diff --git a/roles/pagure/tasks/main.yml b/roles/pagure/tasks/main.yml
index 4088a3e0b5..2b184a5be7 100644
--- a/roles/pagure/tasks/main.yml
+++ b/roles/pagure/tasks/main.yml
@@ -517,3 +517,14 @@
   tags:
   - pagure
   - letsencrypt
+
+# httplib2 0.10.3, as available in EL8, hardcodes TLSv1. The next version
+# (0.11.0) chooses the TLS version that is supported by both client and server.
+# That variable is only available since Python 3.5+, but EL8 has Python 3.6, so
+# we're good to patch. The alternative would be for EL8 to update httplib2 to
+# at least version 0.11.0.
+- name: Patch httplib2 to not hardcode TLSv1, which is not accepted by Ipsilon
+  ansible.builtin.replace:
+    path: /usr/lib/python3.6/site-packages/httplib2/__init__.py
+    regexp: 'ssl\.PROTOCOL_TLSv1'
+    replace: 'ssl.PROTOCOL_TLS'
diff --git a/roles/pagure/templates/client_secrets.json b/roles/pagure/templates/client_secrets.json
index f491759776..4a2a2f416c 100644
--- a/roles/pagure/templates/client_secrets.json
+++ b/roles/pagure/templates/client_secrets.json
@@ -1,8 +1,8 @@
 {
   "web": {
+    "client_id": "pagure",
 {% if env == 'pagure-staging' %}
     "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
-    "client_id": "{{ pagure_oidc_client_id }}",
     "client_secret": "{{ pagure_stg_oidc_client_secret }}",
     "issuer": "https://id.stg.fedoraproject.org/openidc/",
     "redirect_uris": [
@@ -12,8 +12,7 @@
     "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo"
 {% else %}
     "auth_uri": "https://id.fedoraproject.org/openidc/Authorization",
-    "client_id": "{{ pagure_oidc_client_id }}",
-    "client_secret": "{{ pagure_stg_oidc_client_secret }}",
+    "client_secret": "{{ pagure_oidc_client_secret }}",
     "issuer": "https://id.fedoraproject.org/openidc/",
     "redirect_uris": [
       "https://pagure.io/login"
diff --git a/roles/pagure/templates/pagure.cfg b/roles/pagure/templates/pagure.cfg
index cfaf191c09..409ba264af 100644
--- a/roles/pagure/templates/pagure.cfg
+++ b/roles/pagure/templates/pagure.cfg
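Review bot: The `regexp: 'ssl\.PROTOCOL_TLSv1'` on the new `ansible.builtin.replace` task is unanchored, so any `ssl.PROTOCOL_TLSv1_1` or `ssl.PROTOCOL_TLSv1_2` occurrence in the same module would be rewritten to a non-existent `ssl.PROTOCOL_TLS_1`/`ssl.PROTOCOL_TLS_2` and break the import; `regexp: '\bssl\.PROTOCOL_TLSv1\b'` limits the match to the bare constant. The task also edits a package-owned file under `/usr/lib/python3.6/site-packages` in place, so an httplib2 package update will silently restore the TLSv1 hard-coding and `rpm -V` will report the file as modified — worth stating in the comment block above the task, which currently explains only why patching is safe, not that it must be re-applied. Unlike the preceding task, which carries `tags:` with `pagure`, the new task has no `tags:` entry, so a tag-limited run skips it.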
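Review bot: The new `"client_id": "pagure",` line replaces the `pagure_oidc_client_id` variable in both branches, so that variable is presumably still defined in the role's vars and is now dead; either drop it there or keep the template reading it so staging and production can register under different client ids. If the hard-coded value is intentional, a one-line Jinja comment above it stating that both IdPs register this client as `pagure` would stop the next reader from reintroducing the variable.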
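Review bot: The new `"client_secret": "{{ pagure_oidc_client_secret }}",` line interpolates the secret straight into a JSON string literal, so a secret containing `"` or `\` renders invalid JSON that the consumer cannot parse; `"client_secret": {{ pagure_oidc_client_secret | to_json }},` lets Jinja do the quoting and escaping. The same applies to the unchanged staging line `"client_secret": "{{ pagure_stg_oidc_client_secret }}",` in the first hunk. Since this file now carries the production credential, the task that deploys the template (outside this diff) should install it with an owner-only mode.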
@@ -193,13 +193,23 @@ DISABLED_PLUGINS = ['IRC']
 
 # Authentication related configuration option
 ### Switch the authentication method
-# Specify which authentication method to use, defaults to `fas` can be or
-# `local`
+# Specify which authentication method to use: `openid`, `oidc`, `local`
 # Default: ``fas``.
 {% if env == 'pagure-staging' %}
-PAGURE_AUTH = 'openid'
-#PAGURE_AUTH = 'oidc'
-#OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
+PAGURE_AUTH = 'oidc'
+OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
+OIDC_ID_TOKEN_COOKIE_SECURE = True
+OIDC_SCOPES = [
+    'openid', 'email', 'profile',
+    'https://id.fedoraproject.org/scope/groups',
+    'https://id.fedoraproject.org/scope/agreements',
+]
+OIDC_PAGURE_EMAIL = 'email'
+OIDC_PAGURE_FULLNAME = 'fullname'
+OIDC_PAGURE_USERNAME = 'preferred_username'
+OIDC_PAGURE_SSH_KEY = 'ssh_key'
+OIDC_PAGURE_GROUPS = 'groups'
+OIDC_PAGURE_USERNAME_FALLBACK = 'nickname'
 {% else %}
 PAGURE_AUTH = 'openid'
 {% endif %}
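Review bot: The rewritten comment line now lists `openid`, `oidc` and `local` as the accepted values, but the unchanged `# Default:` line directly below it still names `fas`, which is not among them; either add `fas` to the list or correct the default so the two lines agree. The `OIDC_SCOPES` entries `https://id.fedoraproject.org/scope/groups` and `https://id.fedoraproject.org/scope/agreements` are hard-coded to the production host inside the `pagure-staging` branch, whose issuer is `id.stg.fedoraproject.org`; if these are opaque scope identifiers shared by both IdPs, a one-line comment saying so would stop someone from "fixing" them, otherwise they should follow the issuer. Only the staging branch switches to `oidc`; production remains on `openid`, so the new `OIDC_*` settings are untested there until a follow-up flips it.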