diff --git a/.secrets-baseline b/.secrets-baseline
index b6abfbf..6ee7add 100644
--- a/.secrets-baseline
+++ b/.secrets-baseline
@@ -158,31 +158,7 @@
 "filename": "core/authelia.yml",
 "hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
 "is_verified": false,
- "line_number": 182,
- "is_secret": false
- },
- {
- "type": "Secret Keyword",
- "filename": "core/authelia.yml",
- "hashed_secret": "d16a67474cca598880e37d64557f1264586386bd",
- "is_verified": false,
- "line_number": 248,
- "is_secret": false
- },
- {
- "type": "Secret Keyword",
- "filename": "core/authelia.yml",
- "hashed_secret": "7e1f5e63ab2c1f926e5fb81cc004dc24af411376",
- "is_verified": false,
- "line_number": 249,
- "is_secret": false
- },
- {
- "type": "Secret Keyword",
- "filename": "core/authelia.yml",
- "hashed_secret": "0bb90d739912b79b54b811fec298da9f59008a26",
- "is_verified": false,
- "line_number": 304,
+ "line_number": 187,
 "is_secret": false
 }
 ],
@@ -237,5 +213,5 @@
 }
 ]
 },
- "generated_at": "2023-07-07T00:58:58Z"
+ "generated_at": "2023-07-07T07:39:31Z"
 }
diff --git a/core/authelia.yml b/core/authelia.yml
index eb3cc86..fd366e0 100644
--- a/core/authelia.yml
+++ b/core/authelia.yml
@@ -157,7 +157,7 @@ access_control:
 networks:
 - internal
 policy: one_factor
-
+ - domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
 policy: two_factor
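Review bot: The new catch-all rule `- domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'` with `policy: two_factor` depends on Authelia's first-match evaluation of `access_control.rules`, so it only behaves as a fallback while it stays below every more specific rule for that domain; a comment such as `# Catch-all for the base domain; keep last, rules are evaluated first-match` would protect that ordering. As far as I recall a `*.` wildcard in Authelia matches subdomains only, not the bare base hostname, so the apex itself falls through to `default_policy`, which is not visible here — worth confirming that is intended. The `access_control` block begins before this hunk.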
@@ -242,118 +242,9 @@ notifier:
 startup_check_address: test@iamthefij.com
 {{- end }}
-# identity_providers:
- ##
- ## OpenID Connect (Identity Provider)
- ##
- ## It's recommended you read the documentation before configuration of this section:
- ## https://www.authelia.com/c/oidc
- # oidc:
- ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
- ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
- # hmac_secret: this_is_a_secret_abc123abc123abc
+identity_providers:
+ oidc:
+ # hmac_secret:
+ # issuer_private_key:
- ## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
- ## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
- # issuer_private_key: |
- # --- KEY START
- # --- KEY END
-
- ## The lifespans configure the expiration for these token types.
- # access_token_lifespan: 1h
- # authorize_code_lifespan: 1m
- # id_token_lifespan: 1h
- # refresh_token_lifespan: 90m
-
- ## Enables additional debug messages.
- # enable_client_debug_messages: false
-
- ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
- ## security reasons.
- # minimum_parameter_entropy: 8
-
- ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
- ## for security reasons.
- # enforce_pkce: public_clients_only
-
- ## Cross-Origin Resource Sharing (CORS) settings.
- # cors:
- ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
- # endpoints:
- # - authorization
- # - token
- # - revocation
- # - introspection
- # - userinfo
-
- ## List of allowed origins.
- ## Any origin with https is permitted unless this option is configured or the
- ## allowed_origins_from_client_redirect_uris option is enabled.
- # allowed_origins:
- # - https://example.com
-
- ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
- ## provided they have the scheme http or https and do not have the hostname of localhost.
- # allowed_origins_from_client_redirect_uris: false
-
- ## Clients is a list of known clients and their configuration.
- # clients:
- # -
- ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
- # id: myapp
-
- ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
- # description: My Application
-
- ## The client secret is a shared secret between Authelia and the consumer of this client.
- # secret: this_is_a_secret
-
- ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
- ## necessary. Read the documentation for more information.
- ## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
- # sector_identifier: example.com
-
- ## Sets the client to public. This should typically not be set, please see the documentation for usage.
- # public: false
-
- ## The policy to require for this client; one_factor or two_factor.
- # authorization_policy: two_factor
-
- ## By default users cannot remember pre-configured consents. Setting this value to a period of time using a
- ## duration notation will enable users to remember consent for this client. The time configured is the amount
- ## of time the pre-configured consent is valid for granting new authorizations to the user.
- # pre_configured_consent_duration:
-
- ## Audience this client is allowed to request.
- # audience: []
-
- ## Scopes this client is allowed to request.
- # scopes:
- # - openid
- # - groups
- # - email
- # - profile
-
- ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
- # redirect_uris:
- # - https://oidc.example.com:8080/oauth2/callback
-
- ## Grant Types configures which grants this client can obtain.
- ## It's not recommended to define this unless you know what you're doing.
- # grant_types:
- # - refresh_token
- # - authorization_code
-
- ## Response Types configures which responses this client can be sent.
- ## It's not recommended to define this unless you know what you're doing.
- # response_types:
- # - code
-
- ## Response Modes configures which response modes this client supports.
- # response_modes:
- # - form_post
- # - query
- # - fragment
-
- ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
- # userinfo_signing_algorithm: none
+ clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}
diff --git a/core/main.tf b/core/main.tf
index e44681d..e4acaec 100644
--- a/core/main.tf
+++ b/core/main.tf
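Review bot: `clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}` splices the variable's raw text onto the same line as the key, so a block-style client list stored in the variable only parses if its first line is empty and every line is pre-indented to this key's level, and if the variable is missing the `with` renders nothing and `clients:` becomes null, which (as far as I recall) Authelia rejects once `oidc` is configured. A more robust form puts the key on its own line and lets the template do the indenting: `clients:` followed by `{{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value | indent 4 }}{{ end }}` on the next line. It would also help to add a comment by the key that each client's `secret` should be stored in the Nomad variable as a hashed digest (the output of `authelia crypto hash generate`) rather than plaintext, since Authelia supports hashed client secrets and the plaintext would otherwise live in both the variable and the rendered config. The `# hmac_secret:` and `# issuer_private_key:` placeholders are fine because both are supplied through `*_FILE` environment variables, but a one-line comment saying so would spare the next reader a lookup.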
@@ -65,12 +65,15 @@ module "authelia" {
 service_port = 9091
 # metrics_port = 9959
 env = {
- AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
- AUTHELIA_JWT_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
- AUTHELIA_SESSION_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
- AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
+ AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
+ AUTHELIA_JWT_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
+ AUTHELIA_SESSION_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
+ AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
+ AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
+ AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
+ AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
+ AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
+ # AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
 }
 use_mysql = true
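Review bot: The commented-out `# AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE` line gives no reason for being disabled while the two OIDC secrets directly above it are enabled, so a later reader cannot tell whether it is a TODO or a deliberate omission; a short comment such as `# Optional: enable once oidc_issuer_certificate_chain is populated in nomad/jobs/authelia` would record the intent. The re-alignment of the six pre-existing `*_FILE` entries is formatter churn and is otherwise fine. `module "authelia"` begins before this hunk and continues after it.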
@@ -125,6 +128,24 @@ module "authelia" {
 dest = "mysql_password.txt"
 mount = false
 },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "oidc_hmac_secret.txt"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "oidc_issuer_private_key.txt"
+ mount = false
+ },
+ {
+ data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
+ dest_prefix = "$${NOMAD_SECRETS_DIR}"
+ dest = "oidc_issuer_certificate_chain.txt"
+ mount = false
+ },
 {
 data = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
 dest_prefix = "$${NOMAD_SECRETS_DIR}"
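Review bot: The `oidc_issuer_certificate_chain` template is rendered into `$${NOMAD_SECRETS_DIR}` unconditionally even though nothing in the env block of the previous hunk consumes it, so the file is dead weight, and if that key is absent from `nomad/jobs/authelia` the expression `{{ .oidc_issuer_certificate_chain }}` renders an empty or `<no value>` file instead of failing. The same holds for `oidc_hmac_secret` and `oidc_issuer_private_key`: a missing key yields a blank secret file, which Authelia should reject at startup, but the failure will surface as a config-validation error rather than a clear "variable not set" message. I would drop the chain entry until it is actually wired up, and, if the wrapper module exposes Nomad's `error_on_missing_key` template option, enable it for these three entries so a missing key fails the allocation loudly. A one-line comment above the new entries, `# OIDC signing material; keys live in nomad/jobs/authelia, not nomad/jobs`, would also explain why these read a different variable path than the `smtp_password` entry below.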