diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index 83ae28dc79..b6d148b2bd 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -220,6 +220,7 @@ keystone_container_federation_oidc_attribute_mappings_folder: "{{ container_conf
keystone_host_federation_oidc_metadata_folder: "{{ node_config_directory }}/keystone/federation/oidc/metadata"
keystone_host_federation_oidc_idp_certificate_folder: "{{ node_config_directory }}/keystone/federation/oidc/cert"
keystone_host_federation_oidc_attribute_mappings_folder: "{{ node_config_directory }}/keystone/federation/oidc/attribute_maps"
+keystone_federation_oidc_jwks_uri: ""
# These variables are used to define multiple trusted Horizon dashboards.
# keystone_trusted_dashboards: ['', '', '']
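Review bot: The new `keystone_federation_oidc_jwks_uri` default has no comment, so its meaning (a mod_auth_openidc `OIDCOAuthVerifyJwksUri` value, with empty meaning "directive omitted") is only discoverable by reading the template. I would add above it: `# JWKS URI passed to OIDCOAuthVerifyJwksUri; keys fetched from here are trusted to verify bearer tokens on the auth-openidc endpoint. Leave empty to omit; when set, use the IdP's own https URL.` It also lands directly between the OIDC folder paths and the trusted-dashboards comment with no blank line, which blurs the grouping of the surrounding variables.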
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index 5ece77026e..a78266bd77 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -39,6 +39,11 @@ LogLevel info
+{# NOTE(darmach): with external tls enabled OIDC redirection fails, as TLS terminated on haproxy keystone is not aware that redirection should use https. -#}
+{# With missing ServerName Keystone Apache uses fqdn, with http. Adding ServerName pointing to keystone_public_url corrects this. -#}
+{% if kolla_enable_tls_external | bool %}
+ ServerName {{ keystone_public_url }}
+{% endif %}
WSGIDaemonProcess keystone-public processes={{ keystone_api_workers }} threads=1 user=keystone group=keystone display-name=keystone-public
WSGIProcessGroup keystone-public
WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public
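Review bot: `ServerName {{ keystone_public_url }}` is emitted only when `kolla_enable_tls_external` is true, yet the scheme Apache learns from it comes from `keystone_public_url` itself, so the two can disagree (a public URL with `https://` while the flag is off, or the reverse) and the redirect-scheme problem the NOTE describes would persist in that configuration. Since `keystone_public_url` already carries the intended scheme, host and port, emitting `ServerName {{ keystone_public_url }}` unconditionally looks simpler and covers both cases; if the conditional is deliberate, a comment stating why would help the next reader. Apache's `ServerName` accepts only `[scheme://]host[:port]`, so if `keystone_public_url` can ever carry a path suffix (I cannot tell from this diff) httpd would refuse to start — worth a precheck or a note in the variable's docs. The hunk's leading context lines are not shown, so the enclosing `<VirtualHost>` block starts outside this hunk.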
@@ -55,7 +60,7 @@ LogLevel info
SSLEngine on
SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
-{% endif %}
+{% endif -%}
{% if keystone_enable_federation_openid %}
OIDCClaimPrefix "OIDC-"
@@ -63,6 +68,9 @@ LogLevel info
OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
OIDCScope "{{ keystone_federation_oidc_scopes }}"
OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
+{% if keystone_federation_oidc_jwks_uri | length > 0 %}
+ OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }}
+{% endif %}
{% if keystone_federation_openid_certificate_key_ids | length > 0 %}
OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }}
{% endif %}
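Review bot: The added `OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }}` renders the variable into the Apache config verbatim behind only a non-empty check, and that URI is a trust anchor for bearer-token verification on the `auth-openidc` endpoint — whatever keys it serves become accepted JWT signers. An `http://` scheme, a typo pointing at an unrelated host, or a value containing whitespace (which would split into extra directive arguments) would all pass silently. I would validate it in the role's prechecks when non-empty, e.g. `assert: { that: keystone_federation_oidc_jwks_uri is match('^https://\S+$') }`, and add `{# JWKS URI is a signing-key trust root: must be the IdP's own HTTPS endpoint -#}` above the line. This also appears to be a single server-wide directive while `keystone_identity_providers` (seen in the later hunk) is a list, so it can carry only one provider's key set — worth stating in the docs if that is the intended limitation.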
@@ -96,7 +104,7 @@ LogLevel info
{# CLI / API authentication endpoint -#}
{% for idp in keystone_identity_providers %}
-{% if idp.protocol == 'openid' %}
+{% if idp.protocol == 'openid' -%}
Require valid-user
{# Note(jasonanderson): `auth-openidc` is a special auth type that can -#}
diff --git a/doc/source/reference/shared-services/keystone-guide.rst b/doc/source/reference/shared-services/keystone-guide.rst
index 9a51c93316..dc3d766c54 100644
--- a/doc/source/reference/shared-services/keystone-guide.rst
+++ b/doc/source/reference/shared-services/keystone-guide.rst
@@ -88,6 +88,14 @@ below:
- name: "mappingId1"
file: "/full/qualified/path/to/mapping/json/file/to/mappingId1"
+In some cases it's necessary to add JWKS (JSON Web Key Set) uri.
+It is required for auth-openidc endpoint - which is
+used by OpenStack command line client. Example config shown below:
+
+.. code-block:: yaml
+
+ keystone_federation_oidc_jwks_uri: "https:////discovery/v2.0/keys"
+
Identity providers configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/releasenotes/notes/fix-keystone-oidc-8058917b14b4053c.yaml b/releasenotes/notes/fix-keystone-oidc-8058917b14b4053c.yaml
new file mode 100644
index 0000000000..d25c700528
--- /dev/null
+++ b/releasenotes/notes/fix-keystone-oidc-8058917b14b4053c.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Fixes Keystone OIDC failing to validate JWT because of missing key
+ on Azure auth-oidc endpoint. Adds new variable containing JWKS uri
+ that delivers missing keys.
+ `LP#1990375 `__