diff --git a/.changeset/olive-dancers-lie.md b/.changeset/olive-dancers-lie.md
new file mode 100644
index 000000000..277ddee68
--- /dev/null
+++ b/.changeset/olive-dancers-lie.md
@@ -0,0 +1,9 @@
+---
+'hasura-auth': patch
+---
+
+Added support for OpenID Connect auth provider
+
+Tested with [Keycloak](http://keycloak.org/) but other OIDC providers should be working as well. It uses Authorization Code Flow.
+In addition you can enable PKCE (Proof Key for Code Exchange) via the env variable `AUTH_PROVIDER_OIDC_PKCE`.
+
diff --git a/docs/environment-variables.md b/docs/environment-variables.md
index 0208d32bf..bd26d3cfb 100644
--- a/docs/environment-variables.md
+++ b/docs/environment-variables.md
@@ -116,3 +116,12 @@
 | AUTH_PROVIDER_AZUREAD_CLIENT_ID | |
 | AUTH_PROVIDER_AZUREAD_CLIENT_SECRET | |
 | AUTH_PROVIDER_AZUREAD_TENANT | |
+| AUTH_PROVIDER_OIDC_ENABLED | `false` |
+| AUTH_PROVIDER_OIDC_AUTH_URL\* | |
+| AUTH_PROVIDER_OIDC_TOKEN_URL\* | |
+| AUTH_PROVIDER_OIDC_USERINFO_URL\* | |
+| AUTH_PROVIDER_OIDC_CLIENT_ID\* | |
+| AUTH_PROVIDER_OIDC_CLIENT_SECRET\* | |
+| AUTH_PROVIDER_OIDC_SCOPE | `openid profile email` |
+| AUTH_PROVIDER_OIDC_PKCE | `false` |
+
diff --git a/migrations/00014_add-oidc-auth-provider.sql b/migrations/00014_add-oidc-auth-provider.sql
new file mode 100644
index 000000000..3f4030992
--- /dev/null
+++ b/migrations/00014_add-oidc-auth-provider.sql
@@ -0,0 +1,7 @@
+-- start a transaction
+BEGIN;
+INSERT INTO auth.providers (id)
+ VALUES ('oidc')
+ON CONFLICT
+ DO NOTHING;
+COMMIT;
diff --git a/src/routes/oauth/config.ts b/src/routes/oauth/config.ts
index c1d32fc3d..a75e2ef91 100644
--- a/src/routes/oauth/config.ts
+++ b/src/routes/oauth/config.ts
@@ -385,4 +385,25 @@ export const PROVIDERS_CONFIG: Record<
 next();
 },
 },
+ oidc: {
+ grant: {
+ oauth: 2,
+ nonce: true,
+ scope_delimiter: ' ',
+ scope: ['openid', 'profile', 'email'],
+ pkce: process.env.AUTH_PROVIDER_OIDC_PKCE === 'true',
+ authorize_url: `${process.env.AUTH_PROVIDER_OIDC_AUTH_URL}`,
+ access_url: `${process.env.AUTH_PROVIDER_OIDC_TOKEN_URL}`,
+ profile_url: `${process.env.AUTH_PROVIDER_OIDC_USER_INFO_URL}`,
+ client_id: process.env.AUTH_PROVIDER_OIDC_CLIEND_ID,
+ client_secret: process.env.AUTH_PROVIDER_OIDC_CLIENT_SECRET,
+ },
+ profile: ({ profile }) => ({
+ id: profile.sub,
+ email: profile.email,
+ emailVerified: profile.email_verified,
+ displayName: profile.name && profile.nickname,
+ avatarUrl: profile.picture,
+ }),
+ },
 };
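Review bot: `client_id` reads `process.env.AUTH_PROVIDER_OIDC_CLIEND_ID`, which does not match the `AUTH_PROVIDER_OIDC_CLIENT_ID` variable this same commit documents in docs/environment-variables.md, so the grant config will carry an undefined client id at runtime; `profile_url` has the same mismatch (`AUTH_PROVIDER_OIDC_USER_INFO_URL` in code, `AUTH_PROVIDER_OIDC_USERINFO_URL` in the docs), and because the three URLs are wrapped in template literals an unset variable silently becomes the string `"undefined"` instead of failing at startup. The intended lines appear to be `client_id: process.env.AUTH_PROVIDER_OIDC_CLIENT_ID,` and a `profile_url` built from `AUTH_PROVIDER_OIDC_USERINFO_URL`, ideally with a startup check that the required URLs are set when the provider is enabled. `displayName: profile.name && profile.nickname` evaluates to the nickname whenever a name is present and to the (falsy) name otherwise, which looks inverted; `displayName: profile.name || profile.nickname,` is presumably what was meant. The docs also list a configurable `AUTH_PROVIDER_OIDC_SCOPE` with default `openid profile email`, but `scope` is hard-coded here, so that variable is a no-op unless it is consumed elsewhere. The enclosing PROVIDERS_CONFIG object starts outside the hunk.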