diff --git a/services/grafana/default.nix b/services/grafana/default.nix
index 20439a6..a59afb8 100644
--- a/services/grafana/default.nix
+++ b/services/grafana/default.nix
@@ -19,11 +19,17 @@ in
 };
 };
 config = lib.mkIf cfg.enable {
- age.secrets.grafana-db = {
- file = ./secrets/grafana-db.age;
- owner = "grafana";
+ age.secrets ={
+ grafana-db = {
+ file = ./secrets/grafana-db.age;
+ owner = "grafana";
+ };
+ grafana-oauth_secret = {
+ file = ./secrets/grafana-oauth_secret.age;
+ owner = "grafana";
+ };
+ kuma-token.file = ./secrets/kuma-token.age;
 };
- age.secrets.kuma-token.file = ./secrets/kuma-token.age;
 services.rsyslogd = {
 enable = true;
 extraConfig = ''
@@ -37,10 +43,10 @@ in
 module(load="imtcp")
 input(type="imtcp" port="514" ruleset="remote")
 '';
- };
+ };
 services.influxdb2 = {
 enable = true;
- };
+ };
 services.grafana = {
 enable = true;
 settings = {
@@ -59,6 +65,19 @@ in
 user = "grafana";
 password = "\$__file{${config.age.secrets.grafana-db.path}}";
 };
+ "auth.generic_oauth" = {
+ enabled = true;
+ name = "authentik";
+ allow_sign_up = true;
+ client_id = "WYrvCg9SYRPxHFZ7ag4oxlPRBNFUSC5M4uPZQMIqi";
+ client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
+ scopes = [ "openid" "email" "profile" ];
+ auth_url = "https://auth.omero-fbi.fr/application/o/authorize/";
+ token_url = "https://auth.omero-fbi.fr/application/o/token/";
+ api_url = "https://auth.omero-fbi.fr/application/o/userinfo/";
+ role_attribute_path = "contains(groups, 'project_admins') && 'Admin' || contains(groups, 'project_agent') && 'Editor' || 'Viewer';role_attribute_strict = false";
+ allow_assign_grafana_admin = true;
+ };
 };
 };
 services.prometheus = {
diff --git a/services/grafana/secrets/grafana-oauth_secret.age b/services/grafana/secrets/grafana-oauth_secret.age
new file mode 100644
index 0000000..25e5f6b
--- /dev/null
+++ b/services/grafana/secrets/grafana-oauth_secret.age
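Review bot: `age.secrets ={` on the first added line of the restructured block is missing the space before the brace; `age.secrets = {` matches every other attribute assignment in the hunk. The merge of the two previous `age.secrets.*` assignments into one set is otherwise behaviour-preserving, with `kuma-token` keeping only `file` (no `owner`) exactly as before. The enclosing `config = lib.mkIf cfg.enable {` attribute set continues past the end of the hunk.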
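Review bot: The `role_attribute_path` line in the `"auth.generic_oauth"` block fuses a second option into the string literal: the closing quote comes after `role_attribute_strict = false`, so Grafana is handed `... || 'Viewer';role_attribute_strict = false` as the JMESPath expression (the `;` suffix is not valid JMESPath, so the mapping will most likely fail to evaluate and every user falls back to the default role) and the `role_attribute_strict` option is never set at all. Split it into two attributes: `role_attribute_path = "contains(groups, 'project_admins') && 'Admin' || contains(groups, 'project_agent') && 'Editor' || 'Viewer'";` and `role_attribute_strict = false;`. Separately, `allow_assign_grafana_admin = true` enables nothing this mapping can produce (the expression only yields Admin, Editor or Viewer) while widening what a mis-mapped group claim could obtain, so drop it unless a 'GrafanaAdmin' branch is intended; and with `allow_sign_up = true` every account the IdP authenticates is auto-provisioned, which deserves a comment such as `# any authentik account is provisioned; role comes from group mapping, Viewer by default` if that is deliberate. The enclosing `settings` attribute set starts and ends outside the hunk.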
@@ -0,0 +1 @@
+S0VJw2OdQPMPNaKwoIS86tm8sGyTOZzauK7h6AhNfeYJiLUtVJgOcIhydxHtBqVPwNE2WagYHEaDjGnS2sJjWMzZNbm1ZjOuorYYRQhpR0w33lAfu4bsU9Lof2JjSvtP