diff --git a/idm/external-authelia.yml b/idm/external-authelia.yml
new file mode 100644
index 0000000..e4f5322
--- /dev/null
+++ b/idm/external-authelia.yml
@@ -0,0 +1,14 @@
+---
+services:
+ opencloud:
+ environment:
+ # enable opaque access tokens
+ PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
+ PROXY_OIDC_SKIP_VERIFICATION: "false"
+
+ # oidc assignment driver currently doesn't work with the desktop client: https://github.com/opencloud-eu/desktop/issues/217
+ PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
+ GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"
+
+ PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
+ WEB_OIDC_SCOPE: "openid profile email groups"
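Review bot: The comment above `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"` says only "enable opaque access tokens" and leaves out what is given up: with `none` the proxy does no local signature check, so as far as I know a token's validity rests entirely on the lookup against the IdP's userinfo endpoint. I would state that in the file, e.g. `# opaque tokens cannot be verified as JWTs; validity is established only via the IdP userinfo endpoint, so that lookup must stay enabled and go over verified TLS`. Separately, `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"` looks unused while the driver is `default`, and with `GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"` every account Authelia authenticates presumably receives the default user role regardless of group membership; a comment such as `# only read by the "oidc" driver; kept for when the desktop client issue is resolved` would stop operators assuming Authelia groups gate access. It is also worth confirming that `PROXY_OIDC_SKIP_VERIFICATION` is a name the proxy actually reads, since an unrecognised environment variable has no effect and gives no error.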