diff --git a/internal/config/struct.go b/internal/config/struct.go
index ec3411ada..df3cf3df5 100644
--- a/internal/config/struct.go
+++ b/internal/config/struct.go
@@ -18,9 +18,10 @@ type Config struct {
 	// Outpost specific config
 	// These are only relevant for proxy/ldap outposts, and cannot be set via YAML
 	// They are loaded via this config loader to support file:// schemas
-	AuthentikHost     string `env:"AUTHENTIK_HOST"`
-	AuthentikToken    string `env:"AUTHENTIK_TOKEN"`
-	AuthentikInsecure bool   `env:"AUTHENTIK_INSECURE"`
+	AuthentikHost        string `env:"AUTHENTIK_HOST"`
+	AuthentikHostBrowser string `env:"AUTHENTIK_HOST_BROWSER"`
+	AuthentikToken       string `env:"AUTHENTIK_TOKEN"`
+	AuthentikInsecure    bool   `env:"AUTHENTIK_INSECURE"`
 }
 
 type RedisConfig struct {
diff --git a/internal/outpost/proxyv2/application/endpoint.go b/internal/outpost/proxyv2/application/endpoint.go
index 28735db14..de6ec3662 100644
--- a/internal/outpost/proxyv2/application/endpoint.go
+++ b/internal/outpost/proxyv2/application/endpoint.go
@@ -2,11 +2,11 @@ package application
 
 import (
 	"net/url"
-	"os"
 	"strings"
 
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/api/v3"
+	"goauthentik.io/internal/config"
 	"golang.org/x/oauth2"
 )
 
@@ -33,11 +33,12 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
 	endUrl := p.OidcConfiguration.EndSessionEndpoint
 	tokenUrl := p.OidcConfiguration.TokenEndpoint
 	jwksUrl := p.OidcConfiguration.JwksUri
-	if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
-		host := os.Getenv("AUTHENTIK_HOST")
-		authUrl = strings.ReplaceAll(authUrl, host, browserHost)
-		endUrl = strings.ReplaceAll(endUrl, host, browserHost)
-		jwksUrl = strings.ReplaceAll(jwksUrl, host, browserHost)
+	issuer := p.OidcConfiguration.Issuer
+	if config.Get().AuthentikHostBrowser != "" {
+		authUrl = strings.ReplaceAll(authUrl, authentikHost, config.Get().AuthentikHostBrowser)
+		endUrl = strings.ReplaceAll(endUrl, authentikHost, config.Get().AuthentikHostBrowser)
+		jwksUrl = strings.ReplaceAll(jwksUrl, authentikHost, config.Get().AuthentikHostBrowser)
+		issuer = strings.ReplaceAll(issuer, authentikHost, config.Get().AuthentikHostBrowser)
 	}
 	ep := OIDCEndpoint{
 		Endpoint: oauth2.Endpoint{
@@ -48,7 +49,7 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
 		EndSessionEndpoint: endUrl,
 		JwksUri:            jwksUrl,
 		TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
-		Issuer:             p.OidcConfiguration.Issuer,
+		Issuer:             issuer,
 	}
 	if !embedded {
 		return ep