Nifi cannot auth using OIDC keycloak with proxy server

aaaver — Sun, 19 Oct 2025 14:05:00 GMT

I launch nifi server using docker with connection to external Keycloak:

nifi:
  hostname: <IP>
  image: apache/nifi:latest
  environment:
    AUTH: oidc
    NIFI_SECURITY_USER_OIDC_DISCOVERY_URL: https://<keycloak_url>/realms/<realm>/.well-known/openid-configuration
    NIFI_SECURITY_USER_OIDC_CLIENT_ID: <client_id>
    NIFI_SECURITY_USER_OIDC_CLIENT_SECRET: <client_secret>
    NIFI_SECURITY_USER_OIDC_ADDITIONAL_SCOPES: email
    NIFI_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER: preferred_username
    NIFI_SECURITY_USER_OIDC_TRUSTSTORE_STRATEGY: NIFI
    NIFI_CLUSTER_NODE_PROTOCOL_PORT: 6007
    NIFI_SENSITIVE_PROPS_KEY: <key>
    SINGLE_USER_CREDENTIALS_USERNAME: admin
    SINGLE_USER_CREDENTIALS_PASSWORD: <pass>
    NIFI_WEB_HTTPS_HOST: <IP>
    NIFI_WEB_PROXY_HOST: <domain>
    NIFI_WEB_HTTPS_PORT: 8443
    KEYSTORE_PATH: /opt/certs/keystore.p12
    KEYSTORE_TYPE: PKCS12
    KEYSTORE_PASSWORD: <pass>
    TRUSTSTORE_PATH: /opt/certs/truststore.p12
    TRUSTSTORE_TYPE: PKCS12
    TRUSTSTORE_PASSWORD: <pass>
    NIFI_SECURITY_USER_AUTHORIZER: single-user-authorizer
    NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER: single-user-provider
    NIFI_CLUSTER_IS_NODE: true
    NIFI_CLUSTER_MANAGER_ADDRESS: zookeeper
    NIFI_CLUSTER_MANAGER_PORT: 2181
    NIFI_ZK_CONNECT_STRING: "localhost:2181"
    NIFI_ELECTION_MAX_CANDIDATES: 1
    NIFI_ELECTION_MAX_TIMEOUT: "10 sec"
  volumes:
    - nifi_conf:/opt/nifi/nifi-current/conf
    - nifi_content_repository:/opt/nifi/nifi-current/content_repository
    - nifi_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
    - nifi_provenance_repository:/opt/nifi/nifi-current/provenance_repository
    - nifi_database_repository:/opt/nifi/nifi-current/database_repository
    - nifi_logs:/opt/nifi/nifi-current/logs
    - ./certs/keystore.p12:/opt/certs/keystore.p12
    - ./certs/truststore.p12:/opt/certs/truststore.p12
  network_mode: host
nginx:
  image: nginx
  container_name: nginx
  volumes:
    - ./nginx/nginx.conf:/etc/nginx/nginx.conf
    - ./nginx/certs:/keys
  network_mode: host
  restart: unless-stopped

With using proxy server nginx:

http {
  server {
    listen 443 ssl;
    server_name <domain>;
    ssl_certificate /keys/certificate.pem;
    ssl_certificate_key /keys/certificate.key;
    proxy_ssl_certificate /keys/nifi.pem;
    proxy_ssl_certificate_key /keys/nifi.key;
    proxy_ssl_trusted_certificate /keys/nifi.pem;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-ProxyScheme "https";
      proxy_set_header X-ProxyHost $host;
      proxy_set_header X-ProxyPort 8443;
      proxy_set_header X-ProxyContextPath "/";
      proxy_pass https://<IP>:8443;
    }
  }
}

From my local machine if I try to access via IP address, nifi redirect me to keycloak and auth working with my keycloak user.

If I try to access via domain, I already auth in nifi with tls (with using cert from proxy server, account "CN=<IP>, Ou=...") without redirect to keycloak.

Can you explain me in Nifi auth process and what can I do so that I could auth in nifi server via domain with oidc Keycloak?

Re: Nifi cannot auth using OIDC keycloak with proxy server

vafs — Sun, 15 Feb 2026 20:00:27 GMT

Hello @aaaver,

Just wanted to see if you can share little bit more details, for example, the NiFi version and if your using the CFM provided by Cloudera.

Have you followed these steps from the documentation?
https://docs.cloudera.com/cfm-operator/2.11.0/configure-nifi-cr/topics/cfm-op-configure-nifi-cr-oidc-auth.html

question Nifi cannot auth using OIDC keycloak with proxy server in Support Questions

Nifi cannot auth using OIDC keycloak with proxy server

Re: Nifi cannot auth using OIDC keycloak with proxy server