diff --git a/infrastructure/argocd/argocd-oauth.configmap.yaml b/infrastructure/argocd/argocd-oauth.configmap.yaml
index 607719d..33ba59c 100644
--- a/infrastructure/argocd/argocd-oauth.configmap.yaml
+++ b/infrastructure/argocd/argocd-oauth.configmap.yaml
@@ -12,13 +12,11 @@ data:
 # If you want to store sensitive data in another Kubernetes Secret, instead of argocd-secret. ArgoCD knows to check the keys under data in your Kubernetes Secret for a corresponding key whenever a value in a configmap or secret starts with $, then your Kubernetes Secret name and : (colon).
 clientSecret: $argocd-oauth:client-secret
-skipAudienceCheckWhenTokenHasNoAudience: true
 # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
 requestedScopes: ["openid", "profile", "email", "groups"]
 # Optional set of OIDC claims to request on the ID token.
 requestedIDTokenClaims: {"groups": {"essential": true}}
-allowedAudiences:
-- argocd
+
\ No newline at end of file
diff --git a/infrastructure/argocd/argocd-rbac.configmap.yaml b/infrastructure/argocd/argocd-rbac.configmap.yaml
index 75354d2..94df62f 100644
--- a/infrastructure/argocd/argocd-rbac.configmap.yaml
+++ b/infrastructure/argocd/argocd-rbac.configmap.yaml
@@ -6,4 +6,6 @@ data:
 policy.csv: |
 # use oidc group apps_admin as admin group in argocd
 g, apps_admin, role:admin
-policy.default: role:readonly
+g, argocd, role:readonly
+# all other user that might have entered via oidc, are blocked: deny everything
+policy.default: deny
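Review bot: The only added line in this hunk is whitespace-only and, per the `\ No newline at end of file` marker, leaves `oidc.config` ending in a blank line without a terminating newline; drop the added line so the block scalar ends cleanly at `requestedIDTokenClaims`. With both `skipAudienceCheckWhenTokenHasNoAudience` and `allowedAudiences` removed, Argo CD presumably falls back to its default audience validation against the configured client ID and rejects ID tokens that carry no `aud` at all, which is the stricter and preferable setting. A one-line comment next to `clientSecret` such as `# aud is validated against clientID (Argo CD default); do not re-add skipAudienceCheckWhenTokenHasNoAudience` would keep a future maintainer from loosening it again when a misconfigured IdP fails to log in.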
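Review bot: `policy.default: deny` works only because `deny` is not a role that any `p` rule grants anything to — Argo CD's built-in roles are `role:admin` and `role:readonly` (both used in this hunk), and `deny` is not a recognised keyword — so the intent should be stated, e.g. `# 'deny' is not a built-in role: unmatched users are refused because no policy line grants it anything`, or the value the Argo CD RBAC documentation gives for disabling the default role should be used instead. The indentation of the three added lines is not recoverable from this rendering; `policy.default` has to remain a sibling of `policy.csv` under `data:`, because if it is indented inside `policy.csv: |` it becomes CSV text, the ConfigMap key disappears and the previous `role:readonly` default is replaced by whatever Argo CD applies when the key is absent rather than by a deny. `g, argocd, role:readonly` presumably names an OIDC group claim value; if the IdP issues no group called `argocd` the line is dead and nobody receives readonly access, which may be intended but deserves a comment like the one above `g, apps_admin`. The new comment also reads better as `# all other users who might have entered via OIDC are blocked: deny everything`.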