diff --git a/deployment/values.yml b/deployment/values.yml
index 3665162..677a2a7 100644
--- a/deployment/values.yml
+++ b/deployment/values.yml
@@ -19,9 +19,28 @@ apiServer:
 secretKeyRef:
 name: dtrack-secrets
 key: db-password
+ - name: ALPINE_OIDC_ENABLED
+ value: "true"
+ - name: ALPINE_OIDC_CLIENT_ID
+ value: "dtrack"
+ - name: ALPINE_OIDC_ISSUER
+ value: "https://auth2.hottis.de/realms/hottis"
+ - name: ALPINE_OIDC_USERNAME_CLAIM
+ value: "preferred_username"
+ - name: ALPINE_OIDC_TEAMS_CLAIM
+ value: "roles"
+ - name: ALPINE_OIDC_USER_PROVISIONING
+ value: "true"
+ - name: ALPINE_OIDC_TEAM_SYNCHRONIZATION
+ value: "true"
 frontend:
 apiBaseUrl: https://dtrack-api.hottis.de
+ extraEnv:
+ - name: OIDC_ISSUER
+ value: "https://auth2.hottis.de/realms/hottis"
+ - name: OIDC_CLIENT_ID
+ value: "dtrack"
diff --git a/tools/token-test.sh b/tools/token-test.sh
new file mode 100755
index 0000000..2a46851
--- /dev/null
+++ b/tools/token-test.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+echo "If something fails, remember to enable 'Direct access grants' for the client"
+
+USER="..."
+PASSWORD="..."
+CLIENT_ID="..."
+
+ISSUER=https://auth2.hottis.de/realms/hottis
+TOKEN=`curl $ISSUER/protocol/openid-connect/token \
+ -d "scope=openid profile email" \
+ -d "client_id=$CLIENT_ID" \
+ -d "grant_type=password" \
+ -d "username=$USER" \
+ -d "password=$PASSWORD"`
+echo $TOKEN
+ACCESS_TOKEN=`echo $TOKEN | jq -r .access_token`
+echo $ACCESS_TOKEN
+
+echo "userinfo:"
+curl -v $ISSUER/protocol/openid-connect/userinfo \
+ -H "Authorization: Bearer $ACCESS_TOKEN"
+echo
+
+
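Review bot: `ALPINE_OIDC_USER_PROVISIONING` and `ALPINE_OIDC_TEAM_SYNCHRONIZATION` set to "true" together mean every realm user who can sign in gets a Dependency-Track account whose team membership is dictated by the IdP's `roles` claim, so whoever can assign roles in the `hottis` realm now controls Dependency-Track permissions; that is a deliberate trust decision worth stating in the file, e.g. `# Any realm user who can log in is auto-created; team membership follows the IdP "roles" claim — keep role assignment in the realm locked down.` above the `ALPINE_OIDC_USER_PROVISIONING` entry. `ALPINE_OIDC_TEAMS_CLAIM: "roles"` also presumes a top-level array claim literally named `roles` in the userinfo/ID token; Keycloak's default realm roles are nested under `realm_access.roles`, so confirm a protocol mapper exposes a flat `roles` claim, otherwise team sync will quietly map nobody to any team. The hunk header promises 19 added lines but only 18 are visible here, so the tail of this hunk appears to have been lost in extraction and could not be reviewed.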
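Review bot: The script passes the user's password on the curl command line (`-d "password=$PASSWORD"`), where every local user can read it from the process list, then prints the full token response with `echo $TOKEN`, which includes the refresh token, and its placeholder assignments invite real credentials to be filled in and committed. Take the credentials from the environment or a silent prompt, feed the password to curl on stdin with `--data-urlencode "password@-"`, and drop the `echo $TOKEN` line. Note that `USER` is normally already set by the login shell, so an empty-check on it would silently pick up the OS user name — a distinct name such as `OIDC_USER` avoids that. The `grant_type=password` flow requires "Direct access grants" on the client, as the banner says; if `dtrack` is the same client the frontend uses, enabling it lets anyone holding a user password mint tokens outside the browser flow, so a separate test-only client is safer.
```shell
#!/bin/bash
set -euo pipefail
# Credentials come from the environment or a silent prompt; nothing is hard-coded here.
: "${CLIENT_ID:?set CLIENT_ID}" "${OIDC_USER:?set OIDC_USER}"
[ -n "${PASSWORD:-}" ] || read -r -s -p "Password for $OIDC_USER: " PASSWORD
ISSUER=https://auth2.hottis.de/realms/hottis
# The password travels via stdin so it never appears in the process list.
TOKEN=$(printf '%s' "$PASSWORD" | curl -fsS "$ISSUER/protocol/openid-connect/token" \
  -d "scope=openid profile email" \
  -d "client_id=$CLIENT_ID" \
  -d "grant_type=password" \
  -d "username=$OIDC_USER" \
  --data-urlencode "password@-")
# Only the access token is needed below; the refresh token is never printed.
ACCESS_TOKEN=$(printf '%s' "$TOKEN" | jq -r .access_token)
# … unchanged: userinfo request …
```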