diff --git a/helm/airflow/values.yaml b/helm/airflow/values.yaml
index 66a0619..35a3eac 100644
--- a/helm/airflow/values.yaml
+++ b/helm/airflow/values.yaml
@@ -29,7 +29,27 @@ ingress:
 apiServer:
 apiServerConfig: |
 from flask_appbuilder.security.manager import AUTH_OAUTH
+ from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
+ import requests
+ class CustomSecurityManager(FabAirflowSecurityManagerOverride):
+ def get_oauth_user_info(self, provider, resp):
+ if provider == "keycloak":
+ token = resp.get("access_token")
+ url = "https://keycloak.idir-belfares.fr/auth/realms/k8s-apps/protocol/openid-connect/userinfo"
+ r = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=10)
+ r.raise_for_status()
+ me = r.json()
+ return {
+ "username": me.get("preferred_username"),
+ "email": me.get("email"),
+ "first_name": me.get("given_name", ""),
+ "last_name": me.get("family_name", ""),
+ "role_keys": me.get("groups", []),
+ }
+ return super().get_oauth_user_info(provider, resp)
+
+ SECURITY_MANAGER_CLASS = CustomSecurityManager
 AUTH_TYPE = AUTH_OAUTH
 AUTH_USER_REGISTRATION = True
 AUTH_USER_REGISTRATION_ROLE = "Viewer"
@@ -41,7 +61,7 @@ apiServer:
 "icon": "fa-key",
 "remote_app": {
 "client_id": "airflow",
- "client_secret": "AtBq4q8FcHe4tsVWfT0rrJ4RjKdzMnhG",
+ "client_secret": "TON_SECRET",
 "server_metadata_url": "https://keycloak.idir-belfares.fr/auth/realms/k8s-apps/.well-known/openid-configuration",
 "client_kwargs": {
 "scope": "openid email profile",
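Review bot: The new `get_oauth_user_info` keys the Airflow account on `preferred_username` and `email` from the userinfo response and discards the stable `sub` claim; both of those attributes can be changed in Keycloak (by an admin, and depending on realm settings by the user), and if FAB matches returning users by username and then by email, as I recall it does, a renamed or re-created Keycloak user can land in another user's Airflow account — consider carrying `sub` (as the username, or at least logged alongside it) and only trusting `email` when `me.get("email_verified")` is true. Two smaller points in the same method: `resp.get("access_token")` may be `None`, which is sent as a literal `Bearer None` header and then surfaces as an `HTTPError` from `raise_for_status()` in the middle of login, so guard it with `if not token: return {}`; and the userinfo URL is hard-coded even though `server_metadata_url` in the second hunk already publishes `userinfo_endpoint`, so the realm name now lives in two places. Whether a `groups` claim is present at all depends on a Group Membership mapper on the `airflow` client (the requested scope is only `openid email profile`), and without it every user silently ends up with just the `Viewer` registration role; the `AUTH_ROLES_MAPPING` that consumes `role_keys` is not in this hunk, so its group-name format (Keycloak emits full paths like `/admins` by default) should be checked against it.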
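Review bot: Replacing the committed Keycloak client secret with the placeholder `TON_SECRET` scrubs the working tree but not the repository: the removed value stays in git history, so the `airflow` client credential in the `k8s-apps` realm should be rotated as part of this change, not merely edited out. A placeholder in values.yaml also invites the real secret to be pasted back on the next deploy; a safer shape is to inject it from a Kubernetes Secret at runtime, e.g. `import os` at the top of `apiServerConfig` and `"client_secret": os.environ["KEYCLOAK_CLIENT_SECRET"],` with the variable fed from a Secret via the chart's env settings, plus a comment `# client_secret is injected from a Secret; never commit it here`.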