diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index a6843774cd..2ac66c6d9a 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -234,6 +234,10 @@ keystone_enable_federation_openid: "{{ enable_keystone_federation | bool and key
 keystone_should_remove_attribute_mappings: False
 keystone_should_remove_identity_providers: False
 keystone_federation_oidc_response_type: "id_token"
+# can be set to any supported headers, according to
+# https://github.com/OpenIDC/mod_auth_openidc/blob/ea3af872dcdbb4634a7e541c5e8c7326dafbb090/auth_openidc.conf
+# e.g."X-Forwarded-Proto", "X-Forwarded-Port" etc.
+keystone_federation_oidc_forwarded_headers: ""
 keystone_federation_oidc_claim_delimiter: ";"
 keystone_federation_oidc_scopes: "openid email profile"
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index d8db570257..8275b8b917 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -58,6 +58,7 @@ LogLevel info
 {% endif -%}
 {% if keystone_enable_federation_openid | bool %}
+ OIDCXForwardedHeaders "{{ keystone_federation_oidc_forwarded_headers }}"
 OIDCClaimPrefix "OIDC-"
 OIDCClaimDelimiter "{{ keystone_federation_oidc_claim_delimiter }}"
 OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
diff --git a/releasenotes/notes/add-keystone-oidc-forwarded-headers-option-d153c6292cf20b26.yaml b/releasenotes/notes/add-keystone-oidc-forwarded-headers-option-d153c6292cf20b26.yaml
new file mode 100644
index 0000000000..9414e567dd
--- /dev/null
+++ b/releasenotes/notes/add-keystone-oidc-forwarded-headers-option-d153c6292cf20b26.yaml
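Review bot: The comment above `keystone_federation_oidc_forwarded_headers` does not say what enabling it implies for trust: `OIDCXForwardedHeaders` lets mod_auth_openidc take the scheme/host/port it uses for its own redirect URI from request headers, so if the Apache instance is reachable without going through the proxy, or the proxy does not overwrite those headers on every request, a client can supply them itself. Suggest replacing the three added comment lines with `# Space-separated mod_auth_openidc OIDCXForwardedHeaders value, e.g. "X-Forwarded-Proto X-Forwarded-Port".` / `# Only set this when a reverse proxy in front of keystone overwrites these headers on every request;` / `# otherwise a client can forge them. Supported values are listed in auth_openidc.conf (link above).` and keeping the pinned upstream link. The existing wording also has a typo, `e.g."X-Forwarded-Proto"`, missing the space after `e.g.`.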
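Review bot: With the default of `""`, the added line renders `OIDCXForwardedHeaders ""` on every federated deployment; Apache passes that as one empty argument, which is not the same as leaving the directive out and may be rejected by mod_auth_openidc's value validation at startup, so the release note's claim that the default preserves current behaviour is not guaranteed. Guard the directive: `{% if keystone_federation_oidc_forwarded_headers %}` / `    OIDCXForwardedHeaders {{ keystone_federation_oidc_forwarded_headers }}` / `{% endif %}`. Dropping the surrounding quotes matters too: a quoted value such as the `X-Forwarded-Proto X-Forwarded-Port` example from the defaults comment reaches Apache as a single argument, and if the directive is parsed one header per argument, as its upstream documentation suggests, that argument would be invalid. The enclosing `{% if keystone_enable_federation_openid %}` block and its `<VirtualHost>` end outside the hunk.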
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Add an option to set OIDCX forwarded headers in keystone. This is useful
+ when keystone is behind a proxy and the proxy is adding headers to the
+ request. The new option is ``keystone_federation_oidc_forwarded_headers``.
+ The default value is empty, to preserve the current behavior.
+ `LP#2080402 `__