diff --git a/README.md b/README.md
index 9742f99..791daf0 100644
--- a/README.md
+++ b/README.md
@@ -103,8 +103,9 @@ gamja default settings can be set using a `config.json` file at the root:
 		"autojoin": "#gamja",
 		// Controls how the password UI is presented to the user. Set to
 		// "mandatory" to require a password, "optional" to accept one but not
-		// require it, "disabled" to never ask for a password, or "external" to
-		// use SASL EXTERNAL. Defaults to "optional".
+		// require it, "disabled" to never ask for a password, "external" to
+		// use SASL EXTERNAL, "oauth2" to use SASL OAUTHBEARER. Defaults to
+		// "optional".
 		"auth": "optional",
 		// Default nickname (string). If it contains a "*" character, it will
 		// be replaced with a random string.
@@ -116,6 +117,19 @@ gamja default settings can be set using a `config.json` file at the root:
 		// disable. Enabling PINGs can have an impact on client power usage and
 		// should only be enabled if necessary.
 		"ping": 60
+	},
+	// OAuth 2.0 settings.
+	"oauth2": {
+		// OAuth 2.0 server URL (string). The server must support OAuth 2.0
+		// Authorization Server Metadata (RFC 8414) or OpenID Connect
+		// Discovery.
+		"url": "https://auth.example.org",
+		// OAuth 2.0 client ID (string).
+		"client_id": "asdf",
+		// OAuth 2.0 client secret (string).
+		"client_secret": "ghjk",
+		// OAuth 2.0 scope (string).
+		"scope": "profile"
 	}
 }
 ```
diff --git a/components/app.js b/components/app.js
index 5c2b76f..d3c60ae 100644
--- a/components/app.js
+++ b/components/app.js
@@ -1,5 +1,6 @@
 import * as irc from "../lib/irc.js";
 import Client from "../lib/client.js";
+import * as oauth2 from "../lib/oauth2.js";
 import Buffer from "./buffer.js";
 import BufferList from "./buffer-list.js";
 import BufferHeader from "./buffer-header.js";
@@ -249,7 +250,7 @@ export default class App extends Component {
 	 * - Default server URL constructed from the current URL location (this is
 	 *   done in fillConnectParams)
 	 */
-	handleConfig(config) {
+	async handleConfig(config) {
 		let connectParams = { ...this.state.connectParams };
 
 		if (typeof config.server.url === "string") {
@@ -277,6 +278,10 @@ export default class App extends Component {
 			console.error("Error in config.json: cannot set server.autoconnect = true and server.auth = \"mandatory\"");
 			connectParams.autoconnect = false;
 		}
+		if (config.server.auth === "oauth2" && (!config.oauth2 || !config.oauth2.url || !config.oauth2.client_id)) {
+			console.error("Error in config.json: server.auth = \"oauth2\" requires oauth2 settings");
+			config.server.auth = null;
+		}
 
 		let autoconnect = store.autoconnect.load();
 		if (autoconnect) {
@@ -329,6 +334,40 @@ export default class App extends Component {
 			connectParams.nick = connectParams.nick.replace("*", placeholder);
 		}
 
+		if (config.server.auth === "oauth2" && !connectParams.saslOauthBearer) {
+			if (queryParams.error) {
+				console.error("OAuth 2.0 authorization failed: ", queryParams.error);
+				this.showError("Authentication failed: " + (queryParams.error_description || queryParams.error));
+				return;
+			}
+
+			if (!queryParams.code) {
+				this.redirectOauth2Authorize();
+				return;
+			}
+
+			// Strip code from query params, to prevent page refreshes from
+			// trying to exchange the code again
+			let url = new URL(window.location.toString());
+			url.searchParams.delete("code");
+			url.searchParams.delete("state");
+			window.history.replaceState(null, "", url.toString());
+
+			let saslOauthBearer;
+			try {
+				saslOauthBearer = await this.exchangeOauth2Code(queryParams.code);
+			} catch (err) {
+				this.showError(err);
+				return;
+			}
+
+			connectParams.saslOauthBearer = saslOauthBearer;
+
+			if (saslOauthBearer.username && !connectParams.nick) {
+				connectParams.nick = saslOauthBearer.username;
+			}
+		}
+
 		if (autojoin.length > 0) {
 			if (connectParams.autoconnect) {
 				// Ask the user whether they want to join that new channel.
@@ -347,6 +386,59 @@ export default class App extends Component {
 		}
 	}
 
+	async redirectOauth2Authorize() {
+		let serverMetadata;
+		try {
+			serverMetadata = await oauth2.fetchServerMetadata(this.config.oauth2.url);
+		} catch (err) {
+			console.error("Failed to fetch OAuth 2.0 server metadata:", err);
+			this.showError("Failed to fetch OAuth 2.0 server metadata");
+		}
+
+		oauth2.redirectAuthorize({
+			serverMetadata,
+			clientId: this.config.oauth2.client_id,
+			redirectUri: window.location.toString(),
+			scope: this.config.oauth2.scope,
+		});
+	}
+
+	async exchangeOauth2Code(code) {
+		let serverMetadata = await oauth2.fetchServerMetadata(this.config.oauth2.url);
+
+		let redirectUri = new URL(window.location.toString());
+		redirectUri.searchParams.delete("code");
+		redirectUri.searchParams.delete("state");
+
+		let data = await oauth2.exchangeCode({
+			serverMetadata,
+			redirectUri: redirectUri.toString(),
+			code,
+			clientId: this.config.oauth2.client_id,
+			clientSecret: this.config.oauth2.client_secret,
+		});
+
+		// TODO: handle expires_in/refresh_token
+		let token = data.access_token;
+
+		let username = null;
+		if (serverMetadata.introspection_endpoint) {
+			try {
+				let data = await oauth2.introspectToken({
+					serverMetadata,
+					token,
+					clientId: this.config.oauth2.client_id,
+					clientSecret: this.config.oauth2.client_secret,
+				});
+				username = data.username;
+			} catch (err) {
+				console.warn("Failed to introspect OAuth 2.0 token:", err);
+			}
+		}
+
+		return { token, username };
+	}
+
 	showError(err) {
 		console.error("App error: ", err);
 
diff --git a/components/connect-form.js b/components/connect-form.js
index 3158daa..9283b3d 100644
--- a/components/connect-form.js
+++ b/components/connect-form.js
@@ -63,6 +63,8 @@ export default class ConnectForm extends Component {
 			};
 		} else if (this.props.auth === "external") {
 			params.saslExternal = true;
+		} else if (this.props.auth === "oauth2") {
+			params.saslOauthBearer = this.props.params.saslOauthBearer;
 		}
 
 		if (this.state.autojoin) {
@@ -110,7 +112,7 @@ export default class ConnectForm extends Component {
 		}
 
 		let auth = null;
-		if (this.props.auth !== "disabled" && this.props.auth !== "external") {
+		if (this.props.auth !== "disabled" && this.props.auth !== "external" && this.props.auth !== "oauth2") {
 			auth = html`
 				<label>
 					Password:<br/>
diff --git a/lib/client.js b/lib/client.js
index 7907015..15d1701 100644
--- a/lib/client.js
+++ b/lib/client.js
@@ -122,6 +122,7 @@ export default class Client extends EventTarget {
 		pass: null,
 		saslPlain: null,
 		saslExternal: false,
+		saslOauthBearer: null,
 		bouncerNetwork: null,
 		ping: 0,
 		eventPlayback: true,
@@ -467,6 +468,10 @@ export default class Client extends EventTarget {
 		case "EXTERNAL":
 			initialResp = { command: "AUTHENTICATE", params: [base64.encode("")] };
 			break;
+		case "OAUTHBEARER":
+			let raw = "n,,\x01auth=Bearer " + params.token + "\x01\x01";
+			initialResp = { command: "AUTHENTICATE", params: [base64.encode(raw)] };
+			break;
 		default:
 			throw new Error(`Unknown authentication mechanism '${mechanism}'`);
 		}
@@ -658,6 +663,8 @@ export default class Client extends EventTarget {
 						promise = this.authenticate("PLAIN", this.params.saslPlain);
 					} else if (this.params.saslExternal) {
 						promise = this.authenticate("EXTERNAL");
+					} else if (this.params.saslOauthBearer) {
+						promise = this.authenticate("OAUTHBEARER", this.params.saslOauthBearer);
 					}
 					(promise || Promise.resolve()).catch((err) => {
 						this.dispatchError(err);
diff --git a/lib/oauth2.js b/lib/oauth2.js
new file mode 100644
index 0000000..5ab3f95
--- /dev/null
+++ b/lib/oauth2.js
@@ -0,0 +1,109 @@
+function formatQueryString(params) {
+	let l = [];
+	for (let k in params) {
+		l.push(encodeURIComponent(k) + "=" + encodeURIComponent(params[k]));
+	}
+	return l.join("&");
+}
+
+export async function fetchServerMetadata(url) {
+	// TODO: handle path in config.oauth2.url
+	let resp;
+	try {
+		resp = await fetch(url + "/.well-known/oauth-authorization-server");
+		if (!resp.ok) {
+			throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
+		}
+	} catch (err) {
+		console.warn("OAuth 2.0 server doesn't support Authorization Server Metadata (retrying with OpenID Connect Discovery): ", err);
+		resp = await fetch(url + "/.well-known/openid-configuration");
+		if (!resp.ok) {
+			throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
+		}
+	}
+
+	let data = await resp.json();
+	if (!data.issuer) {
+		throw new Error("Missing issuer in response");
+	}
+	if (!data.authorization_endpoint) {
+		throw new Error("Missing authorization_endpoint in response");
+	}
+	if (!data.token_endpoint) {
+		throw new Error("Missing authorization_endpoint in response");
+	}
+	if (!data.response_types_supported.includes("code")) {
+		throw new Error("Server doesn't support authorization code response type");
+	}
+	return data;
+}
+
+export function redirectAuthorize({ serverMetadata, clientId, redirectUri, scope }) {
+	// TODO: move fragment to query string in redirect_uri
+	// TODO: use the state param to prevent cross-site request
+	// forgery
+	let params = {
+		response_type: "code",
+		client_id: clientId,
+		redirect_uri: redirectUri,
+	};
+	if (scope) {
+		params.scope = scope;
+	}
+	window.location.assign(serverMetadata.authorization_endpoint + "?" + formatQueryString(params));
+}
+
+function buildPostHeaders(clientId, clientSecret) {
+	let headers = {
+		"Content-Type": "application/x-www-form-urlencoded",
+		"Accept": "application/json",
+	};
+	if (clientSecret) {
+		headers["Authorization"] = "Basic " + btoa(encodeURIComponent(clientId) + ":" + encodeURIComponent(clientSecret));
+	}
+	return headers;
+}
+
+export async function exchangeCode({ serverMetadata, redirectUri, code, clientId, clientSecret }) {
+	let data = {
+		grant_type: "authorization_code",
+		code,
+		redirect_uri: redirectUri,
+	};
+	if (!clientSecret) {
+		data.client_id = clientId;
+	}
+
+	let resp = await fetch(serverMetadata.token_endpoint, {
+		method: "POST",
+		headers: buildPostHeaders(clientId, clientSecret),
+		body: formatQueryString(data),
+	});
+
+	if (!resp.ok) {
+		throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
+	}
+	data = await resp.json();
+
+	if (data.error) {
+		throw new Error("Authentication failed: " + (data.error_description || data.error));
+	}
+
+	return data;
+}
+
+export async function introspectToken({ serverMetadata, token, clientId, clientSecret }) {
+	let resp = await fetch(serverMetadata.introspection_endpoint, {
+		method: "POST",
+		headers: buildPostHeaders(clientId, clientSecret),
+		body: formatQueryString({ token }),
+	});
+	if (!resp.ok) {
+		throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
+	}
+	let data = await resp.json();
+	if (!data.active) {
+		throw new Error("Expired token");
+	}
+	return data;
+}