Thanks a lot, @ikakavas @Dan_Moore, for your help. The last problem was because of the "/" on the issuer URL; it must be exactly the same.
So anyone who wants to integrate FusionAuth OpenID with Elastic can double-check these points if facing similar problems:
- Change the issuer claim by going to "Tenants -> Your Tenant -> General" and changing the "Issuer" value. Use your FusionAuth server URL. It was "acme.org" by default on my configuration.
- Use autogenerated access and ID token on the JWT configuration using RS256, because the default uses the HMAC256 algorithm.
- Make sure the issuer URL on the FusionAuth config (Tenant or Application) is exactly the same as the issuer on elasticsearch.yml.
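
The issuer and algorithm checks from the post above, as an added example that is not part of the original post: it decodes an ID token without verifying the signature and reports when `iss` or `alg` differs from what elasticsearch.yml expects, including the trailing "/" case. The hostname `auth.example.com`, the function names and the sample tokens are constructed for illustration; `HS256` is the JWT header value for HMAC with SHA-256.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_id_token(token, expected_issuer, expected_alg="RS256"):
    """Return a list of mismatches (empty if none). Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected 3 dot-separated segments)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    alg = header.get("alg")
    if alg != expected_alg:
        problems.append(f"alg is {alg!r}, expected {expected_alg!r}")
    iss = claims.get("iss")
    if iss != expected_issuer:  # exact string comparison, as the post describes
        if isinstance(iss, str) and iss.rstrip("/") == expected_issuer.rstrip("/"):
            problems.append(f"iss {iss!r} differs from {expected_issuer!r} only by a trailing '/'")
        else:
            problems.append(f"iss is {iss!r}, expected {expected_issuer!r}")
    return problems


def make_sample_token(alg, iss):
    # Constructed sample token with a placeholder signature, for this check only
    header = _b64url_encode({"alg": alg, "typ": "JWT"})
    payload = _b64url_encode({"iss": iss, "sub": "constructed-user"})
    return f"{header}.{payload}.c2ln"


if __name__ == "__main__":
    expected = "https://auth.example.com"  # assumed value of the issuer in elasticsearch.yml
    for alg, iss in [("RS256", expected), ("RS256", expected + "/"), ("HS256", "acme.org")]:
        print(alg, iss, "->", check_id_token(make_sample_token(alg, iss), expected) or "OK")
```

This is a configuration diagnostic only; signature verification against the provider's keys is still done by Elasticsearch.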