mod_auth_openidc documentation
You can read the documentation of mod_auth_openidc at https://github.com/zmartzone/mod_auth_openidc/wiki
Install mod_auth_openidc
Use the package manager of your Linux distribution.
Make sure that the module is enabled in your Apache configuration.
Register your service as an OIDC client
Read: Registering services on MyAcademicID
The redirect_uri for your service is shown in the mod_auth_openidc configuration below.
Configure the virtual host for your service
<VirtualHost *:443>
    OIDCProviderMetadataURL https://proxy.prod.erasmus.eduteams.org/.well-known/openid-configuration
    OIDCClientID <CLIENT_ID>
    OIDCClientSecret <CLIENT_SECRET>
    OIDCRedirectURI https://<SERVER_FQDN>/redirect_uri
    OIDCCryptoPassphrase <RANDOM-LONG_STRING>
    # Apache configuration comments use "#"; HTML-style <!-- --> comments are a syntax error here.
    # Available scopes:
    # - openid: mandatory
    # - email: required in order to receive the email of the user
    # - profile: required in order to receive the name of the user
    # - schac_personal_unique_code: required in order to receive the ESI of the user
    # - voperson_external_affiliation: required in order to receive the affiliation of the user
    # - schac_home_organization: required in order to receive the schacHomeOrganization of the user
    # - eduperson_entitlement: required in order to receive user entitlements, e.g. the EWP Admin role
    OIDCScope "openid email profile"
    # The configuration of your application goes here.
    # If you want to configure a specific location to require
    # OIDC authentication, see the example below.
    <Location /<protected-resource>>
        # More information about authorization can be found here:
        # https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#1-mod_auth_openidc
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
Create a target page below the /<protected-resource>/ location
This example PHP page reads the claims that the OIDC module passes after a successful login (as OIDC_CLAIM_* request headers and, with mod_php, as environment variables in $_SERVER) and displays them:
<html>
<body>
<h1>Hello, <?php echo htmlspecialchars($_SERVER['REMOTE_USER']); ?></h1>
<!-- Claims passed by mod_auth_openidc as OIDC_CLAIM_* request headers -->
<pre><?php print_r(array_map("htmlentities", apache_request_headers())); ?></pre>
<!-- The same claims as environment variables (mod_php exposes them in $_SERVER) -->
<pre><?php foreach ($_SERVER as $k => $v) { if (strpos($k, 'OIDC_') === 0) echo htmlentities("$k: $v\n"); } ?></pre>
<!-- The logout link must use the path of the OIDCRedirectURI configured above -->
<a href="/redirect_uri?logout=https%3A%2F%2Flocalhost%2Floggedout.html">Logout</a>
</body>
</html>
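The configuration above only enforces Require valid-user; to act on the claims listed in the scopes comment (for example the EWP Admin role carried in eduperson_entitlement), the target page can check the entitlement itself. This is an added example, not code from the original page or from mod_auth_openidc; it assumes the eduperson_entitlement scope is requested, that the claim name equals the scope name, that mod_auth_openidc uses its default OIDC_CLAIM_ prefix and "," claim delimiter, and that EWP_ADMIN_ENTITLEMENT is a placeholder for the real entitlement value.

```php
<?php
// Added example, not from the original page. Placeholder: replace with the
// actual entitlement value that MyAcademicID issues for the EWP Admin role.
const EWP_ADMIN_ENTITLEMENT = 'urn:PLACEHOLDER:ewp:admin';

// Read a claim passed by mod_auth_openidc. With mod_php the claim is an
// environment variable (OIDC_CLAIM_<name>); behind php-fpm or a reverse proxy
// only the request header survives, which PHP exposes as HTTP_OIDC_CLAIM_<NAME>.
function oidc_claim(string $name): ?string {
    foreach (["OIDC_CLAIM_$name", 'HTTP_OIDC_CLAIM_' . strtoupper($name)] as $key) {
        if (isset($_SERVER[$key]) && $_SERVER[$key] !== '') {
            return $_SERVER[$key];
        }
    }
    return null;
}

// Multi-valued claims such as eduperson_entitlement arrive as one string
// joined with OIDCClaimDelimiter, which defaults to ",".
function oidc_claim_values(string $name, string $delimiter = ','): array {
    $raw = oidc_claim($name);
    return $raw === null ? [] : array_map('trim', explode($delimiter, $raw));
}

// Exact match only: a prefix or substring match would accept unrelated entitlements.
function has_entitlement(string $wanted): bool {
    return in_array($wanted, oidc_claim_values('eduperson_entitlement'), true);
}

// Deny the request unless the identity provider asserted the required entitlement.
if (!has_entitlement(EWP_ADMIN_ENTITLEMENT)) {
    http_response_code(403);
    exit('Forbidden: EWP Admin entitlement required');
}
?>
<html>
<body>
<h1>Hello, <?= htmlspecialchars($_SERVER['REMOTE_USER'] ?? '') ?> (EWP Admin)</h1>
</body>
</html>
```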