diff --git a/.isort.cfg b/.isort.cfg
index 1a9152748cbb0730e0c34f403a9a7f206c01ca51..444fbf680ab7878dfe5970e09b36e8e9bb812360 100644
--- a/.isort.cfg
+++ b/.isort.cfg
@@ -4,4 +4,4 @@ line_length = 88
 multi_line_output = 3
 default_sectiont = "THIRDPARTY"
 include_trailing_comma = true
-known_third_party = django,environ,wagtail
+known_third_party = django,environ,pirates,wagtail
diff --git a/majak/settings/base.py b/majak/settings/base.py
index 4c216c94cac8c0ddec193627573b6fefcef83197..3d88cb84a1a98d7866398e75a86009a27a37ab28 100644
--- a/majak/settings/base.py
+++ b/majak/settings/base.py
@@ -1,17 +1,5 @@
-"""
-Django settings for majak project.
-
-Generated by 'django-admin startproject' using Django 3.0.5.
-
-For more information on this file, see
-https://docs.djangoproject.com/en/3.0/topics/settings/
-
-For the full list of settings and their values, see
-https://docs.djangoproject.com/en/3.0/ref/settings/
-"""
-
-# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
-import os
+import os.path
+from os.path import join
 
 import environ
 
@@ -21,15 +9,12 @@ PROJECT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 BASE_DIR = os.path.dirname(PROJECT_DIR)
 
 
-# Quick-start development settings - unsuitable for production
-# See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/
-
-
 # Application definition
 
 INSTALLED_APPS = [
     "search",
     "senator",
+    "pirates",
     "wagtail.contrib.forms",
     "wagtail.contrib.redirects",
     "wagtail.contrib.modeladmin",
@@ -72,7 +57,7 @@ ROOT_URLCONF = "majak.urls"
 TEMPLATES = [
     {
         "BACKEND": "django.template.backends.django.DjangoTemplates",
-        "DIRS": [os.path.join(PROJECT_DIR, "templates"),],
+        "DIRS": [join(PROJECT_DIR, "templates"),],
         "APP_DIRS": True,
         "OPTIONS": {
             "context_processors": [
@@ -128,19 +113,17 @@ STATICFILES_FINDERS = [
     "django.contrib.staticfiles.finders.AppDirectoriesFinder",
 ]
 
-STATICFILES_DIRS = [
-    os.path.join(PROJECT_DIR, "static"),
-]
+STATICFILES_DIRS = [join(PROJECT_DIR, "static")]
 
 # ManifestStaticFilesStorage is recommended in production, to prevent outdated
 # Javascript / CSS assets being served from cache (e.g. after a Wagtail upgrade).
 # See https://docs.djangoproject.com/en/3.0/ref/contrib/staticfiles/#manifeststaticfilesstorage
 STATICFILES_STORAGE = "django.contrib.staticfiles.storage.ManifestStaticFilesStorage"
 
-STATIC_ROOT = os.path.join(BASE_DIR, "static_files")
+STATIC_ROOT = join(BASE_DIR, "static_files")
 STATIC_URL = "/static/"
 
-MEDIA_ROOT = os.path.join(BASE_DIR, "media_files")
+MEDIA_ROOT = join(BASE_DIR, "media_files")
 MEDIA_URL = "/media/"
 
 
@@ -155,3 +138,15 @@ BASE_URL = "http://example.com"
 WAGTAIL_ALLOW_UNICODE_SLUGS = False
 
 TAGGIT_CASE_INSENSITIVE = True
+
+
+AUTHENTICATION_BACKENDS = ["pirates.auth.PiratesOIDCAuthenticationBackend"]
+
+OIDC_RP_CLIENT_ID = env.str("OIDC_RP_CLIENT_ID")
+OIDC_RP_CLIENT_SECRET = env.str("OIDC_RP_CLIENT_SECRET")
+OIDC_RP_REALM_URL = env.str("OIDC_RP_REALM_URL")
+OIDC_RP_SIGN_ALGO = "RS256"
+OIDC_OP_JWKS_ENDPOINT = join(OIDC_RP_REALM_URL, "protocol/openid-connect/certs")
+OIDC_OP_AUTHORIZATION_ENDPOINT = join(OIDC_RP_REALM_URL, "protocol/openid-connect/auth")
+OIDC_OP_TOKEN_ENDPOINT = join(OIDC_RP_REALM_URL, "protocol/openid-connect/token")
+OIDC_OP_USER_ENDPOINT = join(OIDC_RP_REALM_URL, "protocol/openid-connect/userinfo")
diff --git a/majak/urls.py b/majak/urls.py
index 2c5155b14ac101fc6a405de63bd1368682c59cf1..b2aa7c7c8af664619e70a1bfa7fb83db13453dd6 100644
--- a/majak/urls.py
+++ b/majak/urls.py
@@ -1,6 +1,7 @@
 from django.conf import settings
 from django.conf.urls import include, url
 from django.contrib import admin
+from pirates.urls import urlpatterns as pirates_urlpatterns
 from wagtail.admin import urls as wagtailadmin_urls
 from wagtail.core import urls as wagtail_urls
 from wagtail.documents import urls as wagtaildocs_urls
@@ -12,7 +13,7 @@ urlpatterns = [
     url(r"^admin/", include(wagtailadmin_urls)),
     url(r"^documents/", include(wagtaildocs_urls)),
     url(r"^search/$", search_views.search, name="search"),
-]
+] + pirates_urlpatterns
 
 
 if settings.DEBUG:
diff --git a/requirements/base.in b/requirements/base.in
index ea33a22490e281d447f78d386df4f45e118b4047..2d5e0d1bc72ca173be89c2e547a7fb61239ae505 100644
--- a/requirements/base.in
+++ b/requirements/base.in
@@ -3,3 +3,4 @@ wagtailmenus
 django-environ
 django-extensions
 psycopg2-binary
+git+https://gitlab.pirati.cz/to/pirates@v0.2.0
diff --git a/requirements/base.txt b/requirements/base.txt
index 1504c632ae47b6b99db126836de8cb233bc78537..27d6540d02a3948029f506f71cb79b2611f378ba 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -7,24 +7,34 @@
 asgiref==3.2.7            # via django
 beautifulsoup4==4.6.0     # via wagtail
 certifi==2020.4.5.1       # via requests
+cffi==1.14.0              # via cryptography
 chardet==3.0.4            # via requests
+cryptography==2.9.2       # via josepy, mozilla-django-oidc, pyopenssl
 django-cogwheels==0.3     # via wagtailmenus
 django-environ==0.4.5     # via -r base.in
 django-extensions==2.2.9  # via -r base.in
 django-modelcluster==5.0.1  # via wagtail
 django-taggit==1.2.0      # via wagtail
 django-treebeard==4.3.1   # via wagtail
-django==3.0.5             # via django-taggit, django-treebeard, djangorestframework, wagtail
+django==3.0.5             # via django-taggit, django-treebeard, djangorestframework, mozilla-django-oidc, wagtail
 djangorestframework==3.11.0  # via wagtail
 draftjs-exporter==2.1.7   # via wagtail
 html5lib==1.0.1           # via wagtail
 idna==2.9                 # via requests
+josepy==1.3.0             # via mozilla-django-oidc
 l18n==2018.5              # via wagtail
+mozilla-django-oidc==1.2.3  # via pirates
 pillow==6.2.2             # via wagtail
+git+https://gitlab.pirati.cz/to/pirates@v0.2.0  # via -r base.in
 psycopg2-binary==2.8.5    # via -r base.in
+pyasn1-modules==0.2.8     # via python-ldap
+pyasn1==0.4.8             # via pyasn1-modules, python-ldap
+pycparser==2.20           # via cffi
+pyopenssl==19.1.0         # via josepy
+python-ldap==3.2.0        # via pirates
 pytz==2019.3              # via django, django-modelcluster, l18n
-requests==2.23.0          # via wagtail
-six==1.14.0               # via django-extensions, html5lib, l18n
+requests==2.23.0          # via mozilla-django-oidc, wagtail
+six==1.14.0               # via cryptography, django-extensions, html5lib, josepy, l18n, mozilla-django-oidc, pyopenssl
 sqlparse==0.3.1           # via django
 unidecode==1.1.1          # via wagtail
 urllib3==1.25.8           # via requests
@@ -32,3 +42,6 @@ wagtail==2.8.1            # via -r base.in
 wagtailmenus==3.0.1       # via -r base.in
 webencodings==0.5.1       # via html5lib
 willow==1.3               # via wagtail
+
+# The following packages are considered to be unsafe in a requirements file:
+# setuptools