diff --git a/www/app/layout.tsx b/www/app/layout.tsx
index 99733717..e98b2cc4 100644
--- a/www/app/layout.tsx
+++ b/www/app/layout.tsx
@@ -1,6 +1,7 @@
 import "./styles/globals.scss";
 import { Roboto } from "next/font/google";
 import { Metadata } from "next";
+import { FiefAuthProvider } from "@fief/fief/nextjs/react";
 
 const roboto = Roboto({ subsets: ["latin"], weight: "400" });
 
@@ -50,10 +51,14 @@ export const metadata: Metadata = {
 
 export default function RootLayout({ children }) {
   return (
-    <html lang="en">
-      <body className={roboto.className + " flex flex-col min-h-screen"}>
-        {children}
-      </body>
-    </html>
+    <FiefAuthProvider currentUserPath="/api/current-user">
+      {" "}
+      {}
+      <html lang="en">
+        <body className={roboto.className + " flex flex-col min-h-screen"}>
+          {children}
+        </body>
+      </html>
+    </FiefAuthProvider>
   );
 }
diff --git a/www/app/lib/fief.ts b/www/app/lib/fief.ts
new file mode 100644
index 00000000..4b83a03b
--- /dev/null
+++ b/www/app/lib/fief.ts
@@ -0,0 +1,46 @@
+import { Fief, FiefUserInfo } from "@fief/fief";
+import { FiefAuth, IUserInfoCache } from "@fief/fief/nextjs";
+
+export const SESSION_COOKIE_NAME = "reflector-auth";
+
+export const fiefClient = new Fief({
+  baseURL: process.env.FIEF_URL ?? "",
+  clientId: process.env.FIEF_CLIENT_ID ?? "",
+  clientSecret: process.env.FIEF_CLIENT_SECRET ?? "",
+});
+
+class MemoryUserInfoCache implements IUserInfoCache {
+  private storage: Record<string, any>;
+
+  constructor() {
+    this.storage = {};
+  }
+
+  async get(id: string): Promise<FiefUserInfo | null> {
+    const userinfo = this.storage[id];
+    if (userinfo) {
+      return userinfo;
+    }
+    return null;
+  }
+
+  async set(id: string, userinfo: FiefUserInfo): Promise<void> {
+    this.storage[id] = userinfo;
+  }
+
+  async remove(id: string): Promise<void> {
+    this.storage[id] = undefined;
+  }
+
+  async clear(): Promise<void> {
+    this.storage = {};
+  }
+}
+
+export const fiefAuth = new FiefAuth({
+  client: fiefClient,
+  sessionCookieName: SESSION_COOKIE_NAME,
+  redirectURI: "http://localhost:3000/auth-callback",
+  logoutRedirectURI: "http://localhost:3000",
+  userInfoCache: new MemoryUserInfoCache(),
+});
diff --git a/www/middleware.ts b/www/middleware.ts
new file mode 100644
index 00000000..f65a3a67
--- /dev/null
+++ b/www/middleware.ts
@@ -0,0 +1,20 @@
+import type { NextRequest } from "next/server";
+
+import { fiefAuth } from "./app/lib/fief";
+
+const authMiddleware = fiefAuth.middleware([
+  {
+    matcher: "/private",
+    parameters: {},
+  },
+  {
+    matcher: "/castles/:path*",
+    parameters: {
+      permissions: ["castles:read"],
+    },
+  },
+]);
+
+export async function middleware(request: NextRequest) {
+  return authMiddleware(request);
+}
diff --git a/www/package.json b/www/package.json
index ee03840a..2173ce5a 100644
--- a/www/package.json
+++ b/www/package.json
@@ -11,6 +11,7 @@
     "openapi": "openapi-generator-cli generate -i http://localhost:1250/openapi.json -g typescript-fetch -o app/api && yarn format"
   },
   "dependencies": {
+    "@fief/fief": "^0.13.5",
     "@fortawesome/fontawesome-svg-core": "^6.4.0",
     "@fortawesome/free-solid-svg-icons": "^6.4.0",
     "@fortawesome/react-fontawesome": "^0.2.0",
diff --git a/www/pages/api/current-user.ts b/www/pages/api/current-user.ts
new file mode 100644
index 00000000..ccb53362
--- /dev/null
+++ b/www/pages/api/current-user.ts
@@ -0,0 +1,3 @@
+import { fiefAuth } from "../../app/lib/fief";
+
+export default fiefAuth.currentUser();
diff --git a/www/pages/forbidden.tsx b/www/pages/forbidden.tsx
new file mode 100644
index 00000000..31a746fc
--- /dev/null
+++ b/www/pages/forbidden.tsx
@@ -0,0 +1,7 @@
+import type { NextPage } from "next";
+
+const Forbidden: NextPage = () => {
+  return <h2>Sorry, you are not authorized to access this page.</h2>;
+};
+
+export default Forbidden;
diff --git a/www/yarn.lock b/www/yarn.lock
index d2ae9035..dc6ec909 100644
--- a/www/yarn.lock
+++ b/www/yarn.lock
@@ -14,6 +14,16 @@
   dependencies:
     regenerator-runtime "^0.14.0"
 
+"@fief/fief@^0.13.5":
+  version "0.13.5"
+  resolved "https://registry.yarnpkg.com/@fief/fief/-/fief-0.13.5.tgz#01ac833ddff0b84f2e1737cc168721568b0e7a39"
+  integrity sha512-st4+/Rc1rw18B6RtqLmC6t9k0pnYLG7AqMe0JYjKYcamCNnABwl198ZJt6HShtaZKI5maHsh99UoCA3MqpbWsQ==
+  dependencies:
+    encoding "^0.1.13"
+    jose "^4.6.0"
+    node-fetch "^2.6.7"
+    path-to-regexp "^6.2.1"
+
 "@fortawesome/fontawesome-common-types@6.4.0":
   version "6.4.0"
   resolved "https://registry.npmjs.org/@fortawesome/fontawesome-common-types/-/fontawesome-common-types-6.4.0.tgz"
@@ -868,6 +878,13 @@ emoji-regex@^8.0.0:
   resolved "https://registry.yarnpkg.com/emoji-regex/-/emoji-regex-8.0.0.tgz#e818fd69ce5ccfcb404594f842963bf53164cc37"
   integrity sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==
 
+encoding@^0.1.13:
+  version "0.1.13"
+  resolved "https://registry.yarnpkg.com/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
+  integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==
+  dependencies:
+    iconv-lite "^0.6.2"
+
 err-code@^3.0.1:
   version "3.0.1"
   resolved "https://registry.npmjs.org/err-code/-/err-code-3.0.1.tgz"
@@ -1108,6 +1125,13 @@ iconv-lite@^0.4.24:
   dependencies:
     safer-buffer ">= 2.1.2 < 3"
 
+iconv-lite@^0.6.2:
+  version "0.6.3"
+  resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.6.3.tgz#a52f80bf38da1952eb5c681790719871a1a72501"
+  integrity sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==
+  dependencies:
+    safer-buffer ">= 2.1.2 < 3.0.0"
+
 ieee754@^1.1.13, ieee754@^1.2.1:
   version "1.2.1"
   resolved "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz"
@@ -1247,6 +1271,11 @@ jiti@^1.18.2:
   resolved "https://registry.npmjs.org/jiti/-/jiti-1.19.1.tgz"
   integrity sha512-oVhqoRDaBXf7sjkll95LHVS6Myyyb1zaunVwk4Z0+WPSW4gjS0pl01zYKHScTuyEhQsFxV5L4DR5r+YqSyqyyg==
 
+jose@^4.6.0:
+  version "4.14.4"
+  resolved "https://registry.yarnpkg.com/jose/-/jose-4.14.4.tgz#59e09204e2670c3164ee24cbfe7115c6f8bff9ca"
+  integrity sha512-j8GhLiKmUAh+dsFXlX1aJCbt5KMibuKb+d7j1JaOJG6s2UjX1PQlW+OKB/sD4a/5ZYF4RcmYmLSndOoU3Lt/3g==
+
 "js-tokens@^3.0.0 || ^4.0.0":
   version "4.0.0"
   resolved "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz"
@@ -1529,6 +1558,11 @@ path-to-regexp@3.2.0:
   resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-3.2.0.tgz#fa7877ecbc495c601907562222453c43cc204a5f"
   integrity sha512-jczvQbCUS7XmS7o+y1aEO9OBVFeZBQ1MDSEqmO7xSoPgOPoowY/SxLpZ6Vh97/8qHZOteiCKb7gkG9gA2ZUxJA==
 
+path-to-regexp@^6.2.1:
+  version "6.2.1"
+  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-6.2.1.tgz#d54934d6798eb9e5ef14e7af7962c945906918e5"
+  integrity sha512-JLyh7xT1kizaEvcaXOQwOc2/Yhw6KZOvPf1S8401UyLk86CU79LN3vl7ztXGm/pZ+YjoyAJ4rxmHwbkBXJX+yw==
+
 picocolors@^1.0.0:
   version "1.0.0"
   resolved "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz"
@@ -1786,7 +1820,7 @@ safe-buffer@^5.1.0, safe-buffer@~5.2.0:
   resolved "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz"
   integrity sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==
 
-"safer-buffer@>= 2.1.2 < 3":
+"safer-buffer@>= 2.1.2 < 3", "safer-buffer@>= 2.1.2 < 3.0.0":
   version "2.1.2"
   resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
   integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==