diff --git a/start.sh b/start.sh
index a93a3dd..55ac6a3 100755
--- a/start.sh
+++ b/start.sh
@@ -15,17 +15,6 @@ setup_oidc_source() {
 "REPLACE INTO login_source (id, type, name, is_active, cfg, created_unix, updated_unix) VALUES (1,6,'cloudron', 1,'{\"Provider\":\"openidConnect\",\"ClientID\":\"${CLOUDRON_OIDC_CLIENT_ID}\",\"ClientSecret\":\"${CLOUDRON_OIDC_CLIENT_SECRET}\",\"OpenIDConnectAutoDiscoveryURL\":\"${CLOUDRON_OIDC_ISSUER}/.well-known/openid-configuration\",\"CustomURLMapping\":null,\"IconURL\":\"\",\"Scopes\":[\"openid email profile\"],\"RequiredClaimName\":\"\",\"RequiredClaimValue\":\"\",\"GroupClaimName\":\"\",\"AdminGroup\":\"\",\"GroupTeamMap\":\"\",\"GroupTeamMapRemoval\":false,\"RestrictedGroup\":\"\"}','${now}','${now}')"
 }
-setup_root_user() {
- set -eu
-
- if sudo -H -u git /home/git/gitea/gitea admin user create --username root --password changeme --email admin@cloudron.local --admin -c /run/gitea/app.ini; then
- echo "==> root user added"
- else
- echo "==> Failed to add root user"
- exit 1
- fi
-}
-
 setup_auth() {
 set -eu
@@ -45,7 +34,12 @@ setup_auth() {
 # be careful, not to create root user for existing LDAP based installs
 if [[ "${user_count}" == "0" ]]; then
 echo "==> Setting up root user for first run"
- setup_root_user
+ if sudo -H -u git /home/git/gitea/gitea admin user create --username root --password changeme --email admin@cloudron.local --admin -c /run/gitea/app.ini; then
+ echo "==> root user added"
+ else
+ echo "==> Failed to add root user"
+ exit 1
+ fi
 fi
 }
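Review bot: The inlined root-user creation in the second hunk still passes a fixed, well-known password (`--password changeme`) on the command line, where it is visible in local process listings for the duration of the call and remains valid until someone changes it; the commit moves this code without addressing it. Gitea's `admin user create` accepts `--random-password` and `--must-change-password`, so the first-run path could use e.g. `--random-password --must-change-password` and print the generated value once to the log instead of baking in a default. If the package deliberately documents this fixed credential for first login, a comment next to the call saying so would stop the next reviewer from raising it again. The enclosing setup_auth function starts before this hunk, and the user_count used in the guard is computed there.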
@@ -124,7 +118,12 @@ echo "==> Creating dirs and changing permissions"
 mkdir -p /app/data/repository /app/data/ssh /app/data/custom /app/data/gnupg
 chown -R git:git /app/data /run/gitea
-# this expects app.ini to be available
-( setup_auth ) &
+# OIDC creds are read from the db at gitea startup, so if migrations have already
+# run (i.e. the user table exists), refresh the OIDC source synchronously now.
+if mysql -u"${CLOUDRON_MYSQL_USERNAME}" -p"${CLOUDRON_MYSQL_PASSWORD}" -h"${CLOUDRON_MYSQL_HOST}" -P"${CLOUDRON_MYSQL_PORT}" --database="${CLOUDRON_MYSQL_DATABASE}" -N -B -e "SELECT count(*) FROM user" >/dev/null 2>&1; then
+ [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]] && setup_oidc_source
+else
+ ( setup_auth ) &
+fi
 exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i Gitea
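Review bot: The `>/dev/null 2>&1` on the mysql probe makes a failed connection (host unreachable, wrong credentials, database not yet created) indistinguishable from "the user table does not exist", so a transient DB error on an existing install silently skips the OIDC refresh and takes the first-run branch instead. A probe that succeeds with an empty result when the table is absent keeps the two cases apart, e.g. `-e "SELECT 1 FROM information_schema.TABLES WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME='user'"`, with a non-zero exit then reported as an error rather than swallowed. Passing `-p"${CLOUDRON_MYSQL_PASSWORD}"` on the command line also exposes the password in process listings while the query runs; `MYSQL_PWD` in the environment or a `--defaults-extra-file` avoids that, and the same likely applies to setup_oidc_source outside this hunk if it uses the same pattern. Finally, `[[ -n ... ]] && setup_oidc_source` as the sole body of the branch returns status 1 when the issuer is unset; `if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then setup_oidc_source; fi` reads as the intended conditional and avoids errexit surprises if the script runs under `set -e`.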