Getting "SSO failed" after successfully logging into Keycloak

I think this is what was discussed in the following thread:

GitHub - jdennis/keycloak-httpd-client-install: Python support for Keycloak doesn’t know that on Debian the config is in /etc/apache2 vs /etc/httpd (like on CentOS), and misplaces it.

I think it’s the RequestHeader set REMOTE_USER %{REMOTE_USER}e and friends from the Apache config I posted above.

To elaborate a bit more on the architecture behind our setup and “how it should work”:

  • We used to deploy Foreman with Passenger as an Apache module, which meant that the Foreman application ran inside the Apache process and had access to environment variables Apache and its modules set.
  • This is also how most of the mod_auth_something modules work: you configure them to talk to some kind of authentication service (Kerberos, Keycloak, you name it) and after the authentication succeeded they set a few environment variables to let “the rest of the stack” (other modules, applications, etc) know who is logged in.
  • With Foreman 2.1 we moved the deployment to Puma, which is running as a standalone process and Apache is talking HTTP to it. That especially means that any application running inside Puma can’t access environment variables from Apache, thus breaking authentication.
  • With Foreman 2.3 we fixed that by forwarding the relevant variables as HTTP headers.

And I think the last bit was missing in your setup, and was now corrected by the installer.

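Added example, not part of the original post and not Foreman's or the installer's code: a small check that reads an Apache config fragment and reports whether REMOTE_USER is forwarded to the proxied application as a request header, as the post describes for Foreman 2.3. The sample fragments, the function name and the status labels are constructed for illustration. It also flags mod_headers actions other than set, because only set replaces a header of the same name sent by the client.

```python
import re

# Constructed Apache fragments for illustration; they are not from the thread.
SAMPLES = {
    "forwarded": "ProxyPass / http://127.0.0.1:3000/\n"
                 "RequestHeader set REMOTE_USER %{REMOTE_USER}e\n",
    "not_forwarded": "ProxyPass / http://127.0.0.1:3000/\n"
                     "# RequestHeader set REMOTE_USER %{REMOTE_USER}e\n",
    "client_value_kept": 'RequestHeader setifempty Remote_User "%{REMOTE_USER}e"\n',
}

# RequestHeader <action> <header> [<value> ...]
DIRECTIVE = re.compile(r"^\s*RequestHeader\s+(\w+)\s+(\S+)(?:\s+(.+?))?\s*$", re.I)

def forwarding_status(conf, var="REMOTE_USER"):
    """Classify how `var` reaches the proxied app as an HTTP request header.

    "ok"                - 'set' copies the env var and replaces any client-sent value
    "client_value_kept" - the env var is copied, but a client-sent header can survive
    "missing"           - the env var is never copied; the backend sees no identity
    """
    expansion = "%{" + var + "}e"   # mod_headers syntax for an environment variable
    status = "missing"
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue                # commented-out directives do not count
        m = DIRECTIVE.match(line)
        if not m:
            continue
        action, header, value = m.group(1).lower(), m.group(2), m.group(3) or ""
        # Header names are case-insensitive; the value must expand the env var.
        if header.strip('"').lower() != var.lower() or expansion not in value:
            continue
        if action == "set":
            return "ok"
        if action in ("add", "append", "merge", "setifempty"):
            status = "client_value_kept"
    return status

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(name, "->", forwarding_status(conf))
```
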