diff --git a/changelog/unreleased/add-webfinger.md b/changelog/unreleased/add-webfinger.md
new file mode 100644
index 00000000000..617b02cc2e4
--- /dev/null
+++ b/changelog/unreleased/add-webfinger.md
@@ -0,0 +1,7 @@
+Enhancement: Add webfinger service
+
+Adds a webfinger service to redirect ocis clients
+
+https://github.com/owncloud/ocis/pull/5373
+https://github.com/owncloud/ocis/pull/6110
+https://github.com/owncloud/ocis/issues/6102
\ No newline at end of file
diff --git a/ocis-pkg/middleware/oidc.go b/ocis-pkg/middleware/oidc.go
index 4bab746e2bf..d66c2213e51 100644
--- a/ocis-pkg/middleware/oidc.go
+++ b/ocis-pkg/middleware/oidc.go
@@ -39,7 +39,7 @@ func OidcAuth(opts ...Option) func(http.Handler) http.Handler {
 			// it will fetch the keys from the issuer using the .well-known
 			// endpoint
 			return goidc.NewProvider(
-				context.WithValue(context.Background(), oauth2.HTTPClient, http.Client{}),
+				context.WithValue(context.Background(), oauth2.HTTPClient, &opt.HttpClient),
 				opt.OidcIssuer,
 			)
 		}
@@ -65,7 +65,7 @@ func OidcAuth(opts ...Option) func(http.Handler) http.Handler {
 			}
 			userInfo, err := provider.UserInfo(
-				context.WithValue(ctx, oauth2.HTTPClient, http.Client{}),
+				context.WithValue(ctx, oauth2.HTTPClient, &opt.HttpClient),
 				oauth2.StaticTokenSource(oauth2Token),
 			)
 			if err != nil {
diff --git a/ocis-pkg/middleware/options.go b/ocis-pkg/middleware/options.go
index d1a8eff6bcf..0331dbc0306 100644
--- a/ocis-pkg/middleware/options.go
+++ b/ocis-pkg/middleware/options.go
@@ -1,6 +1,8 @@
 package middleware
 import (
+	"net/http"
+
 	gatewayv1beta1 "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
 )
@@ -16,6 +18,8 @@ type Options struct {
 	OidcIssuer string
 	// GatewayAPIClient is a reva gateway client
 	GatewayAPIClient gatewayv1beta1.GatewayAPIClient
+	// HttpClient is a http client
+	HttpClient http.Client
 }
 // WithLogger provides a function to set the openid connect issuer option.
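Review bot: With `&opt.HttpClient` now being a real `*http.Client`, the context value is actually honoured, so a caller of OidcAuth that omits WithHttpClient runs issuer discovery with a zero-value client that has no Timeout; the same applies to the UserInfo call in the second hunk of this file. The previous `http.Client{}` value was not a `*http.Client` and was presumably ignored in favour of the library default, so this is not a regression, but the dependency on the option is now invisible at the call site. Consider stating it on OidcAuth's doc comment, e.g. `// Requests to the issuer use the client set with WithHttpClient; set a Timeout on it, the zero-value client has none.`, or give the option a default client with a Timeout where Options are initialised (outside this hunk). OidcAuth's body continues outside both hunks.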
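Review bot: The new field is named `HttpClient` and typed as a value `http.Client`, while oidc.go immediately takes its address to satisfy `oauth2.HTTPClient` and server.go dereferences a pointer just to pass it in; storing `*http.Client` (and naming it `HTTPClient` per Go's initialism convention, as `GatewayAPIClient` in the same struct does) would remove both conversions. The same applies to `WithHttpClient` in the next hunk. The comment `// HttpClient is a http client` adds nothing; say what it is for: `// HTTPClient is used for the requests to the OIDC issuer (discovery and userinfo).`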
@@ -38,3 +42,10 @@ func WithGatewayAPIClient(val gatewayv1beta1.GatewayAPIClient) Option {
 		o.GatewayAPIClient = val
 	}
 }
+
+// HttpClient provides a function to set the http client option.
+func WithHttpClient(val http.Client) Option {
+	return func(o *Options) {
+		o.HttpClient = val
+	}
+}
diff --git a/services/webfinger/pkg/config/config.go b/services/webfinger/pkg/config/config.go
index aca53fdb75a..f370fd9ebff 100644
--- a/services/webfinger/pkg/config/config.go
+++ b/services/webfinger/pkg/config/config.go
@@ -22,6 +22,7 @@ type Config struct {
 	Relations []string `yaml:"relations" env:"WEBFINGER_RELATIONS" desc:"A comma-separated list of relation URIs or registered relation types to add to webfinger responses."`
 	IDP string `yaml:"idp" env:"OCIS_URL;OCIS_OIDC_ISSUER;WEBFINGER_OIDC_ISSUER" desc:"The identity provider href for the openid-discovery relation."`
 	OcisURL string `yaml:"ocis_url" env:"OCIS_URL;WEBFINGER_OWNCLOUD_SERVER_INSTANCE_URL" desc:"The URL for the legacy ownCloud server instance relation (not to be confused with the product ownCloud Server). It defaults to the OCIS_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file."`
+	Insecure bool `yaml:"insecure" env:"OCIS_INSECURE;WEBFINGER_INSECURE" desc:"Allow insecure connections to the WEBFINGER service."`
 	Context context.Context `yaml:"-"`
 }
diff --git a/services/webfinger/pkg/config/defaults/defaultconfig.go b/services/webfinger/pkg/config/defaults/defaultconfig.go
index 1fc4cf9f2e6..8f3ecbd9d83 100644
--- a/services/webfinger/pkg/config/defaults/defaultconfig.go
+++ b/services/webfinger/pkg/config/defaults/defaultconfig.go
@@ -48,6 +48,8 @@ func DefaultConfig() *config.Config {
 				},
 			},
 		},
+		IDP: "https://localhost:9200",
+		Insecure: false,
 	}
 }
diff --git a/services/webfinger/pkg/server/http/server.go b/services/webfinger/pkg/server/http/server.go
index ae7af703c38..9f9aece3f54 100644
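Review bot: The doc comment on `WithHttpClient` starts with `HttpClient` rather than the function name, so godoc and linters will not associate it with the function; the other options in this file start with the name (`// WithLogger provides …`). Suggested: `// WithHttpClient provides a function to set the http client used for requests to the OIDC issuer.`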
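Review bot: The `desc` on `Insecure` says it allows insecure connections to the WEBFINGER service, but the flag is wired to `InsecureSkipVerify` on the client the service uses to reach the identity provider (server.go in this commit), i.e. it disables TLS certificate verification for the service's outgoing connections to the IDP. Operators reading the generated docs will misjudge what `OCIS_INSECURE` switches off here. Suggested: `desc:"Disable TLS certificate verification for the connections the webfinger service makes to the identity provider (OIDC issuer), e.g. for self-signed certificates."`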
--- a/services/webfinger/pkg/server/http/server.go
+++ b/services/webfinger/pkg/server/http/server.go
@@ -1,8 +1,10 @@
 package http
 import (
+	"crypto/tls"
 	"net/http"
 	"net/url"
+	"time"
 	"github.com/go-chi/chi/v5"
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
@@ -60,9 +62,21 @@ func Server(opts ...Option) (ohttp.Service, error) {
 			version.String,
 		))
+	var oidcHTTPClient = &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				MinVersion:         tls.VersionTLS12,
+				InsecureSkipVerify: options.Config.Insecure, //nolint:gosec
+			},
+			DisableKeepAlives: true,
+		},
+		Timeout: time.Second * 10,
+	}
+
 	mux.Use(middleware.OidcAuth(
 		middleware.WithLogger(options.Logger),
 		middleware.WithOidcIssuer(options.Config.IDP),
+		middleware.WithHttpClient(*oidcHTTPClient),
 	))
 	// this logs http request related data
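Review bot: `InsecureSkipVerify: options.Config.Insecure` is silenced with a bare `//nolint:gosec` and nothing tells an operator at runtime that certificate verification towards the IDP is off; a justification on the suppression (`//nolint:gosec // operator-controlled via WEBFINGER_INSECURE, off by default`) and a warn-level log line via options.Logger when `options.Config.Insecure` is true would make the setting auditable. Separately, `var oidcHTTPClient = &http.Client{…}` builds a pointer that `middleware.WithHttpClient(*oidcHTTPClient)` immediately copies; inside a function the idiomatic form is `oidcHTTPClient := http.Client{…}` passed as `middleware.WithHttpClient(oidcHTTPClient)`, or the option should take `*http.Client`. With `DisableKeepAlives: true` every discovery and userinfo request opens a fresh TLS connection; if that is intended, a short comment saying why would help the next reader. Server's body continues outside the hunk.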