diff --git a/defaults/main.yml b/defaults/main.yml
index c9b1f98e..79d9d2f5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -528,6 +528,7 @@ keystone_sp: {}
 # oidc_oauth_introspection_endpoint: endpoint address (optional)
 # oidc_oauth_client_id: string (optional)
 # oidc_oauth_client_secret: secret (optional)
+# oidc_pkce_method: plain | S256 | referred_tb (optional)
 # oidc_outgoing_proxy: "proxy address" (optional setting)
 # oidc_auth_request_params: param=some+url+encoded+value¶m2=and+another+one (optional)
 # oidc_state_max_number_of_cookies: 5 false (optional)
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index b19b9844..1c68eb01 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -68,6 +68,9 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
 {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret is defined -%}
 OIDCOAuthClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret }}
 {% endif -%}
+ {% if keystone_sp.trusted_idp_list.0.oidc_pkce_method is defined -%}
+ OIDCPKCEMethod {{ keystone_sp.trusted_idp_list.0.oidc_pkce_method }}
+ {% endif -%}
 {% if keystone_cache_servers | length > 0 -%}
 OIDCCacheType memcache
 OIDCMemCacheServers "{{ keystone_cache_servers | join(' ') }}"
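Review bot: The new `oidc_pkce_method` comment lists the three accepted values without steering operators toward the safe one; RFC 7636 §4.2 allows `plain` only when a client cannot compute S256 (the challenge is the verifier itself, so an attacker who observes the authorization request can replay it), and `referred_tb` is a token-binding variant that few IdPs implement. I would reword the line as `# oidc_pkce_method: plain | S256 | referred_tb (optional; use S256, plain only if the IdP cannot handle S256)`. It is also worth stating what happens when the key is left unset: the template in this same change emits no `OIDCPKCEMethod` directive, so the installed mod_auth_openidc version's own default applies, which as far as I can tell from the diff is not pinned or documented by the role.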
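Review bot: The added `OIDCPKCEMethod {{ ... }}` line interpolates `oidc_pkce_method` with no validation, so a value outside the enum promised in defaults/main.yml (a typo such as `s256` or `sha256`) is only caught when httpd rejects the rendered config on restart, leaving the service down until someone reads the error log. A render-time check gives a readable failure instead: an `ansible.builtin.assert` before the template task with `that: keystone_sp.trusted_idp_list.0.oidc_pkce_method | default('S256') in ['plain', 'S256', 'referred_tb']` and a `fail_msg` naming the allowed values. Separately, `OIDCPKCEMethod` is only understood by mod_auth_openidc builds that ship the directive; older packages refuse to start on an unknown directive, and nothing in this hunk gates the emission on the module version, so the minimum version should at least be documented. The enclosing configuration block starts and ends outside the hunk.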