diff --git a/ansible/roles/bugzilla/tasks/deploy-bugzilla.yml b/ansible/roles/bugzilla/tasks/deploy-bugzilla.yml
index 9650252..1f718ab 100644
--- a/ansible/roles/bugzilla/tasks/deploy-bugzilla.yml
+++ b/ansible/roles/bugzilla/tasks/deploy-bugzilla.yml
@@ -126,7 +126,7 @@
name: Deploy OIDC login redirect page
copy:
src: oidc-login.html
- dest: "{{ bugzilla_dir }}/oidc-login.html"
+ dest: "{{ install_dir }}/oidc-login.html"
owner: www-data
group: www-data
when: oauth_client_id is defined
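Review bot: The page now lands under `{{ install_dir }}`, which the vhost serves through an Alias, yet the copy task sets no `mode` and makes the web-server user its owner, so a freshly created file gets whatever the system umask yields and is writable by the `www-data` process. For a static page Apache only reads, `owner: root`, `group: root` and `mode: "0644"` is the safer default; if `www-data` ownership is needed for some reason, at least pin `mode: "0644"` so the result does not depend on the host's umask. The task's opening line and anything after `when:` are not fully visible in this hunk.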
diff --git a/ansible/roles/bugzilla/templates/bugzilla-vhost.conf.j2 b/ansible/roles/bugzilla/templates/bugzilla-vhost.conf.j2
index fc89b8a..26311e9 100644
--- a/ansible/roles/bugzilla/templates/bugzilla-vhost.conf.j2
+++ b/ansible/roles/bugzilla/templates/bugzilla-vhost.conf.j2
@@ -25,8 +25,12 @@
OIDCPassClaimsAs environment
OIDCSSLValidateServer Off
OIDCProviderEndSessionEndpoint {{ oauth_issuer_url }}/end-session/
+ OIDCDefaultURL https://{{ domain }}/
-
+ # Login trigger — Alias to file outside DocumentRoot so the
+ # Directory's OIDCUnAuthAction pass does not apply here.
+ Alias /oidc-login {{ install_dir }}/oidc-login.html
+
AuthType openid-connect
Require valid-user
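Review bot: The Alias at the new `Alias /oidc-login {{ install_dir }}/oidc-login.html` line points at a path outside DocumentRoot, and on Apache 2.4 such a path is only served when a `<Directory>`, `<Files>` or overriding `<Location>` section grants access to it; nothing in this hunk does, and the section enclosing `AuthType openid-connect` / `Require valid-user` starts outside the hunk, so whether the file is reachable or answers 403 (AH01630) depends on that section's scope. If it is not a `<Location /oidc-login>` (or equivalent) that also covers the aliased file, a `<Files "oidc-login.html">` block with the same `AuthType`/`Require` pair is needed. It would also help to extend the new comment with why the login page deliberately lives outside DocumentRoot: `# Placed outside DocumentRoot on purpose: the Directory below passes anonymous requests through, this path must force the OIDC login`. Adjacent but untouched by this change, `OIDCSSLValidateServer Off` disables certificate validation toward the issuer; a comment stating why it is needed, or a TODO to remove it once the issuer presents a trusted certificate, would keep that from being cargo-culted.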
@@ -45,7 +49,11 @@
Options +ExecCGI +FollowSymLinks
DirectoryIndex index.cgi index.html
AllowOverride All
-{% if oauth_client_id is not defined %}
+{% if oauth_client_id is defined %}
+ AuthType openid-connect
+ OIDCUnAuthAction pass
+ Require valid-user
+{% else %}
Require all granted
{% endif %}
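Review bot: With the new `OIDCUnAuthAction pass`, unauthenticated requests to this Directory are handed to Bugzilla as anonymous, so the `Require valid-user` beneath it does not gate anything on its own and the application, not Apache, becomes the authorization boundary; a reader seeing `AuthType openid-connect` plus `Require valid-user` will otherwise assume the directory is protected. Suggested comment above the `AuthType` line: `# pass: anonymous requests still reach Bugzilla (empty REMOTE_USER); login is only forced via /oidc-login`. The `<Directory>` header this branch sits in, and the earlier conditional this one replaces the sense of, are outside the hunk, so the claim that Bugzilla handles the empty-user case is inferred and worth confirming against the app config. As a style point, the Jinja tags are at column 0 while the directives they wrap are indented; indenting the `{% if %}`/`{% else %}`/`{% endif %}` lines to match the surrounding block keeps the rendered config and the template visually aligned.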