diff --git a/docker-compose-oauth2.yaml b/docker-compose-oauth2.yaml
new file mode 100644
index 0000000..3b5b85e
--- /dev/null
+++ b/docker-compose-oauth2.yaml
@@ -0,0 +1,47 @@
+version: '3.9'
+
+services:
+ wgui:
+ container_name: wgui
+ image: wireguard-ui:latest
+ read_only: true
+ environment:
+ - DISABLE_LOGIN=true
+ logging:
+ driver: json-file
+ options:
+ max-size: 50m
+ volumes:
+ - ./db:/app/db
+ - ./wireguard:/etc/wireguard
+
+ oauth2-proxy:
+ container_name: wg-oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:latest
+ read_only: true
+ command:
+ --provider="oidc"
+ --client-id="$CLIENT_ID"
+ --client-secret="$CLIENT_SECRET"
+ --login-url=https://$AUTH_SERVER/auth/realms/$REALM/protocol/openid-connect/auth
+ --redeem-url=https://$AUTH_SERVER/auth/realms/$REALM/protocol/openid-connect/token
+ --profile-url=https://$AUTH_SERVER/auth/realms/$REALM/protocol/openid-connect/userinfo
+ --validate-url=https://$AUTH_SERVER/auth/realms/$REALM/protocol/openid-connect/userinfo
+ --oidc-jwks-url=https://$AUTH_SERVER/auth/realms/$REALM/protocol/openid-connect/certs
+ --oidc-issuer-url=https://$AUTH_SERVER/auth/realms/$REALM
+ --http-address=0.0.0.0:5000
+ --cookie-secret="$COOKIE_SECRET"
+ --cookie-secure="false"
+ --email-domain=*
+ --upstream=http://wgui:5000/
+ --redirect-url=http://localhost:5000/oauth2/callback
+ --reverse-proxy="false"
+ --scope="openid email profile"
+ --pass-user-headers="true"
+ --pass-access-token="true"
+ --pass-authorization-header="true"
+ --set-authorization-header="true"
+ --set-xauthrequest="true"
+ hostname: oauth2-proxy
+ ports:
+ - 5000:5000/tcp
diff --git a/main.go b/main.go
index fe1ba68..c2e117e 100644
--- a/main.go
+++ b/main.go
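Review bot: In docker-compose-oauth2.yaml, `DISABLE_LOGIN=true` on wgui makes oauth2-proxy the only access control, yet `--email-domain=*` admits every account the realm can authenticate to a UI that manages WireGuard configuration. Restrict it to the intended operators, for example `--email-domain=<your-domain>` or `--authenticated-emails-file=<path>` (both placeholders; the file needs a matching read-only volume). `--cookie-secure="false"` and the `http://localhost:5000` redirect put the session cookie on plain HTTP, so a comment above `command:` such as `# local testing only: terminate TLS and set --cookie-secure="true" before exposing this` would keep the file from being deployed as is. Both images are pulled as `:latest`; pinning a version tag or digest keeps the authenticating proxy reproducible. The wgui service rightly publishes no `ports:`, and a comment saying it must stay that way would protect the setup from a later edit.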
@@ -43,6 +43,7 @@ const ( func init() { // command-line flags and env variables + flag.BoolVar(&flagDisableLogin, "disable-login", util.LookupEnvOrBool("DISABLE_LOGIN", flagDisableLogin), "Disable login page. Turn off authentication.") flag.StringVar(&flagBindAddress, "bind-address", util.LookupEnvOrString("BIND_ADDRESS", flagBindAddress), "Address:Port to which the app will be bound.") flag.StringVar(&flagSendgridApiKey, "sendgrid-api-key", util.LookupEnvOrString("SENDGRID_API_KEY", flagSendgridApiKey), "Your sendgrid api key.") flag.StringVar(&flagEmailFrom, "email-from", util.LookupEnvOrString("EMAIL_FROM_ADDRESS", flagEmailFrom), "'From' email address.")
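Review bot: The new `disable-login` flag in `init()` switches off all authentication from a single environment variable, and its help text does not say when that is safe. I would change the description to `"Disable the built-in login (no authentication). Only use behind an authenticating reverse proxy; never expose the bind address directly."`. The code that consumes `flagDisableLogin` is outside this hunk, so I cannot tell whether startup logs anything; a one-line warning there when the flag is true would make an accidental `DISABLE_LOGIN=true` visible in the logs. How `util.LookupEnvOrBool` treats an unparseable value is also not shown here and should fall back to `false` rather than enabling the bypass. The body of `init()` continues past the end of the hunk.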