diff --git a/roles/mas/defaults/main.json b/roles/mas/defaults/main.json
index e402ce6..cbb1c0a 100644
--- a/roles/mas/defaults/main.json
+++ b/roles/mas/defaults/main.json
@@ -12,13 +12,11 @@
 "var_mas_matrix_secret": "REPLACE_ME",
 "var_mas_matrix_endpoint": "http://localhost:8008/",
 "var_mas_encryption_key": "REPLACE_ME",
- "var_mas_authentication_upstream_active": false,
- "var_mas_authentication_upstream_id": "default_upstream",
- "var_mas_authentication_upstream_issuer": "https://auth.example.org",
- "var_mas_authentication_upstream_client_id": "mas",
- "var_mas_authentication_upstream_client_secret": "REPLACE_ME",
- "var_mas_authentication_upstream_token_endpoint_auth_method": "client_secret_post"
- "var_mas_authentication_upstream_scope": "openid email profile",
- "var_mas_authentication_upstream_authorization_endpoint": "https://auth.example.org/authorize",
- "var_mas_authentication_upstream_token_endpoint": "https://auth.example.org/token"
+ "var_mas_authentication_upstream_kind": "none",
+ "var_mas_authentication_upstream_data_authelia_url_base": "https://authelia.example.org",
+ "var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_post",
+ "var_mas_authentication_upstream_data_authelia_scope": "openid profile email",
+ "var_mas_authentication_upstream_data_authelia_name": "authelia",
+ "var_mas_authentication_upstream_data_authelia_client_id": "mas",
+ "var_mas_authentication_upstream_data_authelia_client_secret": "REPLACE_ME"
 }
diff --git a/roles/mas/templates/config-base.json.j2 b/roles/mas/templates/config-base.json.j2
index 1ba74d4..f49bb37 100644
--- a/roles/mas/templates/config-base.json.j2
+++ b/roles/mas/templates/config-base.json.j2
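Review bot: The new default `"var_mas_authentication_upstream_data_authelia_client_secret": "REPLACE_ME"` is rendered verbatim into the `client_secret` field of config-base.json.j2 as soon as `var_mas_authentication_upstream_kind` is switched to `authelia`, and nothing in this diff rejects the placeholder, so a deployment that sets the kind but forgets the override registers MAS against Authelia with a literal placeholder secret. The pre-existing `var_mas_matrix_secret` and `var_mas_encryption_key` placeholders share that weakness, but the authelia secret is the one introduced here and it is the credential presented to an external identity provider. If this is an Ansible role, as the defaults/templates layout suggests, a guard in the role's task list (not part of this diff) such as `ansible.builtin.assert: { that: "var_mas_authentication_upstream_kind != 'authelia' or var_mas_authentication_upstream_data_authelia_client_secret != 'REPLACE_ME'" }` would fail the run early instead of producing a broken provider, and the vardef.json hunk could express the same requirement if the vardef format supports conditional mandatory fields. It would also help to record, wherever these defaults are documented, that `var_mas_authentication_upstream_data_authelia_url_base` must not end in a slash, because the template appends `/api/oidc/authorization` and `/api/oidc/token` to it.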
@@ -85,18 +85,20 @@
 ],
 "minimum_complexity": 3
 },
-{% if var_mas_authentication_upstream_active %}
+{% if var_mas_authentication_upstream_kind == 'none' %}
+{% endif %}
+{% if var_mas_authentication_upstream_kind == 'authelia' %}
 "upstream_oauth2": {
 "providers": [
 {
- "id": "{{var_mas_authentication_upstream_id}}",
- "issuer": "{{var_mas_authentication_upstream_issuer}}",
- "client_id": "{{var_mas_authentication_upstream_client_id}}",
- "client_secret": "{{var_mas_authentication_upstream_client_secret}}",
- "token_endpoint_auth_method": "{{var_mas_authentication_upstream_token_endpoint_auth_method}}",
- "scope": "{{var_mas_authentication_upstream_scope}}",
- "authorization_endpoint": "{{var_mas_authentication_upstream_authorization_endpoint}}",
- "token_endpoint": "{{var_mas_authentication_upstream_token_endpoint}}"
+ "id": "{{var_mas_authentication_upstream_data_authelia_name}}",
+ "issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}",
+ "authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization",
+ "token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token",
+ "token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}",
+ "scope": "{{var_mas_authentication_upstream_data_authelia_scope}}",
+ "client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}",
+ "client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}"
 }
 ]
 },
diff --git a/roles/mas/vardef.json b/roles/mas/vardef.json
index dc301b8..04f210e 100644
--- a/roles/mas/vardef.json
+++ b/roles/mas/vardef.json
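Review bot: The added `{% if var_mas_authentication_upstream_kind == 'none' %}` / `{% endif %}` pair encloses nothing and renders nothing, so it is dead template code; either drop it or turn it into a Jinja comment, `{# kind 'none': no upstream_oauth2 provider is rendered #}`, so the intent survives. More important for correctness, every provider value is interpolated inside hand-written double quotes, so a `client_secret` or `url_base` containing `"` or `\` yields malformed JSON or changes the structure MAS reads; emitting the value through a JSON filter removes that whole class of problem, e.g. `"client_secret": {{ var_mas_authentication_upstream_data_authelia_client_secret | to_json }},` (Ansible's `to_json`; Jinja2's built-in `tojson` also produces valid JSON) and likewise for the other seven fields. The two endpoint lines also concatenate `..._url_base` with `/api/oidc/...`, so a base that ends in `/` produces a `//api/oidc/` URL; stripping a trailing slash once via `regex_replace('/$', '')` or documenting the no-trailing-slash requirement avoids a confusing OIDC failure at first login. The `{% endif %}` that closes the authelia branch is presumably the pre-existing one outside this hunk.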
@@ -43,40 +43,36 @@
 "type": "string",
 "mandatory": false
 },
- "authentication_upstream_active": {
+ "authentication_upstream_kind": {
 "nullable": false,
- "type": "boolean"
+ "type": "string",
+ "options": [
+ "none",
+ "authelia"
+ ]
 },
- "authentication_upstream_id": {
- "nullable": false,
- "type": "string"
+ "authentication_upstream_data_authelia_url_base": {
+ "type": "string",
+ "mandatory": false
 },
- "authentication_upstream_issuer": {
- "nullable": false,
- "type": "string"
+ "authentication_upstream_data_authelia_auth_method": {
+ "type": "string",
+ "mandatory": false
 },
- "authentication_upstream_client_id": {
- "nullable": false,
- "type": "string"
+ "authentication_upstream_data_authelia_scope": {
+ "type": "string",
+ "mandatory": false
 },
- "authentication_upstream_client_secret": {
- "nullable": false,
- "type": "string"
+ "authentication_upstream_data_authelia_name": {
+ "type": "string",
+ "mandatory": false
 },
- "authentication_upstream_token_endpoint_auth_method": {
- "nullable": false,
- "type": "string"
+ "authentication_upstream_data_authelia_client_id": {
+ "type": "string",
+ "mandatory": false
 },
- "authentication_upstream_scope": {
- "nullable": false,
- "type": "string"
- },
- "authentication_upstream_authorization_endpoint": {
- "nullable": false,
- "type": "string"
- },
- "authentication_upstream_token_endpoint": {
- "nullable": false,
- "type": "string"
+ "authentication_upstream_data_authelia_client_secret": {
+ "type": "string",
+ "mandatory": false
 }
 }
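Review bot: All six `authentication_upstream_data_authelia_*` entries are declared `"mandatory": false` and, unlike the entries they replace, carry no `"nullable": false`, so when `authentication_upstream_kind` is `authelia` nothing in the variable definitions requires `url_base`, `client_id` or `client_secret` to be set, and config-base.json.j2 would render an empty or default string into the provider. If the vardef format cannot express "required when kind is authelia", that check has to live in the role's tasks, and a short description next to these entries saying so would keep the next maintainer from reading `mandatory: false` as "genuinely optional". The new `authentication_upstream_kind` entry also omits the `mandatory` key that its neighbours spell out; whether an absent key means required or optional depends on the validator, which is not shown here, so stating `"mandatory": false` explicitly, consistent with the `"none"` default in defaults/main.json, would make the intent unambiguous.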