Protect web root

[cukal]

I've been using mod_auth_openidc & keycloak for a while now but always with uri's that needed to be protected, like https://www.example.com/protected. I now want to protect the full web root, ie: https://www.example.com/ but fail miserably.
I've done the same setup, the /auth uri's are proxied without a require valid-user part, that part is pretty much the same as our regular https://www.example.com/protected approach.

For some reason that escapes me when I hit https://www.example.com/ I get a load of redirects to /auth/realms/example/protocol/openid-connect/auth? until finally it/I fails with a 503.
The redirects don't reach Keycloak, it's httpd that's firing them. When I unprotect the web root and protect an uri, for instance https://www.example.com/protected it all works again, web root is visible and uri /protected redirects me to keycloak etc.

I am correct in thinking that it's possible to protect a web root on the same httpd virtualhost?
Where should I start looking?

Thanks!

EDIT: Debug showed some keycloak /auth uri's returning 302's as they expected valid-users , after fixing those it works.