diff --git a/changelog.d/19270.doc b/changelog.d/19270.doc new file mode 100644 index 00000000000..fdb7e2e51c7 --- /dev/null +++ b/changelog.d/19270.doc @@ -0,0 +1 @@ +Document the importance of `public_baseurl` when configuring OpenID Connect authentication. diff --git a/docs/openid.md b/docs/openid.md index 819f7543902..e91d375c41f 100644 --- a/docs/openid.md +++ b/docs/openid.md @@ -50,6 +50,11 @@ setting in your configuration file. See the [configuration manual](usage/configuration/config_documentation.md#oidc_providers) for some sample settings, as well as the text below for example configurations for specific providers. +For setups using [`.well-known` delegation](delegate.md), make sure +[`public_baseurl`](usage/configuration/config_documentation.md#public_baseurl) is set +appropriately. If unset, Synapse defaults to `https:///` which is used in +the OIDC callback URL. + ## OIDC Back-Channel Logout Synapse supports receiving [OpenID Connect Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) notifications.
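Review bot: In the paragraph added to docs/openid.md, the default is written as `https:///`, which has an empty host and does not tell the reader what Synapse actually falls back to. If an angle-bracket placeholder was intended there, it is probably being swallowed as an HTML tag when the markdown is rendered; escape it, or name in words the setting the default is derived from. "Set appropriately" is also left undefined: state that `public_baseurl` should be the URL at which clients actually reach Synapse, and describe the symptom of getting it wrong (the callback URL Synapse sends no longer matches the redirect URI registered with the OIDC provider, so the provider rejects the login), so that admins using `.well-known` delegation can recognise the failure.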