diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml
index 0c98961..7042139 100644
--- a/monitoring/docker-compose.yml
+++ b/monitoring/docker-compose.yml
@@ -129,6 +129,20 @@ services:
 GF_USERS_ALLOW_SIGN_UP: "false"
 GF_AUTH_ANONYMOUS_ENABLED: "false"
 GF_PLUGINS_PREINSTALL_DISABLED: "true"
+ # --- Authelia OIDC SSO (2026-06-06) ---
+ GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
+ GF_AUTH_GENERIC_OAUTH_NAME: Authelia
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
+ GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET__FILE: /run/secrets/grafana_oidc_client_secret
+ GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email groups"
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.kaleschke.info/api/oidc/authorization
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.kaleschke.info/api/oidc/token
+ GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.kaleschke.info/api/oidc/userinfo
+ GF_AUTH_GENERIC_OAUTH_USE_PKCE: "true"
+ GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"
+ # Proof: alle OIDC-Logins als Admin; spaeter ueber groups verfeinern
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "'Admin'"
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "false"
 entrypoint:
 - /bin/sh
 - -c
@@ -145,6 +159,7 @@ services:
 secrets:
 - monitoring_grafana_admin_password
 - monitoring_grafana_influxdb_token
+ - grafana_oidc_client_secret
 expose:
 - "3000"
 security_opt:
@@ -160,7 +175,8 @@ services:
 - traefik.http.routers.monitoring-grafana.entrypoints=websecure
 - traefik.http.routers.monitoring-grafana.tls=true
 - traefik.http.routers.monitoring-grafana.tls.certresolver=le
- - traefik.http.routers.monitoring-grafana.middlewares=authelia@file,secure-headers@file
+ # ForwardAuth bewusst entfernt 2026-06-06: Grafana macht jetzt eigenes OIDC-SSO gegen Authelia
+ - traefik.http.routers.monitoring-grafana.middlewares=secure-headers@file
 - traefik.http.services.monitoring-grafana.loadbalancer.server.port=3000
 grafana-dashboard-importer:
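Review bot: `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "'Admin'"` together with `GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"` makes every account that Authelia lets through this client a Grafana org Admin, and nothing in the hunk restricts who that is: the `groups` scope is requested but never evaluated and there is no `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS`. The comment marks this as a proof of concept, but the only remaining gate is the Authelia client policy, which this diff does not show. Even for the trial, a group-gated mapping costs two lines, `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS: <grafana-admin-group>` and `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], '<grafana-admin-group>') && 'Admin' || 'Viewer'"` (group name is a placeholder for the real Authelia group). With a non-constant path, `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "true"` would then reject logins that match no role rather than falling back to the default, whereas with the constant `'Admin'` the strict flag has no effect. Presumably `GF_SERVER_ROOT_URL` is set elsewhere in this service so the redirect URI matches the Authelia client registration; worth confirming, as it is not in the hunk.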
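Review bot: Dropping `authelia@file` from the router means Grafana's own login form, the local admin password and basic auth on `/api` are now the authentication surface reached directly from the edge, whereas before the ForwardAuth middleware covered every path; the diff adds nothing to close the password path. If OIDC is meant to be the only way in, add `GF_AUTH_DISABLE_LOGIN_FORM: "true"` and `GF_AUTH_BASIC_ENABLED: "false"` to the environment once the OIDC flow is confirmed working (they remove the fallback), and keep a rate-limit control on `/login` in front of Grafana. The labels block for `grafana-dashboard-importer` continues outside the hunk.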
@@ -364,5 +380,7 @@ secrets:
 file: /mnt/user/appdata/secrets/monitoring_grafana_admin_password.txt
 monitoring_grafana_influxdb_token:
 file: /mnt/user/appdata/secrets/monitoring_grafana_influxdb_token.txt
+ grafana_oidc_client_secret:
+ file: /mnt/user/appdata/secrets/grafana_oidc_client_secret
 influxdb3_admin_token:
 file: /mnt/user/appdata/secrets/influxdb3_admin_token.json
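Review bot: The new secret file `/mnt/user/appdata/secrets/grafana_oidc_client_secret` breaks the naming pattern of its siblings (`monitoring_` prefix, `.txt` suffix), which makes it easy to miss in a directory listing or a backup/permission rule; `monitoring_grafana_oidc_client_secret.txt` would match, with the same rename in the service's `secrets:` list and in the `__FILE` path in the environment. The `__FILE` mechanism appears to hand the file content to Grafana as-is, so a trailing newline in the file would become part of the client secret and the token exchange would fail with an unhelpful error; confirm how the file was written. Ownership and mode of the file on the host are not visible here.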