diff --git a/TEMPLATE/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb b/TEMPLATE/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb
index 2454b91..6f8df9c 100644
--- a/TEMPLATE/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb
+++ b/TEMPLATE/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb
@@ -2,15 +2,36 @@ LoadModule auth_openidc_module modules/mod_auth_openidc.so
ServerName https://<%= miq_appliance %>
LogLevel warn
-OIDCProviderMetadataURL <%= oidc_provider_metadata_url %>
-OIDCCLientID <%= oidc_client_id %>
-OIDCClientSecret <%= oidc_client_secret %>
-OIDCRedirectURI https://<%= miq_appliance %>/oidc_login/redirect_uri
-OIDCCryptoPassphrase sp-cookie
-OIDCOAuthRemoteUserClaim username
+OIDCProviderMetadataURL <%= oidc_provider_metadata_url %>
+OIDCCLientID <%= oidc_client_id %>
+OIDCClientSecret <%= oidc_client_secret %>
+OIDCRedirectURI https://<%= miq_appliance %>/oidc_login/redirect_uri
+OIDCCryptoPassphrase sp-cookie
+OIDCOAuthRemoteUserClaim username
+OIDCOAuthClientID <%= oidc_client_id %>
+OIDCOAuthClientSecret <%= oidc_client_secret %>
+OIDCOAuthIntrospectionEndpoint <%= oidc_introspection_endpoint %>
+OIDCOAuthIntrospectionEndpointAuth client_secret_basic
AuthType openid-connect
Require valid-user
+
+ SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
+ SetEnvIf X-Auth-Token '^.+$' let_api_token_in
+ SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in
+ SetEnvIf X-CSRF-Token '^.+$' let_csrf_token_in
+
+ AuthType oauth20
+ AuthName "External Authentication (oidc) for API"
+
+ Require valid-user
+ Order Allow,Deny
+ Allow from env=let_admin_in
+ Allow from env=let_api_token_in
+ Allow from env=let_sys_token_in
+ Allow from env=let_csrf_token_in
+ Satisfy Any
+
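Review bot: The `SetEnvIf … '^.+$'` lines combined with `Allow from env=…` and `Satisfy Any` exempt a request from `Require valid-user` whenever `X-Auth-Token`, `X-MIQ-Token` or `X-CSRF-Token` is merely non-empty, or `Authorization` starts with the Basic prefix for `admin:`. For those requests Apache performs no authentication, so everything depends on the application behind it validating the token or password itself. I would say so in a comment above the block, e.g. `# Header presence only routes the request past mod_auth_openidc; the API must still validate the token/credentials`, and confirm that the backend does not trust REMOTE_USER or identity headers on requests that took this path, which this hunk does not show. Separately, `OIDCCryptoPassphrase sp-cookie` is a fixed value shared by every appliance built from this template and should be a per-appliance random secret supplied the same way as `oidc_client_secret`. The container tags enclosing these directives are not visible in the hunk, so the scope of the exemption cannot be confirmed from here; on httpd 2.4, `Require env let_admin_in` and its siblings inside `<RequireAny>` would express the same rule without mixing in the 2.2-era `Order`/`Allow`/`Satisfy` directives.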