diff --git a/caddy/conf/auth.caddy b/caddy/conf/auth.caddy index f5778f5..e3e3870 100644 --- a/caddy/conf/auth.caddy +++ b/caddy/conf/auth.caddy @@ -1,21 +1,30 @@ order authenticate before respond order authorize before reverse_proxy security { + local identity store localdb { + realm local + path /data/caddy/users.json + } oauth identity provider generic { - realm mine + realm remote driver generic client_id {$OAUTH_CLIENT_ID} client_secret {$OAUTH_CLIENT_SECRET} - scopes openid email profile + scopes openid email profile seafile joh + + enable logout + # extract all from userinfo + extract seafile_email from userinfo delay_start 5 retry_attempts 3 retry_interval 10 - base_auth_url https://authentik.{$SUBDOMAIN}.{$DOMAIN} - metadata_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration + base_auth_url https://authentik.{$DOMAIN} + metadata_url https://authentik.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration } authentication portal myportal { + enable identity store localdb enable identity provider generic cookie domain {$DOMAIN} ui { @@ -24,24 +33,27 @@ security { "Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play" } } - transform user { - match realm mine + match realm remote action add role authp/user + action add iets "Zo iets!" as string + } - transform user { - match realm mine - - # Give this account admin role in the auth portal - match email rik.veenboer@gmail.com - action add role authp/admin + match origin local + action add role authp/user } } authorization policy mypolicy { set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic allow roles authp/admin authp/user validate bearer header + + set user identity seafile_id + inject headers with claims + inject header "X-Seafile-Email" from "user|email" + inject header "X-Test" from "userinfo|seafile_email" + inject header "X-Onzin" from "realm" } } 
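Review bot: The comment `# extract all from userinfo` contradicts the directive under it, which extracts only the `seafile_email` claim; either reword it to `# pull the custom seafile_email claim from the userinfo endpoint` or drop it. The trailing `joh` in `scopes openid email profile seafile joh` reads like a leftover experiment — if the Authentik application has no scope mapping for it, the token request may fail or the scope may be silently ignored, so confirm it is intentional. The new `local identity store localdb` persists credential material at `/data/caddy/users.json`; that path needs to be on a persistent volume readable only by the Caddy process, which this config cannot express, so it belongs in the deployment notes next to the store definition. The enclosing `security` block continues past the end of this hunk.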
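Review bot: `set user identity seafile_id` names a claim that nothing in this diff produces — the provider block in the first hunk extracts only `seafile_email` — so the identity the upstream receives is unclear; either add `extract seafile_id from userinfo` to the provider or change the line to `set user identity seafile_email`. The new `match origin local` transform gives `authp/user` to every account in the local store, and `allow roles authp/admin authp/user` then admits them to every site using `mypolicy`, so this is only safe if the local store does not allow self-registration (not visible here); note also that removing the per-email admin grant leaves no account with `authp/admin`. `action add iets "Zo iets!" as string`, `inject header "X-Test" …` and `inject header "X-Onzin" from "realm"` look like debugging placeholders and should be removed before this ships, since `inject headers with claims` already forwards claim data to the upstream. Confirm that the injected `X-Seafile-Email` header replaces rather than appends to any same-named header supplied by the client, so the upstream never sees a client-controlled value. The enclosing `security` block starts before this hunk.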
diff --git a/caddy/sites/test.caddy b/caddy/sites/test.caddy index 10fab7c..3bdca87 100644 --- a/caddy/sites/test.caddy +++ b/caddy/sites/test.caddy @@ -4,7 +4,7 @@ test.{$SUBDOMAIN}.{$DOMAIN} { } authorize with mypolicy - reverse_proxy host:15000 + reverse_proxy host:12345 } auth.{$SUBDOMAIN}.{$DOMAIN} {