diff --git a/config/options.go b/config/options.go
index 57c0dd02e..1ebcdafce 100644
--- a/config/options.go
+++ b/config/options.go
@@ -841,6 +841,24 @@ func (o *Options) UseStatelessAuthenticateFlow() bool {
 return urlutil.IsHostedAuthenticateDomain(u.Hostname())
 }
 
+// SupportsUserRefresh returns true if the config options support refreshing of user sessions.
+func (o *Options) SupportsUserRefresh() bool {
+ if o == nil {
+ return false
+ }
+
+ if o.Provider == "" {
+ return false
+ }
+
+ u, err := o.GetInternalAuthenticateURL()
+ if err != nil {
+ return false
+ }
+
+ return !urlutil.IsHostedAuthenticateDomain(u.Hostname())
+}
+
 // GetAuthorizeURLs returns the AuthorizeURLs in the options or 127.0.0.1:5443.
 func (o *Options) GetAuthorizeURLs() ([]*url.URL, error) {
 if IsAll(o.Services) && o.AuthorizeURLString == "" && len(o.AuthorizeURLStrings) == 0 {
diff --git a/databroker/cache.go b/databroker/cache.go
index 1762e5108..79ab014d7 100644
--- a/databroker/cache.go
+++ b/databroker/cache.go
@@ -160,13 +160,15 @@ func (c *DataBroker) update(ctx context.Context, cfg *config.Config) error {
 manager.WithEventManager(c.eventsMgr),
 }
 
- if cfg.Options.Provider != "" {
+ if cfg.Options.SupportsUserRefresh() {
 authenticator, err := identity.NewAuthenticator(oauthOptions)
 if err != nil {
 log.Error(ctx).Err(err).Msg("databroker: failed to create authenticator")
 } else {
 options = append(options, manager.WithAuthenticator(authenticator))
 }
+ } else {
+ log.Info(ctx).Msg("databroker: disabling refresh of user sessions")
 }
 
 if c.manager == nil {
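Review bot: `SupportsUserRefresh` returns false when `o.GetInternalAuthenticateURL()` fails, so a malformed authenticate URL is indistinguishable from the deliberate hosted-authenticate case and callers cannot tell that refresh was lost to a configuration error. Since the method only returns a bool, the doc comment should at least state this, e.g. `// It returns false when no provider is set, when the internal authenticate URL cannot be determined, or when that URL is on the hosted authenticate domain.` It would also help to say why the hosted domain excludes refresh: the condition is the negation of the return in `UseStatelessAuthenticateFlow` visible at the top of the hunk, and the link between the two is not documented.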
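Review bot: The new `else` branch in `update` logs one message for three different causes (no provider, an authenticate URL error, or the hosted authenticate domain), and the pre-existing `NewAuthenticator` error branch also leaves the manager without an authenticator but is not reported as disabling refresh. Without refresh, sessions are presumably not re-checked against the identity provider until they expire, so operators need to see which case applies. Consider adding context such as `log.Info(ctx).Str("provider", cfg.Options.Provider).Msg("databroker: disabling refresh of user sessions")`. `update` begins and ends outside the hunk, so how often this line fires per configuration change cannot be judged from here.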