diff --git a/otc/observability.t09.de/stacks/core/dex/values.yaml b/otc/observability.t09.de/stacks/core/dex/values.yaml
index 4110f7b..251e546 100644
--- a/otc/observability.t09.de/stacks/core/dex/values.yaml
+++ b/otc/observability.t09.de/stacks/core/dex/values.yaml
@@ -59,11 +59,6 @@ config:
   enablePasswordDB: false
 
   staticClients:
-    - id: public-client
-      public: true
-      name: 'Public Client'
-      redirectURIs:
-        - 'https://localhost/oidc/callback'
     - id: controller-argocd-dex
       name: ArgoCD Client
       redirectURIs:
@@ -71,6 +66,6 @@ config:
       secret: "{{`{{ .Env.OIDC_DEX_ARGO_CLIENT_SECRET }}`}}"
     - id: grafana
       redirectURIs:
-        - "https://localhost/login/generic_oauth"
+        - "https://grafana.observability.t09.de/login/generic_oauth"
       name: "Grafana"
       secret: "thisisasecret"
diff --git a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
index 46c1e6c..fdfa4d0 100644
--- a/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/otc/observability.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
@@ -52,9 +52,9 @@ spec:
       use_refresh_token: "true"
       client_id: grafana
       client_secret: "thisisasecret" # $__file{/etc/secrets/auth_generic_oauth/client_secret}
-      scopes: openid email profile offline_access
+      scopes: openid email profile offline_access groups
       auth_url: https://dex.observability.t09.de/auth
       token_url: https://dex.observability.t09.de/token
       api_url: https://dex.observability.t09.de/userinfo
-      redirect_uri: https://localhost/login/generic_oauth
+      redirect_uri: https://grafana.observability.t09.de/login/generic_oauth
       # role_attribute_path: ""