diff --git a/dashboard/src/js/setupaccount.js b/dashboard/src/js/setupaccount.js
index 65ecd34a2..5e22e3a10 100644
--- a/dashboard/src/js/setupaccount.js
+++ b/dashboard/src/js/setupaccount.js
@@ -71,6 +71,7 @@ app.controller('SetupAccountController', ['$scope', '$translate', '$http', funct
$scope.error = null;
$scope.view = 'setup';
$scope.branding = null;
+ $scope.dashboardUrl = '';
$scope.profileLocked = !!search.profileLocked;
$scope.existingUsername = !!search.username;
@@ -122,8 +123,10 @@ app.controller('SetupAccountController', ['$scope', '$translate', '$http', funct
$http.post(API_ORIGIN + '/api/v1/auth/setup_account', data).success(function (data, status) {
if (status !== 201) return error(data, status);
- // set token to autologin
- localStorage.token = data.accessToken;
+ // set token to autologin on first oauth flow
+ localStorage.cloudronFirstTimeToken = data.accessToken;
+
+ $scope.dashboardUrl = '/openid/auth?client_id=cid-webadmin&scope=openid email profile&response_type=code token&redirect_uri=' + window.location.origin + '/authcallback.html';
$scope.view = 'done';
}).error(error);
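Review bot: The authorization URL assigned to `$scope.dashboardUrl` is built by plain concatenation, with raw spaces in `scope` and `response_type` and an unencoded `redirect_uri`, so a correct query string depends on the browser normalising it. Encode each value, for example `'&redirect_uri=' + encodeURIComponent(window.location.origin + '/authcallback.html')`, and do the same for `'openid email profile'` and `'code token'`. Separately, `localStorage.cloudronFirstTimeToken` holds a live access token that any script on the origin can read. The login.ejs hunk reads it, but none of its visible lines clears it, so confirm the login page calls `localStorage.removeItem('cloudronFirstTimeToken')` once the auto login has been attempted. The enclosing controller function starts and ends outside this hunk.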
diff --git a/dashboard/src/setupaccount.html b/dashboard/src/setupaccount.html
index 13a0adb26..8537983c2 100644
--- a/dashboard/src/setupaccount.html
+++ b/dashboard/src/setupaccount.html
@@ -147,7 +147,7 @@
{{ 'setupAccount.success.title' | tr }}
- {{ 'setupAccount.success.openDashboardAction' | tr }}
+ {{ 'setupAccount.success.openDashboardAction' | tr }}
diff --git a/src/oidc.js b/src/oidc.js
index f22554cdf..7840c6bee 100644
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -519,10 +519,10 @@ function interactionLogin(provider) {
debug(`interactionLogin: for OpenID client ${clientId} from ${ip}`);
// This is the auto login via token hack
- if (req.body.token) {
- if (typeof req.body.token !== 'string') return next(new HttpError(400, 'token must be string if provided'));
+ if (req.body.autoLoginToken) {
+ if (typeof req.body.autoLoginToken !== 'string') return next(new HttpError(400, 'autoLoginToken must be string if provided'));
- const token = await tokens.getByAccessToken(req.body.token);
+ const token = await tokens.getByAccessToken(req.body.autoLoginToken);
if (!token) return next(new HttpError(401, 'No such token'));
const user = await users.get(token.identifier);
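Review bot: The `autoLoginToken` branch accepts whatever `tokens.getByAccessToken()` returns, so as far as this hunk shows, any valid access token can be exchanged for an interactive OpenID login, not only the one issued by `setup_account`. Unless the lines after the hunk already do so, check the token's client or type and its expiry before `users.get(token.identifier)`, and invalidate the token once it is consumed so that it is single-use. Replacing the "hack" comment with something like `// autoLoginToken: first-login token issued by setup_account, accepted once` would record the intended constraint. The body of `interactionLogin` starts before and continues after this hunk.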
diff --git a/src/oidc_templates/login.ejs b/src/oidc_templates/login.ejs
index 32cf01852..9c42fc43e 100644
--- a/src/oidc_templates/login.ejs
+++ b/src/oidc_templates/login.ejs
@@ -149,16 +149,15 @@ document.getElementById('loginForm').addEventListener('submit', function (event)
});
});
-const token = location.search.slice(1);
-if (token) {
- console.log('got token do auto login', token);
-
+// placed in local storage by setupaccount.js
+const autoLoginToken = localStorage.cloudronFirstTimeToken;
+if (autoLoginToken) {
const apiUrl = '<%= submitUrl %>';
let res;
fetch(apiUrl, {
method: 'POST',
- body: JSON.stringify({ token: token }),
+ body: JSON.stringify({ autoLoginToken }),
headers: { 'Content-type': 'application/json; charset=UTF-8' }
}).then(function (response) {
res = response;