diff --git a/hosts/elisabeth/secrets/kanidm/generated/oauth2-paperless.age b/hosts/elisabeth/secrets/kanidm/generated/oauth2-paperless.age
new file mode 100644
index 0000000..516d287
Binary files /dev/null and b/hosts/elisabeth/secrets/kanidm/generated/oauth2-paperless.age differ
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
index 4b966c8..4e84aee 100644
Binary files a/hosts/elisabeth/secrets/kanidm/secrets.nix.age and b/hosts/elisabeth/secrets/kanidm/secrets.nix.age differ
diff --git a/modules/services/kanidm.nix b/modules/services/kanidm.nix
index b6ee6a8..6328bf9 100644
--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@@ -33,6 +33,11 @@ in {
 mode = "440";
 group = "kanidm";
 };
+ oauth2-paperless = {
+ generator.script = "alnum";
+ mode = "440";
+ group = "kanidm";
+ };
 oauth2-forgejo = {
 generator.script = "alnum";
 mode = "440";
@@ -60,6 +65,21 @@ in {
 
 inherit (config.secrets.secrets.local.kanidm) persons;
 
+ groups."paperless.access" = {
+ members = ["paperless.admins"];
+ };
+ # currently not usable
+ groups."paperless.admins" = {
+ members = ["administrator"];
+ };
+ systems.oauth2.paperless = {
+ displayName = "paperless";
+ originUrl = "https://ppl.${config.secrets.secrets.global.domains.web}/";
+ basicSecretFile = config.age.secrets.oauth2-paperless.path;
+ scopeMaps."paperless.access" = ["openid" "email" "profile"];
+ preferShortUsername = true;
+ };
+
 groups."nextcloud.access" = {
 members = ["nextcloud.admins"];
 };
diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix
index 971589a..c312a2b 100644
--- a/modules/services/paperless.nix
+++ b/modules/services/paperless.nix
@@ -1,4 +1,6 @@
 {
+ pkgs,
+ nodes,
 config,
 lib,
 ...
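Review bot: The `# currently not usable` comment above `groups."paperless.admins"` in the second kanidm.nix hunk says neither what is unusable nor why, so a later reader cannot tell whether the group is dead configuration or is waiting on a fix; if the reason is that paperless does not map this group to any role of its own, say so, e.g. `# currently not usable: paperless has no role mapping for this group yet, it only widens paperless.access via nesting`. Separately, `originUrl` is set to the site root while the allauth callback is presumably a path under it (`/accounts/oidc/kanidm/login/callback/` is the django-allauth layout); Kanidm releases that validate the full redirect URI rather than only the origin will reject that callback, so the comment or a follow-up should record which Kanidm behaviour this relies on. The `provision` attrset these lines live in starts and ends outside the hunk.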
@@ -81,6 +83,22 @@ in { PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessdomain}"; PAPERLESS_TRUSTED_PROXIES = lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4; + PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; + + PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON { + openid_connect = { + OAUTH_PKCE_PROVIDER = "True"; + APPS = [ + rec { + provider_id = "kanidm"; + name = "Kanidm"; + client_id = "paperless"; + settings.server_url = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/${client_id}/.well-known/openid-configuration"; + } + ]; + }; + }; + # let nginx do all the compression PAPERLESS_ENABLE_COMPRESSION = false; PAPERLESS_CONSUMER_ENABLE_BARCODES = true; @@ -110,4 +128,15 @@ in { mode = "0770"; } ]; + # Mirror the original oauth2 secret + age.secrets.paperless-oauth2-client-secret = { + inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-paperless) rekeyFile; + mode = "440"; + group = "paperless"; + }; + + systemd.services.paperless-web.script = lib.mkBefore '' + paperlessClientSecret=$(< ${config.age.secrets.paperless-oauth2-client-secret.path}) + export PAPERLESS_SOCIALACCOUNT_PROVIDERS="$( <<< $PAPERLESS_SOCIALACCOUNT_PROVIDERS ${pkgs.jq}/bin/jq -c --arg paperlessClientSecret "$paperlessClientSecret" '.openid_connect.APPS.[0].secret = $paperlessClientSecret')" + ''; }
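Review bot: `OAUTH_PKCE_PROVIDER = "True";` inside the `openid_connect` block does not look like a key django-allauth reads; the PKCE switch documented by allauth and by paperless-ngx is `OAUTH_PKCE_ENABLED`, so as written the setting is presumably ignored. Kanidm requires PKCE for OAuth2 clients unless it is explicitly disabled per client, so if the allauth shipped with this paperless package does not enable PKCE by default, the authorization request will be refused; suggest `OAUTH_PKCE_ENABLED = "True";` and a check against the bundled allauth version. The JSON rendered here deliberately carries no `secret` and is shared by every paperless service; a one-line comment such as `# client secret is spliced in at runtime by the paperless-web script below` would make that intent visible. The environment attrset this hunk edits starts and ends outside the hunk.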
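Review bot: In the `paperless-web` script, `jq --arg paperlessClientSecret "$paperlessClientSecret"` places the OAuth2 client secret on jq's command line, where it is readable by every local user via the process's cmdline for the duration of the call and can be captured by process accounting or audit logging; reading the file with `--rawfile` keeps it off argv. For example `export PAPERLESS_SOCIALACCOUNT_PROVIDERS="$(${pkgs.jq}/bin/jq -c --rawfile secret ${config.age.secrets.paperless-oauth2-client-secret.path} '.openid_connect.APPS[0].secret = ($secret | rtrimstr("\n"))' <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS")"` also drops the intermediate `paperlessClientSecret=$(< …)` variable and quotes the here-string. `.APPS.[0]` with a dot before the bracket is only accepted by jq 1.7 and later, while `.APPS[0]` works on every version. The secret still ends up in the service environment, which is visible to the paperless user and root, so this narrows exposure rather than removing it.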