diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix
index 8cc7e2774fd6..d17b0d22118b 100644
--- a/nixos/modules/services/security/kanidm.nix
+++ b/nixos/modules/services/security/kanidm.nix
@@ -423,7 +423,10 @@ in
 originUrl = lib.mkOption {
 description = "The origin URL of the service. OAuth2 redirects will only be allowed to sites under this origin. Must end with a slash.";
- type = lib.types.strMatching ".*://.*/$";
+ type = let
+ originStrType = lib.types.strMatching ".*://.*/$";
+ in
+ lib.types.either originStrType (lib.types.nonEmptyListOf originStrType);
 example = "https://someservice.example.com/";
 };
diff --git a/nixos/tests/kanidm-provisioning.nix b/nixos/tests/kanidm-provisioning.nix
index 3bfdce6c912c..96d8cce1412e 100644
--- a/nixos/tests/kanidm-provisioning.nix
+++ b/nixos/tests/kanidm-provisioning.nix
@@ -158,7 +158,11 @@ import ./make-test-python.nix (
 groups.service1-admin = { };
 systems.oauth2.service1 = {
 displayName = "Service One (changed)";
- originUrl = "https://changed-one.example.com/";
+ # multiple origin urls
+ originUrl = [
+ "https://changed-one.example.com/"
+ "https://changed-one.example.org/"
+ ];
 originLanding = "https://changed-one.example.com/landing-changed";
 basicSecretFile = pkgs.writeText "bs-service1" "changed-very-strong-secret-for-service1";
 scopeMaps.service1-access = [
@@ -405,6 +409,7 @@ import ./make-test-python.nix (
 assert_contains(out, "name: service1")
 assert_contains(out, "displayname: Service One (changed)")
 assert_contains(out, "oauth2_rs_origin: https://changed-one.example.com/")
+ assert_contains(out, "oauth2_rs_origin: https://changed-one.example.org/")
 assert_contains(out, "oauth2_rs_origin_landing: https://changed-one.example.com/landing")
 assert_matches(out, 'oauth2_rs_scope_map: service1-access.*{"email", "openid"}')
 assert_matches(out, 'oauth2_rs_sup_scope_map: service1-admin.*{"adminchanged"}')
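Review bot: The option description still says `The origin URL of the service` and `Must end with a slash` although the new `type` also accepts a non-empty list, so the generated manual no longer tells users the list form exists; suggest `description = "The origin URL of the service, or a list of such URLs. OAuth2 redirects will only be allowed to sites under these origins. Each must end with a slash.";` and an `example` that shows the list form as well. Using `lib.types.either` means every consumer of `originUrl` (not visible in this hunk) has to branch on string versus list; `lib.types.coercedTo originStrType lib.singleton (lib.types.nonEmptyListOf originStrType)` would keep the plain-string form for users while consumers always receive a list. Note that `strMatching ".*://.*/$"` is carried over unchanged and only requires a `://` somewhere and a trailing slash, so each list entry is validated no more strictly than the single string was, which is worth keeping in mind since every entry widens the set of allowed redirect targets. The enclosing options attribute set starts and ends outside the hunk.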
@@ -460,6 +465,7 @@ import ./make-test-python.nix (
 assert_contains(out, "name: service1")
 assert_contains(out, "displayname: Service One (changed)")
 assert_contains(out, "oauth2_rs_origin: https://changed-one.example.com/")
+ assert_lacks(out, "oauth2_rs_origin: https://changed-one.example.org/")
 assert_contains(out, "oauth2_rs_origin_landing: https://changed-one.example.com/landing")
 assert_lacks(out, "oauth2_rs_scope_map")
 assert_lacks(out, "oauth2_rs_sup_scope_map")