So it seems that Keystone now is deployed with Apache and may rely on its authentication plugins. Once authentication is performed by the server it sets the REMOTE_USER variable in the request, which Keystone then uses as proof of authentication.