diff --git a/roles/koschei/frontend/tasks/main.yml b/roles/koschei/frontend/tasks/main.yml
index a0e07660bc..dc8f201c00 100644
--- a/roles/koschei/frontend/tasks/main.yml
+++ b/roles/koschei/frontend/tasks/main.yml
@@ -4,7 +4,7 @@
 - koschei-frontend
 - koschei-frontend-fedora
 - koschei-frontend-copr
- - mod_auth_openid
+ - "{{ 'mod_auth_openidc' if env == 'staging' else 'mod_auth_openid' }}"
 tags:
 - koschei
 - packages
diff --git a/roles/koschei/frontend/templates/config-frontend.cfg.j2 b/roles/koschei/frontend/templates/config-frontend.cfg.j2
index 14412f5497..dd18b0005c 100644
--- a/roles/koschei/frontend/templates/config-frontend.cfg.j2
+++ b/roles/koschei/frontend/templates/config-frontend.cfg.j2
@@ -61,7 +61,12 @@ config = {
 "frontend": {
 "builds_per_page": 8,
 "auth": {
+ {% if env == 'staging' %}
+ "user_re": "(.+)",
+ "user_env": "OIDC_CLAIM_nickname",
+ {% else %}
 "user_re": "http://(.+)\\.id{{ env_prefix }}\\.fedoraproject\\.org/",
+ {% endif %}
 },
 "fedora_assets_url": "/global",
 "fedmenu_url": "/fedmenu",
diff --git a/roles/koschei/frontend/templates/httpd.conf.j2 b/roles/koschei/frontend/templates/httpd.conf.j2
index 8debae58d5..67032217b4 100644
--- a/roles/koschei/frontend/templates/httpd.conf.j2
+++ b/roles/koschei/frontend/templates/httpd.conf.j2
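Review bot: The templated package name on the `+` line only stops installing `mod_auth_openid` on staging; nothing in this hunk removes it, so staging hosts provisioned before this change keep both `mod_auth_openid` and `mod_auth_openidc` installed and loaded (the task header with its `state` is outside the hunk, so this is inferred). If that is not intended, add an explicit removal task for `mod_auth_openid` guarded by the same condition. The `env == 'staging'` literal is now the OIDC switch in three files; a single `koschei_use_oidc: "{{ env == 'staging' }}"` variable, referenced as `- "{{ 'mod_auth_openidc' if koschei_use_oidc else 'mod_auth_openid' }}"`, would keep the package choice and the two templates from drifting apart.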
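Review bot: The staging `"user_re": "(.+)"` accepts whatever `OIDC_CLAIM_nickname` carries, with no character-set restriction and no end anchor, whereas the production pattern on the context line constrains the identity to a label under `id.fedoraproject.org`; whether Koschei applies the pattern with `re.match` or `re.search` is not visible here, so I cannot rule out an unanchored partial match. Since the captured group becomes the local account name, tighten it to the expected account-name shape, e.g. `"user_re": "^([a-z0-9_-]+)$"` (adjust if the provider allows other characters). Also, `nickname` is not guaranteed unique or stable by OIDC Core; `sub` or `preferred_username` is the usual choice if the provider exposes them. The enclosing `config` dict starts before and ends after this hunk.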
@@ -16,17 +16,34 @@ Require all granted
+{% if env == 'staging' %}
+ OIDCRedirectURI "{{ koschei_topurl }}/login/redirect_uri"
+ OIDCProviderMetadataURL "https://{{ koschei_openid_provider }}/openidc/wellknown_openid_configuration"
+ OIDCClientID "koschei"
+ {% if env == 'staging' %}
+ OIDCClientSecret "{{ koschei_oidc_client_secret_stg }}"
+ OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret_stg }}"
+ {% else %}
+ OIDCClientSecret "{{ koschei_oidc_client_secret }}"
+ OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret }}"
+ {% endif %}
+ OIDCSSLValidateServer On
+ OIDCResponseType "code"
+
+ OIDCScope "openid profile"
+
+
+ AuthType openid-connect
+ Require valid-user
+
+{% else %}
 Require valid-user
 AuthType OpenID
 AuthOpenIDSingleIdP https://{{ koschei_openid_provider }}/
-{% if env == 'staging' %}
- AuthOpenIDServerName https://apps.stg.fedoraproject.org
- AuthOpenIDTrustRoot https://apps.stg.fedoraproject.org/koschei/
-{% else %}
 AuthOpenIDServerName https://apps.fedoraproject.org
 AuthOpenIDTrustRoot https://apps.fedoraproject.org/koschei/
-{% endif %}
 AuthOpenIDUseCookie off
+{% endif %}
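Review bot: The inner `{% if env == 'staging' %}` around `OIDCClientSecret`/`OIDCCryptoPassphrase` sits inside an outer `{% if env == 'staging' %}`, so its `{% else %}` branch with `koschei_oidc_client_secret` and `koschei_oidc_crypto_secret` can never render; either drop the inner conditional and keep just `OIDCClientSecret "{{ koschei_oidc_client_secret_stg }}"` and `OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret_stg }}"`, or, if production OIDC is the plan, move the secret selection out of the staging-only block so the branch is reachable. The two new `_stg` variables and `koschei_topurl` are not defined anywhere in this diff; presumably they live in a vaulted vars file, which is worth confirming since the crypto passphrase protects the session cookie. Because the app is served under a `/koschei/` path on a shared host (per the old `AuthOpenIDTrustRoot`), consider adding `OIDCCookiePath /koschei/` so the mod_auth_openidc session cookie is not sent to every other application on that vhost. The container directive enclosing these lines is not visible in the hunk.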