diff --git a/lib/private/legacy/OC_User.php b/lib/private/legacy/OC_User.php
index de066e143b405..668032526de18 100644
--- a/lib/private/legacy/OC_User.php
+++ b/lib/private/legacy/OC_User.php
@@ -40,6 +40,7 @@
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\ILogger;
 use OCP\IUserManager;
+use OCP\User\Events\BeforeUserLoggedInEvent;
 use OCP\User\Events\UserLoggedInEvent;
 
 /**
@@ -172,6 +173,10 @@ public static function loginWithApache(\OCP\Authentication\IApacheBackend $backe
 			if (self::getUser() !== $uid) {
 				self::setUserId($uid);
 				$userSession = \OC::$server->getUserSession();
+
+				/** @var IEventDispatcher $dispatcher */
+				$dispatcher = \OC::$server->get(IEventDispatcher::class);
+
 				if ($userSession->getUser() && !$userSession->getUser()->isEnabled()) {
 					$message = \OC::$server->getL10N('lib')->t('User disabled');
 					throw new LoginException($message);
@@ -182,6 +187,10 @@ public static function loginWithApache(\OCP\Authentication\IApacheBackend $backe
 				if ($backend instanceof \OCP\Authentication\IProvideUserSecretBackend) {
 					$password = $backend->getCurrentUserSecret();
 				}
+
+				/** @var IEventDispatcher $dispatcher */
+				$dispatcher->dispatchTyped(new BeforeUserLoggedInEvent($uid, $password, $backend));
+
 				$userSession->createSessionToken($request, $uid, $uid, $password);
 				$userSession->createRememberMeToken($userSession->getUser());
 				// setup the filesystem
@@ -199,8 +208,6 @@ public static function loginWithApache(\OCP\Authentication\IApacheBackend $backe
 						'isTokenLogin' => false,
 					]
 				);
-				/** @var IEventDispatcher $dispatcher */
-				$dispatcher = \OC::$server->get(IEventDispatcher::class);
 				$dispatcher->dispatchTyped(new UserLoggedInEvent(
 						\OC::$server->get(IUserManager::class)->get($uid),
 						$uid,
diff --git a/lib/public/User/Events/BeforeUserLoggedInEvent.php b/lib/public/User/Events/BeforeUserLoggedInEvent.php
index e39cd0f116d15..ccd3d4efb3ca7 100644
--- a/lib/public/User/Events/BeforeUserLoggedInEvent.php
+++ b/lib/public/User/Events/BeforeUserLoggedInEvent.php
@@ -24,8 +24,10 @@
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  *
  */
+
 namespace OCP\User\Events;
 
+use OCP\Authentication\IApacheBackend;
 use OCP\EventDispatcher\Event;
 
 /**
@@ -39,13 +41,18 @@ class BeforeUserLoggedInEvent extends Event {
 	/** @var string */
 	private $password;
 
+	/** @var IApacheBackend|null */
+	private $backend;
+
 	/**
 	 * @since 18.0.0
+	 * @since 26.0.0 password can be null
 	 */
-	public function __construct(string $username, string $password) {
+	public function __construct(string $username, ?string $password, ?IApacheBackend $backend = null) {
 		parent::__construct();
 		$this->username = $username;
 		$this->password = $password;
+		$this->backend = $backend;
 	}
 
 	/**
@@ -59,8 +66,19 @@ public function getUsername(): string {
 
 	/**
 	 * @since 18.0.0
+	 * @since 26.0.0 value can be null
 	 */
-	public function getPassword(): string {
+	public function getPassword(): ?string {
 		return $this->password;
 	}
+
+	/**
+	 * return backend if available (or null)
+	 *
+	 * @return IApacheBackend|null
+	 * @since 26.0.0
+	 */
+	public function getBackend(): ?IApacheBackend {
+		return $this->backend;
+	}
 }