diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 9c0ca32..942f6a6 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -33,6 +33,26 @@ grafana: domain: {{{ .Env.DOMAIN }}} root_url: "%(protocol)s://%(domain)s/grafana" serve_from_sub_path: true + auth: + oauth_allow_insecure_email_lookup: true + disable_login: true + disable_login_form: true + auth.generic_oauth: + enabled: true + name: Keycloak-OAuth + allow_sign_up: true + client_id: grafana-oauth + #client_secret: todo need to be set elsewhere + scopes: openid email profile offline_access roles + email_attribute_path: email + login_attribute_path: username + name_attribute_path: full_name + tls_skip_verify_insecure: true + auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth + token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token + api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo + redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth + role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer' serviceMonitor: # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator
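Review bot: `tls_skip_verify_insecure: true` in the new `auth.generic_oauth` block turns off certificate verification for Grafana's calls to the Keycloak token and userinfo endpoints, so the `https://` on `token_url` and `api_url` no longer authenticates the identity provider that supplies the `roles` claim used for the Admin/Editor mapping. I would set `tls_skip_verify_insecure: false` and, if the stack uses a private CA, point `tls_client_ca` at the CA bundle (placeholder path: `<ca-bundle-path>`). In the same block `redirect_uri` is the only URL written with `http://`; `https://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth` would match the others, assuming the ingress terminates TLS. `oauth_allow_insecure_email_lookup: true` under `auth` also lets a login match an existing Grafana user by email alone, so it deserves a comment stating why it is needed, or removal if Keycloak is the only identity source.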