diff --git a/.gitlab-ci-template.yml b/.gitlab-ci-template.yml
index 5323670..3c89e54 100644
--- a/.gitlab-ci-template.yml
+++ b/.gitlab-ci-template.yml
@@ -66,6 +66,7 @@ ssh -p "$PORT" "$DEPLOY_USER@$HOST" "mkdir -p $REMOTE_ENV_PATH"
 scp -P "$PORT" docker-compose.yml "$DEPLOY_USER@$HOST:$REMOTE_ENV_PATH/docker-compose.yml"
 scp -P "$PORT" nginx.conf "$DEPLOY_USER@$HOST:$REMOTE_ENV_PATH/nginx.conf"
+ scp -P "$PORT" auth.lua "$DEPLOY_USER@$HOST:$REMOTE_ENV_PATH/auth.lua"
 echo "Deploying DEMO on $HOST"
 ssh -p "$PORT" "$DEPLOY_USER@$HOST" "
diff --git a/auth.lua b/auth.lua
new file mode 100644
index 0000000..6b7771d
--- /dev/null
+++ b/auth.lua
@@ -0,0 +1,22 @@
+local openidc = require("resty.openidc")
+
+local opts = {
+ redirect_uri_path = "/redirect_uri",
+ discovery = "https://kc.boomlab.party/realms/rhein-sw/.well-known/openid-configuration",
+ client_id = "demo-sso",
+ client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET"),
+ redirect_uri_scheme = "https",
+ scope = "openid email profile"
+}
+
+local res, err = openidc.authenticate(opts)
+
+if err then
+ ngx.status = 403
+ ngx.say("Authentication failed: " .. err)
+ ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+
+-- Optional: Forward useful info to upstream
+ngx.req.set_header("X-User", res.user.preferred_username or "")
+ngx.req.set_header("X-Email", res.user.email or "")
diff --git a/docker-compose.yml b/docker-compose.yml
index e518592..457c23b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,6 +6,11 @@ services:
 - "25700:80"
 volumes:
 - ./nginx.conf:/etc/nginx/nginx.conf:ro
+ - ./auth.lua:/etc/nginx/auth.lua:ro
+ environment:
+ - KEYCLOAK_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET}
+ env_file:
+ - .env
 networks:
 - demos-net
diff --git a/nginx.conf b/nginx.conf
index a0e1628..a545ddb 100644
--- a/nginx.conf
+++ b/nginx.conf
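Review bot: The added scp line provisions auth.lua, but the compose file introduced in the same commit now needs `KEYCLOAK_CLIENT_SECRET` on the host (via `.env` / `${KEYCLOAK_CLIENT_SECRET}` interpolation) and nothing in this hunk puts it there. If the value is meant to come from a masked CI variable, push it over stdin rather than a hand-maintained file on the host, e.g. `printf 'KEYCLOAK_CLIENT_SECRET=%s\n' "$KEYCLOAK_CLIENT_SECRET" | ssh -p "$PORT" "$DEPLOY_USER@$HOST" "umask 077; cat > $REMOTE_ENV_PATH/.env"`, so the secret never appears in a remote command line or shell history. The `ssh` invocation that starts on the last context line continues outside the hunk, so this may already be handled there.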
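Review bot: `client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET")` evaluates to nil inside an nginx worker unless the main context of nginx.conf declares `env KEYCLOAK_CLIENT_SECRET;` — nginx drops inherited environment variables by default, and the nginx.conf hunks in this commit start at line 5 and show no such directive, so confirm it exists or the token exchange will run with an empty secret. The error branch also writes the raw `err` returned by `openidc.authenticate` into the response body; that string can include discovery/token endpoint details and should go to the error log, with a generic message to the client. Finally, `res.user` is indexed unconditionally on the last two lines; if the userinfo lookup is skipped or fails these raise a Lua error and the request ends in a 500 instead of a controlled denial, so read the fields through a guarded local as below.
```lua
-- … unchanged: openidc require and opts table …
local res, err = openidc.authenticate(opts)

if err then
  -- keep the detail server-side; the client only learns that auth failed
  ngx.log(ngx.ERR, "openidc authenticate failed: ", err)
  ngx.status = ngx.HTTP_FORBIDDEN
  ngx.say("Authentication failed")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Optional: Forward useful info to upstream
local user = (res and res.user) or {}
ngx.req.set_header("X-User", user.preferred_username or "")
ngx.req.set_header("X-Email", user.email or "")
```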
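Review bot: `env_file: - .env` injects every variable present in `.env` into the nginx container, not only `KEYCLOAK_CLIENT_SECRET`, and it is redundant with the `environment:` entry two lines above because compose already reads `.env` for `${...}` interpolation; drop the `env_file` block and keep the single explicit variable so the container's environment stays minimal. A plain environment variable is also visible to anyone who can reach the Docker socket (`docker inspect`) and via the process environment; for a demo that may be acceptable, but a secret mounted as a read-only file and read from Lua avoids that exposure. Whichever route is kept, note that the value only reaches the Lua code if nginx re-exports it with the `env` directive.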
@@ -5,6 +5,11 @@ events {
 }
 http {
+ lua_package_path "/etc/nginx/lua/?.lua;;";
+ lua_shared_dict discovery 1m;
+ lua_shared_dict jwks 1m;
+ lua_shared_dict sessions 10m;
+
 include mime.types;
 default_type application/octet-stream;
 sendfile on;
@@ -15,10 +20,11 @@ http {
 # Automatically redirect URLs missing trailing slash (but not files like .js, .css, etc.)
 #if ($request_uri ~ ^([^.\?\#]*[^/])$) {
- # return 301 $request_uri/;
- # }
+ # return 301 $request_uri/;
+ # }
- location / {
+ # Public route: /auth selection page, no login required
+ location /auth {
 proxy_pass http://main-website:3000;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
@@ -26,10 +32,23 @@ http {
 proxy_set_header X-Forwarded-Proto $scheme;
 }
+ # Protected root route (main site)
+ location / {
+ access_by_lua_file /etc/nginx/auth.lua;
+
+ proxy_pass http://main-website:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # Protected demo route
 location /lawfirm/demo1/ {
- proxy_pass http://ld1:3000/;
+ access_by_lua_file /etc/nginx/auth.lua;
 rewrite ^/lawfirm/demo1(/.*)$ $1 break;
+ proxy_pass http://ld1:3000;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
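Review bot: The new `http`-level block declares the shared dicts but not `lua_ssl_trusted_certificate` (and `lua_ssl_verify_depth`), which lua-resty-openidc needs to validate the TLS certificate of the discovery and token endpoints at `https://kc.boomlab.party`; without it the HTTPS calls fail with a certificate verify error, and the tempting workaround — `ssl_verify = "no"` in auth.lua — would disable certificate checking entirely. Add `lua_ssl_trusted_certificate <ca-bundle path in the image>;` and `lua_ssl_verify_depth 5;` next to the dicts, unless they are already set higher in the file outside this hunk. `lua_package_path "/etc/nginx/lua/?.lua;;"` points at a directory this commit never populates (auth.lua is mounted at `/etc/nginx/auth.lua`), so `require("resty.openidc")` relies entirely on the image's default paths; if that is the intent, a comment such as `# resty.openidc comes from the image's default LUA_PATH; /etc/nginx/lua is reserved for local modules` would save the next reader the search. I also don't see a `session_secret` configured anywhere in the diff; as far as I recall lua-resty-session signs its cookie with a per-process default when none is set, so set one explicitly so sessions stay valid across workers and restarts, and note that the `sessions` dict is only used if the session library is configured for shm storage.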
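Review bot: The new public `location /auth` has no `access_by_lua_file`, yet it proxies to the same `main-website:3000` upstream that the protected `location /` feeds with `X-User`/`X-Email` set by auth.lua, so a client can put its own `X-User` header on a request to `/auth` and the upstream receives it unchanged. Add `proxy_set_header X-User "";` and `proxy_set_header X-Email "";` inside this location (an empty value removes the header from the proxied request), and make sure the upstream treats those headers as authoritative only on the authenticated routes. `location /auth` is also a prefix match, so every upstream path beginning with `/auth` (e.g. `/authors`, `/auth/...`) becomes reachable without login; if only the selection page is public, `location = /auth {` is the safer form. The re-indented `# return 301` comment lines in the same hunk are cosmetic.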