diff --git a/.env.sample b/.env.sample
index bd1be81..e49be66 100644
--- a/.env.sample
+++ b/.env.sample
@@ -51,3 +51,9 @@ DEFAULT_QUOTA="10 GB"
 # OCC_CMDS="app:disable dashboard"
 # OCC_CMDS="$OCC_CMDS|config:app:set sociallogin auto_create_groups --value 1"
 # OCC_CMDS="$OCC_CMDS|config:app:set sociallogin hide_default_login --value 1"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+# AUTHENTIK_USER_PREFIX=authentik
+# AUTHENTIK_DOMAIN=authentik.example.com
+# AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1 # the same as in authentik
+# AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1 # the same as in authentik
diff --git a/abra.sh b/abra.sh
index 11569be..31c14cf 100644
--- a/abra.sh
+++ b/abra.sh
@@ -32,7 +32,7 @@ set_app_config(){
 APP=$1
 KEY=$2
 VALUE=$3
- run_occ "config:app:set $APP $KEY --value $VALUE"
+ run_occ "config:app:set $APP $KEY --value '$VALUE'"
 }

 install_bbb(){
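Review bot: The single quotes added around `$VALUE` in `set_app_config` look likely to break the existing caller `set_default_quota`, which passes the literal text `'"$DEFAULT_QUOTA"'` and seems to rely on a later shell expanding it; inside single quotes it would be stored unexpanded. `run_occ` is defined outside this hunk, so confirm how the string is evaluated, and if it is re-parsed by a shell pass the expanded value instead: `set_app_config files default_quota "$DEFAULT_QUOTA"`. The new quoting also ends at the first `'` inside a value, so a value containing one is split into extra shell words. Replacing each embedded `'` with `'\''` before interpolating would close that.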
@@ -52,3 +52,39 @@ install_onlyoffice(){
 set_default_quota(){
 set_app_config files default_quota '"$DEFAULT_QUOTA"'
 }
+
+set_authentik(){
+install_apps sociallogin
+AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
+AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
+set_app_config sociallogin custom_providers "
+{
+ \"custom_oidc\":[
+ {
+ \"name\":\"$AUTHENTIK_USER_PREFIX\",
+ \"title\":\"authentik\",
+ \"authorizeUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/authorize/\",
+ \"tokenUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/token/\",
+ \"displayNameClaim\":\"preferred_username\",
+ \"userInfoUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
+ \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/if/session-end/nextcloud/\",
+ \"clientId\":\"$AUTHENTIK_ID\",
+ \"clientSecret\":\"$AUTHENTIK_SECRET\",
+ \"scope\":\"openid profile email nextcloud\",
+ \"groupsClaim\":\"nextcloud_groups\",
+ \"style\":\"openid\",
+ \"defaultGroup\":\"\",
+ \"groupMapping\": {
+ \"admin\": \"admin\"
+ }
+ }
+]
+}"
+
+set_app_config sociallogin update_profile_on_login 1
+set_app_config sociallogin auto_create_groups 1
+set_app_config sociallogin hide_default_login 1
+run_occ 'config:system:set social_login_auto_redirect --value true'
+run_occ 'config:system:set allow_user_to_change_display_name --value=false'
+run_occ 'config:system:set lost_password_link --value=disabled'
+}
diff --git a/compose.authentik.yml b/compose.authentik.yml
new file mode 100644
index 0000000..a2969b8
--- /dev/null
+++ b/compose.authentik.yml
@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+ app:
+ secrets:
+ - authentik_secret
+ - authentik_id
+
+secrets:
+ authentik_secret:
+ external: true
+ name: ${AUTHENTIK_SECRET_NAME}
+ authentik_id:
+ external: true
+ name: ${AUTHENTIK_ID_NAME}
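Review bot: `set_authentik` in abra.sh hides the default login and enables auto-redirect without checking that the two secrets were actually read, so a missing or empty `/run/secrets/authentik_secret` or `/run/secrets/authentik_id` would configure an empty client and leave no local login path. A guard at the top such as `[ -s /run/secrets/authentik_secret ] && [ -s /run/secrets/authentik_id ] || { echo "authentik secrets missing" >&2; return 1; }` avoids that. The client secret is also interpolated into the command string handed to `run_occ`; depending on how that helper executes it (not visible here) the secret may show up in process arguments or logs, and a `'` or `"` in any interpolated value would break the JSON or the shell quoting. A comment should also record that `groupMapping` maps the provider's `admin` group onto Nextcloud's `admin` group, so the `nextcloud_groups` claim must be controllable only by the identity provider's administrators.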