diff --git a/releasenotes/notes/os-keystone-oidc-scope-spelling-fix-3051b95adeb37901.yaml b/releasenotes/notes/os-keystone-oidc-scope-spelling-fix-3051b95adeb37901.yaml
new file mode 100644
index 00000000..398b56fc
--- /dev/null
+++ b/releasenotes/notes/os-keystone-oidc-scope-spelling-fix-3051b95adeb37901.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ For deployers using Keystone as an OIDC-based Service Provider there has
+ been a spelling fix for the OIDCScope setting. Please use
+ ``keystone_sp.trusted_idp_list.0.oidc_scope`` instead of
+ ``keystone_sp.trusted_idp_list.0.idc_scope``.
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 066ec58e..75f65e29 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -37,7 +37,7 @@ Listen {{ keystone_service_port }}
 {% if keystone_sp_apache_mod_auth_openidc -%}
 OIDCClaimPrefix "{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}"
 OIDCResponseType "{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}"
- OIDCScope "{{ keystone_sp.trusted_idp_list.0.idc_scope | default(keystone_sp.trusted_idp_list.0.oidc_scope | default('openid email profile')) }}"
+ OIDCScope "{{ keystone_sp.trusted_idp_list.0.oidc_scope | default('openid email profile') }}"
 OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}
 OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
 OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
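Review bot: Dropping the `idc_scope` lookup on the new `OIDCScope` line means a deployment that still sets only the misspelled key will silently render the default `openid email profile` scope after upgrade, with no error at deploy time. That changes which claims the service provider requests from the identity provider, so a deliberately narrowed scope is widened or a scope the federation mapping depends on disappears, and the first symptom is likely a failed or mis-mapped login. Unless the misspelled key was already deprecated in an earlier release (not visible here), I would keep it as a secondary fallback for one cycle, `OIDCScope "{{ keystone_sp.trusted_idp_list.0.oidc_scope | default(keystone_sp.trusted_idp_list.0.idc_scope | default('openid email profile')) }}"`, or fail the play when `idc_scope` is still defined. The release note would also be easier to find under an `upgrade` section, since action is required from the deployer.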