diff --git a/roles/web-app-openwebui/config/main.yml b/roles/web-app-openwebui/config/main.yml
index 7be7c365..74d2b037 100644
--- a/roles/web-app-openwebui/config/main.yml
+++ b/roles/web-app-openwebui/config/main.yml
@@ -6,6 +6,7 @@ features:
 logout: true
 javascript: false
 local_ai: true
+ oidc: true
 server:
 domains:
 canonical:
diff --git a/roles/web-app-openwebui/schema/main.yml b/roles/web-app-openwebui/schema/main.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/roles/web-app-openwebui/templates/env.j2 b/roles/web-app-openwebui/templates/env.j2
index 24d9a6bb..d801eeac 100644
--- a/roles/web-app-openwebui/templates/env.j2
+++ b/roles/web-app-openwebui/templates/env.j2
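Review bot: `oidc: true` switches the new OIDC block in env.j2 on for every deployment of this role, and that block sets `ENABLE_OAUTH_SIGNUP=true`, so the shipped default becomes "any account at the IdP can self-register in Open WebUI". If that is the project-wide convention for `features.oidc`, fine; otherwise consider defaulting to `oidc: false` here and letting inventories opt in. Either way a one-line comment above the key would help the next reader, e.g. `# Enables OIDC login in env.j2; requires the global OIDC.CLIENT.* values`. The `features:` mapping starts before the hunk, so I cannot see whether sibling flags carry such comments.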
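Review bot: The new schema/main.yml is added empty (blob e69de29b is git's empty-blob hash), so it declares nothing. If this project uses a role's schema/main.yml to declare required variables or credentials, the `OIDC.CLIENT.SECRET` that env.j2 now consumes is not covered, and the file should at least name what is expected; if it is only a placeholder required by the role layout, a comment such as `# No role-specific schema; OIDC client settings come from the global OIDC variable` would spare the next reader the guess. I cannot tell from the diff which of the two applies.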
@@ -1,5 +1,49 @@
-# Open WebUI
+# Documentation: https://docs.openwebui.com/getting-started/env-configuration/
+
+# =========================
+# Open WebUI Base Settings
+# =========================
 OLLAMA_BASE_URL={{ OLLAMA_BASE_LOCAL_URL }}
 OFFLINE_MODE={{ OPENWEBUI_OFFLINE_MODE | ternary(1, 0) }}
 HF_HUB_OFFLINE={{ OPENWEBUI_HF_HUB_OFFLINE | ternary(1, 0) }}
-ENABLE_PERSISTENT_CONFIG=False
+ENABLE_PERSISTENT_CONFIG=false
+
+{% if OPENWEBUI_OIDC_ENABLED %}
+# =========================
+# OIDC / OAuth2 Settings
+# =========================
+# Enable sign-up/login via OIDC provider
+ENABLE_OAUTH_SIGNUP=true
+
+# Client credentials (must match Keycloak client)
+OAUTH_CLIENT_ID={{ OIDC.CLIENT.ID }}
+OAUTH_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
+
+# Well-known configuration URL from Keycloak
+OPENID_PROVIDER_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}
+
+# Redirect URI (must match what is configured in Keycloak client)
+OPENID_REDIRECT_URI={{ (domains | get_url(application_id, WEB_PROTOCOL)) ~ '/oauth/oidc/callback' }}
+
+# Display name of the provider in the login button
+OAUTH_PROVIDER_NAME={{ OIDC.BUTTON_TEXT }}
+
+# Scopes to request (openid is required; email/profile recommended)
+OAUTH_SCOPES=openid email profile
+
+# =========================
+# Optional: Role Management
+# =========================
+# Enable automatic role mapping from token claims
+# ENABLE_OAUTH_ROLE_MANAGEMENT=true
+# OAUTH_ROLES_CLAIM=roles
+# OAUTH_ALLOWED_ROLES=user
+# OAUTH_ADMIN_ROLES=admin
+
+# =========================
+# Optional: Group Management
+# =========================
+# ENABLE_OAUTH_GROUP_MANAGEMENT=true
+# ENABLE_OAUTH_GROUP_CREATION=false
+# OAUTH_GROUP_CLAIM={{ RBAC.GROUP.CLAIM }}
+{% endif %}
\ No newline at end of file
diff --git a/roles/web-app-openwebui/vars/main.yml b/roles/web-app-openwebui/vars/main.yml
index 975fa8a0..8f2036c4 100644
--- a/roles/web-app-openwebui/vars/main.yml
+++ b/roles/web-app-openwebui/vars/main.yml
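Review bot: With `ENABLE_OAUTH_SIGNUP=true` set unconditionally and the whole role-management block left commented out, every account that can authenticate at the IdP gets an Open WebUI account on first login with whatever default role the app assigns; if the Keycloak realm also serves other applications, that is broader than "users of this app". Gate sign-up on a claim by activating the first three role lines, `ENABLE_OAUTH_ROLE_MANAGEMENT=true`, `OAUTH_ROLES_CLAIM=roles` and `OAUTH_ALLOWED_ROLES=user`, together with a matching client role mapper in Keycloak (outside this diff), or say in the section comment that open self-registration for all realm users is intended. Leave `OAUTH_MERGE_ACCOUNTS_BY_EMAIL` at its default (off): the linked docs flag merging accounts by an email the provider may not have verified as an account-takeover risk, and nothing here should re-enable it. The rendered file now also holds `OAUTH_CLIENT_SECRET`; the task that writes it is not in this diff, so confirm it sets a restrictive mode (0600) and that no debug step prints the file.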
@@ -15,3 +15,4 @@ OPENWEBUI_OFFLINE_MODE: "{{ applications | get_app_conf(applicatio
 OPENWEBUI_HF_HUB_OFFLINE: "{{ applications | get_app_conf(application_id, 'docker.services.openwebui.hf_hub_offline') }}"
 OPENWEBUI_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.openwebui') }}"
 OPENWEBUI_PORT_PUBLIC: "{{ ports.localhost.http[application_id] }}"
+OPENWEBUI_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
\ No newline at end of file
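Review bot: `OPENWEBUI_OIDC_ENABLED` is a quoted Jinja expression, so what reaches env.j2 is whatever the templater hands back: a native bool only when Ansible's result conversion applies, otherwise the string `"False"`, which is truthy in `{% if OPENWEBUI_OIDC_ENABLED %}` and would render the whole OIDC block, client secret included, on a host that has the feature switched off. Coerce explicitly at one end or both: `OPENWEBUI_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') | bool }}"` here, and/or `{% if OPENWEBUI_OIDC_ENABLED | bool %}` in the template. I cannot see what `get_app_conf` returns or where the global `OIDC` variable that env.j2 dereferences is defined, so treat this as a defensive change rather than a confirmed bug; the vars file also still ends without a newline, which this hunk keeps.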