diff --git a/packages/tests/src/plugins/id-and-pass-auth.ts b/packages/tests/src/plugins/id-and-pass-auth.ts
index a332f0eec..9fcdf5aa9 100644
--- a/packages/tests/src/plugins/id-and-pass-auth.ts
+++ b/packages/tests/src/plugins/id-and-pass-auth.ts
@@ -242,6 +242,29 @@ describe('Test id and pass auth plugins', function () {
     expect(laguna.pluginAuth).to.equal('peertube-plugin-test-id-pass-auth-two')
   })
 
+  it('Should not update a user if not owned by the plugin auth', async function () {
+    {
+      await server.users.update({ userId: lagunaId, videoQuota: 43000, password: 'coucou', pluginAuth: null })
+
+      const body = await server.users.get({ userId: lagunaId })
+      expect(body.videoQuota).to.equal(43000)
+      expect(body.pluginAuth).to.be.null
+    }
+
+    {
+      await server.login.login({
+        user: { username: 'laguna', password: 'laguna password' },
+        expectedStatus: HttpStatusCode.BAD_REQUEST_400
+      })
+    }
+
+    {
+      const body = await server.users.get({ userId: lagunaId })
+      expect(body.videoQuota).to.equal(43000)
+      expect(body.pluginAuth).to.be.null
+    }
+  })
+
   after(async function () {
     await cleanupTests([ server ])
   })
diff --git a/server/core/lib/auth/oauth-model.ts b/server/core/lib/auth/oauth-model.ts
index 26a9f8996..47362931f 100644
--- a/server/core/lib/auth/oauth-model.ts
+++ b/server/core/lib/auth/oauth-model.ts
@@ -89,8 +89,11 @@ async function getUser (usernameOrEmail?: string, password?: string, bypassLogin
 
     let user = await UserModel.loadByEmail(bypassLogin.user.email)
 
-    if (!user) user = await createUserFromExternal(bypassLogin.pluginName, bypassLogin.user)
-    else user = await updateUserFromExternal(user, bypassLogin.user, bypassLogin.userUpdater)
+    if (!user) {
+      user = await createUserFromExternal(bypassLogin.pluginName, bypassLogin.user)
+    } else if (user.pluginAuth === bypassLogin.pluginName) {
+      user = await updateUserFromExternal(user, bypassLogin.user, bypassLogin.userUpdater)
+    }
 
     // Cannot create a user
     if (!user) throw new AccessDeniedError('Cannot create such user: an actor with that name already exists.')
diff --git a/server/core/models/user/user.ts b/server/core/models/user/user.ts
index 3c4495e3e..84060bc08 100644
--- a/server/core/models/user/user.ts
+++ b/server/core/models/user/user.ts
@@ -873,6 +873,8 @@ export class UserModel extends Model<Partial<AttributesOnly<UserModel>>> {
   }
 
   isPasswordMatch (password: string) {
+    if (!password || !this.password) return false
+
     return comparePassword(password, this.password)
   }