diff --git a/rootfs/etc/confd/conf.d/oauth2-userdb.lua.toml b/rootfs/etc/confd/conf.d/oauth2-userdb.lua.toml
new file mode 100644
index 0000000..cfb53ac
--- /dev/null
+++ b/rootfs/etc/confd/conf.d/oauth2-userdb.lua.toml
@@ -0,0 +1,3 @@
+[template]
+src = "oauth2-userdb.lua.tmpl"
+dest = "/etc/dovecot/oauth2-userdb.lua"
diff --git a/rootfs/etc/confd/templates/oauth2-userdb.lua.tmpl b/rootfs/etc/confd/templates/oauth2-userdb.lua.tmpl
new file mode 100644
index 0000000..8c843c2
--- /dev/null
+++ b/rootfs/etc/confd/templates/oauth2-userdb.lua.tmpl
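Review bot: The file this entry renders, `/etc/dovecot/oauth2-userdb.lua`, ends up holding the OAuth client secret and the admin password copied in from the environment (see the template in the following hunk), yet the entry sets no `mode`, so confd writes it with default permissions and any local account in the container can read those credentials. Add a restrictive mode and the owner of Dovecot's auth process after the `dest` line, e.g. `mode = "0600"` plus the matching `uid = ...` / `gid = ...`. Which uid the auth worker runs as cannot be told from this diff, so confirm it against the image's Dovecot configuration before choosing the values.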
@@ -0,0 +1,44 @@
+local rapidjson = require('rapidjson')
+
+local clientId = {{ getenv "CLIENT_ID" }}
+local clientSecret = {{ getenv "CLIENT_SECRET" }}
+local username = {{ getenv "OAUTH_ADMIN_USER" }}
+local password = {{ getenv "OAUTH_ADMIN_PASSWORD" }}
+local tokenUrl = {{ getenv "GRANT_URL" }}
+local userUrl = {{ "USER_URL" }}
+
+function os.capture(cmd, raw)
+ local f = assert(io.popen(cmd, 'r'))
+ local s = assert(f:read('*a'))
+ f:close()
+
+ return s
+end
+
+function auth_userdb_lookup(req)
+ local tokenCmd = "curl -L --silent -X POST -d \"grant_type=password\""
+ tokenCmd = tokenCmd .. " -d \"client_id=" .. clientId .. "\""
+ tokenCmd = tokenCmd .. " -d \"client_secret=" .. clientSecret .. "\""
+ tokenCmd = tokenCmd .. " -d \"username=" .. username .. "\""
+ tokenCmd = tokenCmd .. " -d \"password=" .. password .. "\""
+ tokenCmd = tokenCmd .. " \"" .. tokenUrl .. "\""
+
+ local tokenRaw = os.capture(tokenCmd)
+ local tokenJson = rapidjson.decode(tokenRaw)
+ local accessToken = tokenJson.access_token
+
+ local userCmd = "curl -L --silent -H \"Authorization: Bearer " .. accessToken .. "\" \"" .. userUrl .. req.username .. "\""
+ local userRaw = os.capture(userCmd)
+ local userJson = rapidjson.decode(userRaw)
+
+ if #userJson == 0 then
+ return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
+ end
+
+ if userJson[1].username == req.username then
+ return dovecot.auth.USERDB_RESULT_OK, "uid=vmail gid=vmail home=/var/lib/vmail/mail/%n"
+ end
+
+ return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
+end
+
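Review bot: `req.username` on the `local userCmd = ...` line is the login name the mail client supplied, and it is spliced unescaped inside a double-quoted `/bin/sh` string that `os.capture` hands to `io.popen`, so a username containing `"`, `$(...)`, a backtick or `;` runs arbitrary commands as the Dovecot auth user. Shell-quote every interpolated value and reject login names outside a tight allowlist before they reach either the command line or the URL, as in the rewrite below; if this Dovecot build provides `dovecot.http.client`, dropping the shell entirely is the better fix. Two further defects in the same hunk: the `{{ getenv ... }}` values are rendered into Lua source without surrounding quotes, so `local clientId = {{ getenv "CLIENT_ID" }}` only parses if the environment variable itself carries quotes, and `local userUrl = {{ "USER_URL" }}` is missing `getenv` and renders the bare identifier `USER_URL` (a nil global) — write them as `local clientId = "{{ getenv "CLIENT_ID" }}"` and `local userUrl = "{{ getenv "USER_URL" }}"`. Note also that `client_secret` and the admin password travel as curl arguments and are therefore visible to every local process via `ps`; moving them into a curl `--config` file readable only by the auth user avoids that exposure.
```lua
-- Wrap a value in single quotes for /bin/sh so $, `, ", \ and ; are passed literally.
local function shell_quote(s)
  return "'" .. tostring(s):gsub("'", "'\\''") .. "'"
end

function auth_userdb_lookup(req)
  -- Refuse anything that is not a plausible login before it reaches the shell or the URL.
  if type(req.username) ~= "string" or not req.username:match("^[%w%.%-_@]+$") then
    return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
  end
  -- … unchanged: token request and rapidjson.decode of the token response …
  local userCmd = "curl -L --silent -H " .. shell_quote("Authorization: Bearer " .. accessToken)
    .. " " .. shell_quote(userUrl .. req.username)
  -- … unchanged: user lookup and result checks …
end
```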