diff --git a/clientapi/routing/routing.go b/clientapi/routing/routing.go index d72638ee..373fa03f 100644 --- a/clientapi/routing/routing.go +++ b/clientapi/routing/routing.go @@ -328,6 +328,15 @@ func Setup( }, httputil.WithAllowGuests()), ).Methods(http.MethodPost, http.MethodOptions) + if m := mscCfg.MSC2965; mscCfg.Enabled("msc2965") && m != nil && m.Enabled { + unstableMux.Handle("/org.matrix.msc2965/auth_issuer", + httputil.MakeExternalAPI("auth_issuer", func(r *http.Request) util.JSONResponse { + return util.JSONResponse{Code: http.StatusOK, JSON: map[string]string{ + "issuer": m.Issuer, + }} + })) + } + if mscCfg.Enabled("msc2753") { v3mux.Handle("/peek/{roomIDOrAlias}", httputil.MakeAuthAPI(spec.Peek, userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse { diff --git a/setup/config/config_mscs.go b/setup/config/config_mscs.go index ce491cd7..44fa5e72 100644 --- a/setup/config/config_mscs.go +++ b/setup/config/config_mscs.go @@ -7,8 +7,11 @@ type MSCs struct { // 'msc2444': Peeking over federation - https://github.com/matrix-org/matrix-doc/pull/2444 // 'msc2753': Peeking via /sync - https://github.com/matrix-org/matrix-doc/pull/2753 // 'msc2836': Threading - https://github.com/matrix-org/matrix-doc/pull/2836 + // 'msc2965': Delegate auth to an OIDC provider https://github.com/matrix-org/matrix-spec-proposals/pull/2965 MSCs []string `yaml:"mscs"` + MSC2965 *MSC2965 `yaml:"msc2965,omitempty"` + Database DatabaseOptions `yaml:"database,omitempty"` } 
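Review bot: The new `/org.matrix.msc2965/auth_issuer` route in `clientapi/routing/routing.go` is registered without a `.Methods(...)` restriction, unlike the handler just above it in the context lines, so it will answer any HTTP verb. Because it goes through `MakeExternalAPI` and takes no device or token, I would pin it down by chaining `.Methods(http.MethodGet, http.MethodOptions)` onto the `Handle(...)` call. The response map is built from the same `MSC2965` struct that also carries `ClientSecret` and `AdminToken`, so a comment such as `// issuer is public discovery data; never add other MSC2965 fields to this response` would protect later edits. `Setup` starts and ends outside the hunk.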
@@ -34,4 +37,27 @@ func (c *MSCs) Verify(configErrs *ConfigErrors) {
 if c.Matrix.DatabaseOptions.ConnectionString == "" {
 checkNotEmpty(configErrs, "mscs.database.connection_string", string(c.Database.ConnectionString))
 }
+ if m := c.MSC2965; m != nil {
+ m.Verify(configErrs)
+ }
+}
+
+type MSC2965 struct {
+ Enabled bool `yaml:"enabled"`
+ Issuer string `yaml:"issuer"`
+ ClientID string `yaml:"client_id"`
+ ClientSecret string `yaml:"client_secret"`
+ AdminToken string `yaml:"admin_token"`
+ AccountManagementURL string `yaml:"account_management_url"`
+}
+
+func (m *MSC2965) Verify(configErrs *ConfigErrors) {
+ if !m.Enabled {
+ return
+ }
+ checkNotEmpty(configErrs, "mscs.msc2965.issuer", string(m.Issuer))
+ checkNotEmpty(configErrs, "mscs.msc2965.client_id", string(m.ClientID))
+ checkNotEmpty(configErrs, "mscs.msc2965.client_secret", string(m.ClientSecret))
+ checkNotEmpty(configErrs, "mscs.msc2965.admin_token", string(m.AdminToken))
+ checkNotEmpty(configErrs, "mscs.msc2965.account_management_url", string(m.AccountManagementURL))
 }
diff --git a/setup/mscs/mscs.go b/setup/mscs/mscs.go
index fc360b5d..91bc1a82 100644
--- a/setup/mscs/mscs.go
+++ b/setup/mscs/mscs.go
@@ -37,6 +37,7 @@ func EnableMSC(cfg *config.Dendrite, cm *sqlutil.Connections, routers httputil.R
 return msc2836.Enable(cfg, cm, routers, monolith.RoomserverAPI, monolith.FederationAPI, monolith.UserAPI, monolith.KeyRing)
 case "msc2444": // enabled inside federationapi
 case "msc2753": // enabled inside clientapi
+ case "msc2965": // enabled inside clientapi
 default:
 logrus.Warnf("EnableMSC: unknown MSC '%s', this MSC is either not supported or is natively supported by Dendrite", msc)
 }
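Review bot: `MSC2965.Verify` in `setup/config/config_mscs.go` only checks that `issuer` and `account_management_url` are non-empty, yet the issuer is served to clients by the `auth_issuer` route, and clients will presumably start OIDC discovery against whatever it says. A mistyped or `http://` value passes startup and can send logins to the wrong host or over cleartext, so both fields should be parsed and required to be absolute `https` URLs; the sketch below assumes `ConfigErrors` has its usual `Add` method and that `net/url` and `fmt` are imported. Separately, the guard `if m := c.MSC2965; m != nil` means listing `msc2965` under `mscs` without a `msc2965:` block raises no config error and the feature stays off silently. The `string(...)` conversions are no-ops on these `string` fields, and `ClientSecret` / `AdminToken` deserve a comment marking them as secrets that must not be logged or serialised.

```go
func (m *MSC2965) Verify(configErrs *ConfigErrors) {
	// … unchanged: Enabled guard and the client_id / client_secret / admin_token checks …

	// Both values end up in front of clients, so require absolute https URLs.
	checkHTTPS := func(key, raw string) {
		checkNotEmpty(configErrs, key, raw)
		if raw == "" {
			return
		}
		if u, err := url.Parse(raw); err != nil || u.Scheme != "https" || u.Host == "" {
			configErrs.Add(fmt.Sprintf("config key %q must be an absolute https URL", key))
		}
	}
	checkHTTPS("mscs.msc2965.issuer", m.Issuer)
	checkHTTPS("mscs.msc2965.account_management_url", m.AccountManagementURL)
}
```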