diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index c4276c992c..5b63fb0266 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -340,6 +340,16 @@ parameters:
 description: >-
 Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
+ KeystoneOpenIdcEnableOAuth:
+ type: boolean
+ default: false
+ description: >-
+ Enable OAuth 2.0 integration.
+ KeystoneOpenIdcIntrospectionEndpoint:
+ type: string
+ default: ''
+ description: >-
+ OAuth 2.0 introspection endpoint for mod_auth_openidc
 resources:
@@ -552,6 +562,10 @@ outputs:
 get_param: KeystoneOpenIdcResponseType
 keystone::federation::openidc::remote_id_attribute:
 get_param: KeystoneOpenIdcRemoteIdAttribute
+ keystone::federation::openidc::openidc_oauth_enabled:
+ get_param: KeystoneOpenIdcEnableOAuth
+ keystone::federation::openidc::openidc_introspection_endpoint:
+ get_param: KeystoneOpenIdcIntrospectionEndpoint
 - {}
 - if:
diff --git a/environments/enable-federation-openidc.yaml b/environments/enable-federation-openidc.yaml
index 6b9aa06342..db1d88eda4 100644
--- a/environments/enable-federation-openidc.yaml
+++ b/environments/enable-federation-openidc.yaml
@@ -30,6 +30,10 @@ parameter_defaults:
 # Type: string
 KeystoneOpenIdcIdpName: myidp
+ # OAuth 2.0 introspection endpoint for mod_auth_openidc
+ # Type: string
+ KeystoneOpenIdcIntrospectionEndpoint: https://myidp.example.test/auth/realms/openstack/protocol/openid-connect/token/introspect
+
 # The url that points to your OpenID Connect provider metadata
 # Type: string
 KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration
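Review bot: `KeystoneOpenIdcIntrospectionEndpoint` in the `-340,6 +340,16` hunk of keystone-container-puppet.yaml is added with `default: ''` and no `constraints`, so nothing at Heat validation time ties it to `KeystoneOpenIdcEnableOAuth`: a stack that flips OAuth on and leaves the endpoint empty is accepted and the problem surfaces, if at all, only once the empty hiera value reaches puppet-keystone. Heat cannot express that cross-parameter rule, but a pattern constraint, `constraints:` / `- allowed_pattern: '^(https://.+)?$'`, would at least keep the endpoint on TLS, which matters because introspection requests carry the client credentials and the token being checked; the description should then state that the value is required whenever `KeystoneOpenIdcEnableOAuth` is true. The description `Enable OAuth 2.0 integration.` also does not say what is switched on; if, as the hiera key `openidc_oauth_enabled` suggests, this turns on mod_auth_openidc token introspection, `Enable OAuth 2.0 token introspection in mod_auth_openidc for the keystone federation endpoint; requires KeystoneOpenIdcIntrospectionEndpoint.` would let an operator decide whether they need it. The same two parameters are wired into the hiera output in the `-552,6 +562,10` hunk, whose enclosing conditional begins outside the hunk.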
@@ -70,6 +74,10 @@ parameter_defaults:
 # Type: boolean
 KeystoneOpenIdcEnable: True
+ # Enable OAuth 2.0 integration.
+ # Type: boolean
+ KeystoneOpenIdcEnableOAuth: True
+
 # Enable support for Web Single Sign-On
 # Type: boolean
 WebSSOEnable: True
diff --git a/sample-env-generator/openidc.yaml b/sample-env-generator/openidc.yaml
index 8e86ac22b4..03c13c9a65 100644
--- a/sample-env-generator/openidc.yaml
+++ b/sample-env-generator/openidc.yaml
@@ -16,6 +16,8 @@ environments:
 - KeystoneOpenIdcCryptoPassphrase
 - KeystoneOpenIdcResponseType
 - KeystoneOpenIdcRemoteIdAttribute
+ - KeystoneOpenIdcEnableOAuth
+ - KeystoneOpenIdcIntrospectionEndpoint
 deployment/horizon/horizon-container-puppet.yaml:
 parameters:
 - WebSSOEnable
@@ -25,16 +27,19 @@ environments:
 sample_values:
 KeystoneFederationEnable: True
 KeystoneOpenIdcEnable: True
+ KeystoneOpenIdcEnableOAuth: True
 WebSSOEnable: True
 KeystoneAuthMethods: 'password,token,openid'
 KeystoneTrustedDashboards: 'https://dashboard.example.test/dashboard/auth/websso/'
 KeystoneOpenIdcIdpName: 'myidp'
 KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration'
+ KeystoneOpenIdcIntrospectionEndpoint: 'https://myidp.example.test/auth/realms/openstack/protocol/openid-connect/token/introspect'
 KeystoneOpenIdcClientId: 'myclientid'
 KeystoneOpenIdcClientSecret: 'myclientsecret'
 static:
 - KeystoneFederationEnable
 - KeystoneOpenIdcEnable
+ - KeystoneOpenIdcEnableOAuth
 - WebSSOEnable
 description: |
 This is an example template on how to configure keystone federation for
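Review bot: `KeystoneOpenIdcEnableOAuth` is listed under `static` in the `-25,16 +27,19` hunk of sample-env-generator/openidc.yaml, so if static entries are rendered as values the generated environment tells operators not to change, as the existing `KeystoneFederationEnable`/`KeystoneOpenIdcEnable` entries suggest, every user of enable-federation-openidc.yaml gets OAuth introspection switched on even though the template parameter defaults to `false` and plain OpenID Connect federation worked without it. Unless the federation setup now depends on introspection, dropping `- KeystoneOpenIdcEnableOAuth` from `static` while keeping the `sample_values` entry leaves it an opt-in override like `KeystoneOpenIdcIntrospectionEndpoint`, which this hunk adds as a sample value only. The generated copies of these values in the two environments/enable-federation-openidc.yaml hunks would follow from that change.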