
NiFi OpenID Authentication - Forward All Challenges to OpenID Endpoint?


I've recently set up NiFi to use Keycloak as an authentication method for users. I was wondering if my understanding of NiFi's security is correct, in that NiFi will always require a certificate challenge, and regardless of whether that certificate challenge passes or fails, NiFi will not use Keycloak. If the certificate challenge is declined, then, and only then, will Keycloak be called upon for authentication.

Originally, I wanted to be able to use Keycloak as the one and only authentication method when logging into NiFi. However, after setting up SSL and the OpenID endpoints for Keycloak, I've found that NiFi will not call upon Keycloak unless the certificate challenge is specifically declined in the browser (or if there isn't an applicable certificate for the challenge). Is there any way to force NiFi to use Keycloak for all challenges? Or, at the very least, if the certificate challenge fails, to redirect the user to Keycloak to try to log in? As it is, during a failure NiFi stays on a screen with the certificate's properties, but doesn't offer any other redirection apart from going to the homepage (which just directs back to the certificate challenge).

For versions, I'm using:

NiFi: 1.9.2

Keycloak: 4.8.3


Re: NiFi OpenID Authentication - Forward All Challenges to OpenID Endpoint?


It appears I can't edit my question because of the NiFi tag, but here's more information, if it helps.

After testing and poking around some more, I've found that the process described here is essentially what I'm after, but with certificates instead of a username/password form. If I go directly to /nifi on my NiFi server, I get stuck with NiFi's certificate challenge and Keycloak is not used. I did at least find a pattern that gives me what I want, but it isn't ideal:

  1. Go to the NiFi server without any paths attached to the URL (ex: https://localhost:8080/) and get prompted for a certificate -> Decline giving a certificate
  2. Land on the page that tells you that it's going to redirect you to /nifi. After five seconds, I get redirected (to https://localhost:8080/nifi) and prompted for a certificate again -> This time I give a valid certificate
  3. Land on the Keycloak login, which confirms the certificate being used
  4. Successfully login to NiFi

I'd want to avoid this, since it isn't exactly straightforward.
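The order of checks the two posts above describe is what NiFi 1.x actually does: when an alternate login provider (OIDC, LDAP or Kerberos) is configured, NiFi's Jetty HTTPS connector runs with want-client-auth rather than need-client-auth, so the server still sends a TLS CertificateRequest on every connection (hence the browser prompt), a certificate that is presented and verifies against the truststore becomes the identity, and only a connection with no certificate is sent to the OpenID Connect provider. The following Python is an added illustration of that decision order, not NiFi's own code or Keycloak's; the realm URL, the `/protocol/openid-connect/auth` endpoint, the callback path and the user DN are assumed values used only for the demo.

```python
"""Added example (not NiFi's code): a model of the authentication order
NiFi 1.x applies when client certificates and OpenID Connect are both
configured. Endpoint paths and names are assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, Optional
import secrets
from urllib.parse import urlencode


def client_auth_mode(alternate_login_configured: bool) -> str:
    """Jetty client-auth mode NiFi 1.x selects for its HTTPS connector:
    'need' (no TLS session without a client cert) when certificates are the
    only login method, 'want' (cert requested but optional) once OIDC/LDAP/
    Kerberos is configured. In both modes the browser is prompted."""
    return "want" if alternate_login_configured else "need"


@dataclass
class OidcConfig:
    issuer: str        # Keycloak realm URL (assumed value in the demo below)
    client_id: str
    redirect_uri: str  # NiFi's OIDC callback (assumed path in the demo below)

    @property
    def authorization_endpoint(self) -> str:
        # Keycloak realm authorization endpoint; a real client reads this
        # from <issuer>/.well-known/openid-configuration instead.
        return f"{self.issuer}/protocol/openid-connect/auth"


@dataclass
class Request:
    path: str
    # Subject DN the TLS layer extracted from a CA-verified client cert,
    # or None when the browser declined / had no matching certificate.
    client_cert_dn: Optional[str]


@dataclass
class Decision:
    kind: str  # "x509" | "oidc-redirect" | "unauthorized"
    identity: Optional[str] = None
    redirect_url: Optional[str] = None


def build_authorization_url(cfg: OidcConfig, state: str, nonce: str) -> str:
    """Standard OIDC authorization-code request. state ties the callback to
    this browser session; nonce is echoed inside the ID token so a replayed
    token can be rejected."""
    params = {
        "response_type": "code",
        "client_id": cfg.client_id,
        "redirect_uri": cfg.redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
    }
    return f"{cfg.authorization_endpoint}?{urlencode(params)}"


def authenticate(req: Request, cfg: Optional[OidcConfig],
                 rng: Callable[[int], str] = secrets.token_urlsafe) -> Decision:
    """Decision order from the thread: certificate first, OIDC only as the
    fallback when no certificate was presented on the connection."""
    if req.client_cert_dn is not None:
        # A verified certificate is the identity; the OIDC provider is never
        # contacted, which is why Keycloak does not appear once the browser
        # has sent a certificate.
        return Decision("x509", identity=req.client_cert_dn)
    if cfg is None:
        # Certificates are the only configured method and none was given.
        return Decision("unauthorized")
    # No certificate on the connection: redirect to the provider's login.
    return Decision("oidc-redirect",
                    redirect_url=build_authorization_url(cfg, rng(16), rng(16)))


if __name__ == "__main__":
    keycloak = OidcConfig(  # assumed values
        issuer="https://keycloak.example.test/auth/realms/nifi",
        client_id="nifi",
        redirect_uri="https://localhost:8080/nifi-api/access/oidc/callback",
    )
    print("connector client-auth mode:", client_auth_mode(True))
    for dn in ("CN=alice, OU=NIFI", None):
        d = authenticate(Request("/nifi", dn), keycloak)
        print(f"cert={dn!r:<22} -> {d.kind} {d.identity or d.redirect_url}")
```

The practical consequence for the question asked above is visible in `authenticate`: the only path that reaches Keycloak is the one where the TLS layer hands the application no certificate, so a browser that auto-selects a certificate will never see the Keycloak login, and clearing the browser's client-certificate selection for the NiFi host is what makes the OIDC branch run.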
