diff --git a/includes/login.php b/includes/login.php
new file mode 100644
index 0000000..830b8fe
--- /dev/null
+++ b/includes/login.php
@@ -0,0 +1,108 @@
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+
+// Login-Button auf der WP-Login-Seite
+add_action( 'login_form', 'authentik_login_button' );
+function authentik_login_button() {
+    $s = authentik_get_settings();
+    if ( empty( $s['client_id'] ) || ! authentik_get_authorize_url() ) return;
+
+    $url = authentik_build_login_url();
+    ?>
+    <div style="text-align:center; margin-bottom: 16px;">
+        <a href="<?php echo esc_url( $url ); ?>"
+           style="display:inline-block; background:#fd4b2d; color:#fff; padding:10px 20px;
+                  border-radius:4px; text-decoration:none; font-weight:bold; width:100%; box-sizing:border-box; text-align:center;">
+            🔐 Login mit Authentik
+        </a>
+    </div>
+    <div style="text-align:center; margin-bottom:12px; color:#999; font-size:12px;">– oder mit Benutzername/Passwort –</div>
+    <?php
+}
+
+// Callback-Handler
+add_action( 'wp_ajax_nopriv_authentik_callback', 'authentik_handle_callback' );
+add_action( 'wp_ajax_authentik_callback', 'authentik_handle_callback' );
+function authentik_handle_callback() {
+    $code  = $_GET['code']  ?? '';
+    $state = $_GET['state'] ?? '';
+    $error = $_GET['error'] ?? '';
+
+    if ( $error ) {
+        authentik_login_error( 'Authentik-Fehler: ' . esc_html( $error ) );
+    }
+
+    // State validieren
+    if ( ! $state || ! get_transient( 'authentik_state_' . $state ) ) {
+        authentik_login_error( 'Ungültiger State-Parameter.' );
+    }
+    delete_transient( 'authentik_state_' . $state );
+
+    if ( ! $code ) {
+        authentik_login_error( 'Kein Autorisierungscode erhalten.' );
+    }
+
+    // Token holen
+    $tokens = authentik_exchange_code( $code );
+    if ( is_wp_error( $tokens ) ) {
+        authentik_login_error( $tokens->get_error_message() );
+    }
+
+    // Userinfo holen
+    $userinfo = authentik_get_userinfo( $tokens['access_token'] );
+    if ( is_wp_error( $userinfo ) || empty( $userinfo ) ) {
+        authentik_login_error( 'Benutzerinformationen konnten nicht abgerufen werden.' );
+    }
+
+    // User finden oder erstellen
+    $user = authentik_find_or_create_user( $userinfo );
+    if ( is_wp_error( $user ) ) {
+        authentik_login_error( $user->get_error_message() );
+    }
+
+    // Einloggen
+    wp_set_auth_cookie( $user->ID, true );
+    wp_set_current_user( $user->ID );
+    do_action( 'wp_login', $user->user_login, $user );
+
+    // Weiterleitung
+    $redirect = admin_url();
+    if ( ! user_can( $user->ID, 'manage_options' ) ) {
+        $redirect = home_url();
+    }
+
+    wp_redirect( $redirect );
+    exit;
+}
+
+function authentik_login_error( $message ) {
+    wp_redirect( wp_login_url() . '?authentik_error=' . urlencode( $message ) );
+    exit;
+}
+
+// Fehlermeldung anzeigen
+add_filter( 'login_message', 'authentik_show_login_message' );
+function authentik_show_login_message( $message ) {
+    if ( ! empty( $_GET['authentik_error'] ) ) {
+        $message .= '<div id="login_error">' . esc_html( urldecode( $_GET['authentik_error'] ) ) . '</div>';
+    }
+    return $message;
+}
+
+// Frontend: Verknüpfungs-Button für eingeloggte User (Shortcode)
+add_shortcode( 'authentik_link_account', 'authentik_link_account_shortcode' );
+function authentik_link_account_shortcode() {
+    if ( ! is_user_logged_in() ) return '';
+
+    $user    = wp_get_current_user();
+    $subject = get_user_meta( $user->ID, 'authentik_subject', true );
+
+    ob_start();
+    if ( $subject ) {
+        echo '<p>✓ Dein Konto ist mit Authentik verknüpft.</p>';
+    } else {
+        $url = authentik_build_login_url();
+        echo '<a href="' . esc_url( $url ) . '" class="button">Konto mit Authentik verknüpfen</a>';
+    }
+    return ob_get_clean();
+}
diff --git a/includes/oauth.php b/includes/oauth.php
new file mode 100644
index 0000000..851a7b0
--- /dev/null
+++ b/includes/oauth.php
@@ -0,0 +1,73 @@
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+
+function authentik_get_authorize_url() {
+    return get_option( 'authentik_oidc_authorize_url', '' );
+}
+
+function authentik_get_token_url() {
+    return get_option( 'authentik_oidc_token_url', '' );
+}
+
+function authentik_get_userinfo_url() {
+    return get_option( 'authentik_oidc_userinfo_url', '' );
+}
+
+function authentik_get_logout_url() {
+    return get_option( 'authentik_oidc_logout_url', '' );
+}
+
+function authentik_build_login_url() {
+    $s     = authentik_get_settings();
+    $state = wp_generate_password( 16, false );
+    set_transient( 'authentik_state_' . $state, 1, 300 );
+
+    $params = [
+        'response_type' => 'code',
+        'client_id'     => $s['client_id'],
+        'redirect_uri'  => $s['redirect_uri'],
+        'scope'         => 'openid email profile',
+        'state'         => $state,
+    ];
+
+    return authentik_get_authorize_url() . '?' . http_build_query( $params );
+}
+
+function authentik_exchange_code( $code ) {
+    $s   = authentik_get_settings();
+    $res = wp_remote_post( authentik_get_token_url(), [
+        'timeout' => (int) $s['timeout'],
+        'body'    => [
+            'grant_type'    => 'authorization_code',
+            'code'          => $code,
+            'redirect_uri'  => $s['redirect_uri'],
+            'client_id'     => $s['client_id'],
+            'client_secret' => $s['client_secret'],
+        ],
+    ] );
+
+    if ( is_wp_error( $res ) ) {
+        return new WP_Error( 'token_request_failed', $res->get_error_message() );
+    }
+
+    $body = json_decode( wp_remote_retrieve_body( $res ), true );
+    if ( empty( $body['access_token'] ) ) {
+        return new WP_Error( 'token_missing', 'Kein Access-Token erhalten.' );
+    }
+
+    return $body;
+}
+
+function authentik_get_userinfo( $access_token ) {
+    $s   = authentik_get_settings();
+    $res = wp_remote_get( authentik_get_userinfo_url(), [
+        'timeout' => (int) $s['timeout'],
+        'headers' => [ 'Authorization' => 'Bearer ' . $access_token ],
+    ] );
+
+    if ( is_wp_error( $res ) ) {
+        return new WP_Error( 'userinfo_failed', $res->get_error_message() );
+    }
+
+    return json_decode( wp_remote_retrieve_body( $res ), true );
+}
diff --git a/includes/settings.php b/includes/settings.php
new file mode 100644
index 0000000..9cb07d1
--- /dev/null
+++ b/includes/settings.php
@@ -0,0 +1,204 @@
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+
+add_action( 'admin_menu', 'authentik_admin_menu' );
+function authentik_admin_menu() {
+    add_options_page(
+        'Authentik Login',
+        'Authentik Login',
+        'manage_options',
+        'authentik-login',
+        'authentik_settings_page'
+    );
+}
+
+add_action( 'admin_init', 'authentik_register_settings' );
+function authentik_register_settings() {
+    register_setting( 'authentik_settings_group', 'authentik_settings', 'authentik_sanitize_settings' );
+}
+
+function authentik_sanitize_settings( $input ) {
+    $clean = [];
+    $fields = [
+        'client_id', 'client_secret', 'discovery_url',
+        'redirect_uri', 'default_role', 'admin_group',
+        'timeout'
+    ];
+    foreach ( $fields as $f ) {
+        $clean[ $f ] = isset( $input[ $f ] ) ? sanitize_text_field( $input[ $f ] ) : '';
+    }
+    $clean['create_users']    = ! empty( $input['create_users'] ) ? 1 : 0;
+    $clean['link_existing']   = ! empty( $input['link_existing'] ) ? 1 : 0;
+    $clean['sync_roles']      = ! empty( $input['sync_roles'] ) ? 1 : 0;
+    return $clean;
+}
+
+function authentik_get_settings() {
+    $defaults = [
+        'client_id'     => '',
+        'client_secret' => '',
+        'discovery_url' => '',
+        'redirect_uri'  => admin_url( 'admin-ajax.php?action=authentik_callback' ),
+        'default_role'  => 'subscriber',
+        'admin_group'   => 'wordpress_admin',
+        'timeout'       => 30,
+        'create_users'  => 1,
+        'link_existing' => 1,
+        'sync_roles'    => 1,
+    ];
+    $saved = get_option( 'authentik_settings', [] );
+    return wp_parse_args( $saved, $defaults );
+}
+
+function authentik_settings_page() {
+    $s = authentik_get_settings();
+    ?>
+    <div class="wrap">
+        <h1>Authentik Login – Einstellungen</h1>
+
+        <?php
+        // Discovery import
+        if ( isset( $_POST['authentik_import_discovery'] ) && check_admin_referer( 'authentik_import' ) ) {
+            $url = esc_url_raw( $_POST['discovery_url_import'] ?? '' );
+            $res = wp_remote_get( $url, [ 'timeout' => 15 ] );
+            if ( ! is_wp_error( $res ) ) {
+                $data = json_decode( wp_remote_retrieve_body( $res ), true );
+                if ( $data ) {
+                    $map = [
+                        'authorization_endpoint' => 'authorize_url',
+                        'token_endpoint'         => 'token_url',
+                        'userinfo_endpoint'      => 'userinfo_url',
+                        'jwks_uri'               => 'jwks_url',
+                        'issuer'                 => 'issuer',
+                        'end_session_endpoint'   => 'logout_url',
+                    ];
+                    foreach ( $map as $key => $opt ) {
+                        if ( isset( $data[ $key ] ) ) {
+                            update_option( 'authentik_oidc_' . $opt, $data[ $key ] );
+                        }
+                    }
+                    echo '<div class="notice notice-success"><p>Discovery-Dokument erfolgreich importiert!</p></div>';
+                }
+            } else {
+                echo '<div class="notice notice-error"><p>Fehler: ' . esc_html( $res->get_error_message() ) . '</p></div>';
+            }
+        }
+        ?>
+
+        <form method="post" action="">
+            <?php wp_nonce_field( 'authentik_import' ); ?>
+            <h2>Discovery-Dokument importieren</h2>
+            <table class="form-table">
+                <tr>
+                    <th>Discovery URL</th>
+                    <td>
+                        <input type="url" name="discovery_url_import" class="regular-text"
+                               placeholder="https://auth.example.com/application/o/app/.well-known/openid-configuration"
+                               value="<?php echo esc_attr( $s['discovery_url'] ); ?>">
+                        <input type="submit" name="authentik_import_discovery" class="button button-secondary" value="Importieren">
+                        <p class="description">Trägt alle Endpunkt-URLs automatisch ein.</p>
+                    </td>
+                </tr>
+            </table>
+        </form>
+
+        <form method="post" action="options.php">
+            <?php settings_fields( 'authentik_settings_group' ); ?>
+
+            <h2>Client-Einstellungen</h2>
+            <table class="form-table">
+                <tr>
+                    <th>Client ID</th>
+                    <td><input type="text" name="authentik_settings[client_id]" class="regular-text" value="<?php echo esc_attr( $s['client_id'] ); ?>"></td>
+                </tr>
+                <tr>
+                    <th>Client Secret</th>
+                    <td><input type="password" name="authentik_settings[client_secret]" class="regular-text" value="<?php echo esc_attr( $s['client_secret'] ); ?>"></td>
+                </tr>
+                <tr>
+                    <th>Discovery URL</th>
+                    <td>
+                        <input type="url" name="authentik_settings[discovery_url]" class="regular-text" value="<?php echo esc_attr( $s['discovery_url'] ); ?>">
+                        <p class="description">Wird gespeichert aber nicht direkt verwendet – nutze den Import-Button oben.</p>
+                    </td>
+                </tr>
+                <tr>
+                    <th>Redirect URI</th>
+                    <td>
+                        <input type="url" name="authentik_settings[redirect_uri]" class="regular-text" value="<?php echo esc_attr( $s['redirect_uri'] ); ?>">
+                        <p class="description">Diese URI muss exakt in Authentik eingetragen sein.</p>
+                    </td>
+                </tr>
+                <tr>
+                    <th>HTTP-Timeout (Sekunden)</th>
+                    <td><input type="number" name="authentik_settings[timeout]" value="<?php echo esc_attr( $s['timeout'] ); ?>" min="5" max="60"></td>
+                </tr>
+            </table>
+
+            <h2>Benutzer-Einstellungen</h2>
+            <table class="form-table">
+                <tr>
+                    <th>Neue Benutzer erstellen</th>
+                    <td><input type="checkbox" name="authentik_settings[create_users]" value="1" <?php checked( $s['create_users'], 1 ); ?>>
+                        <p class="description">Erstellt automatisch einen WordPress-Account wenn kein passender User gefunden wird.</p>
+                    </td>
+                </tr>
+                <tr>
+                    <th>Bestehende User verknüpfen</th>
+                    <td><input type="checkbox" name="authentik_settings[link_existing]" value="1" <?php checked( $s['link_existing'], 1 ); ?>>
+                        <p class="description">Verknüpft Authentik-Login mit bestehendem WordPress-Account (per E-Mail oder Benutzername).</p>
+                    </td>
+                </tr>
+                <tr>
+                    <th>Rollen synchronisieren</th>
+                    <td><input type="checkbox" name="authentik_settings[sync_roles]" value="1" <?php checked( $s['sync_roles'], 1 ); ?>>
+                        <p class="description">Überträgt Authentik-Gruppen als WordPress-Rollen.</p>
+                    </td>
+                </tr>
+                <tr>
+                    <th>Standard-Rolle</th>
+                    <td>
+                        <?php wp_dropdown_roles( $s['default_role'] ); ?>
+                        <input type="hidden" name="authentik_settings[default_role]" value="">
+                        <select name="authentik_settings[default_role]">
+                            <?php
+                            foreach ( wp_roles()->roles as $role => $data ) {
+                                echo '<option value="' . esc_attr( $role ) . '" ' . selected( $s['default_role'], $role, false ) . '>' . esc_html( $data['name'] ) . '</option>';
+                            }
+                            ?>
+                        </select>
+                        <p class="description">Rolle für neue Benutzer ohne passende Authentik-Gruppe.</p>
+                    </td>
+                </tr>
+                <tr>
+                    <th>Admin-Gruppe in Authentik</th>
+                    <td>
+                        <input type="text" name="authentik_settings[admin_group]" class="regular-text" value="<?php echo esc_attr( $s['admin_group'] ); ?>">
+                        <p class="description">Authentik-Gruppenname der WordPress-Administratoren werden soll (z.B. <code>wordpress_admin</code>).</p>
+                    </td>
+                </tr>
+            </table>
+
+            <h2>Erkannte Endpunkte</h2>
+            <table class="form-table">
+                <?php
+                $endpoints = [
+                    'authentik_oidc_authorize_url' => 'Authorize URL',
+                    'authentik_oidc_token_url'     => 'Token URL',
+                    'authentik_oidc_userinfo_url'  => 'Userinfo URL',
+                    'authentik_oidc_jwks_url'      => 'JWKS URL',
+                    'authentik_oidc_issuer'        => 'Issuer',
+                    'authentik_oidc_logout_url'    => 'Logout URL',
+                ];
+                foreach ( $endpoints as $opt => $label ) {
+                    $val = get_option( $opt, '–' );
+                    echo '<tr><th>' . esc_html( $label ) . '</th><td><code>' . esc_html( $val ) . '</code></td></tr>';
+                }
+                ?>
+            </table>
+
+            <?php submit_button( 'Einstellungen speichern' ); ?>
+        </form>
+    </div>
+    <?php
+}
diff --git a/includes/user.php b/includes/user.php
new file mode 100644
index 0000000..e419039
--- /dev/null
+++ b/includes/user.php
@@ -0,0 +1,149 @@
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+
+/**
+ * Findet oder erstellt einen WordPress-User anhand der Authentik-Userinfo.
+ */
+function authentik_find_or_create_user( $userinfo ) {
+    $s          = authentik_get_settings();
+    $subject    = $userinfo['sub'] ?? '';
+    $email      = $userinfo['email'] ?? '';
+    $username   = $userinfo['preferred_username'] ?? $userinfo['name'] ?? '';
+    $groups     = $userinfo['groups'] ?? [];
+
+    if ( empty( $subject ) ) {
+        return new WP_Error( 'no_sub', 'Kein Subject im Token.' );
+    }
+
+    // 1. Suche per gespeicherter Subject-ID (zuverlässigste Methode)
+    $user = authentik_find_user_by_subject( $subject );
+
+    // 2. Verknüpfe bestehenden User per E-Mail
+    if ( ! $user && $s['link_existing'] && $email ) {
+        $user = get_user_by( 'email', $email );
+        if ( $user ) {
+            update_user_meta( $user->ID, 'authentik_subject', $subject );
+        }
+    }
+
+    // 3. Verknüpfe bestehenden User per Benutzername
+    if ( ! $user && $s['link_existing'] && $username ) {
+        $user = get_user_by( 'login', $username );
+        if ( $user ) {
+            update_user_meta( $user->ID, 'authentik_subject', $subject );
+        }
+    }
+
+    // 4. Neuen User erstellen
+    if ( ! $user ) {
+        if ( ! $s['create_users'] ) {
+            return new WP_Error( 'user_not_found', 'Kein passender WordPress-Account gefunden.' );
+        }
+
+        $user_login = sanitize_user( $username ?: explode( '@', $email )[0] );
+        // Sicherstellen dass Benutzername einzigartig ist
+        if ( username_exists( $user_login ) ) {
+            $user_login = $user_login . '_' . substr( $subject, 0, 6 );
+        }
+
+        $user_id = wp_insert_user( [
+            'user_login' => $user_login,
+            'user_email' => $email,
+            'user_pass'  => wp_generate_password( 32 ),
+            'display_name' => $userinfo['name'] ?? $user_login,
+            'role'       => $s['default_role'],
+        ] );
+
+        if ( is_wp_error( $user_id ) ) {
+            return $user_id;
+        }
+
+        update_user_meta( $user_id, 'authentik_subject', $subject );
+        $user = get_user_by( 'ID', $user_id );
+    }
+
+    // 5. Rollen synchronisieren
+    if ( $s['sync_roles'] && $user ) {
+        authentik_sync_roles( $user, $groups, $s );
+    }
+
+    return $user;
+}
+
+function authentik_find_user_by_subject( $subject ) {
+    $users = get_users( [
+        'meta_key'   => 'authentik_subject',
+        'meta_value' => $subject,
+        'number'     => 1,
+    ] );
+    return ! empty( $users ) ? $users[0] : null;
+}
+
+function authentik_sync_roles( $user, $groups, $s ) {
+    $admin_group = $s['admin_group'];
+
+    if ( $admin_group && in_array( $admin_group, $groups, true ) ) {
+        $user->set_role( 'administrator' );
+    } else {
+        // Mappe Authentik-Gruppen auf WordPress-Rollen
+        $role_map = [
+            'wordpress_editor'      => 'editor',
+            'wordpress_author'      => 'author',
+            'wordpress_contributor' => 'contributor',
+            'wordpress_subscriber'  => 'subscriber',
+        ];
+
+        $assigned = false;
+        foreach ( $role_map as $group => $role ) {
+            if ( in_array( $group, $groups, true ) ) {
+                $user->set_role( $role );
+                $assigned = true;
+                break;
+            }
+        }
+
+        if ( ! $assigned ) {
+            // Behalte aktuelle Rolle wenn keine Gruppe passt
+        }
+    }
+}
+
+// Profilseite: Verknüpfungsstatus anzeigen
+add_action( 'show_user_profile', 'authentik_show_link_status' );
+add_action( 'edit_user_profile', 'authentik_show_link_status' );
+function authentik_show_link_status( $user ) {
+    $subject = get_user_meta( $user->ID, 'authentik_subject', true );
+    ?>
+    <h3>Authentik-Verknüpfung</h3>
+    <table class="form-table">
+        <tr>
+            <th>Status</th>
+            <td>
+                <?php if ( $subject ) : ?>
+                    <span style="color:green;">✓ Verknüpft</span>
+                    <p class="description">Subject: <code><?php echo esc_html( $subject ); ?></code></p>
+                    <a href="<?php echo esc_url( wp_nonce_url( admin_url( 'admin-post.php?action=authentik_unlink&user_id=' . $user->ID ), 'authentik_unlink_' . $user->ID ) ); ?>" class="button button-small">Verknüpfung aufheben</a>
+                <?php else : ?>
+                    <span style="color:orange;">✗ Nicht verknüpft</span>
+                    <p class="description">Beim nächsten Authentik-Login wird dieser Account automatisch verknüpft (wenn E-Mail oder Benutzername übereinstimmt).</p>
+                <?php endif; ?>
+            </td>
+        </tr>
+    </table>
+    <?php
+}
+
+// Verknüpfung aufheben
+add_action( 'admin_post_authentik_unlink', 'authentik_handle_unlink' );
+function authentik_handle_unlink() {
+    $user_id = (int) $_GET['user_id'];
+    check_admin_referer( 'authentik_unlink_' . $user_id );
+
+    if ( ! current_user_can( 'edit_user', $user_id ) ) {
+        wp_die( 'Keine Berechtigung.' );
+    }
+
+    delete_user_meta( $user_id, 'authentik_subject' );
+    wp_redirect( admin_url( 'user-edit.php?user_id=' . $user_id . '&authentik_unlinked=1' ) );
+    exit;
+}