diff --git a/config.inc.php b/config.inc.php
index 34b2e291..146bbb69 100644
--- a/config.inc.php
+++ b/config.inc.php
@@ -729,6 +729,30 @@ $CONF['xmlrpc_enabled'] = false;
 //More details in Password_Expiration.md
 $CONF['password_expiration'] = 'YES';
+
+/**
+ * If either of these are callables, then they will be used to perform authentication in /login.php or /users/login.php.
+ * If they return null, then it's assumed authentication failed.
+ * IF they authentication succeeds they should return the id of a user in the postfixadmin database.
+ */
+$CONF['postfixadmin_auth_admin_callback'] = null;
+$CONF['postfixadmin_auth_user_callback'] = null;
+
+/*
+$CONF['postfixadmin_auth_admin_callback'] = function () {
+ if (!isset($_SERVER['REMOTE_USER'])) {
+ return null;
+ }
+
+ $map = [
+ "david" => "root@example.com"
+ ];
+ $oauth_user = $_SERVER['REMOTE_USER'];
+ return $map[$oauth_user] ?? null;
+};
+*/
+
+
 // If defined, use this rather than trying to construct it from $_SERVER parameters.
 // used in (at least) password-recover.php.
 $CONF['site_url'] = null;
diff --git a/public/login.php b/public/login.php
index debdc43b..929c804b 100644
--- a/public/login.php
+++ b/public/login.php
@@ -59,8 +59,21 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
 $h = new AdminHandler();
- $login = new Login('admin');
- if ($login->login($fUsername, $fPassword)) {
+
+ $config = Config::getInstance()->getAll();
+ $authenticated = false;
+
+ if (is_callable($config['postfixadmin_auth_admin_callback'])) {
+ $fUsername = $config['postfixadmin_auth_admin_callback']();
+ $authenticated = is_string($fUsername);
+ } else {
+ $login = new Login('admin');
+ $authenticated = $login->login($fUsername, $fPassword);
+ }
+
+
+ if ($authenticated) {
+ init_session($fUsername, true);
 # they've logged in, so see if they are a domain admin, as well.
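Review bot: The doc comment above the two callback settings says a successful callback returns "the id of a user", but the login.php change in this same commit accepts whatever the callback returns as long as `is_string()` is true and passes it straight to `init_session()`. The contract should be spelled out, for example `On success return the username (a non-empty string) of an existing admin in the postfixadmin database; return null on failure. When a callback is set, the password submitted on the login form is not checked.` The commented-out example reads `$_SERVER['REMOTE_USER']` without saying where that value must come from, so I would add `// REMOTE_USER must be set by the web server's own authentication module, never copied from a client-supplied header` above the `isset` test. The third line of the doc comment also has a typo ("IF they authentication succeeds").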
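Review bot: On the callback branch, `$authenticated = is_string($fUsername);` accepts any string as a successful login, including an empty string or a name that is not an admin in the postfixadmin database, and the posted password is never consulted. I would tighten the guard to `$authenticated = is_string($fUsername) && $fUsername !== '';` and confirm the returned name belongs to an existing admin before `init_session($fUsername, true)` runs. Whatever lookup follows the `# they've logged in` comment is outside this hunk, so I cannot tell whether it rejects unknown names, but it would in any case run after the session has been initialised. It would also help auditing to record which path authenticated the session (callback or password). The enclosing `if ($_SERVER['REQUEST_METHOD'] == "POST")` block starts before and ends after the hunk.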