diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index 6e8e58a540..f3bfb094e2 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -225,6 +225,7 @@ keystone_host_federation_oidc_metadata_folder: "{{ node_config_directory }}/keys
keystone_host_federation_oidc_idp_certificate_folder: "{{ node_config_directory }}/keystone/federation/oidc/cert"
keystone_host_federation_oidc_attribute_mappings_folder: "{{ node_config_directory }}/keystone/federation/oidc/attribute_maps"
keystone_federation_oidc_jwks_uri: ""
+keystone_federation_oidc_additional_options: {}
# These variables are used to define multiple trusted Horizon dashboards.
# keystone_trusted_dashboards: ['', '', '']
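Review bot: The new `keystone_federation_oidc_additional_options: {}` default carries no comment, although the neighbouring trusted-dashboards variable just below it is documented, so a reader of defaults/main.yml cannot tell that every key/value pair is rendered verbatim as an Apache directive line in wsgi-keystone.conf. Suggest a comment above the new line, for example `# Extra mod_auth_openidc directives rendered into wsgi-keystone.conf as "<key> <value>" lines.` followed by `# Quote values that YAML would otherwise type (e.g. "On"/"Off", numbers) so they reach Apache as written.`. Since the values end up in the keystone httpd configuration, it is also worth stating that only operator-controlled input belongs here.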
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index f24ac72106..26ffe493e9 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -75,6 +75,9 @@ LogLevel info
OIDCCacheType memcache
OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}"
{% endif %}
+{% for key, value in keystone_federation_oidc_additional_options.items() %}
+ {{ key }} {{ value }}
+{% endfor %}
Require valid-user
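Review bot: The loop emits `{{ key }} {{ value }}` with no quoting or validation, so each value is interpreted by httpd exactly as rendered: a value containing whitespace is split into several directive arguments, and a YAML value such as `On`/`Off` that Ansible's loader types as a boolean is rendered by Jinja as `True`/`False`, which may not be what mod_auth_openidc expects — the guide example (`OIDCTokenBindingPolicy: disabled`) happens to avoid this, but it is not documented anywhere. Wrapping every value in quotes would break multi-argument directives, so the safer fix is a template comment directly above the loop, e.g. `{# keystone_federation_oidc_additional_options is emitted verbatim; values must be Apache-ready strings, quoted in YAML where needed #}`, plus the same caveat in the keystone guide. The loop is also placed right after the `{% endif %}` at the end of the context; whether it is still inside the block that enables OIDC is not visible in this hunk, so confirm it only renders when the module is configured, since these directives are meaningless otherwise. The enclosing `<Location>`/`VirtualHost` block starts and ends outside the hunk.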
diff --git a/doc/source/reference/shared-services/keystone-guide.rst b/doc/source/reference/shared-services/keystone-guide.rst
index dc3d766c54..c0f157cb84 100644
--- a/doc/source/reference/shared-services/keystone-guide.rst
+++ b/doc/source/reference/shared-services/keystone-guide.rst
@@ -96,6 +96,14 @@ used by OpenStack command line client. Example config shown below:
keystone_federation_oidc_jwks_uri: "https:////discovery/v2.0/keys"
+Some identity providers need additional mod_auth_openidc config.
+Example for Keycloak shown below:
+
+.. code-block:: yaml
+
+ keystone_federation_oidc_additional_options:
+ OIDCTokenBindingPolicy: disabled
+
Identity providers configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/releasenotes/notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml b/releasenotes/notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml
new file mode 100644
index 0000000000..203842f9b6
--- /dev/null
+++ b/releasenotes/notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Adds ``keystone_federation_oidc_additional_options`` that allows to pass
+ additional OIDC options.