CO

This PR improves Coolify’s authentication model by decoupling OAuth2 self-registration from password-based registration and enforcing OAuth-only authentication for OAuth-origin users.

It enables administrators to fully delegate access control to an external Identity Provider (e.g. Authentik, Azure AD, Okta), making it possible to instantly revoke access across multiple Coolify instances by disabling a user in the IdP.

Changes

  • Added a new instance-level setting is_oauth_registration_enabled (Settings → Advanced)
    • Allows OAuth2 users to self-register even when general registration (is_registration_enabled) is disabled
  • Introduced an oauth_only flag on users
    • Users created via OAuth are automatically marked as oauth_only
    • oauth_only users are blocked from logging in via email/password
  • Enforced OAuth-only behavior at the authentication layer
    • Password login attempts for oauth_only users throw a validation error
  • UI updates to expose the new toggle in the admin panel
  • Added comprehensive feature tests covering:
    • Registration flag combinations
    • OAuth user creation and marking
    • Password login blocking for OAuth-only users

Issues

  • fixes: #8042
  • /claim #8042

Category

  • New feature

Screenshots or Video (if applicable)

📹 Demo video included in this PR

https://github.com/user-attachments/assets/3df607fe-24f1-42aa-bcf5-1d6acbd05298

Shows:

  • OAuth self-registration while general registration is disabled
  • Automatic oauth_only user creation
  • Password login being blocked for OAuth-only users

AI Usage

  • AI is NOT used in the process of creating this PR

Steps to Test

  1. Go to Settings → Advanced
  2. Disable General Registration
  3. Enable OAuth Registration
  4. Log out
  5. Sign in using an OAuth2 provider (e.g. Authentik)
    • Verify the user is created successfully
  6. Attempt to log in with the same user via email/password
    • Login should be blocked
  7. Disable the user in the OAuth provider
  8. Attempt OAuth login again
    • Access should be denied

Contributor Agreement

[!IMPORTANT]

  • I have read and understood the contributor guidelines. If I have failed to follow any guideline, I understand that this PR may be closed without review.
  • I have tested the changes thoroughly and am confident that they will work as expected without issues when the maintainer tests them

Claim

Total prize pool $50
Total paid $0
Status Pending
Submitted February 10, 2026
Last updated February 10, 2026

Contributors

HA

Harsh Pratap Singh

@harsh-pratap9904-gmail-com

 100%

Sponsors

KE

Kewyn Ferreira

@kewynf

$50