diff --git a/roles/koji_builder/templates/builder.conf b/roles/koji_builder/templates/builder.conf
index 754ccaffb1..98a7e61f4c 100644
--- a/roles/koji_builder/templates/builder.conf
+++ b/roles/koji_builder/templates/builder.conf
@@ -4,7 +4,7 @@ server = https://api.openshift.com/
 [composer:oauth]
 client_id = {{koji_builder_client_id}}
 client_secret = {{koji_builder_client_secret}}
-token_url = https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token
+token_url = https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
 
 [koji]
 server = https://koji.fedoraproject.org/kojihub
diff --git a/roles/koji_builder/templates/builder.conf.stg b/roles/koji_builder/templates/builder.conf.stg
index d33ee8a07d..75eaed35f4 100644
--- a/roles/koji_builder/templates/builder.conf.stg
+++ b/roles/koji_builder/templates/builder.conf.stg
@@ -4,7 +4,7 @@ server = https://api.stage.openshift.com/
 [composer:oauth]
 client_id = {{koji_builder_client_id_stg}}
 client_secret = {{koji_builder_client_secret_stg}}
-token_url = https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token
+token_url = https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
 
 [koji]
 server = https://koji.stg.fedoraproject.org/kojihub
diff --git a/roles/koji_builder/templates/osbuildapi-update.sh b/roles/koji_builder/templates/osbuildapi-update.sh
index 45a854e754..e15cec371c 100644
--- a/roles/koji_builder/templates/osbuildapi-update.sh
+++ b/roles/koji_builder/templates/osbuildapi-update.sh
@@ -19,10 +19,8 @@ do
      /usr/sbin/ipset add osbuildapi $j
 done
 
-{% if env == 'staging' %}
-# in stg we need to add identity.api because we are using api.stage above. 
-# in prod this is already the same as api.openshift.com, so skip it.
-RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query identity.api.openshift.com 2> /dev/null`
+# both stage and prod authenticate using sso.redhat.com
+RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query sso.redhat.com 2> /dev/null`
 test $? -eq 0 || exit $?
 
 NEWIDENTITYIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/g' | sort -n`
@@ -31,4 +29,3 @@ for j in $NEWIDENTITYIPS
 do
      /usr/sbin/ipset add osbuildapi $j
 done
-{% endif %}