I've recently set up NiFi to use Keycloak as an authentication method for users. I was wondering if my understanding of NiFi's security is correct, in that NiFi will always require a certificate challenge, and regardless of whether that certificate challenge passes or fails, NiFi will not use Keycloak. If the certificate challenge is declined, then, and only then, will Keycloak be called upon for authentication.
Originally, I wanted to be able to use Keycloak as the one and only authentication method when logging into NiFi. However, after setting up SSL and the OpenID endpoints for Keycloak, I've found that NiFi will not call upon Keycloak unless the certificate challenge is specifically declined in the browser (or there isn't an applicable certificate for the challenge). Is there any way to force NiFi to use Keycloak for all challenges? Or, at the very least, if the certificate challenge fails, to redirect the user to Keycloak to try to log in? During a failure, NiFi stays on a screen with the certificate's properties, but doesn't offer any other redirection outside of going to the homepage (which just directs back to the certificate challenge).
For versions, I'm using:
It appears I can't edit my question because of the NiFi tag, but here's more information, if it helps.
After testing and poking around some more, I've found that the process described here is essentially what I'm after, but with certificates instead of a username/password form. If I go directly to /nifi on my NiFi server, I get stuck with NiFi's certificate challenge and Keycloak is not used. I did at least find a pattern that gives me what I want, but it isn't ideal:
I'd want to avoid this, since it isn't exactly straightforward.
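As an added diagnostic (not part of the question or of NiFi itself), the snippet below checks from the TLS handshake whether a NiFi HTTPS endpoint is actually sending a CertificateRequest message, which is what triggers the browser's certificate prompt before any Keycloak redirect can happen. The host, the default port 8443 and the sample handshake excerpts are assumptions.

```shell
# Added diagnostic, not from the question: confirm from the TLS handshake
# whether a server asks the client for a certificate. A server that sends a
# CertificateRequest will trigger the browser's certificate prompt.

# classify_handshake: reads `openssl s_client -msg` output on stdin and prints
# "cert-requested" if a CertificateRequest was seen, else "no-cert-request".
classify_handshake() {
  if grep -q 'CertificateRequest'; then
    echo cert-requested
  else
    echo no-cert-request
  fi
}

# probe_nifi HOST [PORT]: run a handshake against the NiFi HTTPS port and
# classify it. Port 8443 is an assumed default; this needs network access.
probe_nifi() {
  host="$1"
  port="${2:-8443}"
  # -msg prints each handshake message by name; stdin is closed so s_client
  # exits after the handshake.
  openssl s_client -connect "$host:$port" -servername "$host" -msg \
    </dev/null 2>&1 | classify_handshake
}

# Constructed sample excerpts (not real captures) for offline use.
# TLS 1.3 order: EncryptedExtensions, CertificateRequest, Certificate, ...
SAMPLE_WITH_REQUEST='<<< TLS 1.3, Handshake [length 000a], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0022], CertificateRequest
<<< TLS 1.3, Handshake [length 07a1], Certificate
<<< TLS 1.3, Handshake [length 0104], CertificateVerify'

SAMPLE_WITHOUT_REQUEST='<<< TLS 1.3, Handshake [length 000a], EncryptedExtensions
<<< TLS 1.3, Handshake [length 07a1], Certificate
<<< TLS 1.3, Handshake [length 0104], CertificateVerify'

# Example: printf '%s\n' "$SAMPLE_WITH_REQUEST" | classify_handshake
# Live check: probe_nifi nifi.example.internal 8443
```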