diff --git a/README.md b/README.md
index faf00be7..e95ad7a1 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@
  - [Crowd](#crowd)
  - [Microsoft Azure](#microsoft-azure)
  - [Generic OAuth2](#Generic-OAuth2)
+ - [OpenID Connect](#openid-connect)
  - [Gitlab Pages](#gitlab-pages)
  - [External Issue Trackers](#external-issue-trackers)
  - [Host UID / GID Mapping](#host-uid--gid-mapping)
@@ -725,6 +726,30 @@ As an example this code has been tested with Keycloak, with the following variab
 See [GitLab documentation](https://docs.gitlab.com/ee/integration/oauth2_generic.html#sign-into-gitlab-with-almost-any-oauth2-provider) and [Omniauth-oauth2-generic documentation](https://gitlab.com/satorix/omniauth-oauth2-generic) for more details.
+##### OpenID Connect
+
+To enable OpenID Connect provider, you must register your application with your provider. You also need to confirm OpenID Connect provider app's ID and secret, the client options and the user's response structure.
+
+To use OIDC set at least `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID`.
+
+| GitLab setting | environment variable | default value |
+|--------------------------------|-------------------------------------|--------------------------------|
+| `label` | `OAUTH_OIDC_LABEL` | `OpenID Connect` |
+| `icon` | `OAUTH_OIDC_ICON` | |
+| `scope` | `OAUTH_OIDC_SCOPE` | `['openid','profile','email']` |
+| `response_type` | `OAUTH_OIDC_RESPONSE_TYPE` | `code` |
+| `issuer` | `OAUTH_OIDC_ISSUER` | |
+| `discovery` | `OAUTH_OIDC_DISCOVERY` | `true` |
+| `client_auth_method` | `OAUTH_OIDC_CLIENT_AUTH_METHOD` | `basic` |
+| `uid_field` | `OAUTH_OIDC_UID_FIELD` | `sub` |
+| `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` | `false` |
+| `pkce` | `OAUTH_OIDC_PKCE` | `true` |
+| `client_options.identifier` | `OAUTH_OIDC_CLIENT_ID` | |
+| `client_options.secret` | `OAUTH_OIDC_CLIENT_SECRET` | `secret` |
+| `client_options.redirect_uri` | `OAUTH_OIDC_REDIRECT_URI` | `http://${GITLAB_HOST}/users/auth/openid_connect/callback` or `https://${GITLAB_HOST}/users/auth/openid_connect/callback` depending on the value of `GITLAB_HTTPS` |
+
+See [GitLab OIDC documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) and [OmniAuth OpenID Connect documentation](https://github.com/omniauth/omniauth_openid_connect/).
+
 #### Gitlab Pages
 Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the envrionment variable `GITLAB_PAGES_ENABLED` to `true`.
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 226ced2e..f828dd6f 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -1031,6 +1031,23 @@ production: &base
             client_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID}}',
             client_secret: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET}}',
             tenant_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}' } }
+    - { name: 'openid_connect',
+        label: '{{OAUTH_OIDC_LABEL}}',
+        icon: '{{OAUTH_OIDC_ICON}}',
+        args: {
+          name: 'openid_connect',
+          scope: {{OAUTH_OIDC_SCOPE}},
+          response_type: '{{OAUTH_OIDC_RESPONSE_TYPE}}',
+          issuer: '{{OAUTH_OIDC_ISSUER}}',
+          discovery: {{OAUTH_OIDC_DISCOVERY}},
+          client_auth_method: '{{OAUTH_OIDC_CLIENT_AUTH_METHOD}}',
+          uid_field: '{{OAUTH_OIDC_UID_FIELD}}',
+          send_scope_to_token_endpoint: {{OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP}},
+          pkce: {{OAUTH_OIDC_PKCE}},
+          client_options: {
+            identifier: '{{OAUTH_OIDC_CLIENT_ID}}',
+            secret: '{{OAUTH_OIDC_CLIENT_SECRET}}',
+            redirect_uri: '{{OAUTH_OIDC_REDIRECT_URI}}' } } }
     # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
     # cas3:
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 2484a142..7c6de6d9 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
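Review bot: `scope: {{OAUTH_OIDC_SCOPE}}`, `discovery: {{OAUTH_OIDC_DISCOVERY}}`, `send_scope_to_token_endpoint: {{OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP}}` and `pkce: {{OAUTH_OIDC_PKCE}}` are substituted unquoted, so whatever the operator exports is spliced raw into the YAML: the scope has to be a YAML flow sequence and the other three YAML booleans, otherwise the whole `providers` list fails to parse or a non-boolean value reaches the strategy unvalidated. Nothing checks the values before `update_template` runs in `gitlab_configure_oauth_oidc` (the `assets/runtime/functions` hunk of this commit), and the README table only lists the defaults. I'd put a comment above the entry: `# OAUTH_OIDC_SCOPE must be a YAML flow sequence, e.g. ['openid','profile','email']; OAUTH_OIDC_DISCOVERY, OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP and OAUTH_OIDC_PKCE must be true/false (inserted unquoted)`.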
@@ -537,6 +537,28 @@ OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE=${OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE:-}
 OAUTH2_GENERIC_LABEL=${OAUTH2_GENERIC_LABEL:-}
 OAUTH2_GENERIC_NAME=${OAUTH2_GENERIC_NAME:-}
+### OpenID Connect
+OAUTH_OIDC_LABEL=${OAUTH_OIDC_LABEL:-'OpenID Connect'}
+OAUTH_OIDC_ICON=${OAUTH_OIDC_ICON:-}
+OAUTH_OIDC_SCOPE=${OAUTH_OIDC_SCOPE:-"['openid','profile','email']"}
+OAUTH_OIDC_RESPONSE_TYPE=${OAUTH_OIDC_RESPONSE_TYPE:-'code'}
+OAUTH_OIDC_ISSUER=${OAUTH_OIDC_ISSUER:-}
+OAUTH_OIDC_DISCOVERY=${OAUTH_OIDC_DISCOVERY:-true}
+OAUTH_OIDC_CLIENT_AUTH_METHOD=${OAUTH_OIDC_CLIENT_AUTH_METHOD:-'basic'}
+OAUTH_OIDC_UID_FIELD=${OAUTH_OIDC_UID_FIELD:-sub}
+OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP=${OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP:-false}
+OAUTH_OIDC_PKCE=${OAUTH_OIDC_PKCE:-true}
+OAUTH_OIDC_CLIENT_ID=${OAUTH_OIDC_CLIENT_ID:-}
+OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'}
+case $GITLAB_HTTPS in
+  true)
+    OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-https://${GITLAB_HOST}/users/auth/openid_connect/callback}
+    ;;
+  false)
+    OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-http://${GITLAB_HOST}/users/auth/openid_connect/callback}
+    ;;
+esac
+
 ## ANALYTICS
 ### GOOGLE
diff --git a/assets/runtime/functions b/assets/runtime/functions
index c603adb0..a9a778c5 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
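Review bot: `OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'}` ships a placeholder credential as a default: with `OAUTH_OIDC_CLIENT_AUTH_METHOD` defaulting to `basic`, an operator who sets only `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID` (the minimum the README hunk says is required) gets a provider rendered into gitlab.yml that then fails at the token endpoint, with nothing in the container log pointing at the secret. Default it empty like the other OIDC values, `OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-}`, fix the README table row to match, and let `gitlab_configure_oauth_oidc` in the `assets/runtime/functions` hunk warn when the value is empty while the auth method is `basic`. Separately, the `case $GITLAB_HTTPS` block has no `*)` arm: if `GITLAB_HTTPS` is not normalised to `true`/`false` earlier in this file (not visible here), `OAUTH_OIDC_REDIRECT_URI` stays unset and the `redirect_uri` placeholder is filled with an empty string.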
@@ -793,6 +793,30 @@ gitlab_configure_oauth_azure_ad_v2() {
   fi
 }
+gitlab_configure_oauth_oidc() {
+  if [[ -n ${OAUTH_OIDC_ISSUER} && \
+        -n ${OAUTH_OIDC_CLIENT_ID} ]]; then
+    echo "Configuring gitlab::oauth::oidc..."
+    OAUTH_ENABLED=${OAUTH_ENABLED:-true}
+    update_template ${GITLAB_CONFIG} \
+      OAUTH_OIDC_LABEL \
+      OAUTH_OIDC_ICON \
+      OAUTH_OIDC_SCOPE \
+      OAUTH_OIDC_RESPONSE_TYPE \
+      OAUTH_OIDC_ISSUER \
+      OAUTH_OIDC_DISCOVERY \
+      OAUTH_OIDC_CLIENT_AUTH_METHOD \
+      OAUTH_OIDC_UID_FIELD \
+      OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP \
+      OAUTH_OIDC_PKCE \
+      OAUTH_OIDC_CLIENT_ID \
+      OAUTH_OIDC_CLIENT_SECRET \
+      OAUTH_OIDC_REDIRECT_URI
+  else
+    exec_as_git sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d" ${GITLAB_CONFIG}
+  fi
+}
+
 gitlab_configure_oauth() {
   echo "Configuring gitlab::oauth..."
@@ -810,6 +834,7 @@ gitlab_configure_oauth() {
   gitlab_configure_oauth_auth0
   gitlab_configure_oauth_azure
   gitlab_configure_oauth_azure_ad_v2
+  gitlab_configure_oauth_oidc
   OAUTH_ENABLED=${OAUTH_ENABLED:-false}
   update_template ${GITLAB_CONFIG} \
@@ -823,7 +848,7 @@ gitlab_configure_oauth() {
     OAUTH_ALLOW_BYPASS_TWO_FACTOR
   case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
-    cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME)
+    cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc)
       update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
       ;;
     *)
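Review bot: The `else` branch's `sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d"` removes the disabled provider by a line range that is defined purely by the layout of the `openid_connect` entry in `assets/runtime/config/gitlabhq/gitlab.yml` (same commit): it opens at the first `name: 'openid_connect'` line (the entry repeats that key inside `args`, which the range swallows) and relies on the `redirect_uri` placeholder being the entry's last line. Reordering the template's keys would leave a partial, unparseable provider entry behind with no error from this function. I'd put a comment above the `sed`: `# range must track the openid_connect entry in gitlab.yml: first 'name:' line through the redirect_uri placeholder (its last line)`.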
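Review bot: The new `case` arm accepts `oidc` for `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER`, but the provider this commit registers in gitlab.yml is named `openid_connect`, and every other arm in that list is an OmniAuth provider name, which is what `auto_sign_in_with_provider` takes; as written `oidc` is passed through to GitLab as a name it does not register, while `openid_connect` is rejected by the `*)` arm. Change the arm to `cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|openid_connect)` and use `openid_connect` in the README as well. `gitlab_configure_oauth()` begins and ends outside this hunk.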