diff --git a/template/stacks/core/forgejo/secret.yaml b/template/stacks/core/forgejo/secret.yaml
new file mode 100644
index 0000000..231a7f0
--- /dev/null
+++ b/template/stacks/core/forgejo/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-credentials
+ namespace: gitea
+type: Opaque
+stringData:
+ key: forgejo
+ secret: nEJ7tmVYLjwuycF4vhBzCY8BVfk9LHDY
\ No newline at end of file
diff --git a/template/stacks/core/forgejo/values.yaml b/template/stacks/core/forgejo/values.yaml
index bfcd384..b763f93 100644
--- a/template/stacks/core/forgejo/values.yaml
+++ b/template/stacks/core/forgejo/values.yaml
@@ -27,6 +27,12 @@ gitea:
 server:
 DOMAIN: 'gitea.{{{ .Env.DOMAIN }}}'
 ROOT_URL: 'https://gitea.{{{ .Env.DOMAIN }}}:443'
+ oauth:
+ - name: 'Keycloak'
+ provider: 'openidConnect'
+ # or with 'key' and 'secret' parameter directly
+ existingSecret: gitea-credentials
+ autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
 service:
 ssh:
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index e2a0981..0627306 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
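Review bot: The `secret:` value under `stringData` in secret.yaml is a literal credential committed in a template, so every environment created from it shares the same OIDC client secret and anyone who can read the repository knows it. Treat the committed value as exposed and rotate it. Have the Secret created at install time (generated per environment or synced from a secret store); if a manifest must stay in the tree, keep only a placeholder such as `secret: '<generated-at-install>'`. Nothing visible in this commit sets the same secret on the Keycloak `forgejo` client, so the two sides may not agree unless that is handled elsewhere.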
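Review bot: `autoDiscoverUrl` in values.yaml points at `https://gitea.example.com/...`, a fixed placeholder host that is neither templated like `DOMAIN` and `ROOT_URL` just above nor the identity provider. The discovery document tells Forgejo which authorization, token and JWKS endpoints to trust, so it should resolve to this deployment's Keycloak realm issuer, e.g. `autoDiscoverUrl: 'https://<keycloak-host>/realms/<realm>/.well-known/openid-configuration'` with the host built from `{{{ .Env.DOMAIN }}}`. The copied chart comment `# or with 'key' and 'secret' parameter directly` could be replaced by one stating that `gitea-credentials` must carry the `key` and `secret` entries. The `gitea:` mapping starts and continues outside the hunk.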
@@ -181,6 +181,35 @@ data:
 ]
 }
+ forgejo-client-payload.json: |
+ {
+ "protocol": "openid-connect",
+ "clientId": "forgejo",
+ "name": "Forgejo Client",
+ "description": "Used for Forgejo SSO",
+ "publicClient": false,
+ "authorizationServicesEnabled": false,
+ "serviceAccountsEnabled": false,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "standardFlowEnabled": true,
+ "frontchannelLogout": true,
+ "attributes": {
+ "saml_idp_initiated_sso_url_name": "",
+ "oauth2.device.authorization.grant.enabled": false,
+ "oidc.ciba.grant.enabled": false
+ },
+ "alwaysDisplayInConsole": false,
+ "rootUrl": "https://{{{ .Env.DOMAIN }}}",
+ "baseUrl": "",
+ "redirectUris": [
+ "https://{{{ .Env.DOMAIN }}}/*"
+ ],
+ "webOrigins": [
+ "/*"
+ ]
+ }
+
 ---
 apiVersion: batch/v1
 kind: Job
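Review bot: `redirectUris` accepts `https://{{{ .Env.DOMAIN }}}/*`, a wildcard over every path on the base domain, which is broader than this client needs and lets any application served from that host receive its authorization responses. It also does not appear to cover the `gitea.{{{ .Env.DOMAIN }}}` host that `ROOT_URL` in the Forgejo values uses, so the login redirect may be rejected. Pinning it to the callback, e.g. `"https://gitea.{{{ .Env.DOMAIN }}}/user/oauth2/Keycloak/callback"`, and setting `"directAccessGrantsEnabled": false` (the password grant is not needed for browser SSO) would tighten the client. `"webOrigins": ["/*"]` is worth checking too, since Keycloak normally expects origins or `+` there. The ConfigMap's `data:` block starts outside the hunk.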