diff --git a/auth_oauth_link_by_email/README.rst b/auth_oauth_link_by_email/README.rst
new file mode 100644
index 0000000000..8d01888741
--- /dev/null
+++ b/auth_oauth_link_by_email/README.rst
@@ -0,0 +1,124 @@
+====================================
+OAuth - Link existing users by email
+====================================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:7b1f947b629d3f0ea59aca3c89d6656b6a1e8ae5c4378ec0650e9ca03cc54e9f
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/17.0/auth_oauth_link_by_email
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oauth_link_by_email
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+When installed, this module automatically links existing Odoo users to
+an OAuth provider on their first login, by matching the email address
+from the OAuth token with the user's login (which is their email in
+Odoo).
+
+This is useful when users already exist in Odoo (created manually or
+imported) and you want them to authenticate via an OAuth provider
+without having to recreate their accounts.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Installation
+============
+
+No additional installation steps are required beyond installing the
+module itself. It depends only on the standard ``auth_oauth`` module.
+
+Configuration
+=============
+
+No configuration is required. The auto-link feature is active as soon as
+the module is installed.
+
+How it works
+------------
+
+When a user attempts to log in through an OAuth provider and no Odoo
+user is found with a matching ``oauth_uid`` + ``oauth_provider_id``,
+this module will:
+
+1. Extract the ``email`` claim from the OAuth token validation response.
+2. Search for an active Odoo user whose ``login`` matches that email.
+3. If found, write the ``oauth_provider_id``, ``oauth_uid``, and
+   ``oauth_access_token`` onto that user record and return their login.
+4. Subsequent logins will resolve directly via ``oauth_uid`` as usual.
+
+If no matching user is found, or the email claim is absent, the standard
+``auth_oauth`` flow continues (raising ``AccessDenied`` for unknown
+accounts).
+
+Changelog
+=========
+
+17.0.1.0.0 (2026)
+-----------------
+
+- Initial release. Auto-links existing Odoo users to OAuth providers by
+  email on first login. The feature is active as soon as the module is
+  installed.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oauth_link_by_email%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Heligrafics Fotogrametria S.L.
+
+Contributors
+------------
+
+- `Heligrafics <https://www.heligrafics.net>`__
+
+  - Jose Zambudio Bernabeu <zamberjo@gmail.com>
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_oauth_link_by_email>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_oauth_link_by_email/__init__.py b/auth_oauth_link_by_email/__init__.py
new file mode 100644
index 0000000000..93ff268207
--- /dev/null
+++ b/auth_oauth_link_by_email/__init__.py
@@ -0,0 +1,4 @@
+# Copyright 2026 Heligrafics <https://www.heligrafics.net>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import models
diff --git a/auth_oauth_link_by_email/__manifest__.py b/auth_oauth_link_by_email/__manifest__.py
new file mode 100644
index 0000000000..32ae82eab1
--- /dev/null
+++ b/auth_oauth_link_by_email/__manifest__.py
@@ -0,0 +1,16 @@
+# Copyright 2026 Heligrafics <https://www.heligrafics.net>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+{
+    "name": "OAuth - Link existing users by email",
+    "version": "17.0.1.0.0",
+    "license": "AGPL-3",
+    "author": "Heligrafics Fotogrametria S.L., Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/server-auth",
+    "summary": (
+        "Automatically link existing Odoo users to an OAuth provider "
+        "on first login by matching their email address."
+    ),
+    "depends": ["auth_oauth"],
+    "installable": True,
+}
diff --git a/auth_oauth_link_by_email/i18n/auth_oauth_link_by_email.pot b/auth_oauth_link_by_email/i18n/auth_oauth_link_by_email.pot
new file mode 100644
index 0000000000..d59b93d4c4
--- /dev/null
+++ b/auth_oauth_link_by_email/i18n/auth_oauth_link_by_email.pot
@@ -0,0 +1,14 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+#	* auth_oauth_link_by_email
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 17.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
diff --git a/auth_oauth_link_by_email/models/__init__.py b/auth_oauth_link_by_email/models/__init__.py
new file mode 100644
index 0000000000..858adbc1aa
--- /dev/null
+++ b/auth_oauth_link_by_email/models/__init__.py
@@ -0,0 +1,4 @@
+# Copyright 2026 Heligrafics <https://www.heligrafics.net>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import res_users
diff --git a/auth_oauth_link_by_email/models/res_users.py b/auth_oauth_link_by_email/models/res_users.py
new file mode 100644
index 0000000000..6680773d61
--- /dev/null
+++ b/auth_oauth_link_by_email/models/res_users.py
@@ -0,0 +1,56 @@
+# Copyright 2026 Heligrafics <https://www.heligrafics.net>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import logging
+
+from odoo import api, models
+
+_logger = logging.getLogger(__name__)
+
+
+class ResUsers(models.Model):
+    _inherit = "res.users"
+
+    @api.model
+    def _oauth_link_user_by_email(self, provider, oauth_uid, email, access_token):
+        user = self.search([("login", "=", email)], limit=1)
+        if not user:
+            _logger.warning(
+                "OAuth link by email: no user found with login=%s, skipping.",
+                email,
+            )
+            return None
+        user.write(
+            {
+                "oauth_provider_id": provider,
+                "oauth_uid": oauth_uid,
+                "oauth_access_token": access_token,
+            }
+        )
+        _logger.info(
+            "OAuth link by email: user '%s' linked to provider %s with oauth_uid=%s.",
+            user.login,
+            provider,
+            oauth_uid,
+        )
+        return user
+
+    @api.model
+    def _auth_oauth_signin(self, provider, validation, params):
+        oauth_uid = validation["user_id"]
+        already_linked = self.search(
+            [
+                ("oauth_uid", "=", oauth_uid),
+                ("oauth_provider_id", "=", provider),
+            ],
+            limit=1,
+        )
+        if not already_linked:
+            email = validation.get("email")
+            if email:
+                linked_user = self._oauth_link_user_by_email(
+                    provider, oauth_uid, email, params["access_token"]
+                )
+                if linked_user:
+                    return linked_user.login
+        return super()._auth_oauth_signin(provider, validation, params)
diff --git a/auth_oauth_link_by_email/pyproject.toml b/auth_oauth_link_by_email/pyproject.toml
new file mode 100644
index 0000000000..4231d0cccb
--- /dev/null
+++ b/auth_oauth_link_by_email/pyproject.toml
@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"
diff --git a/auth_oauth_link_by_email/readme/CONFIGURE.md b/auth_oauth_link_by_email/readme/CONFIGURE.md
new file mode 100644
index 0000000000..5812ac843c
--- /dev/null
+++ b/auth_oauth_link_by_email/readme/CONFIGURE.md
@@ -0,0 +1,16 @@
+No configuration is required. The auto-link feature is active as soon as the
+module is installed.
+
+## How it works
+
+When a user attempts to log in through an OAuth provider and no Odoo user is
+found with a matching ``oauth_uid`` + ``oauth_provider_id``, this module will:
+
+1. Extract the ``email`` claim from the OAuth token validation response.
+2. Search for an active Odoo user whose ``login`` matches that email.
+3. If found, write the ``oauth_provider_id``, ``oauth_uid``, and
+   ``oauth_access_token`` onto that user record and return their login.
+4. Subsequent logins will resolve directly via ``oauth_uid`` as usual.
+
+If no matching user is found, or the email claim is absent, the standard
+``auth_oauth`` flow continues (raising ``AccessDenied`` for unknown accounts).
diff --git a/auth_oauth_link_by_email/readme/CONTRIBUTORS.md b/auth_oauth_link_by_email/readme/CONTRIBUTORS.md
new file mode 100644
index 0000000000..fbad4f5128
--- /dev/null
+++ b/auth_oauth_link_by_email/readme/CONTRIBUTORS.md
@@ -0,0 +1,2 @@
+* [Heligrafics](https://www.heligrafics.net)
+  - Jose Zambudio Bernabeu \<<zamberjo@gmail.com>\>
diff --git a/auth_oauth_link_by_email/readme/DESCRIPTION.md b/auth_oauth_link_by_email/readme/DESCRIPTION.md
new file mode 100644
index 0000000000..074cc879b9
--- /dev/null
+++ b/auth_oauth_link_by_email/readme/DESCRIPTION.md
@@ -0,0 +1,7 @@
+When installed, this module automatically links existing Odoo users to an
+OAuth provider on their first login, by matching the email address from the
+OAuth token with the user's login (which is their email in Odoo).
+
+This is useful when users already exist in Odoo (created manually or imported)
+and you want them to authenticate via an OAuth provider without having to
+recreate their accounts.
diff --git a/auth_oauth_link_by_email/readme/HISTORY.md b/auth_oauth_link_by_email/readme/HISTORY.md
new file mode 100644
index 0000000000..8becd2613c
--- /dev/null
+++ b/auth_oauth_link_by_email/readme/HISTORY.md
@@ -0,0 +1,4 @@
+## 17.0.1.0.0 (2026)
+
+* Initial release. Auto-links existing Odoo users to OAuth providers by email
+  on first login. The feature is active as soon as the module is installed.
diff --git a/auth_oauth_link_by_email/readme/INSTALL.md b/auth_oauth_link_by_email/readme/INSTALL.md
new file mode 100644
index 0000000000..7348c5e7f2
--- /dev/null
+++ b/auth_oauth_link_by_email/readme/INSTALL.md
@@ -0,0 +1,2 @@
+No additional installation steps are required beyond installing the module
+itself. It depends only on the standard ``auth_oauth`` module.
diff --git a/auth_oauth_link_by_email/static/description/icon.png b/auth_oauth_link_by_email/static/description/icon.png
new file mode 100644
index 0000000000..3a0328b516
Binary files /dev/null and b/auth_oauth_link_by_email/static/description/icon.png differ
diff --git a/auth_oauth_link_by_email/static/description/index.html b/auth_oauth_link_by_email/static/description/index.html
new file mode 100644
index 0000000000..c7cdae006a
--- /dev/null
+++ b/auth_oauth_link_by_email/static/description/index.html
@@ -0,0 +1,478 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
+<title>OAuth - Link existing users by email</title>
+<style type="text/css">
+
+/*
+:Author: David Goodger (goodger@python.org)
+:Id: $Id: html4css1.css 9511 2024-01-13 09:50:07Z milde $
+:Copyright: This stylesheet has been placed in the public domain.
+
+Default cascading style sheet for the HTML output of Docutils.
+Despite the name, some widely supported CSS2 features are used.
+
+See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
+customize this style sheet.
+*/
+
+/* used to remove borders from tables and images */
+.borderless, table.borderless td, table.borderless th {
+  border: 0 }
+
+table.borderless td, table.borderless th {
+  /* Override padding for "table.docutils td" with "! important".
+     The right padding separates the table cells. */
+  padding: 0 0.5em 0 0 ! important }
+
+.first {
+  /* Override more specific margin styles with "! important". */
+  margin-top: 0 ! important }
+
+.last, .with-subtitle {
+  margin-bottom: 0 ! important }
+
+.hidden {
+  display: none }
+
+.subscript {
+  vertical-align: sub;
+  font-size: smaller }
+
+.superscript {
+  vertical-align: super;
+  font-size: smaller }
+
+a.toc-backref {
+  text-decoration: none ;
+  color: black }
+
+blockquote.epigraph {
+  margin: 2em 5em ; }
+
+dl.docutils dd {
+  margin-bottom: 0.5em }
+
+object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
+  overflow: hidden;
+}
+
+/* Uncomment (and remove this text!) to get bold-faced definition list terms
+dl.docutils dt {
+  font-weight: bold }
+*/
+
+div.abstract {
+  margin: 2em 5em }
+
+div.abstract p.topic-title {
+  font-weight: bold ;
+  text-align: center }
+
+div.admonition, div.attention, div.caution, div.danger, div.error,
+div.hint, div.important, div.note, div.tip, div.warning {
+  margin: 2em ;
+  border: medium outset ;
+  padding: 1em }
+
+div.admonition p.admonition-title, div.hint p.admonition-title,
+div.important p.admonition-title, div.note p.admonition-title,
+div.tip p.admonition-title {
+  font-weight: bold ;
+  font-family: sans-serif }
+
+div.attention p.admonition-title, div.caution p.admonition-title,
+div.danger p.admonition-title, div.error p.admonition-title,
+div.warning p.admonition-title, .code .error {
+  color: red ;
+  font-weight: bold ;
+  font-family: sans-serif }
+
+/* Uncomment (and remove this text!) to get reduced vertical space in
+   compound paragraphs.
+div.compound .compound-first, div.compound .compound-middle {
+  margin-bottom: 0.5em }
+
+div.compound .compound-last, div.compound .compound-middle {
+  margin-top: 0.5em }
+*/
+
+div.dedication {
+  margin: 2em 5em ;
+  text-align: center ;
+  font-style: italic }
+
+div.dedication p.topic-title {
+  font-weight: bold ;
+  font-style: normal }
+
+div.figure {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+div.footer, div.header {
+  clear: both;
+  font-size: smaller }
+
+div.line-block {
+  display: block ;
+  margin-top: 1em ;
+  margin-bottom: 1em }
+
+div.line-block div.line-block {
+  margin-top: 0 ;
+  margin-bottom: 0 ;
+  margin-left: 1.5em }
+
+div.sidebar {
+  margin: 0 0 0.5em 1em ;
+  border: medium outset ;
+  padding: 1em ;
+  background-color: #ffffee ;
+  width: 40% ;
+  float: right ;
+  clear: right }
+
+div.sidebar p.rubric {
+  font-family: sans-serif ;
+  font-size: medium }
+
+div.system-messages {
+  margin: 5em }
+
+div.system-messages h1 {
+  color: red }
+
+div.system-message {
+  border: medium outset ;
+  padding: 1em }
+
+div.system-message p.system-message-title {
+  color: red ;
+  font-weight: bold }
+
+div.topic {
+  margin: 2em }
+
+h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
+h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
+  margin-top: 0.4em }
+
+h1.title {
+  text-align: center }
+
+h2.subtitle {
+  text-align: center }
+
+hr.docutils {
+  width: 75% }
+
+img.align-left, .figure.align-left, object.align-left, table.align-left {
+  clear: left ;
+  float: left ;
+  margin-right: 1em }
+
+img.align-right, .figure.align-right, object.align-right, table.align-right {
+  clear: right ;
+  float: right ;
+  margin-left: 1em }
+
+img.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+table.align-center {
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+  text-align: left }
+
+.align-center {
+  clear: both ;
+  text-align: center }
+
+.align-right {
+  text-align: right }
+
+/* reset inner alignment in figures */
+div.align-right {
+  text-align: inherit }
+
+/* div.align-center * { */
+/*   text-align: left } */
+
+.align-top    {
+  vertical-align: top }
+
+.align-middle {
+  vertical-align: middle }
+
+.align-bottom {
+  vertical-align: bottom }
+
+ol.simple, ul.simple {
+  margin-bottom: 1em }
+
+ol.arabic {
+  list-style: decimal }
+
+ol.loweralpha {
+  list-style: lower-alpha }
+
+ol.upperalpha {
+  list-style: upper-alpha }
+
+ol.lowerroman {
+  list-style: lower-roman }
+
+ol.upperroman {
+  list-style: upper-roman }
+
+p.attribution {
+  text-align: right ;
+  margin-left: 50% }
+
+p.caption {
+  font-style: italic }
+
+p.credits {
+  font-style: italic ;
+  font-size: smaller }
+
+p.label {
+  white-space: nowrap }
+
+p.rubric {
+  font-weight: bold ;
+  font-size: larger ;
+  color: maroon ;
+  text-align: center }
+
+p.sidebar-title {
+  font-family: sans-serif ;
+  font-weight: bold ;
+  font-size: larger }
+
+p.sidebar-subtitle {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+p.topic-title {
+  font-weight: bold }
+
+pre.address {
+  margin-bottom: 0 ;
+  margin-top: 0 ;
+  font: inherit }
+
+pre.literal-block, pre.doctest-block, pre.math, pre.code {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+pre.code .ln { color: gray; } /* line numbers */
+pre.code, code { background-color: #eeeeee }
+pre.code .comment, code .comment { color: #5C6576 }
+pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
+pre.code .literal.string, code .literal.string { color: #0C5404 }
+pre.code .name.builtin, code .name.builtin { color: #352B84 }
+pre.code .deleted, code .deleted { background-color: #DEB0A1}
+pre.code .inserted, code .inserted { background-color: #A3D289}
+
+span.classifier {
+  font-family: sans-serif ;
+  font-style: oblique }
+
+span.classifier-delimiter {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+span.interpreted {
+  font-family: sans-serif }
+
+span.option {
+  white-space: nowrap }
+
+span.pre {
+  white-space: pre }
+
+span.problematic, pre.problematic {
+  color: red }
+
+span.section-subtitle {
+  /* font-size relative to parent (h1..h6 element) */
+  font-size: 80% }
+
+table.citation {
+  border-left: solid 1px gray;
+  margin-left: 1px }
+
+table.docinfo {
+  margin: 2em 4em }
+
+table.docutils {
+  margin-top: 0.5em ;
+  margin-bottom: 0.5em }
+
+table.footnote {
+  border-left: solid 1px black;
+  margin-left: 1px }
+
+table.docutils td, table.docutils th,
+table.docinfo td, table.docinfo th {
+  padding-left: 0.5em ;
+  padding-right: 0.5em ;
+  vertical-align: top }
+
+table.docutils th.field-name, table.docinfo th.docinfo-name {
+  font-weight: bold ;
+  text-align: left ;
+  white-space: nowrap ;
+  padding-left: 0 }
+
+/* "booktabs" style (no vertical lines) */
+table.docutils.booktabs {
+  border: 0px;
+  border-top: 2px solid;
+  border-bottom: 2px solid;
+  border-collapse: collapse;
+}
+table.docutils.booktabs * {
+  border: 0px;
+}
+table.docutils.booktabs th {
+  border-bottom: thin solid;
+  text-align: left;
+}
+
+h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
+h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
+  font-size: 100% }
+
+ul.auto-toc {
+  list-style-type: none }
+
+</style>
+</head>
+<body>
+<div class="document" id="oauth-link-existing-users-by-email">
+<h1 class="title">OAuth - Link existing users by email</h1>
+
+<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! This file is generated by oca-gen-addon-readme !!
+!! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! source digest: sha256:7b1f947b629d3f0ea59aca3c89d6656b6a1e8ae5c4378ec0650e9ca03cc54e9f
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/17.0/auth_oauth_link_by_email"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oauth_link_by_email"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=17.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p>When installed, this module automatically links existing Odoo users to
+an OAuth provider on their first login, by matching the email address
+from the OAuth token with the user’s login (which is their email in
+Odoo).</p>
+<p>This is useful when users already exist in Odoo (created manually or
+imported) and you want them to authenticate via an OAuth provider
+without having to recreate their accounts.</p>
+<p><strong>Table of contents</strong></p>
+<div class="contents local topic" id="contents">
+<ul class="simple">
+<li><a class="reference internal" href="#installation" id="toc-entry-1">Installation</a></li>
+<li><a class="reference internal" href="#configuration" id="toc-entry-2">Configuration</a><ul>
+<li><a class="reference internal" href="#how-it-works" id="toc-entry-3">How it works</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#changelog" id="toc-entry-4">Changelog</a><ul>
+<li><a class="reference internal" href="#section-1" id="toc-entry-5">17.0.1.0.0 (2026)</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-6">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-7">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-8">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-9">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-10">Maintainers</a></li>
+</ul>
+</li>
+</ul>
+</div>
+<div class="section" id="installation">
+<h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
+<p>No additional installation steps are required beyond installing the
+module itself. It depends only on the standard <tt class="docutils literal">auth_oauth</tt> module.</p>
+</div>
+<div class="section" id="configuration">
+<h1><a class="toc-backref" href="#toc-entry-2">Configuration</a></h1>
+<p>No configuration is required. The auto-link feature is active as soon as
+the module is installed.</p>
+<div class="section" id="how-it-works">
+<h2><a class="toc-backref" href="#toc-entry-3">How it works</a></h2>
+<p>When a user attempts to log in through an OAuth provider and no Odoo
+user is found with a matching <tt class="docutils literal">oauth_uid</tt> + <tt class="docutils literal">oauth_provider_id</tt>,
+this module will:</p>
+<ol class="arabic simple">
+<li>Extract the <tt class="docutils literal">email</tt> claim from the OAuth token validation response.</li>
+<li>Search for an active Odoo user whose <tt class="docutils literal">login</tt> matches that email.</li>
+<li>If found, write the <tt class="docutils literal">oauth_provider_id</tt>, <tt class="docutils literal">oauth_uid</tt>, and
+<tt class="docutils literal">oauth_access_token</tt> onto that user record and return their login.</li>
+<li>Subsequent logins will resolve directly via <tt class="docutils literal">oauth_uid</tt> as usual.</li>
+</ol>
+<p>If no matching user is found, or the email claim is absent, the standard
+<tt class="docutils literal">auth_oauth</tt> flow continues (raising <tt class="docutils literal">AccessDenied</tt> for unknown
+accounts).</p>
+</div>
+</div>
+<div class="section" id="changelog">
+<h1><a class="toc-backref" href="#toc-entry-4">Changelog</a></h1>
+<div class="section" id="section-1">
+<h2><a class="toc-backref" href="#toc-entry-5">17.0.1.0.0 (2026)</a></h2>
+<ul class="simple">
+<li>Initial release. Auto-links existing Odoo users to OAuth providers by
+email on first login. The feature is active as soon as the module is
+installed.</li>
+</ul>
+</div>
+</div>
+<div class="section" id="bug-tracker">
+<h1><a class="toc-backref" href="#toc-entry-6">Bug Tracker</a></h1>
+<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oauth_link_by_email%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<p>Do not contact contributors directly about support or help with technical issues.</p>
+</div>
+<div class="section" id="credits">
+<h1><a class="toc-backref" href="#toc-entry-7">Credits</a></h1>
+<div class="section" id="authors">
+<h2><a class="toc-backref" href="#toc-entry-8">Authors</a></h2>
+<ul class="simple">
+<li>Heligrafics Fotogrametria S.L.</li>
+</ul>
+</div>
+<div class="section" id="contributors">
+<h2><a class="toc-backref" href="#toc-entry-9">Contributors</a></h2>
+<ul class="simple">
+<li><a class="reference external" href="https://www.heligrafics.net">Heligrafics</a><ul>
+<li>Jose Zambudio Bernabeu &lt;<a class="reference external" href="mailto:zamberjo&#64;gmail.com">zamberjo&#64;gmail.com</a>&gt;</li>
+</ul>
+</li>
+</ul>
+</div>
+<div class="section" id="maintainers">
+<h2><a class="toc-backref" href="#toc-entry-10">Maintainers</a></h2>
+<p>This module is maintained by the OCA.</p>
+<a class="reference external image-reference" href="https://odoo-community.org">
+<img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
+</a>
+<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/17.0/auth_oauth_link_by_email">OCA/server-auth</a> project on GitHub.</p>
+<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
+</div>
+</div>
+</div>
+</body>
+</html>
diff --git a/auth_oauth_link_by_email/tests/__init__.py b/auth_oauth_link_by_email/tests/__init__.py
new file mode 100644
index 0000000000..2780ba47a3
--- /dev/null
+++ b/auth_oauth_link_by_email/tests/__init__.py
@@ -0,0 +1,4 @@
+# Copyright 2026 Heligrafics <https://www.heligrafics.net>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import test_auth_oauth_link_by_email
diff --git a/auth_oauth_link_by_email/tests/test_auth_oauth_link_by_email.py b/auth_oauth_link_by_email/tests/test_auth_oauth_link_by_email.py
new file mode 100644
index 0000000000..0706088ad1
--- /dev/null
+++ b/auth_oauth_link_by_email/tests/test_auth_oauth_link_by_email.py
@@ -0,0 +1,136 @@
+# Copyright 2026 Heligrafics <https://www.heligrafics.net>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from odoo.exceptions import AccessDenied
+from odoo.tests import common
+from odoo.tools import mute_logger
+
+
+class TestOAuthLinkByEmail(common.TransactionCase):
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls._provider_id = (
+            cls.env["auth.oauth.provider"]
+            .create(
+                {
+                    "name": "Test OAuth Provider",
+                    "client_id": "test-client",
+                    "body": "Log in with Test OAuth",
+                    "auth_endpoint": "http://example.com/auth",
+                    "validation_endpoint": "http://example.com/userinfo",
+                    "scope": "openid email",
+                    "enabled": True,
+                }
+            )
+            .id
+        )
+        cls._test_user_id = (
+            cls.env["res.users"]
+            .create(
+                {
+                    "name": "OAuth Test User",
+                    "login": "oauth.test@example.com",
+                    "email": "oauth.test@example.com",
+                    "groups_id": [(6, 0, [cls.env.ref("base.group_user").id])],
+                }
+            )
+            .id
+        )
+
+    def setUp(self):
+        super().setUp()
+        self.provider = self.env["auth.oauth.provider"].browse(
+            self.__class__._provider_id
+        )
+        self.test_user = self.env["res.users"].browse(self.__class__._test_user_id)
+
+    def _make_validation(self, user_id="sub-uuid-1234", email="oauth.test@example.com"):
+        return {"user_id": user_id, "email": email}
+
+    def _make_params(self, access_token="test_token"):
+        return {"access_token": access_token, "state": "{}"}
+
+    def test_link_user_by_email_links_and_returns_user(self):
+        """Links the user found by email and returns the recordset."""
+        oauth_uid = "sub-uuid-9999"
+        result = self.env["res.users"]._oauth_link_user_by_email(
+            self.provider.id, oauth_uid, "oauth.test@example.com", "token-abc"
+        )
+        self.assertEqual(result, self.test_user)
+        self.assertEqual(self.test_user.oauth_uid, oauth_uid)
+        self.assertEqual(self.test_user.oauth_provider_id, self.provider)
+        self.assertEqual(self.test_user.oauth_access_token, "token-abc")
+
+    def test_link_user_by_email_no_user_returns_none(self):
+        """Returns None without raising when no user matches the email."""
+        result = self.env["res.users"]._oauth_link_user_by_email(
+            self.provider.id, "sub-x", "unknown@example.com", "token"
+        )
+        self.assertIsNone(result)
+
+    def test_link_user_by_email_inactive_user_returns_none(self):
+        """Inactive users are excluded by the default active_test context."""
+        self.test_user.active = False
+        result = self.env["res.users"]._oauth_link_user_by_email(
+            self.provider.id, "sub-x", "oauth.test@example.com", "token"
+        )
+        self.assertIsNone(result)
+
+    def test_signin_links_and_returns_login_when_enabled(self):
+        """The user is linked on first login."""
+        login = self.env["res.users"]._auth_oauth_signin(
+            self.provider.id,
+            self._make_validation(user_id="sub-first-login"),
+            self._make_params(),
+        )
+        self.assertEqual(login, self.test_user.login)
+        self.assertEqual(self.test_user.oauth_uid, "sub-first-login")
+
+    def test_signin_subsequent_login_uses_oauth_uid(self):
+        """After the first link, subsequent logins resolve via oauth_uid directly."""
+        self.test_user.write(
+            {
+                "oauth_provider_id": self.provider.id,
+                "oauth_uid": "sub-already-set",
+            }
+        )
+        login = self.env["res.users"]._auth_oauth_signin(
+            self.provider.id,
+            self._make_validation(user_id="sub-already-set"),
+            self._make_params(),
+        )
+        self.assertEqual(login, self.test_user.login)
+
+    def test_signin_no_email_claim_falls_through(self):
+        """Without an email claim in the token, auto-link is skipped."""
+        ResUsers = self.env["res.users"].with_context(no_user_creation=True)
+        result = ResUsers._auth_oauth_signin(
+            self.provider.id,
+            {"user_id": "sub-no-email"},
+            self._make_params(),
+        )
+        self.assertIsNone(result)
+        self.assertFalse(self.test_user.oauth_uid)
+
+    def test_signin_unknown_email_falls_through(self):
+        """With an email not present in Odoo, auto-link is skipped."""
+        ResUsers = self.env["res.users"].with_context(no_user_creation=True)
+        result = ResUsers._auth_oauth_signin(
+            self.provider.id,
+            self._make_validation(email="nobody@example.com"),
+            self._make_params(),
+        )
+        self.assertIsNone(result)
+        self.assertFalse(self.test_user.oauth_uid)
+
+    @mute_logger("odoo.sql_db")
+    def test_signin_inactive_user_not_linked(self):
+        """An inactive user is not linked → AccessDenied."""
+        self.test_user.active = False
+        with self.assertRaises(AccessDenied):
+            self.env["res.users"]._auth_oauth_signin(
+                self.provider.id,
+                self._make_validation(),
+                self._make_params(),
+            )