diff --git a/kube-prometheus-stack/values.yaml b/kube-prometheus-stack/values.yaml
index 479fa0a..e587b2a 100644
--- a/kube-prometheus-stack/values.yaml
+++ b/kube-prometheus-stack/values.yaml
@@ -75,6 +75,20 @@ kube-prometheus-stack:
       - secretName: grafana-tls
         hosts:
         - grafana.durp.info      
+    env:
+      GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
+      GF_AUTH_GENERIC_OAUTH_NAME: "authentik"
+      GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "<Client ID from above>"
+      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "<Client Secret from above>"
+      GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email"
+      GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://authentik.company/application/o/authorize/"
+      GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://authentik.company/application/o/token/"
+      GF_AUTH_GENERIC_OAUTH_API_URL: "https://authentik.company/application/o/userinfo/"
+      GF_AUTH_SIGNOUT_REDIRECT_URL: "https://authentik.company/application/o/<Slug of the application from above>/end-session/"
+      # Optionally enable auto-login (bypasses Grafana login screen)
+      GF_AUTH_OAUTH_AUTO_LOGIN: "true"
+      # Optionally map user groups to Grafana roles
+      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
 
   kubeApiServer:
     enabled: true