diff --git a/doc/soju.1.scd b/doc/soju.1.scd
index 5ebced0..02c7736 100644
--- a/doc/soju.1.scd
+++ b/doc/soju.1.scd
@@ -185,6 +185,9 @@ The following directives are supported:
 	This can be used together with _disable-inactive-user_ to seamlessly
 	disable and re-enable users during lengthy inactivity.
 
+	When external authentication is used (e.g. _auth oauth2_), bouncer users
+	are automatically created after successfull authentication.
+
 *auth* <driver> ...
 	Set the authentication method. By default, internal authentication is used.
 
diff --git a/downstream.go b/downstream.go
index d6983c6..3ba1968 100644
--- a/downstream.go
+++ b/downstream.go
@@ -1260,6 +1260,20 @@ func unmarshalUsername(rawUsername string) (username, client, network string) {
 
 func (dc *downstreamConn) setUser(username, clientName, networkName string) error {
 	dc.user = dc.srv.getUser(username)
+	if dc.user == nil && dc.user.srv.Config().EnableUsersOnAuth {
+		ctx := context.TODO()
+		if _, err := dc.user.srv.db.GetUser(ctx, username); err != nil {
+			// Can't find the user in the DB -- try to create it
+			record := database.User{
+				Username: username,
+				Enabled:  true,
+			}
+			dc.user, err = dc.user.srv.createUser(ctx, &record)
+			if err != nil {
+				return fmt.Errorf("failed to automatically create user %q after successful authentication: %v", username, err)
+			}
+		}
+	}
 	if dc.user == nil {
 		return fmt.Errorf("user exists in the DB but hasn't been loaded by the bouncer -- a restart may help")
 	}