diff --git a/build.gradle b/build.gradle
index f3d3213..cd42a9e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,14 +1,14 @@
plugins {
id 'java'
- id 'org.springframework.boot' version '3.1.3'
- id "io.spring.dependency-management" version "1.1.2"
+ id 'org.springframework.boot' version '3.2.0'
+ id "io.spring.dependency-management" version "1.1.4"
id 'war'
id 'eclipse'
id 'application'
}
group = 'de.jottyfan.bico'
-version = '0.0.5'
+version = '0.0.6'
description = """BibleClassOrganizer"""
@@ -44,6 +44,7 @@ dependencies {
implementation 'de.jottyfan:bicolib:4'
implementation 'org.springframework.boot:spring-boot-starter-jooq'
+ implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-security'
diff --git a/src/main/java/de/jottyfan/bico/Main.java b/src/main/java/de/jottyfan/bico/Main.java
index 072cb63..985e062 100644
--- a/src/main/java/de/jottyfan/bico/Main.java
+++ b/src/main/java/de/jottyfan/bico/Main.java
@@ -4,7 +4,6 @@ import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
/** *
@@ -12,8 +11,8 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
* */
@SpringBootApplication
-@EnableWebSecurity
public class Main extends SpringBootServletInitializer {
+ @Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(Main.class);
diff --git a/src/main/java/de/jottyfan/bico/config/SecurityConfig.java b/src/main/java/de/jottyfan/bico/config/SecurityConfig.java
index 3d2fb60..3ed7529 100644
--- a/src/main/java/de/jottyfan/bico/config/SecurityConfig.java
+++ b/src/main/java/de/jottyfan/bico/config/SecurityConfig.java
@@ -1,15 +1,9 @@
package de.jottyfan.bico.config;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
-import org.springframework.security.authentication.AuthenticationEventPublisher;
-import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
/** *
@@ -17,18 +11,15 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
* */
@Configuration
-@EnableWebSecurity
public class SecurityConfig {
- @Bean
- @ConditionalOnMissingBean(UserDetailsService.class)
- InMemoryUserDetailsManager imudm() {
- return new InMemoryUserDetailsManager(User.withUsername("user").password("{noop}password").roles("USER").build());
- }
-
- @Bean
- @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
- DefaultAuthenticationEventPublisher daep(ApplicationEventPublisher delegate) {
- return new DefaultAuthenticationEventPublisher(delegate);
+ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http.authorizeHttpRequests(
+ // @formatter:off
+ r -> r.requestMatchers("/", "/error", "/css/**", "/js/**", "/webjars/**", "/template").permitAll()
+ .requestMatchers("/**").authenticated())
+ .oauth2Login(l -> l.authorizationEndpoint(e -> e.baseUri("/oauth2/authorize-client")));
+ // @formatter:on
+ return http.build();
}
}
diff --git a/src/main/java/de/jottyfan/bico/modules/CommonController.java b/src/main/java/de/jottyfan/bico/modules/CommonController.java
index 82b0718..8485aa3 100644
--- a/src/main/java/de/jottyfan/bico/modules/CommonController.java
+++ b/src/main/java/de/jottyfan/bico/modules/CommonController.java
@@ -1,7 +1,14 @@
package de.jottyfan.bico.modules;
+import java.security.Principal;
+import java.util.List;
+ import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.ui.Model;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.web.bind.annotation.ModelAttribute;
import de.jottyfan.bico.modules.profile.ProfileService;
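Review bot: In SecurityConfig's `filterChain`, the only rule beyond the public paths is `.requestMatchers("/**").authenticated()`, so every account the Nextcloud provider authenticates passes the filter chain; the `Bibelunterricht` role introduced in this commit is only exposed as the `hasBUrole` model attribute in CommonController. If the templates use that attribute to hide content, the handlers behind them (sheet, slot, lesson) presumably still run for users without the role, so the check should be enforced in the chain or on the handler methods as well. One way is to map the `roles` attribute to granted authorities during login and require that authority in place of `authenticated()`; the catch-all itself reads more conventionally as `.anyRequest().authenticated()`.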
@@ -15,15 +22,31 @@ public abstract class CommonController {
@Autowired
private ProfileService profileService;
+ @Value("${spring.security.oauth2.client.provider.nextcloud.issuer-uri}")
+ private String nextcloudUrl;
+
+ @ModelAttribute("hasBUrole")
+ public Boolean hasBURole(Principal principal) {
+ OAuth2AuthenticationToken token = (OAuth2AuthenticationToken) principal;
+ OAuth2User user = token.getPrincipal();
+ @SuppressWarnings("unchecked")
+ List roles = (List) user.getAttributes().get("roles");
+ return roles.contains("Bibelunterricht");
+ }
+ /** * get the theme for the current session * * @return the theme; light or dark at the moment */
- public Model useThemedModel(Model model) {
- // TODO: add profile's user name
- String username = "jotty";
- model.addAttribute("theme", profileService.getTheme(username));
- return model;
+ @ModelAttribute("theme")
+ public String getTheme() {
+ String username = SecurityContextHolder.getContext().getAuthentication().getName();
+ return profileService.getTheme(username);
+ }
+
+ @ModelAttribute("nextcloudUrl")
+ public String getNextcloudUrl() {
+ return nextcloudUrl;
}
}
diff --git a/src/main/java/de/jottyfan/bico/modules/index/IndexController.java b/src/main/java/de/jottyfan/bico/modules/index/IndexController.java
index 3742aa6..0bc19d6 100644
--- a/src/main/java/de/jottyfan/bico/modules/index/IndexController.java
+++ b/src/main/java/de/jottyfan/bico/modules/index/IndexController.java
@@ -1,7 +1,6 @@
package de.jottyfan.bico.modules.index;
import org.springframework.stereotype.Controller;
-import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import de.jottyfan.bico.modules.CommonController;
@@ -14,8 +13,7 @@ import de.jottyfan.bico.modules.CommonController;
@Controller
public class IndexController extends CommonController {
@GetMapping("/")
- public String getIndex(Model model) {
- useThemedModel(model);
+ public String getIndex() {
return "redirect:/sheet";
}
}
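Review bot: `hasBURole` in CommonController dereferences `principal` without a guard, and as a `@ModelAttribute` method it runs before every handler of every subclass, including `IndexController`'s `/`, which SecurityConfig lists under `permitAll()`. An unauthenticated request there would most likely arrive with a null `Principal`, a non-OAuth2 authentication fails the cast, and a user without a `roles` attribute makes `roles.contains(...)` throw. Each of these cases should yield `false` rather than an exception, so the role check fails closed and public pages still render. The class declaration starts above the hunk.

```java
@ModelAttribute("hasBUrole")
public Boolean hasBURole(Principal principal) {
    // anonymous or non-OAuth2 requests carry no role information: deny by default
    if (!(principal instanceof OAuth2AuthenticationToken token)) {
        return false;
    }
    Object roles = token.getPrincipal().getAttributes().get("roles");
    // a missing or unexpectedly typed claim also counts as "no role"
    return roles instanceof List<?> list && list.contains("Bibelunterricht");
}
```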
diff --git a/src/main/java/de/jottyfan/bico/modules/sheet/SheetController.java b/src/main/java/de/jottyfan/bico/modules/sheet/SheetController.java
index d05a6cf..c8fb955 100644
--- a/src/main/java/de/jottyfan/bico/modules/sheet/SheetController.java
+++ b/src/main/java/de/jottyfan/bico/modules/sheet/SheetController.java
@@ -20,7 +20,7 @@ public class SheetController extends CommonController {
@GetMapping("/sheet")
public String getSheet(Model model) {
- useThemedModel(model).addAttribute("list", service.getList());
+ model.addAttribute("list", service.getList());
return "/sheet";
}
}
diff --git a/src/main/resources/META-INF/additional-spring-configuration-metadata.json b/src/main/resources/META-INF/additional-spring-configuration-metadata.json
new file mode 100644
index 0000000..f4c171d
--- /dev/null
+++ b/src/main/resources/META-INF/additional-spring-configuration-metadata.json
@@ -0,0 +1,9 @@
+{
+ "properties": [
+ {
+ "name": "nextcloud.url",
+ "type": "java.lang.String",
+ "description": "the URL to nextcloud for logout operations"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index ec543d1..9608248 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -10,4 +10,11 @@ spring.datasource.password = ${db.password}
server.servlet.context-path = ${my.context-path:/BiCO}
# for development only
-server.port = 8081
+server.port = ${server.port}
+
+# nextcloud open ID connection
+spring.security.oauth2.client.provider.nextcloud.issuer-uri = ${nextcloud.issuer-uri}
+spring.security.oauth2.client.registration.nextcloud.client-id = ${nextcloud.client-id}
+spring.security.oauth2.client.registration.nextcloud.client-secret = ${nextcloud.client-secret}
+spring.security.oauth2.client.registration.nextcloud.authorization-grant-type = authorization_code
+spring.security.oauth2.client.registration.nextcloud.redirect-uri = ${nextcloud.redirect-uri}
diff --git a/src/main/resources/templates/error.html b/src/main/resources/templates/error.html
new file mode 100644
index 0000000..e6988a5
--- /dev/null
+++ b/src/main/resources/templates/error.html
@@ -0,0 +1,10 @@
+ + + + +
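Review bot: `server.port = ${server.port}` in application.properties refers to itself, so unless a higher-precedence source (command line, environment, external config) supplies `server.port`, the placeholder has nothing to resolve against and startup is likely to fail. Following the pattern the file already uses in `${my.context-path:/BiCO}`, a separately named key with a default keeps the development value, e.g. `server.port = ${my.port:8081}` (the key name is only a suggestion). The `nextcloud.*` placeholders, including the client secret, have no defaults either, which is right for a secret, but a comment next to `# nextcloud open ID connection` should list the keys a deployment must provide. The metadata file added in this commit describes `nextcloud.url`, which none of these placeholders use.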
+
Es ist ein Fehler aufgetreten. Wenden Sie sich bitte an Ihren Entwickler.
+
+
+ +
\ No newline at end of file
diff --git a/src/main/resources/templates/lesson/item.html b/src/main/resources/templates/lesson/item.html
index f8015f6..d78c4c5 100644
--- a/src/main/resources/templates/lesson/item.html
+++ b/src/main/resources/templates/lesson/item.html
@@ -3,7 +3,7 @@
-
+

Dozent-Reservierung

diff --git a/src/main/resources/templates/sheet.html b/src/main/resources/templates/sheet.html
index 5fe7e39..9c41d2f 100644
--- a/src/main/resources/templates/sheet.html
+++ b/src/main/resources/templates/sheet.html
@@ -3,7 +3,7 @@
- +
diff --git a/src/main/resources/templates/slot/delete.html b/src/main/resources/templates/slot/delete.html
index f841753..8270bd3 100644
--- a/src/main/resources/templates/slot/delete.html
+++ b/src/main/resources/templates/slot/delete.html
@@ -2,7 +2,7 @@
-
+
Wollen Sie den Slot wirklich löschen?
Ja, definitiv
diff --git a/src/main/resources/templates/slot/item.html b/src/main/resources/templates/slot/item.html
index ee77f98..a3bd614 100644
--- a/src/main/resources/templates/slot/item.html
+++ b/src/main/resources/templates/slot/item.html
@@ -3,7 +3,7 @@
-
+

Terminfestlegung

diff --git a/src/main/resources/templates/template.html b/src/main/resources/templates/template.html
index 99020b7..2fcc1bb 100644
--- a/src/main/resources/templates/template.html
+++ b/src/main/resources/templates/template.html
@@ -21,7 +21,7 @@
-
content
+
content
+
+
+
Leider fehlen Ihnen die Berechtigungen, um diese Anwendung nutzen zu können.
+
+
\ No newline at end of file
diff --git a/src/main/resources/templates/theme.html b/src/main/resources/templates/theme.html
index 0bba3ac..a58eb59 100644
--- a/src/main/resources/templates/theme.html
+++ b/src/main/resources/templates/theme.html
@@ -3,7 +3,7 @@
-
+

Themen für den

Tag