diff --git a/lib/private/legacy/OC_User.php b/lib/private/legacy/OC_User.php
index f955c5c6938aa..30aab34aae463 100644
--- a/lib/private/legacy/OC_User.php
+++ b/lib/private/legacy/OC_User.php
@@ -172,7 +172,9 @@ public static function loginWithApache(\OCP\Authentication\IApacheBackend $backe
 				$userSession = \OC::$server->getUserSession();
 				$userSession->setLoginName($uid);
 				$request = OC::$server->getRequest();
-				$userSession->createSessionToken($request, $uid, $uid);
+				$secret = $backend->getCurrentUserSecret();
+				$userSession->createSessionToken($request, $uid, $uid, $secret);
+				$pw = $secret === null ? '' : $secret;
 				// setup the filesystem
 				OC_Util::setupFS($uid);
 				// first call the post_login hooks, the login-process needs to be
@@ -184,7 +186,7 @@ public static function loginWithApache(\OCP\Authentication\IApacheBackend $backe
 					'post_login',
 					[
 						'uid' => $uid,
-						'password' => '',
+						'password' => $pw,
 						'isTokenLogin' => false,
 					]
 				);
diff --git a/lib/public/Authentication/IApacheBackend.php b/lib/public/Authentication/IApacheBackend.php
index 4528bef347919..68e274034b4e7 100644
--- a/lib/public/Authentication/IApacheBackend.php
+++ b/lib/public/Authentication/IApacheBackend.php
@@ -56,4 +56,12 @@ public function getLogoutUrl();
 	 * @since 6.0.0
 	 */
 	public function getCurrentUserId();
+
+	/**
+	 * Optionally returns a stable per-user secret. This secret is for
+	 * instance used to secure file encryption keys.
+	 * @return string|null
+	 * @since 21.0.0
+	 */
+	public function getCurrentUserSecret();
 }