diff --git a/.env.sample b/.env.sample
index 2653a78..527e27a 100644
--- a/.env.sample
+++ b/.env.sample
@@ -77,6 +77,7 @@ SECRET_OTP_SECRET_VERSION=v1
 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SMTP_PASSWORD_VERSION=v1
+SECRET_OIDC_CLIENT_SECRET_VERSION=v1
 # Web Push
 # ========
@@ -170,6 +171,35 @@ DEFAULT_LOCALE=en
 # SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
 # SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
+# OpenID Connect
+# --------------
+# COMPOSE_FILE="compose.yml:compose.oidc.yml"
+# OIDC_ENABLED=
+# OIDC_DISPLAY_NAME=
+# OIDC_ISSUER=
+# OIDC_DISCOVERY=
+# OIDC_CLIENT_AUTH_METHOD
+# OIDC_SCOPE=
+# OIDC_RESPONSE_TYPE=
+# OIDC_RESPONSE_MODE=
+# OIDC_DISPLAY=
+# OIDC_PROMPT=
+# OIDC_SEND_NONCE=
+# OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT=
+# OIDC_IDP_LOGOUT_REDIRECT_URI=
+# OIDC_UID_FIELD=
+# OIDC_CLIENT_ID=
+# OIDC_REDIRECT_URI=
+# OIDC_HTTP_SCHEME=
+# OIDC_HOST=
+# OIDC_PORT=
+# OIDC_AUTH_ENDPOINT=
+# OIDC_TOKEN_ENDPOINT=
+# OIDC_USER_INFO_ENDPOINT=
+# OIDC_JWKS_URI=
+# OIDC_END_SESSION_ENDPOINT=
+# OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=
+
 # Hidden services (Not Supported)
 # ===============================
 # http_proxy= # yes, this should be lowercase
diff --git a/abra.sh b/abra.sh
index a2293d2..f5bff7f 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,5 +1,5 @@
 # shellcheck disable=SC2148
-export ENTRYPOINT_CONF_VERSION=v1
+export ENTRYPOINT_CONF_VERSION=v3
 #MASTO_APP_DIR="mastodon/public"
 sub_rake() {
diff --git a/compose.oidc.yml b/compose.oidc.yml
new file mode 100644
index 0000000..b1c8368
--- /dev/null
+++ b/compose.oidc.yml
@@ -0,0 +1,17 @@
+---
+version: "3.8"
+
+services:
+ web:
+ secrets:
+ - db_password
+ - otp_secret
+ - secret_key_base
+ - smtp_password
+ - vapid_private_key
+ - oidc_client_secret
+
+secrets:
+ oidc_client_secret:
+ name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
+ external: true
diff --git a/compose.yml b/compose.yml
index 50cf2be..69314b2 100644
--- a/compose.yml
+++ b/compose.yml
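Review bot: `# OIDC_CLIENT_AUTH_METHOD` is the only entry in the new OpenID Connect block without a trailing `=`, so an operator who uncomments it gets a bare word instead of an assignment; make it `# OIDC_CLIENT_AUTH_METHOD=` like its neighbours. `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED` presumably, as with its SAML counterpart, tells Mastodon to trust the provider's email claim instead of running its own confirmation, which is worth a trailing comment such as `# only set when the IdP itself verifies email addresses`. The absence of `OIDC_CLIENT_SECRET` here looks deliberate because it arrives as a Docker secret, and a pointer like `# OIDC_CLIENT_SECRET is provided via the oidc_client_secret secret, see compose.oidc.yml` would save operators searching for it.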
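Review bot: The `oidc_client_secret` secret is attached only to the `web` service, while `OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret` is added to the shared `&env` anchor in compose.yml and `file_env "OIDC_CLIENT_SECRET"` runs in the common entrypoint. If `streaming` or `sidekiq` reuse `*env` and the same image (their definitions are outside this diff, so this is inferred), they will start with a `_FILE` variable pointing at a path that is not mounted; either give them the same `secrets:` override here or confirm that `file_env` tolerates a missing file. The secrets list under `web` repeats the one in compose.yml, so a comment such as `# mirrors the web secrets list in compose.yml; keep both in sync` would help the next person who adds a secret to the base file.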
@@ -50,7 +50,7 @@ services:
 hard: -1
 web:
- image: &image decentral1se/hometown:v1.0.5_3.4.0
+ image: &image decentral1se/hometown:v1.0.5_3.4.0_openid-sso
 command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
 networks: &bothNetworks
 - proxy
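Review bot: The new image reference `decentral1se/hometown:v1.0.5_3.4.0_openid-sso` reads as a feature-branch build rather than a release tag, and a tag can be re-pushed, so the recipe no longer pins a reproducible image. Pinning by digest, `image: &image decentral1se/hometown:v1.0.5_3.4.0_openid-sso@sha256:<digest-placeholder>`, or moving to a tagged release of the fork once one exists, would make future image changes explicit and reviewable. Because the `*image` anchor is reused by `streaming` further down the file, this single line determines the image for every service in the stack.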
@@ -100,90 +100,116 @@ services:
 - smtp_password
 - vapid_private_key
 environment: &env
+ - ALLOW_ACCESS_TO_HIDDEN_SERVICE
+ - ALTERNATE_DOMAINS
+ - AUTHORIZED_FETCH
+ - CACHE_REDIS_HOST
+ - CACHE_REDIS_NAMESPACE
+ - CACHE_REDIS_PORT
+ - CACHE_REDIS_URL
 - DB_HOST
- - DB_USER
 - DB_NAME
 - DB_PASS_FILE=/run/secrets/db_password
 - DB_PORT
- - REDIS_HOST
- - REDIS_PORT
- - REDIS_URL
- - REDIS_NAMESPACE
- - CACHE_REDIS_HOST
- - CACHE_REDIS_PORT
- - CACHE_REDIS_URL
- - CACHE_REDIS_NAMESPACE
+ - DB_USER
+ - DEFAULT_LOCALE
+ - EMAIL_DOMAIN_ALLOWLIST
+ - EMAIL_DOMAIN_DENYLIST
 - ES_ENABLED
 - ES_HOST
 - ES_PORT
- - STATSD_ADDR
- - STATSD_NAMESPACE
- - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
- - VAPID_PUBLIC_KEY
- - OTP_SECRET_FILE=/run/secrets/otp_secret
- - SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
- - LOCAL_DOMAIN
- - WEB_DOMAIN
- - ALTERNATE_DOMAINS
- - AUTHORIZED_FETCH
- - LIMITED_FEDERATION_MODE
- - RAILS_ENV
- - RAILS_SERVE_STATIC_FILES
- - SINGLE_USER_MODE
- - EMAIL_DOMAIN_ALLOWLIST
- - EMAIL_DOMAIN_DENYLIST
- - DEFAULT_LOCALE
- - MAX_SESSION_ACTIVATIONS
- - USER_ACTIVE_DAYS
- - SMTP_SERVER
- - SMTP_PORT
- - SMTP_LOGIN
- - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
- - SMTP_FROM_ADDRESS
- - SMTP_DOMAIN
- - SMTP_DELIVERY_METHOD
- - SMTP_AUTH_METHOD
- - SMTP_CA_FILE
- - SMTP_OPENSSL_VERIFY_MODE
- - SMTP_ENABLE_STARTTLS_AUTO
- - SMTP_TLS
- - SMTP_SSL
- - PAPERCLIP_ROOT_PATH
- - PAPERCLIP_ROOT_URL
- - OAUTH_REDIRECT_AT_SIGN_IN
- - LDAP_ENABLED
- - LDAP_HOST
- - LDAP_PORT
- - LDAP_METHOD
 - LDAP_BASE
 - LDAP_BIND_DN
- - LDAP_PASSWORD
- - LDAP_UID
- - LDAP_SEARCH_FILTER
+ - LDAP_ENABLED
+ - LDAP_HOST
 - LDAP_MAIL
+ - LDAP_METHOD
+ - LDAP_PASSWORD
+ - LDAP_PORT
+ - LDAP_SEARCH_FILTER
+ - LDAP_UID
 - LDAP_UID_CONVERSTION_ENABLED
- - SAML_ENABLED
+ - LIMITED_FEDERATION_MODE
+ - LOCAL_DOMAIN
+ - MAX_SESSION_ACTIVATIONS
+ - OAUTH_REDIRECT_AT_SIGN_IN
+ - OIDC_AUTH_ENDPOINT
+ - OIDC_CLIENT_AUTH_METHOD
+ - OIDC_CLIENT_ID
+ - OIDC_CLIENT_SECRET
+ - OIDC_DISCOVERY
+ - OIDC_DISPLAY
+ - OIDC_DISPLAY_NAME
+ - OIDC_ENABLED
+ - OIDC_END_SESSION_ENDPOINT
+ - OIDC_HOST
+ - OIDC_IDP_LOGOUT_REDIRECT_URI
+ - OIDC_ISSUER
+ - OIDC_JWKS_URI
+ - OIDC_PORT
+ - OIDC_PROMPT
+ - OIDC_REDIRECT_URI
+ - OIDC_RESPONSE_MODE
+ - OIDC_RESPONSE_TYPE
+ - OIDC_SCOPE
+ - OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED
+ - OIDC_SEND_NONCE
+ - OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT
+ - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
+ - OIDC_TOKEN_ENDPOINT
+ - OIDC_UID_FIELD
+ - OIDC_USER_INFO_ENDPOINT
+ - OTP_SECRET_FILE=/run/secrets/otp_secret
+ - PAPERCLIP_ROOT_PATH
+ - PAPERCLIP_ROOT_URL
+ - RAILS_ENV
+ - RAILS_SERVE_STATIC_FILES
+ - REDIS_HOST
+ - REDIS_NAMESPACE
+ - REDIS_PORT
+ - REDIS_URL
 - SAML_ACS_URL
- - SAML_ISSUER
- - SAML_IDP_SSO_TARGET_URL
- - SAML_IDP_CERT
- - SAML_IDP_CERT_FINGERPRINT
- - SAML_NAME_IDENTIFIER_FORMAT
- - SAML_CERT
- - SAML_PRIVATE_KEY
- - SAML_SECURITY_WANT_ASSERTION_SIGNED
- - SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
- - SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED
- - SAML_ATTRIBUTES_STATEMENTS_UID
 - SAML_ATTRIBUTES_STATEMENTS_EMAIL
- - SAML_ATTRIBUTES_STATEMENTS_FULL_NAME
 - SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME
+ - SAML_ATTRIBUTES_STATEMENTS_FULL_NAME
 - SAML_ATTRIBUTES_STATEMENTS_LAST_NAME
- - SAML_UID_ATTRIBUTE
+ - SAML_ATTRIBUTES_STATEMENTS_UID
 - SAML_ATTRIBUTES_STATEMENTS_VERIFIED
 - SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL
+ - SAML_CERT
+ - SAML_ENABLED
+ - SAML_IDP_CERT
+ - SAML_IDP_CERT_FINGERPRINT
+ - SAML_IDP_SSO_TARGET_URL
+ - SAML_ISSUER
+ - SAML_NAME_IDENTIFIER_FORMAT
+ - SAML_PRIVATE_KEY
+ - SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED
+ - SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
+ - SAML_SECURITY_WANT_ASSERTION_SIGNED
+ - SAML_UID_ATTRIBUTE
+ - SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
+ - SINGLE_USER_MODE
+ - SMTP_AUTH_METHOD
+ - SMTP_CA_FILE
+ - SMTP_DELIVERY_METHOD
+ - SMTP_DOMAIN
+ - SMTP_ENABLE_STARTTLS_AUTO
+ - SMTP_FROM_ADDRESS
+ - SMTP_LOGIN
+ - SMTP_OPENSSL_VERIFY_MODE
+ - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+ - SMTP_PORT
+ - SMTP_SERVER
+ - SMTP_SSL
+ - SMTP_TLS
+ - STATSD_ADDR
+ - STATSD_NAMESPACE
+ - USER_ACTIVE_DAYS
+ - VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
+ - VAPID_PUBLIC_KEY
+ - WEB_DOMAIN
 - http_proxy # yes, this should be lowercase
- - ALLOW_ACCESS_TO_HIDDEN_SERVICE
 streaming:
 image: *image
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index b9cc5c1..ab15417 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -28,5 +28,6 @@ file_env "OTP_SECRET"
 file_env "SECRET_KEY_BASE"
 file_env "SMTP_PASSWORD"
 file_env "VAPID_PRIVATE_KEY"
+file_env "OIDC_CLIENT_SECRET"
 /usr/bin/tini -- "$@"
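Review bot: `OIDC_HTTP_SCHEME` is documented in the new `.env.sample` block but is missing from this `&env` list, so a value set in `.env` never reaches the containers; add `- OIDC_HTTP_SCHEME` after `- OIDC_HOST`. `- OIDC_CLIENT_SECRET` is also passed through as a plain environment variable alongside `OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret`, whereas the other `_FILE` secrets in this list (`DB_PASS_FILE`, `OTP_SECRET_FILE`, `SECRET_KEY_BASE_FILE`, `SMTP_PASSWORD_FILE`, `VAPID_PRIVATE_KEY_FILE`) have no plain counterpart; dropping the plain entry keeps the client secret out of `.env` and container metadata and matches the existing convention. As a style point, `OIDC_CLIENT_SECRET_FILE` breaks the alphabetical order this hunk otherwise establishes and belongs directly after `- OIDC_CLIENT_ID`. The `&env` anchor is consumed by `streaming` (visible below) and presumably other services defined outside this hunk, so every entry here applies stack-wide.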