diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf
index 95dfcd6..d453958 100644
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@@ -28,7 +28,7 @@ resource "authentik_group" "admins" {
 }
 module "argo-workflows" {
- source = "../modules/authentik"
+ source = "../modules/authentik-oidc"
 app_name = "Argo Workflows"
 app_slug = "argo-workflows"
 client_id = var.argo_workflows_client_id
@@ -42,7 +42,7 @@ module "argo-workflows" {
 }
 module "firezone" {
- source = "../modules/authentik"
+ source = "../modules/authentik-oidc"
 app_name = "Firezone"
 app_slug = "firezone"
 client_id = var.firezone_client_id
@@ -57,7 +57,7 @@ module "firezone" {
 }
 module "gitea" {
- source = "../modules/authentik"
+ source = "../modules/authentik-oidc"
 app_name = "Gitea"
 app_slug = "gitea"
 client_id = var.gitea_client_id
@@ -72,7 +72,7 @@ module "gitea" {
 }
 module "miniflux" {
- source = "../modules/authentik"
+ source = "../modules/authentik-oidc"
 app_name = "Miniflux"
 app_slug = "miniflux"
 client_id = var.miniflux_client_id
diff --git a/tofu/modules/authentik/main.tf b/tofu/modules/authentik-oidc/main.tf
similarity index 68%
rename from tofu/modules/authentik/main.tf
rename to tofu/modules/authentik-oidc/main.tf
index 683693a..11d25c0 100644
--- a/tofu/modules/authentik/main.tf
+++ b/tofu/modules/authentik-oidc/main.tf
@@ -7,10 +7,15 @@ terraform {
 }
 }
 }
+
 data "authentik_flow" "default-authorization-flow" {
 slug = "default-provider-authorization-implicit-consent"
 }
+data "authentik_flow" "default-authentication-flow" {
+ slug = "default-authentication-flow"
+}
+
 data "authentik_scope_mapping" "default-scopes" {
 managed_list = [
 "goauthentik.io/providers/oauth2/scope-email",
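Review bot: The new `data "authentik_flow" "default-authentication-flow"` block hard-codes the flow slug, and the authorization lookup just above it does the same, so every consumer of this module (Argo Workflows, Firezone, Gitea and Miniflux in the first file) is pinned to one authentication flow and cannot be given a stricter, MFA-enforcing flow without editing the module. Consider reading the slug from an input with this value as its default, `slug = var.authentication_flow_slug`, declared in vars.tf next to the other inputs; the same applies to the implicit-consent authorization flow. A short comment on the data source, `# looked up by slug: a renamed or deleted built-in flow fails at plan time`, would make the dependency on authentik's default flows explicit. The `terraform` block whose closing braces open this hunk starts before the hunk.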
@@ -22,14 +27,15 @@ data "authentik_scope_mapping" "default-scopes" {
 resource "authentik_provider_oauth2" "provider_oidc" {
- name = var.app_name
- client_id = var.client_id
- client_secret = var.client_secret
- authorization_flow = data.authentik_flow.default-authorization-flow.id
- redirect_uris = var.redirect_uris
- property_mappings = data.authentik_scope_mapping.default-scopes.ids
- sub_mode = var.sub_mode
- signing_key = var.oidc_signing_key
+ name = var.app_name
+ client_id = var.client_id
+ client_secret = var.client_secret
+ authorization_flow = data.authentik_flow.default-authorization-flow.id
+ authentication_flow = data.authentik_flow.default-authentication-flow.id
+ redirect_uris = var.redirect_uris
+ property_mappings = data.authentik_scope_mapping.default-scopes.ids
+ sub_mode = var.sub_mode
+ signing_key = var.oidc_signing_key
 }
diff --git a/tofu/modules/authentik/vars.tf b/tofu/modules/authentik-oidc/vars.tf
similarity index 100%
rename from tofu/modules/authentik/vars.tf
rename to tofu/modules/authentik-oidc/vars.tf
diff --git a/tofu/modules/authentik-proxy/main.tf b/tofu/modules/authentik-proxy/main.tf
new file mode 100644
index 0000000..8ab68c6
--- /dev/null
+++ b/tofu/modules/authentik-proxy/main.tf
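Review bot: The only functional change in this hunk is the added `authentication_flow` line, but nothing says why an OIDC provider that already has an authorization flow also gets an explicit authentication flow; a one-line comment such as `# flow shown to users who are not yet signed in when they reach this provider` would spare the next maintainer a trip to the authentik docs. The resource also passes `client_secret = var.client_secret` straight through, and vars.tf is renamed unchanged and not shown here, so it is worth confirming that the variable is declared with `sensitive = true`; otherwise the secret can surface in plan output or in any module output that references it. The other eight lines differ only in alignment, so keeping `tofu fmt` whitespace in a separate commit would leave a one-line diff for the behavioural change.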
@@ -0,0 +1,46 @@
+terraform {
+ required_version = ">= 1.6"
+ required_providers {
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "2024.2.0"
+ }
+ }
+}
+
+data "authentik_flow" "default-authorization-flow" {
+ slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_flow" "default-authentication-flow" {
+ slug = "default-authentication-flow"
+}
+
+ resource "authentik_provider_proxy" "provider_proxy" {
+ authorization_flow = data.authentik_flow.default-authorization-flow.id
+ authentication_flow = data.authentik_flow.default-authentication-flow.id
+ external_host = var.app_url
+ internal_host = var.internal_host
+ name = var.app_name
+ internal_host_ssl_validation = var.internal_host_ssl_validation
+}
+
+ resource "authentik_application" "app" {
+ name = var.app_name
+ slug = var.app_slug
+ protocol_provider = authentik_provider_proxy.provider_proxy.id
+ open_in_new_tab = var.open_in_new_tab
+ meta_icon = var.app_icon
+ meta_description = var.app_description
+ meta_publisher = var.app_publisher
+ meta_launch_url = var.app_url
+}
+ resource "authentik_policy_binding" "app_access" {
+ target = authentik_application.app.uuid
+ group = var.app_access_group_id
+ order = 0
+ count = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists
+}
diff --git a/tofu/modules/authentik-proxy/vars.tf b/tofu/modules/authentik-proxy/vars.tf
new file mode 100644
index 0000000..2ed6558
--- /dev/null
+++ b/tofu/modules/authentik-proxy/vars.tf
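Review bot: The `authentik_policy_binding` at the end of the hunk is created only when `app_access_group_id` is non-empty, and authentik treats an application with no policy bound as accessible to every authenticated user, so passing an empty ID silently exposes the proxied upstream to the whole directory rather than to nobody — the empty case fails open. The variable holds an ID, not a name, so the trailing comment is misleading as well. If unrestricted access is never intended for a proxied app, drop the `count` line so the binding is unconditional and reject an empty ID at plan time; if the opt-out is deliberate, replace the comment with `# empty group ID => no binding => every authenticated user can reach this app`. `external_host = var.app_url` likewise inherits an empty-string default from vars.tf that the proxy provider cannot use, so a `validation` block on `app_url` (or no default) would surface that mistake before apply.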
@@ -0,0 +1,54 @@
+variable "app_name" {
+ description = "App name"
+ type = string
+}
+
+variable "app_slug" {
+ description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
+ type = string
+}
+
+ variable "app_access_group_id" {
+ description = "ID of a group which will have access to the app"
+ type = string
+}
+
+ variable "open_in_new_tab" {
+ type = bool
+ description = "Open apps in a new tab"
+ default = true
+}
+
+variable "app_icon" {
+ type = string
+ default = ""
+}
+
+variable "app_description" {
+ type = string
+ default = ""
+}
+
+variable "app_publisher" {
+ type = string
+ default = ""
+}
+variable "app_url" {
+ type = string
+ default = ""
+}
+
+
+ variable "internal_host" {
+ description = "Internal, upstream host authentik will proxy to"
+ type = string
+}
+
+variable "internal_host_ssl_validation" {
+ description = "Validate SSL certificate of the upstream servers"
+ type = bool
+ default = false
+}
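Review bot: `internal_host_ssl_validation` defaults to `false`, so every app built from this module skips certificate verification toward its upstream unless the caller remembers to opt in, and anything on the path to `internal_host` can then impersonate the upstream and receive the authenticated traffic the outpost forwards. Prefer the secure default, `default = true`, and let the few self-signed upstreams set `false` explicitly per app; the description should also say that the flag is meaningless for plain-HTTP upstreams. Two inputs the proxy resource depends on are weaker than they look: `app_url` defaults to `""` although main.tf uses it as `external_host`, and `app_access_group_id` accepts `""` although main.tf then creates no access policy. Dropping the empty default on `app_url` and adding `validation { condition = length(var.app_access_group_id) > 0 }` (with a clear `error_message`) would turn both into plan-time errors instead of silent misconfiguration.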