You can try authenticating with just mod_auth_openidc if that’s how you configured OnDemand to use Keycloak. We have something like this at /opt/rh/httpd24/root/etc/httpd/conf.d/test.conf:
```
Alias /secure /var/www/html/secure
<Location /secure>
    AuthType openid-connect
    Require valid-user
</Location>
```
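I then have this at /var/www/html/secure/index.php:
```php
<html>
<head><title>OIDC Variables</title></head>
<body>
<table>
<?php
// Dump every server variable so you can see what mod_auth_openidc set.
ksort($_SERVER);
foreach ($_SERVER as $key => $value) {
    // Some entries (e.g. argv) are arrays; flatten them before printing.
    if (!is_scalar($value)) {
        $value = json_encode($value);
    }
    // Escape on output: request headers in $_SERVER are client-controlled.
    $k = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
    $v = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    echo "<tr><td>$k</td><td>$v</td></tr>\n";
}
?>
</table>
</body>
</html>
```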
This will tell you if REMOTE_USER is getting set, which is what is used by OnDemand IIRC.
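
An added example, not part of the original post: a narrower version of the test page that lists only `REMOTE_USER`, `AUTH_TYPE` and the `OIDC_*` variables, and masks token values so bearer credentials are not rendered in the browser. It assumes PHP 7 or later and mod_auth_openidc's default variable names (`OIDC_CLAIM_*` for claims, names ending in `_token` for tokens); `oidc_debug_view()` and `h()` are hypothetical helper names.

```php
<?php
// Added example, not from the original post. Assumes mod_auth_openidc's
// default variable names (OIDC_CLAIM_* claims, OIDC_*_token tokens).

/** Return the auth-related subset of a $_SERVER-style array, tokens masked. */
function oidc_debug_view(array $server): array
{
    $view = [];
    foreach ($server as $key => $value) {
        $key = (string) $key;
        $isAuth = in_array($key, ['REMOTE_USER', 'AUTH_TYPE'], true)
            || strncmp($key, 'OIDC_', 5) === 0;
        if (!$isAuth) {
            continue;
        }
        $value = is_scalar($value) ? (string) $value : (string) json_encode($value);
        // Tokens are bearer credentials: report the length, never the value.
        if (preg_match('/_token$/i', $key)) {
            $value = sprintf('[redacted, %d chars]', strlen($value));
        }
        $view[$key] = $value;
    }
    ksort($view);
    return $view;
}

/** Escape a value for HTML output. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$view = oidc_debug_view($_SERVER);
$user = $view['REMOTE_USER'] ?? '';
?>
<html>
<head><title>OIDC check</title></head>
<body>
<p>REMOTE_USER: <?= $user !== '' ? h($user) : '<b>not set</b>' ?></p>
<table>
<?php foreach ($view as $key => $value): ?>
<tr><td><?= h($key) ?></td><td><?= h($value) ?></td></tr>
<?php endforeach; ?>
</table>
</body>
</html>
```

Either page is a diagnostic: delete it, along with the `/secure` alias, once the `REMOTE_USER` check is done.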