diff --git a/roles/monitoring/templates/docker-compose.yml b/roles/monitoring/templates/docker-compose.yml
index c1c6d0b..6ccc5eb 100644
--- a/roles/monitoring/templates/docker-compose.yml
+++ b/roles/monitoring/templates/docker-compose.yml
@@ -35,14 +35,17 @@ services:
 - "GF_UNIFIED_ALERTING_ENABLED=true"
 {% if monitoring_grafana_oauth is defined and monitoring_grafana_oauth.enabled %}
- - "GF_AUTH_OAUTH_AUTO_LOGIN=true"
+ - "GF_AUTH_DISABLE_LOGIN_FORM=true"
 - "GF_AUTH_SIGNOUT_REDIRECT_URL={{ monitoring_grafana_oauth.signout_url }}"
 - "GF_AUTH_GENERIC_OAUTH_ENABLED=true"
 - "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP={{ monitoring_grafana_oauth.allow_sign_up }}"
+ - "GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN=true"
+ - "GF_AUTH_GENERIC_OAUTH_USE_PKCE=true"
+ - "GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=false"
 - "GF_AUTH_GENERIC_OAUTH_NAME={{ monitoring_grafana_oauth.name }}"
 - "GF_AUTH_GENERIC_OAUTH_CLIENT_ID={{ monitoring_grafana_oauth.client_id }}"
 - "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ monitoring_grafana_oauth.client_secret }}"
- - "GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile"
+ - "GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile roles offline_access"
 - "GF_AUTH_GENERIC_OAUTH_AUTH_URL={{ monitoring_grafana_oauth.auth_url }}"
 - "GF_AUTH_GENERIC_OAUTH_TOKEN_URL={{ monitoring_grafana_oauth.token_url }}"
 - "GF_AUTH_GENERIC_OAUTH_API_URL={{ monitoring_grafana_oauth.api_url }}"
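Review bot: The widened `GF_AUTH_GENERIC_OAUTH_SCOPES` line now requests `roles` and `offline_access`, but nothing visible in this hunk consumes either; there is no `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` entry, so unless one is set further down the environment list (which continues outside the hunk), every IdP user admitted through `allow_sign_up` would receive Grafana's default role regardless of the `roles` claim. If the claim is meant to drive authorization, add the mapping and consider `- "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT=true"` so a login with no matching role is rejected instead of defaulted. `offline_access` asks the IdP for a long-lived refresh token, which is worth dropping from the scope list unless refresh-token use is actually configured. Separately, `GF_AUTH_DISABLE_LOGIN_FORM=true` hides the form but, as far as I can tell, does not turn off basic auth on the HTTP API, so the local admin password still needs to be strong, or `GF_AUTH_BASIC_ENABLED=false` set if SSO-only is the goal.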