I've installed and configured nifi and nifi-registry. Both are configured to use OIDC authentication and I can successfully access both after authenticating in my OIDC provider (a Keycloak server FWIW).
Problems arise when I want to start version control of a process group. I have configured the nifi-registry URL in nifi but I am unable to list the buckets available in nifi-registry.
And indeed when I look at the nifi-registry logs, I see this:
2021-10-21 09:36:27,487 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
So it is seen as an anonymous request, which explains why I can't see any buckets from nifi-registry.
I have not been able to find documentation explaining how security configuration should be done in this OIDC case. What am I missing here? How should user authentication be conveyed in this case?
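
A small triage script for the DEBUG output quoted in the post, added here as an example and not part of the original post or of NiFi Registry: it reports each request that fell through to the anonymous context, with the identity providers tried and the log line explaining why each yielded nothing. The function name and the rule that a repeated provider on one thread marks a new request are assumptions.

```python
import re

# The five DEBUG lines quoted in the post, embedded so the script runs offline.
SAMPLE_LOG = """\
2021-10-21 09:36:27,487 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
2021-10-21 09:36:27,488 DEBUG [NiFi Registry Web Server-17] o.a.n.r.w.s.a.AnonymousIdentityFilter Set SecurityContextHolder to anonymous SecurityContext
"""

# timestamp, level, [thread], logger, message
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) +\[([^\]]+)\] (\S+) (.*)$")
ATTEMPT_RE = re.compile(r"Attempting to extract user credentials using (\w+)")
ANONYMOUS = "Set SecurityContextHolder to anonymous SecurityContext"


def anonymous_fallthroughs(log_text):
    """Return one record per request that ended in the anonymous context."""
    in_flight = {}  # thread name -> [[provider, reason], ...] for the current request
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines such as stack traces
        ts, _level, thread, _logger, msg = m.groups()
        attempts = in_flight.setdefault(thread, [])
        attempt = ATTEMPT_RE.search(msg)
        if attempt:
            provider = attempt.group(1)
            # Assumption: a provider seen twice on one thread means a new request began.
            if any(p == provider for p, _ in attempts):
                attempts.clear()
            attempts.append([provider, None])
        elif ANONYMOUS in msg:
            results.append({"time": ts, "thread": thread,
                            "tried": [tuple(a) for a in attempts]})
            attempts.clear()
        elif attempts and attempts[-1][1] is None:
            attempts[-1][1] = msg  # first line after an attempt says why it found nothing
    return results


if __name__ == "__main__":
    for r in anonymous_fallthroughs(SAMPLE_LOG):
        print(f"{r['time']} [{r['thread']}] anonymous request")
        for provider, reason in r["tried"]:
            print(f"  {provider}: {reason}")
```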