diff --git a/sssd-2.6.3.tar.gz b/sssd-2.7.4.tar.gz
similarity index 49%
rename from sssd-2.6.3.tar.gz
rename to sssd-2.7.4.tar.gz
index 70bd79a98682617417c8495dca43a4cfed7f6b07..6f3714d69ed4dfe1d77b9241ce99a26edb6c33ab 100644
Binary files a/sssd-2.6.3.tar.gz and b/sssd-2.7.4.tar.gz differ
diff --git a/sssd.spec b/sssd.spec
index 00d14c358d4a0cacce47adc4a7d9c800ae9a7944..7eb1b92a3362bf5d7dbd8e118ffdba1245177699 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -17,12 +17,12 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
 
 Name: sssd
-Version: 2.6.3
+Version: 2.7.4
 Release: %{anolis_release}%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
-Source0: https://github.com/SSSD/sssd/releases/download/2.6.3/sssd-2.6.3.tar.gz
+Source0: https://github.com/SSSD/sssd/releases/download/2.7.4/sssd-2.7.4.tar.gz
 
 ### Dependencies ###
 
@@ -64,6 +64,8 @@ BuildRequires: gdm-pam-extensions-devel
 BuildRequires: gettext-devel
 # required for p11_child smartcard tests
 BuildRequires: gnutls-utils
+BuildRequires: libcurl-devel
+BuildRequires: libjose-devel
 BuildRequires: keyutils-libs-devel
 BuildRequires: krb5-devel
 BuildRequires: libcmocka-devel >= 1.0.0
@@ -129,9 +131,9 @@ License: GPLv3+
 # Requires
 Requires: libldb >= %{ldb_version}
 Requires: libtevent >= 0.11.0
-Requires: sssd-client%{?_isa} = %{version}-%{release}
+Requires: sssd-client = %{version}-%{release}
 Requires: (libsss_sudo = %{version}-%{release} if sudo)
-Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
+Requires: (libsss_autofs = %{version}-%{release} if autofs)
 Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
 Requires: libsss_idmap = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
@@ -235,7 +237,7 @@ from and authenticate against an LDAP server.
 %package krb5-common
 Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
 License: GPLv3+
-Requires: cyrus-sasl-gssapi%{?_isa}
+Requires: cyrus-sasl-gssapi
 Requires: sssd-common = %{version}-%{release}
 
 %description krb5-common
@@ -268,7 +270,7 @@ License: GPLv3+
 Requires: samba-client-libs >= %{samba_package_version}
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
-Requires: libipa_hbac%{?_isa} = %{version}-%{release}
+Requires: libipa_hbac = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
 Recommends: bind-utils
 Requires: sssd-common-pac = %{version}-%{release}
@@ -457,6 +459,16 @@ Requires: krb5-libs >= %{krb5_version}
 An implementation of a Kerberos KCM server. Use this package if you want to
 use the KCM: Kerberos credentials cache.
 
+%package idp
+Summary: Kerberos plugins and OIDC helper for external identity providers.
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+ 
+%description idp
+This package provides Kerberos plugins that are required to enable
+authentication against external identity providers. Additionally a helper
+program to handle the OAuth 2.0 Device Authorization Grant is provided.
+
 %prep
 %autosetup -p1
 
@@ -520,6 +532,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
    $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
 
+# Enable krb5 idp plugins by default (when sssd-idp package is installed)
+cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
+   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
+
 # krb5 configuration snippet
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
    $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
@@ -812,6 +828,7 @@ done
 %{_mandir}/man8/pam_sss.8*
 %{_mandir}/man8/pam_sss_gss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
+%{_mandir}/man8/sssd_krb5_localauth_plugin.8*
 
 %files -n libsss_sudo
 %license src/sss_client/COPYING
@@ -917,6 +934,12 @@ done
 %{_unitdir}/sssd-kcm.service
 %{_mandir}/man8/sssd-kcm.8*
 
+%files idp
+%{_libexecdir}/%{servicename}/oidc_child
+%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
+%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
+
 %pre common
 getent group sssd >/dev/null || groupadd -r sssd
 getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
@@ -988,6 +1011,9 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Wed Sep 28 2022 mgb01105731 <mgb01105731@alibaba-inc.com> - 2.7.4-1
+- update to 2.7.4
+
 * Wed Mar 09 2022 Chunmei Xu <xuchunmei@linux.alibaba.com> - 2.6.3-1
 - init from upstream 2.6.2