OAuth authentication and account password

Good morning, everyone.

I enabled OAuth authentication on my Seafile 13 Pro installation. The authentication provider is PocketID. Everything works fine, but I noticed some strange behaviour.

If I log in with the external user and go to set the password on Seafile – Settings – Password – Update, I can log in with the username xxxx@auth.local and the generated password as if I were using a local account. Is this behaviour normal?

ENABLE_OAUTH = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False
OAUTH_CLIENT_ID = "xxxx"
OAUTH_CLIENT_SECRET = "xxxxxx"
OAUTH_REDIRECT_URL = 'https://seafile.url/oauth/callback/'
OAUTH_PROVIDER_DOMAIN = 'auth.url'
OAUTH_AUTHORIZATION_URL = 'https://auth.url/authorize'
OAUTH_TOKEN_URL = 'https://auth.url/api/oidc/token'
OAUTH_USER_INFO_URL = 'https://auth.url/api/oidc/userinfo'
OAUTH_SCOPE = [
    "openid",
    "profile",
    "email",
]
OAUTH_ATTRIBUTE_MAP = {
    "sub": (True, "uid"),
    "email": (False, "email"),
    "name": (False, "name"),
}

ENABLE_LDAP = False
DISABLE_ADFS_USER_PWD_LOGIN = True

Thank you for your help.

You mentioned that you enabled OAuth authentication and have DISABLE_ADFS_USER_PWD_LOGIN = True in your configuration. According to the Seafile documentation, specifically for versions 12.0.9 beta and newer, the DISABLE_ADFS_USER_PWD_LOGIN setting is intended to force users to log in exclusively through ADFS or OAuth providers, thereby disabling traditional email and password logins for those accounts.

Given that your configuration includes DISABLE_ADFS_USER_PWD_LOGIN = True, the behavior you are describing—where an OAuth-authenticated user can set a local password and then use a username like xxxx@auth.local to log in—is not expected. If the setting is correctly applied, this local password login method for OAuth users should be disabled.
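To rule out the "correctly applied" part, here is an added example (not part of the thread and not Seafile's own code) that statically audits a Python settings file like the snippet in the question: it reports settings assigned more than once, flags that are not real booleans, non-HTTPS OAuth URLs, and a missing required `uid` mapping. The names `load_assignments`, `audit` and `SAMPLE` are hypothetical; the check only shows what the file says, not whether Seafile enforces it, and it assumes the three flags are set explicitly.

```python
import ast

# Constructed sample: the thread's settings plus a later line that silently
# overrides the flag (the string "False" is truthy but is not the boolean).
SAMPLE = '''
ENABLE_OAUTH = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False
OAUTH_REDIRECT_URL = 'https://seafile.url/oauth/callback/'
OAUTH_AUTHORIZATION_URL = 'https://auth.url/authorize'
OAUTH_TOKEN_URL = 'https://auth.url/api/oidc/token'
OAUTH_USER_INFO_URL = 'https://auth.url/api/oidc/userinfo'
OAUTH_ATTRIBUTE_MAP = {"sub": (True, "uid"), "email": (False, "email")}
DISABLE_ADFS_USER_PWD_LOGIN = True
DISABLE_ADFS_USER_PWD_LOGIN = "False"
'''

def load_assignments(source):
    """Map each top-level NAME = <literal> to the list of values assigned, in order."""
    seen = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and len(node.targets) == 1 \
                and isinstance(node.targets[0], ast.Name):
            try:
                value = ast.literal_eval(node.value)
            except ValueError:
                continue  # computed value: cannot be judged statically
            seen.setdefault(node.targets[0].id, []).append(value)
    return seen

def audit(source):
    """Return findings for the OAuth-only login settings shown in the thread."""
    seen, findings = load_assignments(source), []
    final = {name: values[-1] for name, values in seen.items()}
    for name, values in seen.items():
        if len(values) > 1:
            findings.append(f"{name} assigned {len(values)} times; last value {values[-1]!r} wins")
    # Assumption: all three flags are set explicitly; a missing one is reported too.
    for name, wanted in (("ENABLE_OAUTH", True), ("DISABLE_ADFS_USER_PWD_LOGIN", True),
                         ("OAUTH_ENABLE_INSECURE_TRANSPORT", False)):
        if final.get(name) is not wanted:
            findings.append(f"{name} is {final.get(name)!r}, expected boolean {wanted}")
    for name, value in final.items():
        if name.startswith("OAUTH_") and name.endswith("_URL") \
                and not str(value).startswith("https://"):
            findings.append(f"{name} is not an https URL")
    mapping = final.get("OAUTH_ATTRIBUTE_MAP", {})
    if not any(req and target == "uid" for req, target in mapping.values()):
        findings.append("OAUTH_ATTRIBUTE_MAP has no required attribute mapped to uid")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

An empty result means the file itself is consistent, so the next place to look is whether the running service has loaded it since the change.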