diff --git a/README.md b/README.md
index 79c643426170ab2eafe3ebcff4e38a01347efb47..ded9426773021b8ef8409f9d495c4009db185dd9 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,14 @@ template.
 ```yaml
 # web server configuration. 
 Server:
+ # can be set to openid (default) and local. If openid is used rdpgw expects
+ # a configured openid provider, make sure to set caps.tokenauth to true. If local
+ # rdpgw connects to rdpgw-auth over a socket to verify users and password. Note:
+ # rdpgw-auth needs to be run as root or setuid in order to work
+ Authentication: openid
+ # The socket to connect to if using local auth. Ensure rdpgw auth is configured to
+ # use the same socket.
+ AuthSocket: /tmp/rdpgw-auth.sock
  # disable TLS if termination happens somehwere else (e.g. a load balancer)
  # Note: rdp connections over a gateway require TLS
  DisableTLS: false
diff --git a/cmd/rdpgw/config/configuration.go b/cmd/rdpgw/config/configuration.go
index f034964e6d1235beb0eb24f2371d5944fe578105..1c8db650b71e90f695282b471a42c1e7ba3dbf09 100644
--- a/cmd/rdpgw/config/configuration.go
+++ b/cmd/rdpgw/config/configuration.go
@@ -189,6 +189,10 @@ func Load(configFile string) Configuration {
 	if Conf.Server.Authentication == "local" && Conf.Server.DisableTLS {
 		log.Fatalf("basicauth=local and disabletls are mutually exclusive")
 	}
+
+	if !Conf.Caps.TokenAuth && Conf.Server.Authentication == "openid" {
+		log.Fatalf("openid is configured but tokenauth disabled")
+	}
 	return Conf
 
 }
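Review bot: The added `openid` check and the `local` check above it both compare `Conf.Server.Authentication` against exact strings, so a value that is neither (a typo, or different casing such as `OpenID`) passes `Load` without any error. What the server does with an unrecognised mode is not visible in this hunk, so it is safer to fail closed before `return Conf`: `if a := Conf.Server.Authentication; a != "openid" && a != "local" { log.Fatalf("unknown authentication mode %q", a) }`. The new message could also name the keys as the README spells them (`Authentication: openid` and `caps.tokenauth`), so an operator can find the setting to change. `Load`'s body starts outside the hunk, so an earlier normalisation or default for this field may already exist there.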