Avoid basic auth when using x.509 authentication
I have created a REST API based on Spring WebFlux that is protected through X.509 authentication. I followed this guide https://www.baeldung.com/x-509-authentication-in-spring-security to create all the certificates.
The router implementation:
```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.MediaType
import org.springframework.web.reactive.function.server.RequestPredicates
import org.springframework.web.reactive.function.server.RouterFunction
import org.springframework.web.reactive.function.server.RouterFunctions.route
import org.springframework.web.reactive.function.server.ServerResponse
import org.springframework.web.reactive.function.server.body
import reactor.core.publisher.Mono

@Configuration
class LogRouter {

    @Bean
    fun functionalRoutes(handler: LogHandler): RouterFunction<ServerResponse> =
        route()
            // Unauthenticated liveness check is not special-cased here; the security chain still applies.
            .route(RequestPredicates.path("/")) {
                ServerResponse.ok().body(Mono.just("I am alive"))
            }
            .nest(RequestPredicates.path("/api").and(RequestPredicates.accept(MediaType.APPLICATION_JSON))) { builder ->
                builder.GET("/fn/mono", handler::monoMessage)
                    .POST("/fn/mono", handler::monoPostMessage)
            }
            .build()
}
```
and the app implementation:
```kotlin
import org.springframework.boot.autoconfigure.SpringBootApplication
import org.springframework.boot.runApplication
import org.springframework.context.annotation.Bean
import org.springframework.security.authentication.ReactiveAuthenticationManager
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.core.Authentication
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor
import org.springframework.security.web.server.SecurityWebFilterChain
import reactor.core.publisher.Mono

@SpringBootApplication
@EnableWebFluxSecurity
class RestplayApplication {

    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        // Use the OU attribute of the client certificate's subject DN as the principal name.
        val principalExtractor = SubjectDnX509PrincipalExtractor()
        principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)")

        // Mark the token authenticated only when the extracted OU is the trusted one.
        val authenticationManager = ReactiveAuthenticationManager { authentication: Authentication ->
            authentication.isAuthenticated = "Trusted Org Unit" == authentication.name
            Mono.just(authentication)
        }

        http
            .x509 { x509 ->
                x509
                    .principalExtractor(principalExtractor)
                    .authenticationManager(authenticationManager)
            }
            .authorizeExchange { exchanges ->
                exchanges
                    .anyExchange().authenticated()
            }
        return http.build()
    }
}

fun main(args: Array<String>) {
    runApplication<RestplayApplication>(*args)
}
```
I use the Firefox browser to test the x.509 authentication and I have added the self-signed certificate (rootCA.crt) to Firefox:
and included the client certificate (clientBob.p12).
When calling the link in the browser, it shows the basic authentication form:
However, I expect the authentication form not to appear because I have provided a valid client certificate in the browser.
Why does the basic form appear every time?
The code is hosted on https://github.com/softshipper/restplay. The password for the certificates is always changeit.
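The extraction step in the filter chain above decides what `authentication.name` is, and the manager only marks the token authenticated when that name is exactly `Trusted Org Unit`; any other result leaves the request to fail `anyExchange().authenticated()`. The Python below is an added example, not code from the question or its repository: it re-implements the extractor's behaviour (first match of the configured regex, group 1, compiled case-insensitively as Spring's `SubjectDnX509PrincipalExtractor` does) on constructed RFC 2253 subject DNs and sets it beside a proper RDN split, to show where the regex and the certificate can disagree (several OUs, an escaped comma inside the OU).

```python
import re

# Regex configured on SubjectDnX509PrincipalExtractor in the question.
SUBJECT_DN_REGEX = "OU=(.*?)(?:,|$)"
# The OU the question's ReactiveAuthenticationManager treats as trusted.
TRUSTED_OU = "Trusted Org Unit"

def extract_principal(subject_dn, regex=SUBJECT_DN_REGEX):
    """Mimic SubjectDnX509PrincipalExtractor: first match of the regex, group 1,
    compiled case-insensitively as Spring does. None stands in for the
    BadCredentialsException Spring raises when nothing matches."""
    m = re.search(regex, subject_dn, re.IGNORECASE)
    return m.group(1) if m else None

def split_rdns(subject_dn):
    """Split an RFC 2253 DN into (type, value) pairs, honouring backslash
    escapes so an escaped comma inside a value does not end the RDN."""
    rdns, buf, escaped = [], [], False
    for ch in subject_dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return [tuple(r.split("=", 1)) for r in rdns if r]

def is_trusted(subject_dn):
    """The question's manager sets isAuthenticated only on exact equality."""
    return extract_principal(subject_dn) == TRUSTED_OU

# Constructed DNs in the RFC 2253 form getSubjectX500Principal().getName() emits.
SAMPLE_DNS = {
    "plain": "CN=Bob,OU=Trusted Org Unit,O=Example,C=US",
    "ou_last": "CN=Bob,OU=Trusted Org Unit",
    "two_ous": "CN=Bob,OU=Dev,OU=Trusted Org Unit,O=Example",
    "escaped_comma": "CN=Bob,OU=Trusted\\, Org Unit,O=Example",
    "no_ou": "CN=Bob,O=Example,C=US",
}

if __name__ == "__main__":
    for name, dn in SAMPLE_DNS.items():
        ous = [v for t, v in split_rdns(dn) if t.upper() == "OU"]
        print(f"{name:14} regex={extract_principal(dn)!r} trusted={is_trusted(dn)} rdn_ous={ous}")
```

Java's `Pattern` and Python's `re` agree on this pattern (lazy `.*?`, non-capturing group, `$`), so the results carry over to the Kotlin configuration: a certificate whose first OU is not the trusted one, or whose OU contains an escaped comma, is never marked authenticated.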
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow