diff --git a/cmd/server/main.go b/cmd/server/main.go
index cb3a207..a97022d 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -19,6 +19,7 @@ import (
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/config"
 	rmhttp "gitea.dcglab.co.uk/steve/restic-manager/internal/server/http"
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/maintenance"
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc"
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui"
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ws"
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
@@ -92,6 +93,17 @@ func run() error {
 		return fmt.Errorf("ui: %w", err)
 	}
 
+	var oidcClient *oidc.Client
+	if cfg.OIDC != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+		oidcClient, err = oidc.New(ctx, cfg.OIDC, cfg.BaseURL)
+		if err != nil {
+			return fmt.Errorf("oidc: %w", err)
+		}
+		slog.Info("oidc enabled", "issuer", cfg.OIDC.Issuer, "display", cfg.OIDC.DisplayName)
+	}
+
 	deps := rmhttp.Deps{
 		Cfg: cfg,
 		Store: st,
@@ -102,6 +114,7 @@ func run() error {
 		NotificationHub: notifHub,
 		UI: renderer,
 		Version: version,
+		OIDC: oidcClient,
 	}
 
 	// First-run bootstrap: if the users table is empty, mint a one-time
diff --git a/internal/alert/engine.go b/internal/alert/engine.go
index e0205b9..607ed91 100644
--- a/internal/alert/engine.go
+++ b/internal/alert/engine.go
@@ -193,6 +193,9 @@ func (e *Engine) tick(ctx context.Context, now time.Time) {
 	if _, err := e.store.CleanupExpiredSetupTokens(ctx, now); err != nil {
 		slog.Warn("alert: cleanup expired setup tokens", "err", err)
 	}
+	if _, err := e.store.CleanupExpiredOIDCState(ctx, now.Add(-5*time.Minute)); err != nil {
+		slog.Warn("alert: cleanup expired oidc state", "err", err)
+	}
 	hosts, err := e.store.ListHosts(ctx)
 	if err != nil {
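Review bot: The ten-second timeout context built in the new OIDC block of run() is passed to oidc.New, and if that constructor (or a library it wraps) keeps ctx beyond the initial discovery request — for instance for later JWKS fetches when ID tokens are verified — every such request will fail with a deadline error ten seconds after startup, breaking logins at runtime rather than at boot. Please confirm oidc.New uses ctx only for discovery; if it does not, give the client a long-lived cancellable context and keep the timeout for the discovery call alone, e.g. `ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)` wrapping only that call. Note also that `defer cancel()` fires when run() returns, not when the if block ends, which is harmless here but worth a one-line comment. run()'s body begins and ends outside the hunk.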
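Review bot: The OIDC state lifetime is fixed here as `now.Add(-5*time.Minute)` inside the alert engine, away from the package that mints and checks the state, so nothing ties this sweep to the window the callback handler actually accepts; if the handler accepts any stored state row, the real replay window for a login `state` value is this tick interval plus five minutes. A single exported constant in the oidc package used at both sites, e.g. `e.store.CleanupExpiredOIDCState(ctx, now.Add(-oidc.StateTTL))` (constructed name), would keep creation, validation and cleanup in agreement. The sibling call on the line above passes `now` and lets the store decide expiry, so the two calls also differ in convention; a comment such as `// OIDC state rows older than five minutes are abandoned logins; the callback handler must reject them independently of this sweep` would make the intent explicit. tick's body continues past the hunk.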