diff --git a/webui/.env b/webui/.env
index 0b060fb..9f41072 100644
--- a/webui/.env
+++ b/webui/.env
@@ -14,11 +14,24 @@ OPENAI_API_KEY=sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 # ------------------------------------------------------------------
 # OIDC / Keycloak configuration
 # ------------------------------------------------------------------
-OIDC_ENABLED=true # enable OIDC
-OIDC_ISSUER=https://keycloak.example.com/realms/myrealm # Keycloak realm URL
-OIDC_CLIENT_ID=openwebui-client # client ID created in Keycloak
-OIDC_CLIENT_SECRET=your-client-secret # client secret (if confidential)
-OIDC_REDIRECT_URI=https://your-domain.com/auth/callback # exact redirect URI in Keycloak
-OIDC_SCOPE=openid email profile # scopes you want to request
-OIDC_PKCE=true # PKCE (recommended)
+# General
+WEBUI_URL=https://ai.example.com
+
+# Keycloak / OIDC Settings
+OAUTH_CLIENT_ID=open-webui
+OAUTH_CLIENT_SECRET=your_keycloak_client_secret_here
+OPENID_PROVIDER_URL=https://auth.example.com/realms/your-realm/.well-known/openid-configuration
+OAUTH_PROVIDER_NAME=Keycloak
+
+# Logic & Scopes
+ENABLE_OAUTH_SIGNUP=true
+OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
+OAUTH_SCOPES=openid email profile groups
+OAUTH_CODE_CHALLENGE_METHOD=S256
+
+# Role Management
+ENABLE_OAUTH_ROLE_MANAGEMENT=true
+OAUTH_ROLES_CLAIM=groups
+OAUTH_ALLOWED_ROLES=openwebui,openwebui-admin
+OAUTH_ADMIN_ROLES=openwebui-admin
 LOG_LEVEL=debug
\ No newline at end of file
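Review bot: `OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true` under "Logic & Scopes" links an incoming OIDC login to any existing local account with the same email, so it is only safe if the Keycloak realm guarantees the email claim is verified and cannot be edited by the user. Nothing in this hunk shows that guarantee, so I would default to `OAUTH_MERGE_ACCOUNTS_BY_EMAIL=false`, or keep it and add the comment `# safe only if the realm enforces verified, non-user-editable email; otherwise a matching address can claim an existing account`. Since `OAUTH_ADMIN_ROLES=openwebui-admin` is driven entirely by the `groups` claim, a second comment naming the Keycloak mapper that must supply that claim (and whether group names arrive with a leading `/`) would help operators confirm that admin is granted only to the intended group. The secret line is a placeholder here, but this `.env` is tracked in git, so the real `OAUTH_CLIENT_SECRET` should come from an untracked override rather than an edit to this file.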