diff --git a/HACKING.md b/HACKING.md index 1bf174d..8e6c26d 100644 --- a/HACKING.md +++ b/HACKING.md @@ -62,6 +62,19 @@ build via the koji XML RPC. sudo test/copy-creds.sh ``` +### Run the mock OpenID server + +The koji builder plugin needs to be authorized in order to be able +to start a compose via Composer. The default authentication scheme +is `OAuth2`. For testing purposes we can use the mock OpenID server +that is included in the `osbuild-composer-tests` package. A helper +script is included to start and stop the server with the correct +parameters. + +```sh +sudo test/run-openid.sh start +``` + ### Run the koji builder Run the koji builder instance can be started. Here `fg` means that diff --git a/README.md b/README.md index ecfcada..8d9bdeb 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,21 @@ ssl_cert = /share/worker-crt.pem, /share/worker-key.pem # directory containing certificates of trusted CAs. ssl_verify = /share/worker-ca.pem +[composer:oauth] +# Authorization via OAuth2/SSO, as alternative to client side certs. +# The "Client Credentials Grant" (RFC 6749 section 4.4) flow is used, +# which requires the client id and secret to be specified as well as +# the endpoint of where to obtain tokens. + +# String that uniquely identifies the client (RFC 6749, 2.2). +client_id = koji + +# Secret corresponding to the client id. +client_secret = koji + +# URL to the endpoint that will provide the token. +token_url = https://localhost:8081/token + [koji] # The URL to the koji hub XML-RPC endpoint server = https://koji.fedoraproject.org/kojihub
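Review bot: In the new "Run the mock OpenID server" section of HACKING.md, the prose says the helper script can start and stop the server, but only `sudo test/run-openid.sh start` is shown. Add the stop invocation so a developer does not leave the mock token server running after testing. The same paragraph calls `OAuth2` the default authentication scheme, while the README comment added in this patch describes it as an "alternative to client side certs"; align the two wordings. It would also help to state which address the mock server listens on, so the reader can match it against `token_url` in the plugin configuration.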
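Review bot: In the `[composer:oauth]` section added to README.md, the sample `client_secret = koji` is identical to `client_id` and reads like a usable default. Mark both as test-only placeholder values and note that the configuration file now holds a secret, so it should be readable only by the user the builder runs as. The comments also do not say what happens when both `ssl_cert` and `[composer:oauth]` are configured, or whether the `ssl_verify` CA setting is applied when connecting to the `https` `token_url` endpoint; document the precedence and the TLS verification behaviour for the token request.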