diff --git a/helmchart/single-sign-on/templates/deployment-userfrontend.yaml b/helmchart/single-sign-on/templates/deployment-userfrontend.yaml
index b8c824ea955ddafbc11b3ed094e246ba37d0f78b..1aa814ab16d344276dd0cebb14a38537a7df3d04 100644
--- a/helmchart/single-sign-on/templates/deployment-userfrontend.yaml
+++ b/helmchart/single-sign-on/templates/deployment-userfrontend.yaml
@@ -36,9 +36,15 @@ spec:
             - name: BACKEND_API_URL
               value: http://{{ include "single-sign-on.fullname" . }}-userbackend/graphql
             - name: OAUTH_CLIENT_ID
-              value: user-panel
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "single-sign-on.fullname" . }}-oauth2client-userpanel
+                  key: client_id
             - name: OAUTH_CLIENT_SECRET
-              value: secret_secret
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "single-sign-on.fullname" . }}-oauth2client-userpanel
+                  key: client_secret
           ports:
             - name: userpanel
               containerPort: 3000
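Review bot: The two `secretKeyRef` entries point at a Secret that no template in this diff creates. It is presumably written by the Hydra controller once it reconciles the OAuth2Client resource, so the Pod will stay in CreateContainerConfigError until that Secret exists, and will never start if the CRD or controller is missing from the cluster. I would document that dependency above the env entries, e.g. `# Secret is created by the Hydra controller from the OAuth2Client in oauth2client-user-panel.yaml`. Separately, OAUTH_CLIENT_SECRET is still injected into the user frontend although the client is registered for the implicit grant only; if this environment can reach the browser bundle the secret is effectively public, so confirm it is read server-side only or drop the variable. The container spec starts and ends outside this hunk.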
diff --git a/helmchart/single-sign-on/templates/oauth2client-user-panel.yaml b/helmchart/single-sign-on/templates/oauth2client-user-panel.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b8c0a0de3877ffcd5cdb8f8f61bd5496f67f6f26
--- /dev/null
+++ b/helmchart/single-sign-on/templates/oauth2client-user-panel.yaml
@@ -0,0 +1,13 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: user-panel
+  labels:
+{{ include "single-sign-on.labels" . | indent 4 }}
+spec:
+  grantTypes: ["implicit"]
+  responseTypes: ["token"]
+  scope: "opeind profile email openappstack_roles"
+  redirectUris: [ "https://{{ .Values.userpanel.ingress.host }}/callback" ]
+  tokenEndPointAuthMethod: "client_secret_basic"
+  secretName: {{ include "single-sign-on.fullname" . }}-oauth2client-userpanel
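Review bot: The `scope:` line reads `opeind`, which looks like a typo for `openid`; as written the client is not registered for the `openid` scope, so a request including it would presumably be refused by Hydra. Suggested line: `scope: "openid profile email openappstack_roles"`. Separately, `grantTypes: ["implicit"]` with `responseTypes: ["token"]` delivers the access token in the redirect URL fragment, where it is exposed to browser history and to any script on the callback page; if the user panel can do a back-channel exchange, registering `authorization_code` with PKCE is the safer choice. `tokenEndPointAuthMethod: "client_secret_basic"` only applies at the token endpoint, which an implicit-only client never calls, and the key casing is worth checking against the CRD schema (I would expect `tokenEndpointAuthMethod`). `metadata.name: user-panel` is also fixed while `secretName` is release-derived, so two releases in one namespace would collide on the resource name.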