diff --git a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2 b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
index 0e0eeb7429..59f53de52e 100644
--- a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
@@ -11,6 +11,7 @@ services:
 - KEYCLOAK_USER=admin
 - KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}"
 - DB_VENDOR=h2
+ - PROXY_ADDRESS_FORWARDING=true
 command: -Djboss.bind.address.private=127.0.0.1 -Djboss.bind.address=127.0.0.1
diff --git a/playbooks/roles/keycloak/templates/keycloak.vhost.j2 b/playbooks/roles/keycloak/templates/keycloak.vhost.j2
index 5d78af2262..f88d2b7b37 100644
--- a/playbooks/roles/keycloak/templates/keycloak.vhost.j2
+++ b/playbooks/roles/keycloak/templates/keycloak.vhost.j2
@@ -50,6 +50,8 @@
 ProxyPass / http://localhost:8080/ retry=0
 ProxyPassReverse / http://localhost:8080/
+ ProxyPreserveHost on
+ RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
diff --git a/testinfra/test_keycloak.py b/testinfra/test_keycloak.py
index 02cd0e9f74..96ce0c885c 100644
--- a/testinfra/test_keycloak.py
+++ b/testinfra/test_keycloak.py
@@ -20,3 +20,13 @@ testinfra_hosts = ['keycloak01.opendev.org']
 def test_keycloak_listening(host):
 keycloak = host.socket("tcp://127.0.0.1:8080")
 assert keycloak.is_listening
+
+def test_keycloak_openid_config(host):
+ # This tests the proxy config since the output is determined by
+ # the proxy headers and is not hard-coded configuration.
+ cmd = host.run('curl --insecure ' '--resolve keycloak.opendev.org:443:127.0.0.1 ' 'https://keycloak.opendev.org/auth/realms/master' '/.well-known/openid-configuration')
+ assert ('"issuer":"https://keycloak.opendev.org/auth/realms/master"' in cmd.stdout)
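Review bot: `PROXY_ADDRESS_FORWARDING=true` makes Keycloak believe whatever X-Forwarded-For/Proto/Host headers arrive on port 8080, so the new line is only safe while nothing but the local Apache proxy can reach that port; the `-Djboss.bind.address=127.0.0.1` flags on the context line below show that intent, but the compose `ports:` mapping that actually governs exposure is outside this hunk and should be confirmed to bind 127.0.0.1 as well. A why-comment above the new line would keep that coupling visible to the next editor: `# Trust X-Forwarded-* from the local Apache proxy; only valid while 8080 stays bound to 127.0.0.1`. The `services:` block starts and ends outside the hunk.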
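Review bot: The new `RequestHeader set "X-Forwarded-Proto"` line overrides any client-supplied value, but nothing does the same for X-Forwarded-For, which mod_proxy appends to rather than replaces; now that the backend honours forwarded headers, a caller can put an arbitrary address first in that chain, and the leftmost entry is what Keycloak's Undertow listener typically takes as the client address for login-failure tracking and admin events. Add `RequestHeader unset X-Forwarded-For` beside the new line (mod_proxy then re-adds the header from the real peer address), and give `RequestHeader unset X-Forwarded-Host` the same treatment since mod_proxy merges that header too. `ProxyPreserveHost on` also means the client's Host header now reaches Keycloak and becomes the base of the advertised issuer and redirect URLs, so this vhost should only be selectable by its ServerName rather than serving as the default :443 vhost — that cannot be confirmed from the hunk. The enclosing VirtualHost block starts and ends outside the hunk.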
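Review bot: `test_keycloak_openid_config` never checks that curl succeeded, so a TLS or connection failure leaves `cmd.stdout` empty and the assertion fails with an opaque substring message; add `assert cmd.rc == 0, cmd.stderr` before the issuer check. The substring match also depends on Keycloak's compact JSON serialization (no space after the colon), so parsing the document is more robust: `assert json.loads(cmd.stdout)['issuer'] == 'https://keycloak.opendev.org/auth/realms/master'`, with `import json` added at the top of the file outside this hunk. Since the comment says the test exists to exercise the proxy headers, a second request that sends `-H 'X-Forwarded-Proto: http'` and still asserts an https issuer would pin the property the vhost change is meant to provide rather than only the happy path.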