diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index 8275b8b917..427c36d105 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -58,7 +58,9 @@ LogLevel info
 {% endif -%}
 
 {% if keystone_enable_federation_openid | bool %}
+{% if keystone_federation_oidc_forwarded_headers | length > 0 %}
     OIDCXForwardedHeaders "{{ keystone_federation_oidc_forwarded_headers }}"
+{% endif %}
     OIDCClaimPrefix "OIDC-"
     OIDCClaimDelimiter "{{ keystone_federation_oidc_claim_delimiter }}"
     OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
diff --git a/releasenotes/notes/fix-oidc-x-forwarded-headers-option-edb945bfcb98c691.yaml b/releasenotes/notes/fix-oidc-x-forwarded-headers-option-edb945bfcb98c691.yaml
new file mode 100644
index 0000000000..0f3d9c6ecb
--- /dev/null
+++ b/releasenotes/notes/fix-oidc-x-forwarded-headers-option-edb945bfcb98c691.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes the bug where Keystone become unable to start when the option
+    ``OIDCXForwardedHeaders`` is set with empty string in
+    ``wsgi-keystone.conf``.
+    `LP#2119344 <https://bugs.launchpad.net/kolla-ansible/+bug/2119344>`__