diff --git a/core/oidc_client/.terraform.lock.hcl b/core/oidc_client/.terraform.lock.hcl
new file mode 100644
index 0000000..d59fbb1
--- /dev/null
+++ b/core/oidc_client/.terraform.lock.hcl
@@ -0,0 +1,40 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/nomad" {
+ version = "2.3.1"
+ hashes = [
+ "h1:lMueBNB2GJ/a5rweL9NPybwVfDH/Q1s+rQvt5Y+kuYs=",
+ "zh:1e7893a3fbebff171bcc5581b70a16eea33193c7e9dd73402ba5c04b7202f0bb",
+ "zh:252cfd3fee4811c83bc74406ba1bc1bbb83d6de20e50a86f93737f8f86864171",
+ "zh:387a7140be6dfa3f8d27f09d1eb2b9f3b84900328fe5a0478e9b3bd91a845808",
+ "zh:49848fa491ac26b0568b112a57d14cc49772607c7cf405e2f74dd537407214b1",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:7b9f345f5bb5f17c5d0bc3d373c25828934a3cbcdb331e0eab54eb47f1355fb2",
+ "zh:8e276f4de508a86e725fffc02ee891db73397c35dbd591d8918af427eeec93a1",
+ "zh:90b349933d2fd28f822a36128be4625bb816aa9f20ec314c79c77306f632ae87",
+ "zh:a0ca6fd6cd94a52684e432104d3dc170a74075f47d9d4ba725cc340a438ed75a",
+ "zh:a6cffc45535a0ff8206782538b3eeaef17dc93d0e1fd58bc1e6f7d5aa0f6ba1a",
+ "zh:c010807b5d3e03d769419787b0e5d4efa6963134e1873a413102af6bf3dd1c49",
+ "zh:faf962ee1981e897e99f7e528642c7e74beed37afd8eaf743e6ede24df812d80",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.6.2"
+ hashes = [
+ "h1:wmG0QFjQ2OfyPy6BB7mQ57WtoZZGGV07uAPQeDmIrAE=",
+ "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec",
+ "zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53",
+ "zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114",
+ "zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad",
+ "zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b",
+ "zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916",
+ "zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150",
+ "zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544",
+ "zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7",
+ "zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af",
+ ]
+}
diff --git a/core/oidc_client/main.tf b/core/oidc_client/main.tf
new file mode 100644
index 0000000..2b0dc2c
--- /dev/null
+++ b/core/oidc_client/main.tf
@@ -0,0 +1,50 @@
+resource "random_password" "oidc_client_id" {
+ length = 72
+ override_special = "-._~"
+}
+
+resource "random_password" "oidc_secret" {
+ length = 72
+ override_special = "-._~"
+}
+
+resource "nomad_variable" "authelia_oidc_secret" {
+ path = "secrets/authelia/${var.name}"
+ items = {
+ client_id = resource.random_password.oidc_client_id.result
+ secret = resource.random_password.oidc_secret.result
+ secret_hash = resource.random_password.oidc_secret.bcrypt_hash
+ }
+}
+
+resource "nomad_variable" "authelia_access_control_oidc" {
+ path = "authelia/access_control/oidc_clients/${var.name}"
+ items = {
+ id = resource.random_password.oidc_client_id.result
+ description = var.oidc_client_config.description
+ authorization_policy = var.oidc_client_config.authorization_policy
+ redirect_uris = yamlencode(var.oidc_client_config.redirect_uris)
+ scopes = yamlencode(var.oidc_client_config.scopes)
+ }
+}
+
+resource "nomad_acl_policy" "oidc_authelia" {
+ count = var.job_acl != null ? 1 : 0
+ name = "${var.name}-authelia"
+ description = "Give access to shared authelia variables"
+ rules_hcl = <