diff --git a/Backend/Afra-App.slnx b/Backend/Afra-App.slnx
index 68c181ed..ed69dad9 100644
--- a/Backend/Afra-App.slnx
+++ b/Backend/Afra-App.slnx
@@ -2,16 +2,15 @@
   <Folder Name="/Solution Items/">
     <File Path="../compose.yaml" />
   </Folder>
-  <Project Path="Altafraner.AfraApp\Altafraner.AfraApp.csproj" Type="C#" />
+    <Project Path="Altafraner.AfraApp\Altafraner.AfraApp.csproj"/>
   <Project Path="Altafraner.Typst.Generator/Altafraner.Typst.Generator.csproj" />
-  <Project Path="Altafraner.Typst\Altafraner.Typst.csproj" Type="C#" />
-  <Project Path="Altafraner.Backbone.Abstractions\Altafraner.Backbone.Abstractions.csproj" Type="C#" />
-  <Project Path="Altafraner.Backbone.CookieAuthentication\Altafraner.Backbone.CookieAuthentication.csproj" Type="C#" />
-  <Project Path="Altafraner.Backbone.DataProtection\Altafraner.Backbone.DataProtection.csproj" Type="C#" />
-  <Project Path="Altafraner.Backbone.Defaults\Altafraner.Backbone.Defaults.csproj" Type="C#" />
-  <Project Path="Altafraner.Backbone.EmailOutbox\Altafraner.Backbone.EmailOutbox.csproj" Type="C#" />
-  <Project Path="Altafraner.Backbone.EmailSchedulingModule\Altafraner.Backbone.EmailSchedulingModule.csproj" Type="C#" />
-  <Project Path="Altafraner.Backbone.Scheduling\Altafraner.Backbone.Scheduling.csproj" Type="C#" />
-  <Project Path="Altafraner.Backbone.Utils\Altafraner.Backbone.Utils.csproj" Type="C#" />
-  <Project Path="Altafraner.Backbone\Altafraner.Backbone.csproj" Type="C#" />
+    <Project Path="Altafraner.Typst\Altafraner.Typst.csproj"/>
+    <Project Path="Altafraner.Backbone.Abstractions\Altafraner.Backbone.Abstractions.csproj"/>
+    <Project Path="Altafraner.Backbone.DataProtection\Altafraner.Backbone.DataProtection.csproj"/>
+    <Project Path="Altafraner.Backbone.Defaults\Altafraner.Backbone.Defaults.csproj"/>
+    <Project Path="Altafraner.Backbone.EmailOutbox\Altafraner.Backbone.EmailOutbox.csproj"/>
+    <Project Path="Altafraner.Backbone.EmailSchedulingModule\Altafraner.Backbone.EmailSchedulingModule.csproj"/>
+    <Project Path="Altafraner.Backbone.Scheduling\Altafraner.Backbone.Scheduling.csproj"/>
+    <Project Path="Altafraner.Backbone.Utils\Altafraner.Backbone.Utils.csproj"/>
+    <Project Path="Altafraner.Backbone\Altafraner.Backbone.csproj"/>
 </Solution>
diff --git a/Backend/Altafraner.AfraApp/Altafraner.AfraApp.csproj b/Backend/Altafraner.AfraApp/Altafraner.AfraApp.csproj
index 833fc49e..7f7e1834 100644
--- a/Backend/Altafraner.AfraApp/Altafraner.AfraApp.csproj
+++ b/Backend/Altafraner.AfraApp/Altafraner.AfraApp.csproj
@@ -8,6 +8,7 @@
     <ItemGroup>
         <PackageReference Include="Ical.Net"/>
         <PackageReference Include="MailKit"/>
+        <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect"/>
         <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore"/>
         <PackageReference Include="Bogus"/>
         <PackageReference Include="Microsoft.AspNetCore.OpenApi"/>
@@ -42,7 +43,6 @@
     </ItemGroup>
 
     <ItemGroup>
-        <ProjectReference Include="..\Altafraner.Backbone.CookieAuthentication\Altafraner.Backbone.CookieAuthentication.csproj"/>
         <ProjectReference Include="..\Altafraner.Backbone.DataProtection\Altafraner.Backbone.DataProtection.csproj"/>
         <ProjectReference Include="..\Altafraner.Backbone.Utils\Altafraner.Backbone.Utils.csproj"/>
         <ProjectReference Include="..\Altafraner.Backbone.EmailOutbox\Altafraner.Backbone.EmailOutbox.csproj"/>
diff --git a/Backend/Altafraner.AfraApp/Backbone/Authorization/AfraAppClaimTypes.cs b/Backend/Altafraner.AfraApp/Backbone/Auth/AfraAppClaimTypes.cs
similarity index 96%
rename from Backend/Altafraner.AfraApp/Backbone/Authorization/AfraAppClaimTypes.cs
rename to Backend/Altafraner.AfraApp/Backbone/Auth/AfraAppClaimTypes.cs
index 20ffaaa6..c2e10888 100644
--- a/Backend/Altafraner.AfraApp/Backbone/Authorization/AfraAppClaimTypes.cs
+++ b/Backend/Altafraner.AfraApp/Backbone/Auth/AfraAppClaimTypes.cs
@@ -1,7 +1,7 @@
 using System.Security.Claims;
 using Altafraner.AfraApp.User.Domain.Models;
 
-namespace Altafraner.AfraApp.Backbone.Authorization;
+namespace Altafraner.AfraApp.Backbone.Auth;
 
 /// <summary>
 ///     Specifies the claim types used in the <see cref="ClaimsPrincipal" /> for the Afra-App
diff --git a/Backend/Altafraner.AfraApp/Backbone/Auth/AuthModule.cs b/Backend/Altafraner.AfraApp/Backbone/Auth/AuthModule.cs
new file mode 100644
index 00000000..3d77fe15
--- /dev/null
+++ b/Backend/Altafraner.AfraApp/Backbone/Auth/AuthModule.cs
@@ -0,0 +1,180 @@
+using System.ComponentModel.DataAnnotations;
+using System.Security.Claims;
+using Altafraner.AfraApp.Domain.Configuration;
+using Altafraner.AfraApp.User.Domain.Models;
+using Altafraner.AfraApp.User.Services;
+using Altafraner.AfraApp.User.Services.LDAP;
+using Altafraner.Backbone.Abstractions;
+using Altafraner.Backbone.Defaults;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+
+namespace Altafraner.AfraApp.Backbone.Auth;
+
+/// <summary>
+/// A module for handling simple authorization cases
+/// </summary>
+[DependsOn<ReverseProxyHandlerModule>]
+internal class AuthModule : IModule
+{
+    public void ConfigureServices(IServiceCollection services, IConfiguration config, IHostEnvironment env)
+    {
+        var cookieSection = config.GetSection("CookieAuthentication");
+        services.AddOptions<CookieAuthenticationSettings>().Bind(cookieSection);
+
+        var cookieSettings = cookieSection.Exists()
+            ? cookieSection.Get<CookieAuthenticationSettings>() ??
+              throw new ValidationException("Cannot bind CookieAuthenticationSettings")
+            : new CookieAuthenticationSettings();
+
+        var oidcSection = config.GetSection("Oidc");
+        services.AddOptions<OidcConfiguration>()
+            .Validate(OidcConfiguration.Validate)
+            .ValidateOnStart()
+            .Bind(oidcSection);
+
+
+        var oidcSettings = oidcSection.Exists()
+            ? oidcSection.Get<OidcConfiguration>() ??
+              throw new ValidationException("Cannot bind OidcConfiguration")
+            : new OidcConfiguration();
+
+        var authBuilder = services.AddAuthentication(options =>
+            {
+                options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
+                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+            })
+            .AddCookie(options =>
+            {
+                options.ExpireTimeSpan = cookieSettings.CookieTimeout;
+                options.Cookie.HttpOnly = true;
+                options.Cookie.SameSite = cookieSettings.SameSiteMode;
+                options.Cookie.SecurePolicy = cookieSettings.SecurePolicy;
+                options.SlidingExpiration = cookieSettings.SlidingExpiration;
+            });
+
+        if (oidcSettings.Enabled)
+            authBuilder.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme,
+                options =>
+                {
+                    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                    options.ResponseType = OpenIdConnectResponseType.Code;
+
+                    options.Authority = oidcSettings.Authority;
+                    options.ClientId = oidcSettings.ClientId;
+                    options.ClientSecret = oidcSettings.ClientSecret;
+
+                    options.CallbackPath = new PathString("/api/oidc/signin");
+                    options.SignedOutCallbackPath = new PathString("/api/oidc/signout");
+
+                    options.Scope.Add("openid");
+                    options.Scope.Add("profile");
+                    options.SaveTokens = false;
+
+                    options.Events = new OpenIdConnectEvents
+                    {
+                        OnTokenValidated = OidcOnTokenValidated,
+                        OnAccessDenied = context =>
+                        {
+                            var logger = context.HttpContext.RequestServices
+                                .GetRequiredService<ILogger<AuthModule>>();
+                            logger.LogWarning("OIDC Access Denied");
+                            context.Response.Redirect("/oidc/access-denied");
+                            context.HandleResponse();
+                            return Task.CompletedTask;
+                        },
+                        OnRemoteFailure = context =>
+                        {
+                            var logger = context.HttpContext.RequestServices
+                                .GetRequiredService<ILogger<AuthModule>>();
+                            logger.LogWarning("OIDC Unexpected Remote Error: {message}", context.Failure?.Message);
+                            context.Response.Redirect("/oidc/remote-error");
+                            context.HandleResponse();
+                            return Task.CompletedTask;
+                        }
+                    };
+                });
+
+        services.AddAuthorizationBuilder()
+            .AddPolicy(AuthorizationPolicies.StudentOnly,
+                policy => policy.RequireClaim(AfraAppClaimTypes.Role,
+                    nameof(Rolle.Oberstufe), nameof(Rolle.Mittelstufe)))
+            .AddPolicy(AuthorizationPolicies.MittelStufeStudentOnly,
+                policy => policy.RequireClaim(AfraAppClaimTypes.Role,
+                    nameof(Rolle.Mittelstufe)))
+            .AddPolicy(AuthorizationPolicies.TutorOnly,
+                policy => policy.RequireClaim(AfraAppClaimTypes.Role,
+                    nameof(Rolle.Tutor)))
+            .AddPolicy(AuthorizationPolicies.Otiumsverantwortlich,
+                policy => policy.RequireClaim(AfraAppClaimTypes.GlobalPermission,
+                    nameof(GlobalPermission.Otiumsverantwortlich)))
+            .AddPolicy(AuthorizationPolicies.ProfundumsVerantwortlich,
+                policy => policy.RequireClaim(AfraAppClaimTypes.GlobalPermission,
+                    nameof(GlobalPermission.Profundumsverantwortlich)))
+            .AddPolicy(AuthorizationPolicies.AdminOnly,
+                policy => policy.RequireClaim(AfraAppClaimTypes.GlobalPermission,
+                    nameof(GlobalPermission.Admin)))
+            .AddPolicy(AuthorizationPolicies.TeacherOrAdmin,
+                policy => policy.RequireAssertion(context =>
+                    context.User.HasClaim(AfraAppClaimTypes.GlobalPermission, nameof(GlobalPermission.Admin))
+                    || context.User.HasClaim(AfraAppClaimTypes.Role, nameof(Rolle.Tutor))));
+    }
+
+    private static async Task OidcOnTokenValidated(TokenValidatedContext context)
+    {
+        var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<OpenIdConnectEvents>>();
+        var oidcSettings = context.HttpContext.RequestServices.GetRequiredService<IOptions<OidcConfiguration>>().Value;
+
+        var oidcUser = context.Principal;
+        var userId = oidcUser?.FindFirst(oidcSettings.IdClaim!)?.Value;
+        logger.LogWarning("UserId: {userId}", userId);
+
+        if (userId is null)
+        {
+            logger.LogWarning("Received OIDC event without ID");
+            context.Fail("The authentication provider did not provide a user ID");
+            return;
+        }
+
+        var userService = context.HttpContext.RequestServices.GetRequiredService<UserService>();
+
+        var user = await userService.GetUserByLdapIdAsync(new Guid(userId));
+        if (user is null)
+        {
+            var ldapService = context.HttpContext.RequestServices.GetRequiredService<LdapService>();
+            await ldapService.SynchronizeAsync();
+            user = await userService.GetUserByIdAsync(new Guid(userId));
+            if (user is null)
+            {
+                context.Fail("User not staged for synchronization");
+                return;
+            }
+        }
+
+        var claims = UserSigninService.GenerateClaims(user);
+        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
+        var principal = new ClaimsPrincipal(identity);
+        context.Principal = principal;
+        context.Success();
+    }
+
+    public void RegisterMiddleware(WebApplication app)
+    {
+        app.UseAuthentication();
+        app.UseAuthorization();
+    }
+
+    public void Configure(WebApplication app)
+    {
+        app.MapGet("/api/oidc/start",
+            () => TypedResults.Challenge(new AuthenticationProperties
+                {
+                    RedirectUri = "/"
+                },
+                [OpenIdConnectDefaults.AuthenticationScheme]));
+    }
+}
diff --git a/Backend/Altafraner.AfraApp/Backbone/Authorization/AuthorizationPolicies.cs b/Backend/Altafraner.AfraApp/Backbone/Auth/AuthorizationPolicies.cs
similarity index 96%
rename from Backend/Altafraner.AfraApp/Backbone/Authorization/AuthorizationPolicies.cs
rename to Backend/Altafraner.AfraApp/Backbone/Auth/AuthorizationPolicies.cs
index 54dbf258..0a42556e 100644
--- a/Backend/Altafraner.AfraApp/Backbone/Authorization/AuthorizationPolicies.cs
+++ b/Backend/Altafraner.AfraApp/Backbone/Auth/AuthorizationPolicies.cs
@@ -1,4 +1,4 @@
-namespace Altafraner.AfraApp.Backbone.Authorization;
+namespace Altafraner.AfraApp.Backbone.Auth;
 
 /// <summary>
 /// A static class containing constants for authorization policies.
diff --git a/Backend/Altafraner.Backbone.CookieAuthentication/Contracts/IAuthenticationLifetimeService.cs b/Backend/Altafraner.AfraApp/Backbone/Auth/IAuthenticationLifetimeService.cs
similarity index 89%
rename from Backend/Altafraner.Backbone.CookieAuthentication/Contracts/IAuthenticationLifetimeService.cs
rename to Backend/Altafraner.AfraApp/Backbone/Auth/IAuthenticationLifetimeService.cs
index 9e7d30d8..94d49f8b 100644
--- a/Backend/Altafraner.Backbone.CookieAuthentication/Contracts/IAuthenticationLifetimeService.cs
+++ b/Backend/Altafraner.AfraApp/Backbone/Auth/IAuthenticationLifetimeService.cs
@@ -1,6 +1,6 @@
 using System.Security.Claims;
 
-namespace Altafraner.Backbone.CookieAuthentication;
+namespace Altafraner.AfraApp.Backbone.Auth;
 
 /// <summary>
 ///     A service handling signing in and out users.
diff --git a/Backend/Altafraner.Backbone.CookieAuthentication/Services/AuthenticationLifetimeService.cs b/Backend/Altafraner.AfraApp/Backbone/Auth/Services/AuthenticationLifetimeService.cs
similarity index 91%
rename from Backend/Altafraner.Backbone.CookieAuthentication/Services/AuthenticationLifetimeService.cs
rename to Backend/Altafraner.AfraApp/Backbone/Auth/Services/AuthenticationLifetimeService.cs
index 8bca85c3..ed882337 100644
--- a/Backend/Altafraner.Backbone.CookieAuthentication/Services/AuthenticationLifetimeService.cs
+++ b/Backend/Altafraner.AfraApp/Backbone/Auth/Services/AuthenticationLifetimeService.cs
@@ -1,8 +1,7 @@
 using System.Security.Claims;
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Http;
 
-namespace Altafraner.Backbone.CookieAuthentication.Services;
+namespace Altafraner.AfraApp.Backbone.Auth.Services;
 
 internal class AuthenticationLifetimeService : IAuthenticationLifetimeService
 {
diff --git a/Backend/Altafraner.AfraApp/Backbone/Authorization/AuthorizationModule.cs b/Backend/Altafraner.AfraApp/Backbone/Authorization/AuthorizationModule.cs
deleted file mode 100644
index 12181dcb..00000000
--- a/Backend/Altafraner.AfraApp/Backbone/Authorization/AuthorizationModule.cs
+++ /dev/null
@@ -1,48 +0,0 @@
-using Altafraner.AfraApp.User.Domain.Models;
-using Altafraner.Backbone.Abstractions;
-using Altafraner.Backbone.CookieAuthentication;
-using Altafraner.Backbone.Defaults;
-
-namespace Altafraner.AfraApp.Backbone.Authorization;
-
-/// <summary>
-/// A module for handling simple authorization cases
-/// </summary>
-[DependsOn<ReverseProxyHandlerModule>]
-[DependsOn<CookieAuthenticationModule>]
-public class AuthorizationModule : IModule
-{
-    /// <inheritdoc />
-    public void ConfigureServices(IServiceCollection services, IConfiguration config, IHostEnvironment env)
-    {
-        services.AddAuthorizationBuilder()
-            .AddPolicy(AuthorizationPolicies.StudentOnly,
-                policy => policy.RequireClaim(AfraAppClaimTypes.Role,
-                    nameof(Rolle.Oberstufe), nameof(Rolle.Mittelstufe)))
-            .AddPolicy(AuthorizationPolicies.MittelStufeStudentOnly,
-                policy => policy.RequireClaim(AfraAppClaimTypes.Role,
-                    nameof(Rolle.Mittelstufe)))
-            .AddPolicy(AuthorizationPolicies.TutorOnly,
-                policy => policy.RequireClaim(AfraAppClaimTypes.Role,
-                    nameof(Rolle.Tutor)))
-            .AddPolicy(AuthorizationPolicies.Otiumsverantwortlich,
-                policy => policy.RequireClaim(AfraAppClaimTypes.GlobalPermission,
-                    nameof(GlobalPermission.Otiumsverantwortlich)))
-            .AddPolicy(AuthorizationPolicies.ProfundumsVerantwortlich,
-                policy => policy.RequireClaim(AfraAppClaimTypes.GlobalPermission,
-                    nameof(GlobalPermission.Profundumsverantwortlich)))
-            .AddPolicy(AuthorizationPolicies.AdminOnly,
-                policy => policy.RequireClaim(AfraAppClaimTypes.GlobalPermission,
-                    nameof(GlobalPermission.Admin)))
-            .AddPolicy(AuthorizationPolicies.TeacherOrAdmin,
-                policy => policy.RequireAssertion(context =>
-                    context.User.HasClaim(AfraAppClaimTypes.GlobalPermission, nameof(GlobalPermission.Admin))
-                    || context.User.HasClaim(AfraAppClaimTypes.Role, nameof(Rolle.Tutor))));
-    }
-
-    /// <inheritdoc />
-    public void RegisterMiddleware(WebApplication app)
-    {
-        app.UseAuthorization();
-    }
-}
diff --git a/Backend/Altafraner.Backbone.CookieAuthentication/CookieAuthenticationSettings.cs b/Backend/Altafraner.AfraApp/Domain/Configuration/CookieAuthenticationSettings.cs
similarity index 90%
rename from Backend/Altafraner.Backbone.CookieAuthentication/CookieAuthenticationSettings.cs
rename to Backend/Altafraner.AfraApp/Domain/Configuration/CookieAuthenticationSettings.cs
index f363aafe..3500e60c 100644
--- a/Backend/Altafraner.Backbone.CookieAuthentication/CookieAuthenticationSettings.cs
+++ b/Backend/Altafraner.AfraApp/Domain/Configuration/CookieAuthenticationSettings.cs
@@ -1,6 +1,4 @@
-using Microsoft.AspNetCore.Http;
-
-namespace Altafraner.Backbone.CookieAuthentication;
+namespace Altafraner.AfraApp.Domain.Configuration;
 
 /// <summary>
 ///     Settings for handling cookie authentication
diff --git a/Backend/Altafraner.AfraApp/Domain/Configuration/OidcConfiguration.cs b/Backend/Altafraner.AfraApp/Domain/Configuration/OidcConfiguration.cs
new file mode 100644
index 00000000..8613d00a
--- /dev/null
+++ b/Backend/Altafraner.AfraApp/Domain/Configuration/OidcConfiguration.cs
@@ -0,0 +1,47 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Altafraner.AfraApp.Domain.Configuration;
+
+/// <summary>
+///     Contains OIDC Configuration
+/// </summary>
+public class OidcConfiguration
+{
+    /// <summary>
+    ///     Whether OIDC is used
+    /// </summary>
+    public bool Enabled { get; set; }
+
+    /// <summary>
+    ///     The OIDC Authority
+    /// </summary>
+    /// <example>For keycloak, use <c>https://[your-keycloak-url]/realms/[your-realm]</c></example>
+    public string? Authority { get; set; }
+
+    /// <summary>
+    ///     The name of the claim that stores the ldap objectGuid
+    /// </summary>
+    public string? IdClaim { get; set; }
+
+    /// <summary>
+    ///     The OIDC Client ID
+    /// </summary>
+    public string? ClientId { get; set; }
+
+    /// <summary>
+    ///     The OIDC Client Secret
+    /// </summary>
+    public string? ClientSecret { get; set; }
+
+    internal static bool Validate(OidcConfiguration configuration)
+    {
+        if (!configuration.Enabled) return true;
+        if (!string.IsNullOrWhiteSpace(configuration.Authority)
+            && !string.IsNullOrWhiteSpace(configuration.ClientId)
+            && !string.IsNullOrWhiteSpace(configuration.ClientSecret)
+            && !string.IsNullOrWhiteSpace(configuration.IdClaim))
+            return true;
+        throw new ValidationException(
+            $"{nameof(Authority)}, {nameof(ClientId)}, {nameof(ClientSecret)} and {nameof(IdClaim)} must be set when oidc is enabled");
+    }
+}
diff --git a/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Dashboard.cs b/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Dashboard.cs
index 52ccf395..32a2df46 100644
--- a/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Dashboard.cs
+++ b/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Dashboard.cs
@@ -1,4 +1,4 @@
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.Otium.Services;
 using Altafraner.AfraApp.User.Domain.Models;
 using Altafraner.AfraApp.User.Services;
@@ -48,15 +48,9 @@ private static async Task<IResult> GetStudentDashboardForTeacher(OtiumEndpointSe
         Guid studentId,
         bool all = false)
     {
-        Person student;
-        try
-        {
-            student = await userService.GetUserByIdAsync(studentId);
-        }
-        catch (KeyNotFoundException)
-        {
+        var student = await userService.GetUserByIdAsync(studentId);
+        if (student is null)
             return Results.NotFound();
-        }
 
         var isMentor = await authHelper.CurrentUserIsMentorOf(student);
         var hasBypass = await authHelper.CurrentUserHasGlobalPermission(GlobalPermission.Otiumsverantwortlich) ||
diff --git a/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Katalog.cs b/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Katalog.cs
index 4ed862a9..e70e3175 100644
--- a/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Katalog.cs
+++ b/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Katalog.cs
@@ -1,4 +1,4 @@
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.Otium.Services;
 using Altafraner.AfraApp.User.Services;
 using Microsoft.AspNetCore.Mvc;
diff --git a/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Management.cs b/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Management.cs
index c3b318d8..7bde4d30 100644
--- a/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Management.cs
+++ b/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Management.cs
@@ -1,5 +1,5 @@
 using System.ComponentModel.DataAnnotations;
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.Otium.Domain.Contracts.Services;
 using Altafraner.AfraApp.Otium.Domain.DTO;
 using Altafraner.AfraApp.Otium.Domain.Models;
@@ -619,6 +619,7 @@ private static async Task<IResult> OtiumTerminForceUnenroll(Guid otiumTerminId,
             return Results.BadRequest("Der Block ist bereits abgeschlossen oder läuft.");
 
         var student = await userService.GetUserByIdAsync(personIdWrapper.Value);
+        if (student is null) return Results.Unauthorized();
         await enrollmentService.UnenrollAsync(otiumTerminId, student, true);
         return Results.Ok();
     }
diff --git a/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Note.cs b/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Note.cs
index 024a0770..10295df2 100644
--- a/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Note.cs
+++ b/Backend/Altafraner.AfraApp/Otium/API/Endpoints/Note.cs
@@ -24,6 +24,8 @@ private static async Task<IResult> AddNote(NotesService service,
         if (user.Id != request.StudentId && user.Rolle != Rolle.Tutor) return Results.Forbid();
 
         var affected = await userService.GetUserByIdAsync(request.StudentId);
+        if (affected is null)
+            return Results.Unauthorized();
         if (affected.Rolle is not Rolle.Mittelstufe and not Rolle.Oberstufe) return Results.BadRequest();
 
         var success = await service.TryAddNoteAsync(request.Content, request.StudentId, request.BlockId, user.Id);
@@ -40,6 +42,7 @@ private static async Task<IResult> UpdateNote(NotesService service,
         if (user.Id != request.StudentId && user.Rolle != Rolle.Tutor) return Results.Forbid();
 
         var affected = await userService.GetUserByIdAsync(request.StudentId);
+        if (affected is null) return Results.Unauthorized();
         if (affected.Rolle is not Rolle.Mittelstufe and not Rolle.Oberstufe)
             return Results.BadRequest("The person represented by studentId is not a student.");
 
diff --git a/Backend/Altafraner.AfraApp/Otium/API/Hubs/AttendanceHub.cs b/Backend/Altafraner.AfraApp/Otium/API/Hubs/AttendanceHub.cs
index 958cd66a..1ec4c1f7 100644
--- a/Backend/Altafraner.AfraApp/Otium/API/Hubs/AttendanceHub.cs
+++ b/Backend/Altafraner.AfraApp/Otium/API/Hubs/AttendanceHub.cs
@@ -313,6 +313,7 @@ public async Task MoveStudentNow(Guid studentId,
         try
         {
             var student = await userService.GetUserByIdAsync(studentId);
+            if (student is null) throw new HubException("User not found");
             await enrollmentService.ForceMoveNow(studentId, fromData?.Termin.Id ?? Guid.Empty, toTerminId);
             if (student.Rolle == Rolle.Mittelstufe)
             {
@@ -386,6 +387,8 @@ public async Task MoveStudent(Guid studentId, Guid toTerminId, EnrollmentService
         try
         {
             var student = await userService.GetUserByIdAsync(studentId);
+            if (student is null)
+                throw new HubException("Unauthorized");
             var (fromTerminId, blockId) = await enrollmentService.ForceMove(studentId, toTerminId);
             if (student.Rolle == Rolle.Mittelstufe)
             {
@@ -428,6 +431,7 @@ public async Task ForceUnenroll(Guid studentId,
             throw new HubException("You do not have permission to unenroll students in this block.");
 
         var student = await userService.GetUserByIdAsync(studentId);
+        if (student is null) throw new HubException("Unauthorized");
         await enrollmentService.UnenrollAsync(termin.Id, student, true);
         if (student.Rolle == Rolle.Mittelstufe)
         {
diff --git a/Backend/Altafraner.AfraApp/Otium/OtiumModule.cs b/Backend/Altafraner.AfraApp/Otium/OtiumModule.cs
index 22c99af6..09f02f63 100644
--- a/Backend/Altafraner.AfraApp/Otium/OtiumModule.cs
+++ b/Backend/Altafraner.AfraApp/Otium/OtiumModule.cs
@@ -1,4 +1,4 @@
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.Otium.API.Endpoints;
 using Altafraner.AfraApp.Otium.API.Hubs;
 using Altafraner.AfraApp.Otium.Configuration;
diff --git a/Backend/Altafraner.AfraApp/Otium/Services/AttendanceService.cs b/Backend/Altafraner.AfraApp/Otium/Services/AttendanceService.cs
index 3c1197f9..0c792ffd 100644
--- a/Backend/Altafraner.AfraApp/Otium/Services/AttendanceService.cs
+++ b/Backend/Altafraner.AfraApp/Otium/Services/AttendanceService.cs
@@ -1,5 +1,5 @@
 using System.Security.Claims;
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.Otium.Domain.Contracts.Services;
 using Altafraner.AfraApp.Otium.Domain.Models;
 using Altafraner.AfraApp.Otium.Domain.Models.TimeInterval;
diff --git a/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Bewertung.cs b/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Bewertung.cs
index cd138fcd..019d53f2 100644
--- a/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Bewertung.cs
+++ b/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Bewertung.cs
@@ -1,5 +1,5 @@
 using System.Net.Mime;
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.Profundum.Domain.DTO;
 using Altafraner.AfraApp.Profundum.Services;
 using Altafraner.AfraApp.User.Services;
@@ -51,6 +51,8 @@ public static void MapBewertungEndpoints(this IEndpointRouteBuilder app)
                     DateOnly ausgabedatum) =>
             {
                 var user = await userService.GetUserByIdAsync(userId);
+                if (user is null)
+                    return (Results<UnauthorizedHttpResult, FileContentHttpResult>)TypedResults.Unauthorized();
                 var fileContents =
                     await profundumManagementService.GenerateFileForPerson(user, schuljahr, halbjahr, ausgabedatum);
                 return TypedResults.File(fileContents, MediaTypeNames.Application.Pdf);
diff --git a/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Enrollment.cs b/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Enrollment.cs
index a3438d51..3404a9be 100644
--- a/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Enrollment.cs
+++ b/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Enrollment.cs
@@ -1,4 +1,4 @@
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.Profundum.Services;
 using Altafraner.AfraApp.User.Services;
 using Microsoft.EntityFrameworkCore;
diff --git a/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Management.cs b/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Management.cs
index 24d40e49..edffb702 100644
--- a/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Management.cs
+++ b/Backend/Altafraner.AfraApp/Profundum/API/Endpoints/Management.cs
@@ -1,6 +1,6 @@
 using System.Net.Mime;
 using System.Text;
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.Otium.API.Endpoints;
 using Altafraner.AfraApp.Profundum.Domain.DTO;
 using Altafraner.AfraApp.Profundum.Domain.Models;
diff --git a/Backend/Altafraner.AfraApp/Program.cs b/Backend/Altafraner.AfraApp/Program.cs
index 8e5c7102..8212a94d 100644
--- a/Backend/Altafraner.AfraApp/Program.cs
+++ b/Backend/Altafraner.AfraApp/Program.cs
@@ -1,6 +1,6 @@
 using System.Globalization;
 using Altafraner.AfraApp;
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.Backbone.EmergencyBackup;
 using Altafraner.AfraApp.Calendar;
 using Altafraner.AfraApp.Domain;
@@ -10,7 +10,6 @@
 using Altafraner.AfraApp.User;
 using Altafraner.AfraApp.User.Domain.Models;
 using Altafraner.Backbone;
-using Altafraner.Backbone.CookieAuthentication;
 using Altafraner.Backbone.DataProtection;
 using Altafraner.Backbone.Defaults;
 using Altafraner.Backbone.EmailOutbox;
@@ -30,10 +29,9 @@
     .AddModule<UserModule>()
     .AddModule<SchuljahrModule>()
     .AddModule<ProfundumModule>()
-    .AddModule<AuthorizationModule>()
+    .AddModule<AuthModule>()
     .AddModule<EmergencyBackupModule>()
 // Backbone modules
-    .AddModule<CookieAuthenticationModule>()
     .AddModule<DataProtectionModule<AfraAppContext>>()
     .AddModule<EmailOutboxModule>()
     .AddModuleAndConfigure<EmailSchedulingModule<Person>, EmailSchedulingSettings<Person>>(settings =>
diff --git a/Backend/Altafraner.AfraApp/Schuljahr/API/Endpoints/Schuljahr.cs b/Backend/Altafraner.AfraApp/Schuljahr/API/Endpoints/Schuljahr.cs
index f7dd3c97..fafb4d6d 100644
--- a/Backend/Altafraner.AfraApp/Schuljahr/API/Endpoints/Schuljahr.cs
+++ b/Backend/Altafraner.AfraApp/Schuljahr/API/Endpoints/Schuljahr.cs
@@ -1,4 +1,4 @@
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.Otium.Services;
 using Altafraner.AfraApp.Schuljahr.Domain.DTO;
 using Altafraner.AfraApp.Schuljahr.Services;
diff --git a/Backend/Altafraner.AfraApp/User/API/Endpoints/People.cs b/Backend/Altafraner.AfraApp/User/API/Endpoints/People.cs
index a3bbda41..2626d8e8 100644
--- a/Backend/Altafraner.AfraApp/User/API/Endpoints/People.cs
+++ b/Backend/Altafraner.AfraApp/User/API/Endpoints/People.cs
@@ -1,4 +1,4 @@
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.User.Domain.DTO;
 using Altafraner.AfraApp.User.Services;
 using Microsoft.AspNetCore.Http.HttpResults;
@@ -43,6 +43,8 @@ private static async Task<IResult> GetPersonMentors(AfraAppContext dbContext, Us
         try
         {
             var student = await userService.GetUserByIdAsync(id);
+            if (student is null)
+                return Results.Unauthorized();
             var mentors = await userService.GetMentorsAsync(student);
             return Results.Ok(mentors.Select(s => new PersonInfoMinimal(s)));
         }
diff --git a/Backend/Altafraner.AfraApp/User/API/Endpoints/User.cs b/Backend/Altafraner.AfraApp/User/API/Endpoints/User.cs
index 54a3559a..7bdc4334 100644
--- a/Backend/Altafraner.AfraApp/User/API/Endpoints/User.cs
+++ b/Backend/Altafraner.AfraApp/User/API/Endpoints/User.cs
@@ -1,8 +1,7 @@
 using System.Security.Claims;
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.User.Domain.DTO;
 using Altafraner.AfraApp.User.Services;
-using Altafraner.Backbone.CookieAuthentication;
 
 namespace Altafraner.AfraApp.User.API.Endpoints;
 
diff --git a/Backend/Altafraner.AfraApp/User/Services/UserAccessor.cs b/Backend/Altafraner.AfraApp/User/Services/UserAccessor.cs
index c124c9ad..1fe9ace2 100644
--- a/Backend/Altafraner.AfraApp/User/Services/UserAccessor.cs
+++ b/Backend/Altafraner.AfraApp/User/Services/UserAccessor.cs
@@ -1,7 +1,6 @@
 using System.Security.Claims;
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.User.Domain.Models;
-using Altafraner.Backbone.CookieAuthentication;
 
 namespace Altafraner.AfraApp.User.Services;
 
diff --git a/Backend/Altafraner.AfraApp/User/Services/UserService.cs b/Backend/Altafraner.AfraApp/User/Services/UserService.cs
index ff48d5b0..0309119a 100644
--- a/Backend/Altafraner.AfraApp/User/Services/UserService.cs
+++ b/Backend/Altafraner.AfraApp/User/Services/UserService.cs
@@ -1,7 +1,5 @@
-using Altafraner.AfraApp.User.Configuration.LDAP;
 using Altafraner.AfraApp.User.Domain.Models;
 using Microsoft.EntityFrameworkCore;
-using Microsoft.Extensions.Options;
 
 namespace Altafraner.AfraApp.User.Services;
 
@@ -11,32 +9,33 @@ namespace Altafraner.AfraApp.User.Services;
 public class UserService
 {
     private readonly AfraAppContext _dbContext;
-    private readonly LdapConfiguration _ldapConfiguration;
 
     /// <summary>
     ///     Called by DI
     /// </summary>
-    public UserService(AfraAppContext dbContext, IOptions<LdapConfiguration> ldapConfiguration)
+    public UserService(AfraAppContext dbContext)
     {
         _dbContext = dbContext;
-        _ldapConfiguration = ldapConfiguration.Value;
     }
 
     /// <summary>
     ///     Gets a user by their ID.
     /// </summary>
     /// <returns>The users Person entity</returns>
-    public async Task<Person> GetUserByIdAsync(Guid userId)
+    public async Task<Person?> GetUserByIdAsync(Guid userId)
     {
-        try
-        {
-            return await _dbContext.Personen
-                .FirstAsync(p => p.Id == userId);
-        }
-        catch (InvalidOperationException)
-        {
-            throw new KeyNotFoundException("User not found.");
-        }
+        return await _dbContext.Personen
+            .FirstOrDefaultAsync(p => p.Id == userId);
+    }
+
+    /// <summary>
+    ///     Gets a user by their LDAP ID.
+    /// </summary>
+    /// <returns>The users Person entity</returns>
+    public async Task<Person?> GetUserByLdapIdAsync(Guid ldapId)
+    {
+        return await _dbContext.Personen
+            .FirstOrDefaultAsync(p => p.LdapObjectId == ldapId);
     }
 
     /// <summary>
diff --git a/Backend/Altafraner.AfraApp/User/Services/UserSigninService.cs b/Backend/Altafraner.AfraApp/User/Services/UserSigninService.cs
index 89f31e69..34bfc3bc 100644
--- a/Backend/Altafraner.AfraApp/User/Services/UserSigninService.cs
+++ b/Backend/Altafraner.AfraApp/User/Services/UserSigninService.cs
@@ -1,8 +1,7 @@
 using System.Security.Claims;
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.User.Domain.Models;
 using Altafraner.AfraApp.User.Services.LDAP;
-using Altafraner.Backbone.CookieAuthentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Caching.Memory;
@@ -103,7 +102,7 @@ private async Task SignInAsync(Models_Person user, bool rememberMe, Guid? impers
     /// </summary>
     /// <param name="user">The user to generate the <see cref="ClaimsPrincipal" /> for.</param>
     /// <returns>A <see cref="ClaimsPrincipal" /> for the user</returns>
-    private static List<Claim> GenerateClaims(Models_Person user)
+    internal static List<Claim> GenerateClaims(Models_Person user)
     {
         var claims = new List<Claim>
         {
diff --git a/Backend/Altafraner.AfraApp/User/UserModule.cs b/Backend/Altafraner.AfraApp/User/UserModule.cs
index 338897bf..e0bb708f 100644
--- a/Backend/Altafraner.AfraApp/User/UserModule.cs
+++ b/Backend/Altafraner.AfraApp/User/UserModule.cs
@@ -1,4 +1,4 @@
-using Altafraner.AfraApp.Backbone.Authorization;
+using Altafraner.AfraApp.Backbone.Auth;
 using Altafraner.AfraApp.User.API.Endpoints;
 using Altafraner.AfraApp.User.Configuration.LDAP;
 using Altafraner.AfraApp.User.Services;
@@ -11,7 +11,7 @@ namespace Altafraner.AfraApp.User;
 ///     A module for handling users
 /// </summary>
 [DependsOn<DatabaseModule>]
-[DependsOn<AuthorizationModule>]
+[DependsOn<AuthModule>]
 public class UserModule : IModule
 {
     /// <inheritdoc />
diff --git a/Backend/Altafraner.AfraApp/appsettings.Development.json b/Backend/Altafraner.AfraApp/appsettings.Development.json
index ff2fa633..4529e40b 100644
--- a/Backend/Altafraner.AfraApp/appsettings.Development.json
+++ b/Backend/Altafraner.AfraApp/appsettings.Development.json
@@ -22,6 +22,13 @@
   "CookieAuthentication": {
     "CookieTimeout": "21.00:00:00"
   },
+  "Oidc": {
+    "Enabled": true,
+    "Authority": "",
+    "ClientId": "",
+    "ClientSecret": "",
+    "IdClaim": ""
+  },
   "SMTP": {
     "Host": "localhost",
     "Port": "1025",
diff --git a/Backend/Altafraner.Backbone.CookieAuthentication/Altafraner.Backbone.CookieAuthentication.csproj b/Backend/Altafraner.Backbone.CookieAuthentication/Altafraner.Backbone.CookieAuthentication.csproj
deleted file mode 100644
index 6537ab4c..00000000
--- a/Backend/Altafraner.Backbone.CookieAuthentication/Altafraner.Backbone.CookieAuthentication.csproj
+++ /dev/null
@@ -1,9 +0,0 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-
-    <ItemGroup>
-        <ProjectReference Include="..\Altafraner.Backbone.Defaults\Altafraner.Backbone.Defaults.csproj"/>
-        <ProjectReference Include="..\Altafraner.Backbone.Abstractions\Altafraner.Backbone.Abstractions.csproj"/>
-    </ItemGroup>
-
-</Project>
diff --git a/Backend/Altafraner.Backbone.CookieAuthentication/CookieAuthenticationModule.cs b/Backend/Altafraner.Backbone.CookieAuthentication/CookieAuthenticationModule.cs
deleted file mode 100644
index 4a2fa084..00000000
--- a/Backend/Altafraner.Backbone.CookieAuthentication/CookieAuthenticationModule.cs
+++ /dev/null
@@ -1,45 +0,0 @@
-using System.ComponentModel.DataAnnotations;
-using Altafraner.Backbone.Abstractions;
-using Altafraner.Backbone.CookieAuthentication.Services;
-using Altafraner.Backbone.Defaults;
-using Microsoft.AspNetCore.Builder;
-using Microsoft.Extensions.Configuration;
-using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.Hosting;
-
-namespace Altafraner.Backbone.CookieAuthentication;
-
-/// <summary>
-///     A module handling cookie authentication
-/// </summary>
-[DependsOn<HttpContextAccessorModule>]
-public class CookieAuthenticationModule : IModule
-{
-    /// <inheritdoc />
-    public void ConfigureServices(IServiceCollection services, IConfiguration config, IHostEnvironment env)
-    {
-        var section = config.GetSection("CookieAuthentication");
-        services.AddOptions<CookieAuthenticationSettings>().Bind(section);
-
-        var settings = section.Exists()
-            ? section.Get<CookieAuthenticationSettings>() ??
-              throw new ValidationException("Cannot bind CookieAuthenticationSettings")
-            : new CookieAuthenticationSettings();
-
-        services.AddAuthentication()
-            .AddCookie(options =>
-            {
-                options.ExpireTimeSpan = settings.CookieTimeout;
-                options.Cookie.SameSite = settings.SameSiteMode;
-                options.Cookie.SecurePolicy = settings.SecurePolicy;
-                options.SlidingExpiration = settings.SlidingExpiration;
-            });
-        services.AddScoped<IAuthenticationLifetimeService, AuthenticationLifetimeService>();
-    }
-
-    /// <inheritdoc />
-    public void RegisterMiddleware(WebApplication app)
-    {
-        app.UseAuthentication();
-    }
-}
diff --git a/Backend/Directory.Packages.props b/Backend/Directory.Packages.props
index 815030f1..acd5b180 100644
--- a/Backend/Directory.Packages.props
+++ b/Backend/Directory.Packages.props
@@ -6,6 +6,7 @@
     <PackageVersion Include="Bogus" Version="35.6.5" />
     <PackageVersion Include="Ical.Net" Version="5.2.1" />
     <PackageVersion Include="MailKit" Version="4.15.1" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="10.0.3" />
     <PackageVersion Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="10.0.3" />
     <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.3" />
     <PackageVersion Include="Microsoft.CodeAnalysis.Analyzers" Version="3.11.0" />
@@ -28,4 +29,4 @@
     <PackageVersion Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
     <PackageVersion Include="OpenTelemetry.Exporter.Prometheus.AspNetCore" Version="1.13.0-beta.1" />
   </ItemGroup>
-</Project>
\ No newline at end of file
+</Project>
diff --git a/WebClient/src/App.vue b/WebClient/src/App.vue
index b68b7975..c466ee09 100644
--- a/WebClient/src/App.vue
+++ b/WebClient/src/App.vue
@@ -5,27 +5,23 @@ import 'primeicons/primeicons.css';
 import DynamicDialog from 'primevue/dynamicdialog';
 import AfraNav from '@/components/AfraNav.vue';
 import { useUser } from '@/stores/user';
-import { computed } from 'vue';
-import wappenLight from '/vdaa/favicon.svg?url';
-import wappenDark from '/vdaa/favicon-dark.svg?url';
-import { ConfirmPopup, Image, Skeleton, Toast, useToast } from 'primevue';
-import Login from '@/components/Login.vue';
-import { isDark } from '@/helpers/isdark';
+import { useUserManagement } from '@/composables/userManagement.ts';
+import { ConfirmPopup, Toast, useToast } from 'primevue';
 import ReloadPrompt from '@/components/ReloadPrompt.vue';
 import { useRoute } from 'vue-router';
+import SkeletonView from '@/components/SkeletonView.vue';
 
+const userManagement = useUserManagement();
 const route = useRoute();
 const user = useUser();
 const toast = useToast();
-user.update().catch(() => {
+userManagement.updateUser().catch(() => {
     toast.add({
         severity: 'error',
         summary: 'Fehler',
         detail: 'Ein unerwarteter Fehler ist beim Laden der Nutzerdaten aufgetreten',
     });
 });
-
-const logo = computed(() => (isDark().value ? wappenDark : wappenLight));
 </script>
 
 <template>
@@ -37,50 +33,21 @@ const logo = computed(() => (isDark().value ? wappenDark : wappenLight));
     <template v-if="!user.loading">
         <afra-nav v-if="user.loggedIn" />
         <main class="flex justify-center min-h-[90vh] mt-4">
-            <div v-if="user.loggedIn" :class="route.meta.fullWidth ? 'w-19/20' : 'container'">
+            <div :class="(route.meta.fullWidth ?? false) ? 'w-19/20' : 'container'">
                 <RouterView v-slot="{ Component }">
                     <template v-if="Component">
                         <Suspense>
                             <component :is="Component" />
+                            <template #fallback>
+                                <SkeletonView />
+                            </template>
                         </Suspense>
                     </template>
                 </RouterView>
             </div>
-            <div class="min-container" v-else>
-                <div class="flex justify-center">
-                    <Image
-                        :src="logo"
-                        alt="Logo des Verein der Altafraner"
-                        height="200"
-                    ></Image>
-                </div>
-                <h1>Willkommen bei der Afra-App</h1>
-                <p>Bitte logge dich ein, um die Afra-App zu nutzen.</p>
-                <Login></Login>
-            </div>
-        </main>
-    </template>
-    <template v-else>
-        <Skeleton width="100%" height="4rem" />
-        <main class="flex justify-center min-h-[90vh] mt-4">
-            <div class="container">
-                <h1>
-                    <Skeleton width="60%" height="3rem" />
-                </h1>
-                <p class="flex gap-2 flex-col">
-                    <Skeleton width="100%" height="1rem" />
-                    <Skeleton width="100%" height="1rem" />
-                    <Skeleton width="60%" height="1rem" />
-                </p>
-                <p class="flex gap-2 flex-col">
-                    <Skeleton width="100%" height="1rem" />
-                    <Skeleton width="100%" height="1rem" />
-                    <Skeleton width="100%" height="1rem" />
-                    <Skeleton width="30%" height="1rem" />
-                </p>
-            </div>
         </main>
     </template>
+    <SkeletonView v-else />
     <footer
         class="bg-primary dark:bg-blue-950 w-full py-6 px-8 mt-[1rem] text-center text-primary-contrast sm:grid sm:grid-cols-[1fr_auto_1fr] items-center gap-3 flex flex-wrap justify-between"
     >
@@ -103,11 +70,6 @@ const logo = computed(() => (isDark().value ? wappenDark : wappenLight));
 </template>
 
 <style scoped>
-.min-container {
-    max-width: min(95%, 50rem);
-    margin-top: 5rem;
-}
-
 .container {
     width: 50rem;
 }
diff --git a/WebClient/src/Otium/components/Katalog/Termin.vue b/WebClient/src/Otium/components/Katalog/Termin.vue
index 6f4ba9aa..7e39c95c 100644
--- a/WebClient/src/Otium/components/Katalog/Termin.vue
+++ b/WebClient/src/Otium/components/Katalog/Termin.vue
@@ -12,9 +12,11 @@ import SimpleBreadcrumb from '@/components/SimpleBreadcrumb.vue';
 import MultipleEnrollmentForm from '@/Otium/components/Katalog/Forms/MultipleEnrollmentForm.vue';
 import { useConfirmPopover } from '@/composables/confirmPopover';
 import Notes from '@/Otium/components/Notes/Notes.vue';
+import { useUserManagement } from '@/composables/userManagement.ts';
 
 const settings = useOtiumStore();
 const user = useUser();
+const userManagement = useUserManagement();
 const { openConfirmDialog } = useConfirmPopover();
 const toast = useToast();
 const router = useRouter();
@@ -40,7 +42,7 @@ async function loadTermin() {
             detail: 'Es ist ein Fehler beim Laden aufgetreten.',
         });
         await router.push('/katalog');
-        await user.update();
+        await userManagement.updateUser();
     }
 }
 
diff --git a/WebClient/src/Otium/components/Management/Overview.vue b/WebClient/src/Otium/components/Management/Overview.vue
index 576d7115..9557184e 100644
--- a/WebClient/src/Otium/components/Management/Overview.vue
+++ b/WebClient/src/Otium/components/Management/Overview.vue
@@ -1,5 +1,4 @@
 <script setup>
-import { useUser } from '@/stores/user';
 import { useOtiumStore } from '@/Otium/stores/otium.js';
 import { Button, Column, DataTable, Dialog, Skeleton, useToast } from 'primevue';
 import { ref } from 'vue';
@@ -10,8 +9,9 @@ import { RouterLink } from 'vue-router';
 import OtiumKategorieTag from '@/Otium/components/Shared/OtiumKategorieTag.vue';
 import CreateOtiumForm from '@/Otium/components/Management/CreateOtiumForm.vue';
 import { useConfirmPopover } from '@/composables/confirmPopover';
+import { useUserManagement } from '@/composables/userManagement.ts';
 
-const user = useUser();
+const userManagement = useUserManagement();
 const settings = useOtiumStore();
 const toast = useToast();
 const { openConfirmDialog } = useConfirmPopover();
@@ -76,7 +76,7 @@ async function setup() {
             summary: 'Fehler',
             detail: 'Ein unerwarteter Fehler ist beim Laden der Daten aufgetreten',
         });
-        await user.update();
+        await userManagement.updateUser();
     }
 }
 
diff --git a/WebClient/src/Otium/views/Dashboard/Student.vue b/WebClient/src/Otium/views/Dashboard/Student.vue
index b735c0df..2b36ae2e 100644
--- a/WebClient/src/Otium/views/Dashboard/Student.vue
+++ b/WebClient/src/Otium/views/Dashboard/Student.vue
@@ -4,9 +4,11 @@ import { ref } from 'vue';
 import { mande } from 'mande';
 import { useUser } from '@/stores/user';
 import StudentOverview from '@/Otium/components/Overview/StudentOverview.vue';
+import { useUserManagement } from '@/composables/userManagement.ts';
 
 const loading = ref(true);
 const user = useUser();
+const userManagement = useUserManagement();
 const toast = useToast();
 const termine = ref(null);
 const all = ref(false);
@@ -18,7 +20,7 @@ async function fetchData(getAll = false) {
         termine.value = await (getAll ? dataGetter.get('all') : dataGetter.get());
         all.value = getAll;
     } catch (e) {
-        await user.update();
+        await userManagement.updateUser();
         toast.add({
             severity: 'error',
             summary: 'Fehler',
diff --git a/WebClient/src/Otium/views/Dashboard/Teacher.vue b/WebClient/src/Otium/views/Dashboard/Teacher.vue
index 8b737527..8779d9b0 100644
--- a/WebClient/src/Otium/views/Dashboard/Teacher.vue
+++ b/WebClient/src/Otium/views/Dashboard/Teacher.vue
@@ -5,9 +5,11 @@ import { ref } from 'vue';
 import { mande } from 'mande';
 import { useUser } from '@/stores/user';
 import AuslastungsTag from '@/Otium/components/Shared/AuslastungsTag.vue';
+import { useUserManagement } from '@/composables/userManagement.ts';
 
 const toast = useToast();
 const user = useUser();
+const userManagement = useUserManagement();
 const termine = ref([]);
 const mentees = ref([]);
 const loading = ref(true);
@@ -44,7 +46,7 @@ async function update() {
             summary: 'Fehler',
             detail: 'Ein unerwarteter Fehler ist beim Laden der Daten aufgetreten',
         });
-        await user.update();
+        await userManagement.updateUser();
     } finally {
         loading.value = false;
     }
diff --git a/WebClient/src/Otium/views/Katalog/Index.vue b/WebClient/src/Otium/views/Katalog/Index.vue
index c1782301..a966e70c 100644
--- a/WebClient/src/Otium/views/Katalog/Index.vue
+++ b/WebClient/src/Otium/views/Katalog/Index.vue
@@ -10,6 +10,7 @@ import { useRoute, useRouter } from 'vue-router';
 import { useOtiumStore } from '@/Otium/stores/otium.js';
 import { formatDate } from '@/helpers/formatters';
 import NavBreadcrumb from '@/components/NavBreadcrumb.vue';
+import { useUserManagement } from '@/composables/userManagement.ts';
 
 const props = defineProps({
     datum: {
@@ -30,6 +31,7 @@ const settings = useOtiumStore();
 
 const loading = ref(true);
 const user = useUser();
+const userManagement = useUserManagement();
 const datesAvailable = ref([]);
 const dateDefault = ref(null);
 const kategorieOptionsTree = ref();
@@ -102,7 +104,7 @@ async function startup() {
             summary: 'Fehler',
             detail: 'Ein unerwarteter Fehler ist beim Laden der Daten aufgetreten',
         });
-        await user.update();
+        await userManagement.updateUser();
     }
     loading.value = false;
 }
diff --git a/WebClient/src/Otium/views/Management/Termin.vue b/WebClient/src/Otium/views/Management/Termin.vue
index 5fbae0b0..6c0b8faf 100644
--- a/WebClient/src/Otium/views/Management/Termin.vue
+++ b/WebClient/src/Otium/views/Management/Termin.vue
@@ -23,6 +23,7 @@ import MoveStudentForm from '@/Otium/components/Supervision/MoveStudentForm.vue'
 import { useConfirmPopover } from '@/composables/confirmPopover';
 import { isNowInInterval } from '@/helpers/time.js';
 import SelectStudentToMoveForm from '@/Otium/components/Supervision/SelectStudentToMoveForm.vue';
+import { useUserManagement } from '@/composables/userManagement.ts';
 
 const props = defineProps({
     terminId: String,
@@ -30,6 +31,7 @@ const props = defineProps({
 
 const loading = ref(true);
 const user = useUser();
+const userManagement = useUserManagement();
 const toast = useToast();
 const dialog = useDialog();
 const { openConfirmDialog } = useConfirmPopover();
@@ -95,7 +97,7 @@ async function fetchData() {
     try {
         otium.value = await dataGetter.get();
     } catch (e) {
-        await user.update();
+        await userManagement.updateUser();
         toast.add({
             severity: 'error',
             summary: 'Fehler',
diff --git a/WebClient/src/Otium/views/Teacher/Mentee.vue b/WebClient/src/Otium/views/Teacher/Mentee.vue
index c16dc4ac..2bca3af4 100644
--- a/WebClient/src/Otium/views/Teacher/Mentee.vue
+++ b/WebClient/src/Otium/views/Teacher/Mentee.vue
@@ -6,6 +6,7 @@ import { useUser } from '@/stores/user';
 import StudentOverview from '@/Otium/components/Overview/StudentOverview.vue';
 import { formatStudent } from '@/helpers/formatters';
 import NavBreadcrumb from '@/components/NavBreadcrumb.vue';
+import { useUserManagement } from '@/composables/userManagement.ts';
 
 const props = defineProps({
     studentId: String,
@@ -14,6 +15,7 @@ const props = defineProps({
 const loading = ref(true);
 const mentee = ref(null);
 const user = useUser();
+const userManagement = useUserManagement();
 const toast = useToast();
 const termine = ref(null);
 const all = ref(false);
@@ -44,7 +46,7 @@ async function fetchData(getAll = false) {
         mentee.value = result.mentee;
         all.value = getAll;
     } catch (e) {
-        await user.update();
+        await userManagement.updateUser();
         toast.add({
             severity: 'error',
             summary: 'Fehler',
diff --git a/WebClient/src/assets/main.css b/WebClient/src/assets/main.css
index d9b75beb..898775fb 100644
--- a/WebClient/src/assets/main.css
+++ b/WebClient/src/assets/main.css
@@ -56,6 +56,7 @@
 
 :root {
     font-family: 'Inter', 'Segoe UI', 'Helvetica', 'Arial', sans-serif;
+    font-size: 16px;
 }
 
 @layer theme {
diff --git a/WebClient/src/components/AfraNav.vue b/WebClient/src/components/AfraNav.vue
index 466c5f55..1ca66f36 100644
--- a/WebClient/src/components/AfraNav.vue
+++ b/WebClient/src/components/AfraNav.vue
@@ -8,6 +8,7 @@ import wappenDark from '/vdaa/favicon-dark.svg?url';
 import { useUser } from '@/stores/user';
 import { useRouter } from 'vue-router';
 import { isDark } from '@/helpers/isdark';
+import { useUserManagement } from '@/composables/userManagement';
 
 type GlobalPermissions = 'Otiumsverantwortlich' | 'Profundumsverantwortlich' | 'Admin';
 type Role = 'Tutor' | 'Oberstufe' | 'Mittelstufe';
@@ -153,11 +154,11 @@ const all_items: MenuItemWithCondition[] = [
 const toast = useToast();
 const router = useRouter();
 const user = useUser();
+const userManagement = useUserManagement();
 
 const logout = async () => {
-    const user = useUser();
     try {
-        await user.logout();
+        await userManagement.logout();
         await router.push('/');
         toast.add({
             severity: 'success',
diff --git a/WebClient/src/components/LegacyLogin.vue b/WebClient/src/components/LegacyLogin.vue
new file mode 100644
index 00000000..9a37d2c7
--- /dev/null
+++ b/WebClient/src/components/LegacyLogin.vue
@@ -0,0 +1,78 @@
+<script setup>
+import { Form } from '@primevue/forms';
+import { Button, Checkbox, FloatLabel, InputText, Password, useToast } from 'primevue';
+import { ref } from 'vue';
+import { mande } from 'mande';
+import { useUserManagement } from '@/composables/userManagement.ts';
+
+const loading = ref(false);
+const userManagement = useUserManagement();
+const toast = useToast();
+
+const submit = async (evt) => {
+    if (loading.value) return;
+    const username = evt.states['username'].value;
+    const password = evt.states['password'].value;
+    const remember = !!evt.states['remember'].value;
+    if (!(username && password)) return;
+    loading.value = true;
+    try {
+        await mande('/api/user/login').post(
+            {
+                username: username,
+                password: password,
+                rememberMe: remember,
+            },
+            { responseAs: 'response' },
+        );
+        await userManagement.updateUser();
+    } catch (error) {
+        if (error.response.status === 401) {
+            toast.add({
+                severity: 'error',
+                summary: 'Fehler',
+                detail: 'Fehlerhafte Anmeldedaten',
+                life: 5000,
+            });
+        } else if (error.response.status === 429) {
+            toast.add({
+                severity: 'error',
+                summary: 'Zu viele Anmeldeversuche',
+                detail: 'Bitte warten Sie 5 Minuten, bevor Sie es erneut versuchen.',
+                life: 5000,
+            });
+        } else {
+            toast.add({
+                severity: 'error',
+                summary: 'Fehler',
+                detail: 'Ein unbekannter Fehler ist aufgetreten',
+                life: 5000,
+            });
+        }
+    } finally {
+        loading.value = false;
+    }
+};
+</script>
+
+<template>
+    <Form class="flex flex-col gap-6" @submit="submit">
+        <FloatLabel variant="on">
+            <InputText id="username" fluid name="username" type="text" />
+            <label for="username">Nutzername</label>
+        </FloatLabel>
+        <FloatLabel variant="on">
+            <Password :feedback="false" fluid input-id="password" name="password" toggle-mask />
+            <label for="password">Passwort</label>
+        </FloatLabel>
+        <div class="flex items-center gap-2">
+            <Checkbox binary input-id="remember" name="remember" />
+            <label class="cursor-pointer font-medium text-surface-500" for="remember"
+                >Angemeldet bleiben</label
+            >
+        </div>
+        <Button :loading="loading" fluid label="Einloggen" severity="primary" type="submit" />
+    </Form>
+</template>
+
+<style scoped></style>
diff --git a/WebClient/src/components/Login.vue b/WebClient/src/components/Login.vue
index aca7012c..260dcc39 100644
--- a/WebClient/src/components/Login.vue
+++ b/WebClient/src/components/Login.vue
@@ -1,78 +1,38 @@
-<script setup>
-import { Form } from '@primevue/forms';
-import { Button, Checkbox, FloatLabel, InputText, Password, useToast } from 'primevue';
-import { ref } from 'vue';
-import { mande } from 'mande';
-import { useUser } from '@/stores/user';
+<script lang="ts" setup>
+import { defineAsyncComponent, ref } from 'vue';
+import { Button } from 'primevue';
 
-const loading = ref(false);
-const user = useUser();
-const toast = useToast();
+const LegacyLogin = defineAsyncComponent(() => import('@/components/LegacyLogin.vue'));
 
-const submit = async (evt) => {
-    if (loading.value) return;
-    const username = evt.states['username'].value;
-    const password = evt.states['password'].value;
-    const remember = !!evt.states['remember'].value;
-    if (!(username && password)) return;
-    loading.value = true;
-    try {
-        const loginRequest = await mande('/api/user/login').post(
-            {
-                username: username,
-                password: password,
-                rememberMe: remember,
-            },
-            { responseAs: 'response' },
-        );
-        await user.update();
-    } catch (error) {
-        if (error.response.status === 401) {
-            toast.add({
-                severity: 'error',
-                summary: 'Fehler',
-                detail: 'Fehlerhafte Anmeldedaten',
-                life: 5000,
-            });
-        } else if (error.response.status === 429) {
-            toast.add({
-                severity: 'error',
-                summary: 'Zu viele Anmeldeversuche',
-                detail: 'Bitte warten Sie 5 Minuten, bevor Sie es erneut versuchen.',
-                life: 5000,
-            });
-        } else {
-            toast.add({
-                severity: 'error',
-                summary: 'Fehler',
-                detail: 'Ein unbekannter Fehler ist aufgetreten',
-                life: 5000,
-            });
-        }
-    } finally {
-        loading.value = false;
-    }
-};
+const legacy = ref(false);
 </script>
 
 <template>
-    <Form @submit="submit" class="flex flex-col gap-6 mt-8">
-        <FloatLabel variant="on">
-            <InputText id="username" fluid name="username" type="text" />
-            <label for="username">Nutzername</label>
-        </FloatLabel>
-        <FloatLabel variant="on">
-            <Password name="password" :feedback="false" fluid toggle-mask input-id="password" />
-            <label for="password">Passwort</label>
-        </FloatLabel>
-        <div class="flex items-center gap-2">
-            <Checkbox name="remember" input-id="remember" binary />
-            <label for="remember" class="cursor-pointer font-medium text-surface-500"
-                >Angemeldet bleiben</label
-            >
-        </div>
-        <Button :loading="loading" fluid label="Einloggen" severity="secondary" type="submit" />
-    </Form>
+    <div v-if="!legacy" class="flex flex-col gap-6 mt-8">
+        <Button
+            as="a"
+            fluid
+            href="/api/oidc/start"
+            label="Anmelden mit SSO"
+            severity="primary"
+        />
+        <Button
+            fluid
+            label="Anmelden mit Nutzername und Passwort"
+            severity="secondary"
+            @click="legacy = true"
+        />
+    </div>
+    <div v-if="legacy" class="flex flex-col gap-6 mt-8">
+        <LegacyLogin />
+        <Button
+            as="a"
+            fluid
+            href="/api/oidc/start"
+            label="Stattdessen Anmelden mit SSO"
+            severity="secondary"
+        />
+    </div>
 </template>
 
 <style scoped></style>
diff --git a/WebClient/src/components/SkeletonView.vue b/WebClient/src/components/SkeletonView.vue
new file mode 100644
index 00000000..24f50c2d
--- /dev/null
+++ b/WebClient/src/components/SkeletonView.vue
@@ -0,0 +1,37 @@
+<script lang="ts" setup>
+import { Skeleton } from 'primevue';
+</script>
+
+<template>
+    <Skeleton height="4rem" width="100%" />
+    <main class="flex justify-center min-h-[90vh] mt-4">
+        <div class="container">
+            <h1>
+                <Skeleton height="3rem" width="60%" />
+            </h1>
+            <p class="flex gap-2 flex-col">
+                <Skeleton height="1rem" width="100%" />
+                <Skeleton height="1rem" width="100%" />
+                <Skeleton height="1rem" width="60%" />
+            </p>
+            <p class="flex gap-2 flex-col">
+                <Skeleton height="1rem" width="100%" />
+                <Skeleton height="1rem" width="100%" />
+                <Skeleton height="1rem" width="100%" />
+                <Skeleton height="1rem" width="30%" />
+            </p>
+        </div>
+    </main>
+</template>
+
+<style scoped>
+.container {
+    width: 50rem;
+}
+
+@media screen and (width < 55rem) {
+    .container {
+        width: 95%;
+    }
+}
+</style>
diff --git a/WebClient/src/composables/userManagement.ts b/WebClient/src/composables/userManagement.ts
new file mode 100644
index 00000000..3cb5d071
--- /dev/null
+++ b/WebClient/src/composables/userManagement.ts
@@ -0,0 +1,55 @@
+import { useUser } from '@/stores/user';
+import { useRoute, useRouter } from 'vue-router';
+import { mande } from 'mande';
+import { registerLoggedInRoutes, registerLoggedOutRoutes } from '@/router/index';
+
+export function useUserManagement() {
+    const userStore = useUser();
+    const router = useRouter();
+    const route = useRoute();
+
+    async function updateUser() {
+        const fetchUser = mande('/api/user');
+
+        const wasLoggedIn = userStore.loggedIn;
+
+        const userPromise = fetchUser.get();
+        try {
+            userStore.user = await userPromise;
+            userStore.loggedIn = true;
+            if (!wasLoggedIn) {
+                registerLoggedInRoutes(router);
+                // we need to force vue router to reevaluate which route we're on since the route for our current url might have changed with logging in.
+                await router.replace(route.fullPath);
+            }
+        } catch (error) {
+            if (error.response.status === 401) {
+                userStore.loggedIn = false;
+                userStore.user = null;
+                console.info('Not logged in');
+                registerLoggedOutRoutes(router);
+            } else {
+                console.error('Error fetching user', error);
+                throw error;
+            }
+        } finally {
+            userStore.loading = false;
+        }
+    }
+
+    async function logout() {
+        const logoutUser = mande('/api/user/logout');
+        await logoutUser.get();
+        registerLoggedOutRoutes(router);
+        userStore.loggedIn = false;
+        userStore.user = null;
+        await router.replace(route.fullPath);
+    }
+
+    async function impersonateUser(userId: string) {
+        await mande(`/api/user/${userId}/impersonate`).get();
+        await updateUser();
+    }
+
+    return { updateUser, logout, impersonateUser };
+}
diff --git a/WebClient/src/main.js b/WebClient/src/main.js
index 2b124436..84ddc617 100644
--- a/WebClient/src/main.js
+++ b/WebClient/src/main.js
@@ -1,6 +1,6 @@
 import { createApp } from 'vue';
 import App from './App.vue';
-import router from './router';
+import { createAppRouter } from './router';
 import PrimeVue from 'primevue/config';
 import ToastService from 'primevue/toastservice';
 import Aura from '@primevue/themes/aura';
@@ -167,7 +167,7 @@ const pinia = createPinia();
 const app = createApp(App);
 
 app.use(pinia);
-app.use(router);
+app.use(createAppRouter());
 app.use(PrimeVue, {
     theme: {
         preset: AfraAppPreset,
diff --git a/WebClient/src/router/index.js b/WebClient/src/router/index.js
index f3195ccf..c28bfeed 100644
--- a/WebClient/src/router/index.js
+++ b/WebClient/src/router/index.js
@@ -2,8 +2,38 @@ import { createRouter, createWebHistory } from 'vue-router';
 import Home from '@/views/Home.vue';
 import { routes as otium } from '@/Otium/router/routes.js';
 import { routes as profundum } from '@/Profundum/router/routes.js';
+import LoggedOutHome from '@/views/LoggedOutHome.vue';
+import AccessDenied from '@/views/oidc/AccessDenied.vue';
+import RemoteFailure from '@/views/oidc/RemoteFailure.vue';
 
-const routes = [
+const loggedOutRoutes = [
+    {
+        path: '/',
+        name: 'Home',
+        component: LoggedOutHome,
+    },
+    {
+        path: '/oidc',
+        children: [
+            {
+                name: 'oidc-access-denied',
+                path: 'access-denied',
+                component: AccessDenied,
+            },
+            {
+                name: 'oidc-error',
+                path: 'remote-error',
+                component: RemoteFailure,
+            },
+        ],
+    },
+    {
+        path: '/:pathMatch(?!api/)(.*)*',
+        name: 'NotFound',
+        component: LoggedOutHome,
+    },
+];
+const loggedInRoutes = [
     {
         path: '/',
         name: 'Home',
@@ -28,9 +58,32 @@ const routes = [
     },
 ];
 
-const router = createRouter({
-    history: createWebHistory(import.meta.env.BASE_URL),
-    routes,
-});
+export function createAppRouter() {
+    return createRouter({
+        history: createWebHistory(import.meta.env.BASE_URL),
+        routes: loggedOutRoutes,
+    });
+}
+
+function removeRoutes(router, routes) {
+    for (const route of routes) {
+        if (route.name && router.hasRoute(route.name)) {
+            router.removeRoute(route.name);
+        }
+    }
+}
+
+function addRoutes(router, routes) {
+    for (const route of routes) {
+        router.addRoute(route);
+    }
+}
+
+export function registerLoggedInRoutes(router) {
+    addRoutes(router, loggedInRoutes);
+}
 
-export default router;
+export function registerLoggedOutRoutes(router) {
+    removeRoutes(router, loggedInRoutes);
+    addRoutes(router, loggedOutRoutes);
+}
diff --git a/WebClient/src/stores/user.ts b/WebClient/src/stores/user.ts
index 60014ab8..cb51e162 100644
--- a/WebClient/src/stores/user.ts
+++ b/WebClient/src/stores/user.ts
@@ -1,5 +1,4 @@
 import { defineStore } from 'pinia';
-import { mande } from 'mande';
 
 export const useUser = defineStore('user', {
     state: () => ({
@@ -19,33 +18,4 @@ export const useUser = defineStore('user', {
         isAdmin: (state) => state.user.berechtigungen.includes('Admin'),
         isImpersonating: (state) => state.user?.impersonationId != null,
     },
-    actions: {
-        async update() {
-            const fetchUser = mande('/api/user');
-
-            const userPromise = fetchUser.get();
-            try {
-                this.user = await userPromise;
-                this.loggedIn = true;
-            } catch (error) {
-                if (error.response.status === 401) {
-                    this.loggedIn = false;
-                    this.user = null;
-                    console.info('Not logged in');
-                } else {
-                    console.error('Error fetching user', error);
-                    throw error;
-                }
-            } finally {
-                this.loading = false;
-            }
-        },
-
-        async logout() {
-            const logoutUser = mande('/api/user/logout');
-            await logoutUser.get();
-            this.loggedIn = false;
-            this.user = null;
-        },
-    },
 });
diff --git a/WebClient/src/views/Admin.vue b/WebClient/src/views/Admin.vue
index 97069ce7..abe16040 100644
--- a/WebClient/src/views/Admin.vue
+++ b/WebClient/src/views/Admin.vue
@@ -4,11 +4,12 @@ import { useOtiumStore } from '@/Otium/stores/otium.js';
 import { computed } from 'vue';
 import { formatTutor } from '@/helpers/formatters';
 import { Button } from 'primevue';
-import { mande } from 'mande';
 import { useRouter } from 'vue-router';
 import UserPeek from '@/components/UserPeek.vue';
+import { useUserManagement } from '@/composables/userManagement.ts';
 
 const user = useUser();
+const userManagement = useUserManagement();
 const otium = useOtiumStore();
 const router = useRouter();
 
@@ -58,9 +59,7 @@ const personen = computed(() => {
 });
 
 const impersonate = async (userToImpersonate) => {
-    console.log(userToImpersonate);
-    await mande(`/api/user/${userToImpersonate.id}/impersonate`).get();
-    await user.update();
+    await userManagement.impersonateUser(userToImpersonate.id);
     await router.push('/');
 };
 </script>
diff --git a/WebClient/src/views/LoggedOutHome.vue b/WebClient/src/views/LoggedOutHome.vue
new file mode 100644
index 00000000..d3223c66
--- /dev/null
+++ b/WebClient/src/views/LoggedOutHome.vue
@@ -0,0 +1,25 @@
+<script lang="ts" setup>
+import Login from '@/components/Login.vue';
+import { Image } from 'primevue';
+import { computed } from 'vue';
+import { isDark } from '@/helpers/isdark';
+import wappenDark from '/vdaa/favicon-dark.svg';
+import wappenLight from '/vdaa/favicon.svg';
+
+const logo = computed(() => (isDark().value ? wappenDark : wappenLight));
+</script>
+
+<template>
+    <div class="mt-20 flex items-center justify-center">
+        <div>
+            <div class="flex justify-center">
+                <Image :src="logo" alt="Logo des Verein der Altafraner" height="200"></Image>
+            </div>
+            <h1>Willkommen bei der Afra-App</h1>
+            <p>Bitte logge dich ein, um die Afra-App zu nutzen.</p>
+            <Login></Login>
+        </div>
+    </div>
+</template>
+
+<style scoped></style>
diff --git a/WebClient/src/views/Settings.vue b/WebClient/src/views/Settings.vue
index dc922704..6a662da2 100644
--- a/WebClient/src/views/Settings.vue
+++ b/WebClient/src/views/Settings.vue
@@ -4,9 +4,11 @@ import { ref } from 'vue';
 import { mande } from 'mande';
 import { useUser } from '@/stores/user';
 import NavBreadcrumb from '@/components/NavBreadcrumb.vue';
+import { useUserManagement } from '@/composables/userManagement.ts';
 
 const loading = ref(false);
 const user = useUser();
+const userManagement = useUserManagement();
 const toast = useToast();
 const calLink = ref(null);
 
@@ -18,7 +20,7 @@ async function fetchNum() {
     try {
         numSubs.value = await endpoint.get();
     } catch (e) {
-        await user.update();
+        await userManagement.updateUser();
         toast.add({
             severity: 'error',
             summary: 'Fehler',
@@ -36,7 +38,7 @@ async function fetchKey() {
     try {
         calLink.value = await endpoint.get();
     } catch (e) {
-        await user.update();
+        await userManagement.updateUser();
         toast.add({
             severity: 'error',
             summary: 'Fehler',
@@ -62,7 +64,7 @@ async function deleteKeys() {
             life: 2000,
         });
     } catch (e) {
-        await user.update();
+        await userManagement.updateUser();
         toast.add({
             severity: 'error',
             summary: 'Fehler',
diff --git a/WebClient/src/views/oidc/AccessDenied.vue b/WebClient/src/views/oidc/AccessDenied.vue
new file mode 100644
index 00000000..33e82b94
--- /dev/null
+++ b/WebClient/src/views/oidc/AccessDenied.vue
@@ -0,0 +1,13 @@
+<script lang="ts" setup>
+import { Button } from 'primevue';
+import { RouterLink } from 'vue-router';
+</script>
+
+<template>
+    <h1 class="mt-20">Zugriff verweigert</h1>
+    <p>Der Authentifizierungsdienst hat den Zugriff verweigert.</p>
+    <p>Wenn dieser Fehler unerwartet ist, wenden Sie sich bitte an den Administrator.</p>
+    <Button :as="RouterLink" class="mt-2" label="Zurück zur Startseite" to="/" />
+</template>
+
+<style scoped></style>
diff --git a/WebClient/src/views/oidc/RemoteFailure.vue b/WebClient/src/views/oidc/RemoteFailure.vue
new file mode 100644
index 00000000..e3a47620
--- /dev/null
+++ b/WebClient/src/views/oidc/RemoteFailure.vue
@@ -0,0 +1,16 @@
+<script lang="ts" setup>
+import { Button } from 'primevue';
+import { RouterLink } from 'vue-router';
+</script>
+
+<template>
+    <h1 class="mt-20">Authentifizierungsfehler</h1>
+    <p>Der Authentifizierungsdienst hat einen Fehler gemeldet.</p>
+    <p>
+        Probieren Sie es später erneut. Sollte der Fehler bestehen bleiben, wenden Sie sich
+        bitte an den Administrator.
+    </p>
+    <Button :as="RouterLink" class="mt-2" label="Zurück zur Startseite" to="/" />
+</template>
+
+<style scoped></style>
diff --git a/WebClient/vite.config.js b/WebClient/vite.config.js
index c95c5f94..0c3fd849 100644
--- a/WebClient/vite.config.js
+++ b/WebClient/vite.config.js
@@ -55,8 +55,11 @@ export default defineConfig({
         proxy: {
             '/api': {
                 target: 'http://127.0.0.1:5043',
-                changeOrigin: true,
+                changeOrigin: false,
                 ws: true,
+                xfwd: true,
+                hostRewrite: true,
+                cookieDomainRewrite: 'localhost:5173',
             },
         },
     },