Request certificate in mTLS only for selected flow

I’m trying to config a keycloak 17/18 instance (quarkus based) on docker and no reverse proxy.

Everything is working and I managed to create a browser flow with two alternative flows: the first one is username/password form and the second is X509 Validate Username form.

As I planned, it enabled the option “Try another way” to authenticate on the login screen but keycloak keep requesting the client X509 certificate on every first request. It causes the browser prompting the user to select a certificate even before the login form is loaded.

I want permit the users to open the login screen directly and choose X509 authentication with the “Try another way” button only if they want to. The option “Certificate” is already being listed on the next screen (select-authenticator.ftl) and the certificate should be requested at that point.

I read somewhere that before TLSv1.3 it was possible to delay X509 handshake, but changing to TLSv1.2 doesn’t changed this behaviour.

My truststores are all working fine and my startup line is:

/opt/keycloak/bin/kc.sh start --https-protocols=TLSv1.2 --https-client-auth=request

Any guiding will be appreciated.