diff --git a/Auth-Provider-Configuration.md b/Auth-Provider-Configuration.md index 6fba104..85af704 100644 --- a/Auth-Provider-Configuration.md +++ b/Auth-Provider-Configuration.md @@ -100,6 +100,32 @@ acl: - "@cn=mygroup,ou=groups,dc=example,dc=com" ``` +## OpenID Connect (`oidc`) + +This provider sends the user to the configured OpenID Connect provider for oAuth2 login and returns their identification afterwards as the user. + +```yaml +providers: + oidc: + client_id: "" + client_secret: "" + redirect_url: "https://login.luzifer.io/login" + # Optional, defaults to "OpenID Connect" + issuer_name: "" + issuer_url: "" + + # Optional, defaults to no limitations + require_domain: "example.com" + # Optional, defaults to "user-id" + user_id_method: "full-email" +``` + +The `redirect_url` **must** point back to the `/login` path of nginx-sso to complete the login process. With the `require_domain` parameter you can limit the users being allowed to sign in to users of a specific domain (useful for company internal portals with whitelisting for the company domain). + +By default the user identifier will be the `subject`, which is defined by your OIDC provider. Also supported are the `user_id_method`s of `full-email` and `local-part` which both are derived from the users email address. For the user `knut@example.com` the `full-email` will set the username to `knut@example.com` while `local-part` will set it to `knut`. + +After a new user signed up you can point them to the `/debug` route in your nginx-sso instance and let them send you the displayed username (user ID) for assigning to ACLs. + ## Simple Auth (`simple`) The simple auth provider consists of a static mapping between users and passwords and groups and users. This can be seen as the replacement of htpasswd files.
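Review bot: the default `user_id_method` is described inconsistently in this hunk: the YAML comment says `# Optional, defaults to "user-id"` while the prose below says "By default the user identifier will be the `subject`"; use one name for the default in both places so readers know which value to set explicitly. The text should also state that `local-part` discards the domain, so `knut@example.com` and `knut@other.com` would both map to the username `knut` and share ACL entries unless `require_domain` restricts sign-in to one domain; pairing the two settings in the example (as it already does with `example.com` and `full-email`) and saying which claim `require_domain` is matched against would make that dependency explicit. Minor wording: `oAuth2` should be `OAuth2`, and `the users email address` should be `the user's email address`.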