diff --git a/trino/justfile b/trino/justfile
index e1f5d7b..4d8670d 100644
--- a/trino/justfile
+++ b/trino/justfile
@@ -379,3 +379,28 @@ admin-password:
 echo "Cannot retrieve password: External Secrets not installed"
 exit 1
 fi
+
+# Connect to Trino CLI with OIDC authentication
+cli user="":
+ #!/bin/bash
+ set -euo pipefail
+ if ! command -v trino &>/dev/null; then
+ echo "Error: trino command not found"
+ echo "Please install Trino CLI first"
+ exit 1
+ fi
+ TRINO_HOST="${TRINO_HOST}"
+ while [ -z "${TRINO_HOST}" ]; do
+ TRINO_HOST=$(gum input --prompt="Trino host (FQDN): " --width=100 \
+ --placeholder="e.g., trino.buun.dev")
+ done
+ TRINO_USER="{{ user }}"
+ if [ -z "${TRINO_USER}" ]; then
+ TRINO_USER=$(gum input --prompt="Username (Keycloak username): " --width=100 \
+ --placeholder="e.g., buun")
+ fi
+ echo "Connecting to Trino at https://${TRINO_HOST} as user: ${TRINO_USER}"
+ echo "OIDC authentication will open in your browser..."
+ trino --server "https://${TRINO_HOST}" \
+ --user "${TRINO_USER}" \
+ --external-authentication
diff --git a/trino/trino-values.gomplate.yaml b/trino/trino-values.gomplate.yaml
index c4ee1bb..e1321b4 100644
--- a/trino/trino-values.gomplate.yaml
+++ b/trino/trino-values.gomplate.yaml
@@ -38,6 +38,7 @@ server:
 http-server.authentication.oauth2.userinfo-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/userinfo
 http-server.authentication.oauth2.client-id=${ENV:OAUTH2_CLIENT_ID}
 http-server.authentication.oauth2.client-secret=${ENV:OAUTH2_CLIENT_SECRET}
+ http-server.authentication.oauth2.principal-field=preferred_username
 http-server.authentication.oauth2.scopes=openid,email,profile
 http-server.authentication.oauth2.oidc.discovery=true
 web-ui.authentication.type=oauth2
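Review bot: In the new `cli` recipe of trino/justfile, `TRINO_USER="{{ user }}"` has just paste the argument into the script text before bash parses it, so a value containing a double quote or a command substitution is read as shell syntax instead of as a username. Exporting the parameter and reading it from the environment keeps it as data: `cli $user="":` together with `TRINO_USER="${user}"`. Separately, `TRINO_HOST="${TRINO_HOST}"` runs under `set -u`, so unless the justfile exports TRINO_HOST somewhere outside this hunk the recipe stops with an unbound-variable error before the prompt loop is reached; `TRINO_HOST="${TRINO_HOST:-}"` avoids that. The username prompt is an `if` where the host prompt is a `while`, so an empty answer still reaches `trino --user ""`.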
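Review bot: The added `principal-field=preferred_username` in trino/trino-values.gomplate.yaml makes the Trino principal a claim that OIDC does not guarantee to be unique or stable, so any access-control rule keyed on the user name now depends on how the Keycloak realm manages usernames. That dependency is worth documenting next to the setting, for example `# principal = Keycloak username; realm must keep "Edit username" disabled, and the profile scope must stay in oauth2.scopes`. The `profile` scope that normally carries this claim is already present on the following context line. The enclosing properties block starts outside the hunk, so whether a `#` line is valid at that position should be checked before adding it.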