I've recently set up NiFi to use Keycloak <https://www.keycloak.org/> as an
authentication method for users. I was wondering if my understanding of
NiFi's security is correct, in that NiFi will *always* require a
certificate challenge, and regardless if that certificate challenge passes
or fails, NiFi *will not* use Keycloak. If the certificate challenge is
declined, then, and only then, will Keycloak be called upon for
authentication.

I've found that the process described here
<https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect> is
essentially what I'm after, but with certificates instead of a
username/password form. If I go directly to /nifi on my NiFi server, I get
stuck with NiFi's certificate challenge and Keycloak is not used. I did at
least find a pattern that gives me what I want, but it isn't ideal:

   1. Go to the NiFi server without any paths attached to the URL (ex:
   https://localhost:8080/) and get prompted for a certificate -> Decline
   giving a certificate
   2. Land on the page that tells you that it's going to redirect you to
   /nifi. After five seconds, I get redirected (to
   https://localhost:8080/nifi) and prompted for a certificate again ->
   This time I give a valid certificate
   3. Land on the Keycloak login, which confirms the certificate being used
   4. Successfully login to NiFi

I'd want to avoid this, since it isn't exactly straightforward.

Is there any way to force NiFi to use Keycloak for all challenges?