Unfortunately, I / we are not experts on the Keycloak portion.
Did you try setting the realm name in Keycloak to oidc1, as it is defined in elasticsearch.yml? Perhaps they need to be consistent.
You can up the logging with

```
PUT /_cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.oidc": "trace"
  }
}
```
There is also some advice here
Post some of the additional logs and perhaps we can help.
I also notice that your elasticsearch.yml definitions do not follow the same patterns as in our example...

```
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "the_client_id"
  rp.response_type: code
  rp.redirect_uri: "https://kibana.example.org:5601/api/security/oidc/callback"
  op.issuer: "https://op.example.org"
  op.authorization_endpoint: "https://op.example.org/oauth2/v1/authorize"
  op.token_endpoint: "https://op.example.org/oauth2/v1/token"
  op.jwkset_path: oidc/jwkset.json
  op.userinfo_endpoint: "https://op.example.org/oauth2/v1/userinfo"
  op.endsession_endpoint: "https://op.example.org/oauth2/v1/logout"
  rp.post_logout_redirect_uri: "https://kibana.example.org:5601/security/logged_out"
  claims.principal: sub
  claims.groups: "http://example.info/claims/groups"
```
I am not an expert on that portion, but what you have does not seem to follow the patterns. Perhaps you are more of the expert.
Example from here
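A small checker for the realm pattern discussed in the reply above, as an added example (not code from the post or from Elastic): it parses the flat `key: value` lines of an OIDC realm block, confirms the realm name is the one expected (here `oidc1`), reports settings missing from the pattern, and flags endpoints that are not `https`. The list of required settings and the accepted `rp.response_type` values are assumptions drawn from the pattern shown; check the docs for your Elasticsearch version.

```python
from urllib.parse import urlparse

# Settings the authorization-code pattern above relies on (assumption; verify
# against the Elastic docs for the version you run).
REQUIRED = ("rp.client_id", "rp.response_type", "rp.redirect_uri",
            "op.issuer", "op.authorization_endpoint", "op.token_endpoint",
            "op.jwkset_path", "claims.principal")
URL_KEYS = ("rp.redirect_uri", "op.issuer",
            "op.authorization_endpoint", "op.token_endpoint")

def parse_realm(text):
    """Return (realm_name, {setting: value}) from an elasticsearch.yml fragment."""
    name, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only: URL values contain colons too.
        key, _, value = line.partition(":")
        value = value.strip().strip('"').strip("'")
        if key.startswith("xpack.security.authc.realms.oidc."):
            name = key.rsplit(".", 1)[1]      # realm name is the last path element
        elif name is not None:
            settings[key.strip()] = value
    return name, settings

def check_realm(text, expected_name):
    """Return a list of problems; an empty list means the block matches the pattern."""
    name, s = parse_realm(text)
    problems = []
    if name != expected_name:
        problems.append(f"realm name {name!r} != expected {expected_name!r}")
    problems += [f"missing {k}" for k in REQUIRED if k not in s]
    for k in URL_KEYS:
        if k in s and urlparse(s[k]).scheme != "https":
            problems.append(f"{k} is not https")
    if s.get("rp.response_type") not in ("code", "id_token", "id_token token"):
        problems.append("rp.response_type must be code, id_token or 'id_token token'")
    return problems

# Constructed sample: the post's pattern with op.jwkset_path left out and a
# plain-http token endpoint, so both checks fire.
SAMPLE = """
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "the_client_id"
  rp.response_type: code
  rp.redirect_uri: "https://kibana.example.org:5601/api/security/oidc/callback"
  op.issuer: "https://op.example.org"
  op.authorization_endpoint: "https://op.example.org/oauth2/v1/authorize"
  op.token_endpoint: "http://op.example.org/oauth2/v1/token"
  claims.principal: sub
"""
```

Run `check_realm(open("elasticsearch.yml").read(), "oidc1")` against your own file; an empty list means the block follows the pattern.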