diff --git a/src/Squidex.Domain.Users/UserManagerExtensions.cs b/src/Squidex.Domain.Users/UserManagerExtensions.cs
index 0314c9d00..8fa0115a5 100644
--- a/src/Squidex.Domain.Users/UserManagerExtensions.cs
+++ b/src/Squidex.Domain.Users/UserManagerExtensions.cs
@@ -65,6 +65,18 @@ namespace Squidex.Domain.Users
 return await userManager.ResolveUserAsync(user);
 }

+ public static async Task FindByLoginWithClaimsAsync(this UserManager userManager, string loginProvider, string providerKey)
+ {
+ if (loginProvider == null || providerKey == null)
+ {
+ return null;
+ }
+
+ var user = await userManager.FindByLoginAsync(loginProvider, providerKey);
+
+ return await userManager.ResolveUserAsync(user);
+ }
+
 public static Task CountByEmailAsync(this UserManager userManager, string email = null)
 {
 var count = QueryUsers(userManager, email).LongCount();
diff --git a/src/Squidex.Web/ClearCookiesAttribute.cs b/src/Squidex.Web/ClearCookiesAttribute.cs
new file mode 100644
index 000000000..cca7789f3
--- /dev/null
+++ b/src/Squidex.Web/ClearCookiesAttribute.cs
@@ -0,0 +1,24 @@
+// ==========================================================================
+// Squidex Headless CMS
+// ==========================================================================
+// Copyright (c) Squidex UG (haftungsbeschränkt)
+// All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using Microsoft.AspNetCore.Mvc.Filters;
+
+namespace Squidex.Web
+{
+ public sealed class ClearCookiesAttribute : ActionFilterAttribute
+ {
+ public override void OnActionExecuting(ActionExecutingContext context)
+ {
+ var cookies = context.HttpContext.Response.Cookies;
+
+ foreach (var cookie in context.HttpContext.Request.Cookies.Keys)
+ {
+ cookies.Delete(cookie);
+ }
+ }
+ }
+}
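Review bot: FindByLoginWithClaimsAsync can return null in two ways and neither is documented: the explicit guard returns null for a missing loginProvider or providerKey, and FindByLoginAsync yields null when no account is linked to the external login, which is then passed straight into ResolveUserAsync (its null handling is not visible in this hunk). A `/// <summary>` stating that null means "no user linked to this external login" would make the contract explicit. The new caller in AccountController assigns the result to `user` in its `isLoggedIn` branch, and the code that consumes `user` lies outside that hunk, so confirm it checks for null before continuing the sign-in.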
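Review bot: OnActionExecuting expires every cookie name the browser sent, not only the ones this application issued, and it does so with the default options of `cookies.Delete(cookie)`. A cookie that was set with a non-default Path or Domain is not removed by that call, so a stale authentication cookie scoped that way would survive, while unrelated cookies on the same host (antiforgery tokens, another application's state) are dropped. Restricting the loop to the names the app owns, or passing matching `CookieOptions` to `Delete`, would narrow the effect, and a class comment stating which cookies are meant to be cleared would make the intent reviewable.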
diff --git a/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs b/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
index bb95b1cdf..0ced5abe7 100644
--- a/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
+++ b/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
@@ -26,6 +26,7 @@ using Squidex.Infrastructure.Tasks;
 using Squidex.Shared;
 using Squidex.Shared.Identity;
 using Squidex.Shared.Users;
+using Squidex.Web;

 namespace Squidex.Areas.IdentityServer.Controllers.Account
 {
@@ -164,6 +165,7 @@ namespace Squidex.Areas.IdentityServer.Controllers.Account

 [HttpGet]
 [Route("account/login/")]
+ [ClearCookies]
 public Task Login(string returnUrl = null)
 {
 return LoginViewAsync(returnUrl, true, false);
@@ -242,7 +244,11 @@ namespace Squidex.Areas.IdentityServer.Controllers.Account

 UserWithClaims user = null;

- if (!isLoggedIn)
+ if (isLoggedIn)
+ {
+ user = await userManager.FindByLoginWithClaimsAsync(externalLogin.LoginProvider, externalLogin.ProviderKey);
+ }
+ else
 {
 var email = externalLogin.Principal.FindFirst(ClaimTypes.Email).Value;

diff --git a/src/Squidex/Areas/IdentityServer/Controllers/Error/ErrorController.cs b/src/Squidex/Areas/IdentityServer/Controllers/Error/ErrorController.cs
index 7ada38154..527dd12dd 100644
--- a/src/Squidex/Areas/IdentityServer/Controllers/Error/ErrorController.cs
+++ b/src/Squidex/Areas/IdentityServer/Controllers/Error/ErrorController.cs
@@ -9,6 +9,7 @@ using System.Threading.Tasks;
 using IdentityServer4.Models;
 using IdentityServer4.Services;
 using Microsoft.AspNetCore.Diagnostics;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Squidex.Infrastructure;

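Review bot: `[ClearCookies]` makes the `[HttpGet]` Login action state-changing: any request for account/login/ that carries the user's cookies now ends the session, and the same holds for the unconditional `await signInManager.SignOutAsync();` added to ErrorController.Error. Because a GET can be triggered by a plain link from another site, either endpoint allows a forced sign-out, and a second tab opening the login page would presumably also discard the cookies of an external sign-in still in progress. If the reset is intentional, record it next to the attribute, for example `// Reset session state on every visit to the login page; a forced sign-out is accepted here.`; otherwise limit the clearing to the application's own authentication cookie.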
@@ -17,15 +18,19 @@ namespace Squidex.Areas.IdentityServer.Controllers.Error
 public sealed class ErrorController : IdentityServerController
 {
 private readonly IIdentityServerInteractionService interaction;
+ private readonly SignInManager signInManager;

- public ErrorController(IIdentityServerInteractionService interaction)
+ public ErrorController(IIdentityServerInteractionService interaction, SignInManager signInManager)
 {
 this.interaction = interaction;
+ this.signInManager = signInManager;
 }

 [Route("error/")]
 public async Task Error(string errorId = null)
 {
+ await signInManager.SignOutAsync();
+
 var vm = new ErrorViewModel();

 if (!string.IsNullOrWhiteSpace(errorId))
diff --git a/src/Squidex/Config/Authentication/AuthenticationServices.cs b/src/Squidex/Config/Authentication/AuthenticationServices.cs
index 72f0edfb4..c086282f9 100644
--- a/src/Squidex/Config/Authentication/AuthenticationServices.cs
+++ b/src/Squidex/Config/Authentication/AuthenticationServices.cs
@@ -5,6 +5,7 @@
 // All rights reserved. Licensed under the MIT license.
 // ==========================================================================

+using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;

@@ -17,12 +18,22 @@ namespace Squidex.Config.Authentication
 var identityOptions = config.GetSection("identity").Get();

 services.AddAuthentication()
+ .AddMyCookie()
 .AddMyExternalGithubAuthentication(identityOptions)
 .AddMyExternalGoogleAuthentication(identityOptions)
 .AddMyExternalMicrosoftAuthentication(identityOptions)
 .AddMyExternalOdic(identityOptions)
- .AddMyIdentityServerAuthentication(identityOptions, config)
- .AddCookie();
+ .AddMyIdentityServerAuthentication(identityOptions, config);
+ }
+
+ public static AuthenticationBuilder AddMyCookie(this AuthenticationBuilder builder)
+ {
+ builder.Services.ConfigureApplicationCookie(options =>
+ {
+ options.Cookie.Name = ".sq.auth";
+ });
+
+ return builder.AddCookie();
 }
 }
 }
diff --git a/src/Squidex/Config/Authentication/OidcServices.cs b/src/Squidex/Config/Authentication/OidcServices.cs
index aa51516ac..de3eebe6a 100644
--- a/src/Squidex/Config/Authentication/OidcServices.cs
+++ b/src/Squidex/Config/Authentication/OidcServices.cs
@@ -26,6 +26,7 @@ namespace Squidex.Config.Authentication
 options.ClientId = identityOptions.OidcClient;
 options.ClientSecret = identityOptions.OidcSecret;
 options.Scope.Add(Constants.EmailScope);
+ options.Scope.Add(Constants.PermissionsScope);
 options.RequireHttpsMetadata = false;
 });
 }
diff --git a/src/Squidex/Config/Logging.cs b/src/Squidex/Config/Logging.cs
index ca61f4a2a..cd22277af 100644
--- a/src/Squidex/Config/Logging.cs
+++ b/src/Squidex/Config/Logging.cs
@@ -38,6 +38,8 @@ namespace Squidex.Config
 return level >= LogLevel.Warning;
 }

+ return true;
+
 if (category.StartsWith("Microsoft.AspNetCore.", StringComparison.OrdinalIgnoreCase))
 {
 return level > LogLevel.Information;
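Review bot: AddMyCookie renames only the ASP.NET Core Identity application cookie: `ConfigureApplicationCookie` targets the Identity application scheme, while the `builder.AddCookie()` it returns registers the separate default cookie scheme, whose cookie name stays at its default. A short comment on the method, such as `// Renames the Identity application cookie; the scheme added by AddCookie() keeps its default name.`, would keep a reader from assuming both are covered. Since this is the one place the cookie is configured, it is also worth setting `Cookie.SecurePolicy` and `Cookie.SameSite` explicitly here instead of relying on framework defaults.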
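Review bot: `options.Scope.Add(Constants.PermissionsScope);` is added unconditionally, so every configured external OIDC provider is now asked for permission-related claims; if those claims feed Squidex authorization (not visible in this hunk), the external provider becomes a source of privileges. That raises the cost of the unchanged `options.RequireHttpsMetadata = false;` on the next line, which permits the discovery metadata, including signing keys, to be fetched over plain HTTP. Consider making the scope opt-in through configuration and defaulting RequireHttpsMetadata to true outside development. The enclosing method starts outside the hunk.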
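Review bot: The added `return true;` sits ahead of the `category.StartsWith("Microsoft.AspNetCore.", ...)` check, so that check and everything after it in the filter can no longer run, and every category that reaches this point is logged at every level. This looks like a debugging leftover: it defeats the noise filter for framework categories, and verbose framework logs during sign-in flows are more likely to capture request details that should not reach log storage. Remove the two added lines, or gate them behind a configuration switch. The enclosing method begins and ends outside the hunk.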