diff --git a/conf/config.yaml b/conf/config.yaml
index 47b16d2..6d65a8b 100644
--- a/conf/config.yaml
+++ b/conf/config.yaml
@@ -611,36 +611,36 @@ tls-certificate-key: ""
 # internal oauth flow will be used, where users sign in to GtS with username/password.
 # Options: [true, false]
 # Default: false
-oidc-enabled: false
+oidc-enabled: __OIDC_ENABLED__
 
 # String. Name of the oidc idp (identity provider). This will be shown to users when
 # they log in.
 # Examples: ["Google", "Dex", "Auth0"]
 # Default: ""
-oidc-idp-name: ""
+oidc-idp-name: "__OIDC_IDP_NAME__"
 
 # Bool. Skip the normal verification flow of tokens returned from the OIDC provider, ie.,
 # don't check the expiry or signature. This should only be used in debugging or testing,
 # never ever in a production environment as it's extremely unsafe!
 # Options: [true, false]
 # Default: false
-oidc-skip-verification: false
+oidc-skip-verification: __OIDC_SKIP_VERIFICATION__
 
 # String. The OIDC issuer URI. This is where GtS will redirect users to for login.
 # Typically this will look like a standard web URL.
 # Examples: ["https://auth.example.org", "https://example.org/auth"]
 # Default: ""
-oidc-issuer: ""
+oidc-issuer: "__OIDC_ISSUER__"
 
 # String. The ID for this client as registered with the OIDC provider.
 # Examples: ["some-client-id", "fda3772a-ad35-41c9-9a59-f1943ad18f54"]
 # Default: ""
-oidc-client-id: ""
+oidc-client-id: "__OIDC_CLIENT_ID__"
 
 # String. The secret for this client as registered with the OIDC provider.
 # Examples: ["super-secret-business", "79379cf5-8057-426d-bb83-af504d98a7b0"]
 # Default: ""
-oidc-client-secret: ""
+oidc-client-secret: "__OIDC_CLIENT_SECRET__"
 
 # Array of string. Scopes to request from the OIDC provider. The returned values will be used to
 # populate users created in GtS as a result of the authentication flow. 'openid' and 'email' are required.
diff --git a/config_panel.toml b/config_panel.toml
index a3325eb..44fca7a 100644
--- a/config_panel.toml
+++ b/config_panel.toml
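Review bot: The `oidc-client-secret: "__OIDC_CLIENT_SECRET__"` line substitutes the secret into a double-quoted YAML scalar, where `\` starts an escape sequence and `"` ends the string, so a secret (or issuer/client-id) containing either character is silently altered or breaks the file; since the substitution is plain text replacement, single quotes are safer, `oidc-client-secret: '__OIDC_CLIENT_SECRET__'`, with a check for `'` in the value before rendering. `oidc-skip-verification: __OIDC_SKIP_VERIFICATION__` and `oidc-enabled: __OIDC_ENABLED__` are rendered unquoted, so an empty substitution yields a YAML null rather than `false`; the rendering script should guarantee a non-empty boolean for both. The rendered config now carries a live client secret in plaintext; I can't see from this hunk how the file's owner and mode are set, so confirm it is readable only by the app user.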
@@ -406,6 +406,72 @@ Cette limite est basée sur des estimations de la taille des objets en mémoire
 Exemples : 100MiB, 200MiB, 500MiB, 1GiB; Par défaut : 100MiB"""
 type = "string"
 
+####################
+#### OIDC SETTINGS
+####################
+
+[main.OIDC]
+
+name = "OpenID Connect settings"
+
+help = "Settings pertaining to... OpenID Connect"
+
+[main.OIDC.oidc_enabled]
+ask.en = "Activate OpenID Connect?"
+ask.fr = "Activer OpenID Connect ?"
+bind = "oidc-enabled:__FINALPATH__/config.yaml"
+choices = ["true", "false"]
+default = "false"
+help.en = "Enable authentication with external OIDC provider."
+help.fr = "Activer l'authentification avec un fournisseur OIDC externe"
+type = "select"
+
+[main.cache.oidc_idp_name]
+ask.en = "Name of the OIDC IDP (identity provider)"
+ask.fr = "Nom de l'OIDC IDP (identity provider)"
+bind = "oidc-idp-name:__FINALPATH__/config.yaml"
+default = ""
+help.en = "This will be shown to users when they log in. Examples: \"Dex\" or \"YunoHost\""
+help.fr = "Sera affiché aux utilisateurices lros de leur connexion. Exemples: \"Dex\" ou \"YunoHost\""
+type = "string"
+
+[main.OIDC.oidc_skip_verification]
+ask.en = "Skip the normal verification flow of tokens returned from the OIDC provider"
+ask.fr = "Passer la vérification du flux des jetons renvoyés par le fournisseur OIDC"
+bind = "oidc-skip-verification:__FINALPATH__/config.yaml"
+choices = ["true", "false"]
+default = "false"
+help.en = "ie. don't check the expiry or signature. This should only be used in debugging or testing, never ever in a production environment as it's extremely unsafe!"
+help.fr = "C'est-à-dire, ne pas vérifier l'expiration ou la signature. Cette méthode ne doit être utilisée qu'en cas de débogage ou de test, jamais dans un environnement de production, car elle est extrêmement dangereuse !"
+type = "select"
+
+[main.OIDC.oidc_issuer]
+ask.en = "The OIDC issuer URI."
+ask.fr = "URI du fournisseur OIDC"
+bind = "oidc-issuer:__FINALPATH__/config.yaml"
+default = ""
+help.en = "This is where GtS will redirect users to for login. Typically this will look like a standard web URL. Examples: \"https://auth.example.org\", \"https://example.org/auth\""
+help.fr = ""
+type = "string"
+
+[main.OIDC.oidc_client_id]
+ask.en = "OIDC client ID"
+ask.fr = "Client ID du fournisseur OIDC"
+bind = "oidc-client-id:__FINALPATH__/config.yaml"
+default = ""
+help.en = "The ID for this client as registered with the OIDC provider."
+help.fr = ""
+type = "string"
+
+[main.OIDC.oidc_client_secret]
+ask.en = "OIDC client secret (password)"
+ask.fr = "Client secret (mot de passe) du fournisseur OIDC"
+bind = "oidc-client-secret:__FINALPATH__/config.yaml"
+default = ""
+help.en = "The secret for this client as registered with the OIDC provider."
+help.fr = ""
+type = "string"
+
 ####################
 #### ADVANCED SETTINGS
 ####################
diff --git a/scripts/install b/scripts/install
index ba267d9..12b1c9c 100755
--- a/scripts/install
+++ b/scripts/install
@@ -76,6 +76,13 @@ statuses_poll_max_options="6"
 statuses_poll_option_max_chars="50"
 statuses_media_max_files="6"
 
+oidc_enabled="false"
+oidc_idp_name=""
+oidc_skip_verification="false"
+oidc_issuer=""
+oidc_client_id=""
+oidc_client_secret=""
+
 smtp_host="localhost"
 smtp_port="25"
 smtp_username=""
diff --git a/scripts/restore b/scripts/restore
index f14ca9d..1b8b050 100755
--- a/scripts/restore
+++ b/scripts/restore
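Review bot: `[main.OIDC.oidc_client_secret]` is declared with `type = "string"`, so the stored client secret is echoed back in clear text in the admin panel and handled like any ordinary value; YunoHost config panels have a dedicated type for this, so it should be `type = "password"`. Earlier in the hunk, `[main.cache.oidc_idp_name]` is filed under `main.cache` instead of `main.OIDC`, so the IdP-name question lands in the wrong section (or is dropped, depending on how `main.cache` is defined outside this hunk); change it to `[main.OIDC.oidc_idp_name]`. `oidc_skip_verification` disables signature and expiry checks on ID tokens, and exposing it as a one-click select beside the normal settings invites it being left on in production; consider leaving it out of the panel and keeping it a file-only debugging knob. The `help.fr` strings for issuer, client ID and client secret are empty, and `help.fr` for the IdP name has `lros` for `lors`.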
@@ -81,6 +81,13 @@ statuses_poll_max_options=$(ynh_app_setting_get --app="$app" --key=statuses_poll
 statuses_poll_option_max_chars=$(ynh_app_setting_get --app="$app" --key=statuses_poll_option_max_chars)
 statuses_media_max_files=$(ynh_app_setting_get --app="$app" --key=statuses_media_max_files)
 
+oidc_enabled=$(ynh_app_setting_get --app="$app" --key=oidc_enabled)
+oidc_idp_name=$(ynh_app_setting_get --app="$app" --key=oidc_idp_name)
+oidc_skip_verification=$(ynh_app_setting_get --app="$app" --key=oidc_skip_verification)
+oidc_issuer=$(ynh_app_setting_get --app="$app" --key=oidc_issuer)
+oidc_client_id=$(ynh_app_setting_get --app="$app" --key=oidc_client_id)
+oidc_client_secret=$(ynh_app_setting_get --app="$app" --key=oidc_client_secret)
+
 smtp_host=$(ynh_app_setting_get --app="$app" --key=smtp_host)
 smtp_port=$(ynh_app_setting_get --app="$app" --key=smtp_port)
 smtp_username=$(ynh_app_setting_get --app="$app" --key=smtp_username)
diff --git a/scripts/upgrade b/scripts/upgrade
index 38d605d..ddbb328 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
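Review bot: The six `ynh_app_setting_get` calls have no fallback, so restoring a backup taken before these settings existed leaves `oidc_enabled` and `oidc_skip_verification` empty; if restore later renders `config.yaml` from the template (outside this hunk), the unquoted `__OIDC_ENABLED__` and `__OIDC_SKIP_VERIFICATION__` placeholders become bare nulls instead of `false`. The upgrade script guards this with `[ -z "$oidc_enabled" ]`, but restore does not, so add defaults here: `oidc_enabled="${oidc_enabled:-false}"` and `oidc_skip_verification="${oidc_skip_verification:-false}"`. `oidc_client_secret` is also read back into the environment and presumably re-rendered into the config, so confirm the restored `config.yaml` keeps the same restrictive ownership and mode as on install.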
@@ -69,6 +69,13 @@ statuses_poll_max_options=$(ynh_app_setting_get --app="$app" --key=statuses_poll
 statuses_poll_option_max_chars=$(ynh_app_setting_get --app="$app" --key=statuses_poll_option_max_chars)
 statuses_media_max_files=$(ynh_app_setting_get --app="$app" --key=statuses_media_max_files)
 
+oidc_enabled=$(ynh_app_setting_get --app="$app" --key=oidc_enabled)
+oidc_idp_name=$(ynh_app_setting_get --app="$app" --key=oidc_idp_name)
+oidc_skip_verification=$(ynh_app_setting_get --app="$app" --key=oidc_skip_verification)
+oidc_issuer=$(ynh_app_setting_get --app="$app" --key=oidc_issuer)
+oidc_client_id=$(ynh_app_setting_get --app="$app" --key=oidc_client_id)
+oidc_client_secret=$(ynh_app_setting_get --app="$app" --key=oidc_client_secret)
+
 smtp_host=$(ynh_app_setting_get --app="$app" --key=smtp_host)
 smtp_port=$(ynh_app_setting_get --app="$app" --key=smtp_port)
 smtp_username=$(ynh_app_setting_get --app="$app" --key=smtp_username)
@@ -336,6 +343,25 @@ then
 ynh_app_setting_set --app="$app" --key=instance_federation_mode --value="$instance_federation_mode"
 fi
 
+# Upgrade from <0.12.1~ynh2:
+if ynh_compare_current_package_version --comparison lt --version 0.12.1~ynh2 || [ -z "$oidc_enabled" ]
+then
+ # declaration of new parameter
+ oidc_enabled="false"
+ oidc_idp_name=""
+ oidc_skip_verification="false"
+ oidc_issuer=""
+ oidc_client_id=""
+ oidc_client_secret=""
+ # registration of parameter
+ ynh_app_setting_set --app="$app" --key=oidc_enabled --value="$oidc_enabled"
+ ynh_app_setting_set --app="$app" --key=oidc_idp_name --value="$oidc_idp_name"
+ ynh_app_setting_set --app="$app" --key=oidc_skip_verification --value="$oidc_skip_verification"
+ ynh_app_setting_set --app="$app" --key=oidc_issuer --value="$oidc_issuer"
+ ynh_app_setting_set --app="$app" --key=oidc_client_id --value="$oidc_client_id"
+ ynh_app_setting_set --app="$app" --key=oidc_client_secret --value="$oidc_client_secret"
+fi
+
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
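Review bot: The `|| [ -z "$oidc_enabled" ]` branch resets all six OIDC settings, including `oidc_issuer` and `oidc_client_secret`, on the strength of one key being empty, so an instance whose `oidc_enabled` setting is missing or blank for any reason has its configured provider and secret silently wiped on the next upgrade. Either rely on the version comparison alone, or default each key on its own so existing values survive, e.g. `oidc_enabled="${oidc_enabled:-false}"` and `oidc_skip_verification="${oidc_skip_verification:-false}"` with the empty-string defaults for the other four. Keeping `oidc_skip_verification` at a literal `"false"` here is the right call, since an empty value would render into the config as a YAML null rather than a boolean; the same guarantee is worth adding wherever the values are written into `config.yaml` later in this script.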