  1. Satellite
  2. SAT-40307

[SPIKE] Investigate native OIDC support

    • Task
    • Resolution: Unresolved
    • Critical
    • None
    • None
    • Authentication
    • None
    • sat-endeavour
    • False
    • Satellite Endeavour Sprint 10
    • None

      This is a spike towards SAT-33225 to investigate its feasibility. Besides the many open RFEs, the containerization effort (SAT-23140) is the driver.

      Today OIDC is partially implemented in Apache (through mod_auth_openidc) and partially in Foreman, leading to the worst of both worlds. Both parse the JWTs, and implementation flaws in either can lead to security issues. There are benefits to detaching from Apache because of potential deployments in OpenShift, but relying on a common implementation also has benefits.

      Another issue is that today we rely on keycloak-httpd-client-install. It doesn't integrate nicely into our installer and leads to duplication of effort. It's also Keycloak-centric.

      Major open questions:

      • Should we move code into Foreman or rely more on mod_auth_openidc?
      • Can we configure OIDC in a generic way?
      • Which work will be needed?

      Expected outcomes:

      • Recommendation on a path forward
      • Write up stories for SAT-33225

      Link to the research document:
      https://docs.google.com/document/d/1UDvO1TyXBh0gOPLNteT85LRRDSSqr9UgvAgQ96Ql6p4/edit?usp=sharing

              rhn-support-alazik Adam Lazik
              ekohlvan@redhat.com Ewoud Kohl van Wijngaarden