to actually recognize where the redirect loops come from i should have to take a look at the /etc/apache2/sites-available/xxx.conf file. i assume that there you define your Apache2::AuthClients module to be the content handler for your site. thus every request to the location described in that config file will be answered by your module.
however, there are two ways for solving your problem: 1) use the $r->internal_redirect_handler method. you'll find an explanation of it in the docs on Apache2::SubRequest. 2.) why do you return an OK when actually you want a redirect? there is a http response code indicating a redirect: 301 (permanent redirect, probably not what you need), and 302 (temporary redirect). i don't know for the moment what the Apache2::Const denotations are, but a quick glance at the docs on Apache2::Response revealed a method called $r->custom_response which might be of a help.