the affected member, you will need someone with LaunchDarkly Admin access to help resolve the issue. Contact a LaunchDarkly administrator at your organization and ask them to follow the procedure in the Solution section below. The fix is administrator-only.
Solution
The only supported path to resolve this is to recreate the affected member with a new email address. Here's how to recreate the affected member:
An organization administrator removes the affected member from LaunchDarkly under Settings > Members.
The administrator invites the member again using the new email address.
The member accepts the invite and creates their LaunchDarkly account using the new email.
When signing in for the first time with the new account, the member must use email and password (or your organization's SSO or SCIM) — not a Sign in with... OAuth button. Using a Sign in with... button will re-link the new account to that OAuth provider and reproduce the same lock.
After recreation, the member can sign in normally. Custom roles, team memberships, and any personal access tokens associated with the old member account will need to be reconfigured, as they are tied to the removed account.
Planning an organization-wide migration
If you are migrating email domains, switching SSO or SCIM providers, or otherwise need to change email addresses for members in your organization, see also How to update email addresses when switching to a new domain. Expect that any member who has ever used a Sign in with... OAuth button will be in this state and will need to be recreated.
There is no bulk admin action to unlink an OAuth provider or migrate emails across the organization. Plan to:
Identify affected members in advance. These are the members whose email cannot be changed through the profile page.
Communicate the recreation step to those members in advance, including the loss of personal access tokens and per-member configuration that comes with it.
After recreation, instruct affected members not to use a Sign in with... OAuth button when signing in for the first time on the new account. Direct them to sign in through your IdP (if SSO or SCIM is enabled) or with email and password.
Plan to re-grant custom roles and team memberships after recreation.