diff --git a/inventory/group_vars/beaker b/inventory/group_vars/beaker
index 1b9c597141..1f51c08b65 100644
--- a/inventory/group_vars/beaker
+++ b/inventory/group_vars/beaker
@@ -27,6 +27,10 @@ beaker_server_admin_user: "{{ prod_beaker_server_admin_user }}"
 beaker_server_admin_pass: "{{ prod_beaker_server_admin_pass }}"
 beaker_server_email: "sysadmin-qa-members@fedoraproject.org"
+beaker_oidc_token_info_url: "https://id.fedoraproject.org/openidc/TokenInfo"
+beaker_oidc_client_id: "beaker-prod"
+beaker_oidc_client_secret: "{{ prod_beaker_oidc_client_secret }}"
+
 beaker_lab_controller_username: "host/beaker01.qa.fedoraproject.org"
 beaker_lab_controller_password: "{{ prod_beaker_lab_controller_password }}"
diff --git a/inventory/group_vars/beaker-stg b/inventory/group_vars/beaker-stg
index f66f2e0f49..2866daf988 100644
--- a/inventory/group_vars/beaker-stg
+++ b/inventory/group_vars/beaker-stg
@@ -27,6 +27,10 @@ beaker_server_admin_user: "{{ stg_beaker_server_admin_user }}"
 beaker_server_admin_pass: "{{ stg_beaker_server_admin_pass }}"
 beaker_server_email: "sysadmin-qa-members@fedoraproject.org"
+beaker_oidc_token_info_url: "https://id.stg.fedoraproject.org/openidc/TokenInfo"
+beaker_oidc_client_id: "beaker-stg"
+beaker_oidc_client_secret: "{{ stg_beaker_oidc_client_secret }}"
+
 beaker_lab_controller_username: "host/beaker-stg01.qa.fedoraproject.org"
 beaker_lab_controller_password: "{{ stg_beaker_lab_controller_password }}"
diff --git a/roles/beaker/server/templates/etc/beaker/server.cfg.j2 b/roles/beaker/server/templates/etc/beaker/server.cfg.j2
index 68e44fc5ac..854b9cf60e 100644
--- a/roles/beaker/server/templates/etc/beaker/server.cfg.j2
+++ b/roles/beaker/server/templates/etc/beaker/server.cfg.j2
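Review bot: `beaker_oidc_client_secret` resolves to `prod_beaker_oidc_client_secret`, which is not defined anywhere in this diff; the beaker-stg hunk has the same dependency on `stg_beaker_oidc_client_secret`. Presumably both live in the private variables alongside the other `prod_`/`stg_` credentials, but since the server.cfg.j2 hunk references the value unconditionally, a missing definition would fail the template render for that environment. A one-line comment above the new block, such as `# OIDC client secret is supplied from the private vars`, would make that dependency explicit.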
@@ -67,6 +67,10 @@ mail.on = True
 # /etc/httpd/conf.d/beaker-server.conf.
 #identity.krb_auth_principal = "HTTP/hostname@EXAMPLE.COM"
 #identity.krb_auth_keytab = "/etc/krb5.keytab"
+# OpenID Connect authentication
+identity.oauth2_token_info_url = "{{ beaker_oidc_token_info_url }}"
+identity.oauth2_client_id = "{{ beaker_oidc_client_id }}"
+identity.oauth2_client_secret = "{{ beaker_oidc_client_secret }}"
 # These are used when generating absolute URLs (e.g. in e-mails sent by Beaker)
 # You should only have to set this if socket.gethostname() returns the wrong
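Review bot: The added `identity.oauth2_client_secret` line writes the OIDC client secret into the rendered `server.cfg` in clear text, and nothing in this change shows how that file is protected. The task that renders this template is outside the diff, so it is worth confirming that it sets a restrictive owner and mode on the file and keeps the rendered content out of playbook output, for example with `no_log: true` on the template task. Separately, the new `# OpenID Connect authentication` comment appears to sit directly under the commented-out Kerberos lines; a blank line before it would stop it reading as part of that block.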