diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml
index 4c346e6..92a17df 100644
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@@ -31,3 +31,23 @@ authentik_use_ssl: true
 # Authentik environment settings
 authentik_log_level: "info"
 authentik_error_reporting_enabled: false
+
+# Blueprints
+# OIDC apps to provision
+
+authentik_oidc_apps: []
+# - slug: grafana
+# name: Grafana
+# client_id_env: GRAFANA_OIDC_CLIENT_ID
+# client_secret_env: GRAFANA_OIDC_CLIENT_SECRET
+# redirect_uris:
+# - url: "https://grafana.example.com/login/generic_oauth"
+# matching_mode: strict
+# signing_key_name: "authentik Self-signed Certificate"
+# flows:
+# authorization_slug: default-provider-authorization-implicit-consent
+# invalidation_slug: default-provider-invalidation-flow
+# scopes: [openid, email, profile, offline_access]
+authentik_blueprint_env: []
+# GRAFANA_OIDC_CLIENT_ID: "grafana"
+# GRAFANA_OIDC_CLIENT_SECRET: "{{ vault_grafana_oidc_secret }}"
\ No newline at end of file
diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml
index 612a224..134245e 100644
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
@@ -32,6 +32,20 @@
 state: directory
 mode: '0755'
+
+- name: Create blueprints directory
+ file:
+ path: "{{ authentik_docker_volume_dir }}/blueprints"
+ state: directory
+ mode: '0755'
+
+- name: Render OIDC blueprints
+ ansible.builtin.template:
+ src: blueprints/blueprint-oidc-app.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/10-oidc-{{ item.slug }}.yaml"
+ mode: "0644"
+ loop: "{{ authentik_oidc_apps }}"
+ register: oidc_templates
+
 - name: Create docker-compose file for authentik
 template:
 src: docker-compose.yml.j2
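Review bot: `authentik_blueprint_env: []` defaults to a list, but the commented example right below it is a mapping and the docker-compose template iterates it with `.items()`, which a list does not have; the `| length > 0` guard only hides this while the value stays empty. Declare it as the type it is consumed as, `authentik_blueprint_env: {}`, so an operator who fills it in by following the example does not hit a render error. The example also shows the OIDC client secret reaching the containers through compose environment variables; that is a documented choice here, but the defaults comment could say that the value ends up in the rendered docker-compose.yml and is readable via container inspection, so it should come from vault as shown and the rendered file should be kept private.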
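Review bot: `item.slug` is interpolated into the `dest` path of "Render OIDC blueprints" (`10-oidc-{{ item.slug }}.yaml`) without any validation, so a slug containing a path separator or `..` would place the rendered file outside the blueprints directory, and the same value is also written unquoted into the blueprint YAML. Inventory is trusted input, but a one-task assert before the loop makes the contract explicit and fails early with a clear message. Separately, files for apps removed from `authentik_oidc_apps` are never deleted, so authentik keeps applying stale blueprints; consider registering the rendered paths and removing other `10-oidc-*.yaml` files in that directory, or documenting that cleanup is manual.
```yaml
# … unchanged: Create blueprints directory task …
- name: Validate OIDC app slugs
  ansible.builtin.assert:
    that: item.slug is match('^[a-z0-9][a-z0-9-]*$')
    fail_msg: "authentik_oidc_apps slug must be a simple token, got: {{ item.slug }}"
  loop: "{{ authentik_oidc_apps }}"

# … unchanged: Render OIDC blueprints task …
```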
@@ -42,3 +56,10 @@
 community.docker.docker_compose_v2:
 project_src: "{{ authentik_docker_compose_dir }}"
 state: present
+ recreate: >-
+ {{
+ (
+ (oidc_templates is defined and (oidc_templates.results | selectattr('changed') | list | length > 0))
+ or (proxy_templates is defined and (proxy_templates.results | selectattr('changed') | list | length > 0))
+ ) | ternary('always','auto')
+ }}
diff --git a/roles/authentik/templates/blueprints/blueprint-oidc-app.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-oidc-app.yaml.j2
new file mode 100644
index 0000000..7270de8
--- /dev/null
+++ b/roles/authentik/templates/blueprints/blueprint-oidc-app.yaml.j2
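Review bot: The `recreate` expression references `proxy_templates`, which no task in this diff registers; if it is registered elsewhere in the role a short comment naming that task would help, otherwise the second branch is dead and should go. The `is defined and (… .results | selectattr('changed') | list | length > 0)` construction can be written with Ansible's `changed` test, which understands looped results, e.g. `recreate: "{{ ((oidc_templates | default({})) is changed or (proxy_templates | default({})) is changed) | ternary('always', 'auto') }}"`. A comment on why `always` is needed (a changed blueprint file is not part of the compose config, so `auto` would not restart the containers) would also save the next reader a trip through the history.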
@@ -0,0 +1,43 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+version: 1
+metadata:
+ name: "oidc-{{ item.slug }}"
+ labels:
+ blueprints.goauthentik.io/instantiate: "true"
+ blueprints.goauthentik.io/description: "OIDC provider + application for {{ item.slug }}"
+
+entries:
+ - model: authentik_providers_oauth2.oauth2provider
+ id: oidc-provider-{{ item.slug }}
+ identifiers:
+ name: {{ item.slug }}
+ attrs:
+ name: {{ item.slug }}
+ client_type: confidential
+ client_id: !Env {{ item.client_id_env }}
+ client_secret: !Env {{ item.client_secret_env }}
+
+ redirect_uris:
+{% for ru in item.redirect_uris %}
+ - url: "{{ ru.url }}"
+ matching_mode: {{ ru.matching_mode | default('strict') }}
+{% endfor %}
+
+ authorization_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.authorization_slug | default('default-provider-authorization-implicit-consent') }}]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, {{ item.flows.invalidation_slug | default('default-provider-invalidation-flow') }}]]
+
+ property_mappings:
+{% for s in (item.scopes | default(['openid','email','profile','offline_access'])) %}
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, {{ s }}]]
+{% endfor %}
+
+ signing_key: !Find [authentik_crypto.certificatekeypair, [name, {{ item.signing_key_name | default('authentik Self-signed Certificate') }}]]
+
+ - model: authentik_core.application
+ id: app-{{ item.slug }}
+ identifiers:
+ slug: {{ item.slug }}
+ attrs:
+ name: "{{ item.name | default(item.slug) }}"
+ slug: {{ item.slug }}
+ provider: !KeyOf oidc-provider-{{ item.slug }}
diff --git a/roles/authentik/templates/docker-compose.yml.j2 b/roles/authentik/templates/docker-compose.yml.j2
index 1b962de..c6b1460 100644
--- a/roles/authentik/templates/docker-compose.yml.j2
+++ b/roles/authentik/templates/docker-compose.yml.j2
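Review bot: Most templated scalars in this blueprint are emitted as plain YAML — `name: {{ item.slug }}`, `slug: {{ item.slug }}`, `matching_mode: {{ … }}`, the `!Find [...]` lookups and the scope names in `[scope_name, {{ s }}]` — so a value that YAML retypes (`no`, `on`, `1.0`, an all-digit slug) or that contains `: ` or ` #` is silently mis-typed or breaks the file when authentik loads it. Quote them the way `url` and the application `name` already are, e.g. `slug: "{{ item.slug }}"` and `[scope_name, "{{ s }}"]`, or render them with `| to_json`. The `strict` default for `matching_mode` is the right safe choice; a header comment noting that a `regex` value supplied from inventory must be fully anchored would make that contract visible to whoever fills in `authentik_oidc_apps`.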
@@ -29,7 +29,13 @@ services:
 AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }}
 AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }}
 AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}"
+{% if authentik_blueprint_env|length > 0 %}
+{% for k, v in authentik_blueprint_env.items() %}
+ {{ k }}: "{{ v }}"
+{% endfor %}
+{% endif %}
 volumes:
+ - {{ authentik_docker_volume_dir }}/blueprints:/blueprints
 - {{ authentik_docker_volume_dir }}/data:/data
 - {{ authentik_docker_volume_dir }}/templates:/templates
 depends_on:
@@ -63,10 +69,16 @@ services:
 AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }}
 AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }}
 AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}"
+{% if authentik_blueprint_env|length > 0 %}
+{% for k, v in authentik_blueprint_env.items() %}
+ {{ k }}: "{{ v }}"
+{% endfor %}
+{% endif %}
 volumes:
 - {{ authentik_docker_volume_dir }}/data:/data
 - {{ authentik_docker_volume_dir }}/certs:/certs
 - {{ authentik_docker_volume_dir }}/templates:/templates
+ - {{ authentik_docker_volume_dir }}/blueprints:/blueprints
 depends_on:
 postgres:
 condition: service_healthy
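Review bot: `{{ k }}: "{{ v }}"` wraps each blueprint env value in double quotes without escaping it, so a client secret containing `"` or `\` (not unusual for a generated secret) produces invalid compose YAML or a silently altered value; `{{ k }}: {{ v | to_json }}` emits a correctly escaped scalar, and the key is likewise unvalidated. The same block is duplicated in the worker service hunk at `@@ -63,10 +69,16 @@`, so both copies need the change. Since these values are secrets, it is also worth a comment in the template that they land in the rendered docker-compose.yml and in the container environment; the file mode used by the "Create docker-compose file" task is outside this diff, so I cannot tell whether the rendered file is already restricted.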