diff --git a/server/bundles/io.cloudbeaver.model/src/io/cloudbeaver/model/session/WebSessionAuthProcessor.java b/server/bundles/io.cloudbeaver.model/src/io/cloudbeaver/model/session/WebSessionAuthProcessor.java
index e94167c33d..d08768b66f 100644
--- a/server/bundles/io.cloudbeaver.model/src/io/cloudbeaver/model/session/WebSessionAuthProcessor.java
+++ b/server/bundles/io.cloudbeaver.model/src/io/cloudbeaver/model/session/WebSessionAuthProcessor.java
@@ -17,7 +17,6 @@
 package io.cloudbeaver.model.session;
-import io.cloudbeaver.DBWConstants;
 import io.cloudbeaver.DBWUserIdentity;
 import io.cloudbeaver.DBWebException;
 import io.cloudbeaver.auth.SMAuthProviderExternal;
@@ -38,7 +37,6 @@
 import java.time.OffsetDateTime;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -114,15 +112,6 @@ private List finishWebSessionAuthorization(SMAuthInfo authInfo) thr
 SMAuthProviderExternal authProviderExternal = authProviderInstance instanceof SMAuthProviderExternal ? (SMAuthProviderExternal) authProviderInstance : null;
- boolean providerDisabled = !isProviderEnabled(providerId);
- if (configMode || webSession.hasPermission(DBWConstants.PERMISSION_ADMIN)) {
- // 1. Admin can authorize in any providers
- // 2. When it authorizes in non-local provider for the first time we force linkUser flag
- if (providerDisabled && webSession.getUser() != null) {
- linkWithActiveUser = true;
- }
- }
-
 SMSession authSession;
 if (authProviderExternal != null && !configMode && !alreadyLoggedIn) {
diff --git a/server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/impl/WebServiceAuthImpl.java b/server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/impl/WebServiceAuthImpl.java
index 0fb04946ba..6496f65ec4 100644
--- a/server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/impl/WebServiceAuthImpl.java
+++ b/server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/impl/WebServiceAuthImpl.java
@@ -68,6 +68,11 @@ public WebAuthStatus authLogin(
 if (CommonUtils.isEmpty(providerId)) {
 throw new DBWebException("Missing auth provider parameter");
 }
+ WebAuthProviderDescriptor authProviderDescriptor = WebAuthProviderRegistry.getInstance()
+ .getAuthProvider(providerId);
+ if (authProviderDescriptor.isTrusted()) {
+ throw new DBWebException(authProviderDescriptor.getLabel() + " not allowed for authorization via GQL API");
+ }
 if (authParameters == null) {
 authParameters = Map.of();
 }
diff --git a/server/bundles/io.cloudbeaver.service.security/src/io/cloudbeaver/service/security/CBEmbeddedSecurityController.java b/server/bundles/io.cloudbeaver.service.security/src/io/cloudbeaver/service/security/CBEmbeddedSecurityController.java
index 8c9c332dd1..5e53e4c5df 100644
--- a/server/bundles/io.cloudbeaver.service.security/src/io/cloudbeaver/service/security/CBEmbeddedSecurityController.java
+++ b/server/bundles/io.cloudbeaver.service.security/src/io/cloudbeaver/service/security/CBEmbeddedSecurityController.java
@@ -1241,6 +1241,9 @@ private String createSmSession(
 @Override
 public SMAuthInfo authenticateAnonymousUser(@NotNull String appSessionId, @NotNull Map sessionParameters, @NotNull SMSessionType sessionType) throws DBException {
+ if (!application.getAppConfiguration().isAnonymousAccessEnabled()) {
+ throw new SMException("Anonymous access restricted");
+ }
 try (Connection dbCon = database.openConnection()) {
 try (JDBCTransaction txn = new JDBCTransaction(dbCon)) {
 var smSessionId = createSmSession(appSessionId, null, sessionParameters, sessionType, dbCon);
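Review bot: In `authLogin` (WebServiceAuthImpl.java), `authProviderDescriptor` is dereferenced by `isTrusted()` without a null check, although `providerId` is a request parameter that has only been checked for emptiness. If the registry returns null for an unregistered id (not visible in this diff, but usual for a lookup by id), the request fails with a NullPointerException instead of a `DBWebException`. A guard placed before the trusted check keeps the failure explicit: `if (authProviderDescriptor == null) { throw new DBWebException("Invalid auth provider '" + providerId + "'"); }`. The body of `authLogin` starts and ends outside the hunk.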
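Review bot: In `authenticateAnonymousUser` (CBEmbeddedSecurityController.java), the new guard rejects the request without leaving any record on the server, and the same holds for the disabled-provider guard added to `authenticate` in the hunk at -1276. Unless the caller logs every `SMException` (not visible here), an operator cannot see attempts against a login path that has been switched off. A line such as `log.warn("Anonymous session rejected: anonymous access is disabled");` before the throw would cover it; `log` is already used in `authenticate`. For the provider case, strip line breaks from the provider id before logging it, since the value comes from the client. Both method bodies continue outside their hunks.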
@@ -1276,6 +1279,9 @@ public SMAuthInfo authenticate(
 @Nullable String authProviderConfigurationId,
 @NotNull Map userCredentials
 ) throws DBException {
+ if (isProviderDisabled(authProviderId, authProviderConfigurationId)) {
+ throw new SMException("Unsupported authentication provider: " + authProviderId);
+ }
 var authProgressMonitor = new LoggingProgressMonitor(log);
 try (Connection dbCon = database.openConnection()) {
 try (JDBCTransaction txn = new JDBCTransaction(dbCon)) {
@@ -2726,9 +2732,17 @@ private String getUserIdOrNull() {
 return activeUserCredentials.getUserId();
 }
- private boolean isProviderEnabled(@NotNull String providerId) {
+ private boolean isProviderDisabled(@NotNull String providerId, @Nullable String authConfigurationId) {
 WebAuthConfiguration appConfiguration = application.getAuthConfiguration();
- return appConfiguration.isAuthProviderEnabled(providerId);
+ if (!appConfiguration.isAuthProviderEnabled(providerId)) {
+ return true;
+ }
+ if (authConfigurationId != null) {
+ SMAuthProviderCustomConfiguration configuration =
+ appConfiguration.getAuthProviderConfiguration(authConfigurationId);
+ return configuration == null || configuration.isDisabled();
+ }
+ return false;
 }
 public void clearOldAuthAttemptInfo() throws DBException {
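Review bot: `isProviderDisabled` looks the configuration up by `authConfigurationId` alone and never checks that it belongs to `providerId`, and it treats the provider as enabled whenever `authConfigurationId` is null. A provider id paired with another provider's configuration, or a missing configuration id for a provider whose configuration is disabled, therefore passes this check; whether `authenticate` rejects those cases later is not visible in the diff. Binding the two here would close the gap, for example `return configuration == null || configuration.isDisabled() || !providerId.equals(configuration.getProvider());`, assuming the configuration class exposes its provider id that way. A short Javadoc stating what a null `authConfigurationId` means would also help, since the method's sense is inverted relative to the removed `isProviderEnabled`.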