diff --git a/default.nix b/default.nix
index 45875a3..7d63cd0 100644
--- a/default.nix
+++ b/default.nix
@@ -358,6 +358,21 @@ in
 };
 };
 
+ oauth = {
+ enable = mkEnableOption "OAuth 2.0 support";
+
+ backendConfigFile = mkOption {
+ type = types.path;
+ default = null;
+ description = ''
+ Path to the dovecot backend configuration file. See
+ https://doc.dovecot.org/2.3/configuration_manual/authentication/oauth2/
+ for more information.
+ '';
+ example = "/var/lib/dovecot/dovecot-oauth2.conf.ext";
+ };
+ };
+
 indexDir = mkOption {
 type = types.nullOr types.str;
 default = null;
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 11f2708..59ec2bc 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -324,6 +324,14 @@ in
 }
 ''}
 
+ ${lib.optionalString cfg.oauth.enable ''
+ passdb {
+ driver = oauth2
+ mechanisms = xoauth2 oauthbearer
+ args = ${cfg.oauth.backendConfigFile}
+ }
+ ''}
+
 service auth {
 unix_listener auth {
 mode = 0660
@@ -332,7 +340,7 @@ in
 }
 }
 
- auth_mechanisms = plain login
+ auth_mechanisms = plain login${lib.optionalString cfg.oauth.enable " oauthbearer xoauth2"}
 
 namespace inbox {
 separator = ${cfg.hierarchySeparator}
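Review bot: `default = null` on `backendConfigFile` in the default.nix hunk does not match `type = types.path`, so enabling `oauth` without setting the file will most likely fail with a type or string-coercion error rather than a message naming the missing option. Either drop the default so the module system reports the option as unset, or declare `type = types.nullOr types.path;` and add an assertion that the file is set whenever `oauth.enable` is true. The passdb hunk in mail-server/dovecot.nix is affected too, because it interpolates the value into `args = ${cfg.oauth.backendConfigFile}` without any check.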
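Review bot: The `args = ${cfg.oauth.backendConfigFile}` interpolation in the new passdb block of mail-server/dovecot.nix copies the file into the world-readable Nix store if the option is set to a Nix path literal, and Dovecot's oauth2 backend file can carry the client credentials used for token introspection. The option description in default.nix should say so, for example `The file may contain client credentials; give its location as a string so it is not copied into the Nix store.` It is also worth stating there that the file should be readable only by the user Dovecot's auth service runs as. The configuration string that encloses this block starts and ends outside the hunk.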