Well, your findings are correct, sure. But login via hammer does work through Keycloack server, you just need to register hammer as a public client. That’s how support for this was implemented in hammer, since hammer can be installed on any machine (it shouldn’t be always “a part” of Foreman server) and we don’t have a decent/supported by hammer way of storing this secret.
Sorry if I missed what you’re asking help with: whether it’s more about documentation, “Confidential” access type support or a better error message?