diff --git a/authentik-application/Chart.yaml b/authentik-application/Chart.yaml
index 87f5883..7e307f7 100644
--- a/authentik-application/Chart.yaml
+++ b/authentik-application/Chart.yaml
@@ -3,4 +3,4 @@ name: authentik-application
 description: A Chart to deploy a secret for the authentik blueprint-sidecar
 type: application
-version: 0.2.0
\ No newline at end of file
+version: 0.3.0
\ No newline at end of file
diff --git a/authentik-application/templates/ingress.yaml b/authentik-application/templates/ingress.yaml
new file mode 100644
index 0000000..9796044
--- /dev/null
+++ b/authentik-application/templates/ingress.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.blueprint.provider.enabled (eq .Values.blueprint.provider.type "proxy") .Values.blueprint.provider.proxy.ingress.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "authentik-application.fullname" . }}
+ labels:
+ {{- include "authentik-application.labels" . | nindent 4 }}
+spec:
+ rules:
+ - host: {{ .Values.blueprint.provider.proxy.ingress.domain | quote }}
+ http:
+ paths:
+ - path: "/outpost.goauthentik.io/"
+ pathType: Prefix
+ backend:
+ name: {{ .Values.blueprint.provider.proxy.ingress.backend | quote }}
+ port:
+ name: http
+{{- end }}
\ No newline at end of file
diff --git a/authentik-application/templates/secrets.yaml b/authentik-application/templates/secrets.yaml
index 4472209..eee6e23 100644
--- a/authentik-application/templates/secrets.yaml
+++ b/authentik-application/templates/secrets.yaml
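Review bot: The `backend:` block in the new path entry puts `name:` and `port:` directly under `backend`, which is not a valid `networking.k8s.io/v1` `IngressBackend`; v1 requires `backend.service.name` and `backend.service.port.name` (or `.number`), so the rendered manifest is rejected by the API server as soon as `proxy.ingress.enabled` is turned on. The restructure below is the fix; the rest of the template can stay as is. Separately, the Ingress has no `tls:` section and no `ingressClassName`, and the values added in this commit offer no key for either, so the `/outpost.goauthentik.io/` forward-auth endpoint is served with whatever the cluster default is; a `tls:` block driven from values, or at least a template comment stating that TLS is expected to be terminated upstream, belongs here.
```yaml
            backend:
              service:
                name: {{ .Values.blueprint.provider.proxy.ingress.backend | quote }}
                port:
                  name: http
```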
@@ -1,7 +1,7 @@
-{{- $clientID := .Values.blueprint.provider.clientID }}
-{{- $clientSecret := .Values.blueprint.provider.clientSecret }}
+{{- $clientID := .Values.blueprint.provider.oidc.clientID }}
+{{- $clientSecret := .Values.blueprint.provider.oidc.clientSecret }}
 {{- $bindPolicyID := .Values.blueprint.application.bindPolicyID }}
-{{- if or (and .Values.blueprint.provider.enabled (not $clientID) (not $clientSecret)) (and (not $bindPolicyID) (eq (len .Values.blueprint.groups) 0)) }}
+{{- if or (and .Values.blueprint.provider.enabled (eq .Values.blueprint.provider.type "oidc") (not $clientID) (not $clientSecret)) (and (not $bindPolicyID) (eq (len .Values.blueprint.groups) 0)) }}
 ---
 {{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }}
 apiVersion: v1
@@ -24,6 +24,7 @@ stringData:
 {{- if .Values.blueprint.provider.enabled }}
 issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }}
+ {{- with .Values.blueprint.provider.oidc }}
 {{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }}
 {{- $clientID = $clientID | default ($clientIDCoded | b64dec) }}
 clientID: {{ $clientID | quote }}
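Review bot: The new `{{- with .Values.blueprint.provider.oidc }}` in the second hunk is not conditioned on `type`, unlike the `(eq .Values.blueprint.provider.type "oidc")` test the first hunk adds to the outer `if`: the values file ships `oidc:` with a non-empty default (`clientType: "confidential"`), so the `with` is truthy for a `proxy` provider too and still generates and writes `clientID`/`clientSecret` (plus the keys that follow in the next hunk) whenever this Secret is rendered for the bind-policy/groups reason. Gating it the same way the blueprint entries are gated keeps the two paths in step: `{{- if eq .Values.blueprint.provider.type "oidc" }}{{- with .Values.blueprint.provider.oidc }}`, with a matching `{{- end }}` added at the closing line in the next hunk, whose comment `{{/* end when-oidc */}}` would then describe what it actually closes. The `stringData:` mapping and the enclosing `{{- if .Values.blueprint.provider.enabled }}` continue past the end of the hunk.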
@@ -32,24 +33,25 @@ stringData:
 {{- $clientSecret = $clientSecret | default ($clientSecretCoded | b64dec) }}
 clientSecret: {{ $clientSecret | quote }}
- redirectURL: {{ .Values.blueprint.provider.redirectURL }}
+ redirectURL: {{ .redirectURL }}
- {{- with .Values.blueprint.provider.tokenDuration }}
+ {{- with .tokenDuration }}
 tokenDuration: {{ . | quote }}
 {{- end }}
- {{- with .Values.blueprint.provider.scopes }}
+ {{- with .scopes }}
 customScopes: {{ . | join "," | quote }}
 {{- end }}
- {{- with .Values.blueprint.provider.claimUsername }}
+ {{- with .claimUsername }}
 claimUsername: {{ . | quote }}
 {{- end }}
- {{- with .Values.blueprint.provider.claimGroups }}
+ {{- with .claimGroups }}
 claimGroups: {{ . | quote }}
 {{- end }}
 {{- end }}
+ {{- end }}{{/* end when-oidc */}}
 {{- end }}
 ---
 apiVersion: v1
@@ -69,6 +71,7 @@ stringData:
 entries:
 {{- if .Values.blueprint.provider.enabled }}
+ {{- if (eq .Values.blueprint.provider.type "oidc") }}
 - model: authentik_providers_oauth2.OAuth2Provider
 id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
 identifiers:
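Review bot: `redirectURL: {{ .redirectURL }}` is the only value in this hunk rendered without `| quote`; with the shipped default `redirectURL: ""` it renders as `redirectURL:` with nothing after it, which YAML reads as null rather than the empty string every neighbouring key produces, and a URL containing `: ` or ` #` would be cut by the YAML parser before Kubernetes sees it. Since the line is being rewritten anyway, `redirectURL: {{ .redirectURL | quote }}` brings it in line with `tokenDuration: {{ . | quote }}` and the other keys here; the same applies to `redirect_uris: {{ .redirectURL }}` in the later hunk of this file. The `stringData:` mapping this sits in opens before the hunk.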
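Review bot: The `{{- if (eq .Values.blueprint.provider.type "oidc") }}` added here and the `proxy` branch in the next hunk are both positive equality checks, so a misspelled or unsupported `type` (say `OIDC`) renders no provider entry at all while the `authentik_core.Application` entry that follows is still emitted and, presumably, still refers to the provider; the failure then surfaces only when the blueprint is applied, with no hint at the cause. A guard just inside `entries:` turns that into a template-time error: `{{- if not (has .Values.blueprint.provider.type (list "oidc" "proxy")) }}`, `{{- fail (printf "blueprint.provider.type must be \"oidc\" or \"proxy\", got %q" .Values.blueprint.provider.type) }}`, `{{- end }}`. The `{{- if .Values.blueprint.provider.enabled }}` this branch sits in closes outside the hunk.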
@@ -76,22 +79,39 @@ stringData:
 state: present
 attrs:
 authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
- client_type: {{ .Values.blueprint.provider.clientType | quote }}
+ {{- with .Values.blueprint.provider.oidc }}
+ client_type: {{ .clientType | quote }}
 client_id: {{ $clientID | quote }}
 client_secret: {{ $clientSecret | quote }}
- redirect_uris: {{ .Values.blueprint.provider.redirectURL }}
- {{- with .Values.blueprint.provider.tokenDuration }}
+ redirect_uris: {{ .redirectURL }}
+ {{- with .tokenDuration }}
 access_token_validity: {{ . | quote }}
 {{- end }}
- {{- with .Values.blueprint.provider.signingKey }}
+ {{- with .signingKey }}
 signing_key: !Find [authentik_crypto.CertificateKeyPair, [name, {{ . }}]]
 {{- end }}
- {{- with .Values.blueprint.provider.scopes }}
+ {{- with .scopes }}
 property_mappings:
 {{- range . }}
 - !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]]
 {{- end }}
 {{- end }}
+ {{- end }}{{/* with-oidc */}}
+ {{- end }}{{/* if-oidc */}}
+
+ {{- if (eq .Values.blueprint.provider.type "proxy") }}
+ - model: authentik_providers_proxy.ProxyProvider
+ id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
+ identifiers:
+ name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
+ state: present
+ attrs:
+ authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
+ mode: "forward_single"
+ {{- with .Values.blueprint.provider.proxy }}
+ external_host: {{ .externalHost | quote }}
+ {{- end }}{{/* with-proxy */}}
+ {{- end }}{{/* if-proxy */}}
 {{- end }}
 - model: authentik_core.Application
diff --git a/authentik-application/values.yaml b/authentik-application/values.yaml
index 81beabe..7058ac9 100644
--- a/authentik-application/values.yaml
+++ b/authentik-application/values.yaml
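Review bot: `external_host: {{ .externalHost | quote }}` in the new ProxyProvider entry renders `external_host: ""` with the shipped default `externalHost:` (null in the values hunk), so a proxy deployment that forgets the value produces a blueprint the authentik side has to reject instead of a chart error; `external_host: {{ required "blueprint.provider.proxy.externalHost is required when provider.type is proxy" .externalHost | quote }}` fails at render time with a message that names the key. `mode: "forward_single"` is hard-coded with no corresponding values key; if that is deliberate, a template comment such as `{{/* mode is fixed to forward_single; other proxy modes are not wired up by this chart */}}` saves the next reader from hunting for the option. The `{{- if .Values.blueprint.provider.enabled }}` block these entries live in opens before the hunk.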
@@ -11,16 +11,28 @@ blueprint:
 enabled: true
 name: ""
 authorizationFlow: "default-provider-authorization-implicit-consent"
- clientType: "confidential"
- # -- client id - generated if secret enabled
- clientID:
- # -- client secret - generated if secret enabled
- clientSecret:
- redirectURL: ""
- # -- Need for non-curve / RSA
- signingKey: ""
- # -- Scope
- scopes:
+ type: "oidc" # or proxy
+ # used for oidc provider
+ oidc:
+ clientType: "confidential"
+ # -- client id - generated if secret enabled
+ clientID:
+ # -- client secret - generated if secret enabled
+ clientSecret:
+ redirectURL: ""
+ # -- Need for non-curve / RSA
+ signingKey: ""
+ # -- Scope
+ scopes:
+ # -- used for proxy provider
+ proxy:
+ externalHost:
+ # -- not yet supported
+ ingress:
+ enabled: false
+ domain:
+ # service backend
+ backend: authentik
 application:
 name: ""
 slug: "app-name"
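Review bot: The `# -- not yet supported` comment above `ingress:` contradicts `templates/ingress.yaml`, which this same commit adds and which renders as soon as `enabled: true` is set; either the comment is stale or the template is work in progress, and the comment should say which (for example `# -- optional Ingress for the proxy outpost path; off by default`). The allowed values of `type` are given only in the trailing `# or proxy`, which helm-docs-style tooling will not pick up; a `# -- provider type: "oidc" or "proxy"` line above `type:` documents it where the other keys are documented. The comment style is also mixed within the hunk (`# used for oidc provider`, `# -- used for proxy provider`, `# service backend`) and would read better with the `# --` prefix throughout. `externalHost:` and `domain:` are left bare (null); if an empty string is the intended default, `""` says so and matches `redirectURL: ""`.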