Everything is working now. I will just document it here in case someone else needs this information, because it was a somewhat painful process for me. I assume I was doing something in a weird/wrong way, and I am not suggesting this is the way to do it. (You should not do this on production anyways.)
elasticsearch.yml
```yaml
xpack.security.enabled: true
# TLS between nodes (transport layer)
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
# TLS on the HTTP (REST) layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-stack-ca.p12
xpack.security.http.ssl.truststore.path: elastic-stack-ca.p12
xpack.security.authc.token.enabled: true
# OIDC realm named "oidc1"; kibana.yml refers to it by this name
xpack.security.authc.realms:
  oidc.oidc1:
    order: 2
    rp.client_id: "kibana"
    rp.response_type: code
    rp.redirect_uri: "https://localhost:5601/api/security/v1/oidc"
    op.issuer: "http://localhost:8080/auth/realms/master"
    op.authorization_endpoint: "http://localhost:8080/auth/realms/master/protocol/openid-connect/auth"
    op.token_endpoint: "http://localhost:8080/auth/realms/master/protocol/openid-connect/token"
    op.jwkset_path: certs.json
    op.userinfo_endpoint: "http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo"
    op.endsession_endpoint: "http://localhost:8080/auth/realms/master/protocol/openid-connect/logout"
    rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
    claims.principal: preferred_username
```
You need to find these values from the "well known URL" of your IdP. For a Keycloak server running locally this will be http://localhost:8080/auth/realms/master/.well-known/openid-configuration.
kibana.yml
```yaml
xpack.security.authc.providers: [oidc]
xpack.security.authc.oidc.realm: "oidc1"
server.xsrf.whitelist: [/api/security/v1/oidc]
xpack.security.enabled: true
```
You also need to change elasticsearch.hosts to https, set elasticsearch.username and elasticsearch.password, and server.ssl.enabled, server.ssl.certificate, server.ssl.key fields.
You must enable the trial license in order to do all this, because these features are in the platinum license. https://www.elastic.co/guide/en/elasticsearch/reference/current/start-trial.html
You need to add the client secret from Keycloak to Elasticsearch using the keystore tool.
```
elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret
```
is the command.
Then you need to create roles and role mappings on Elasticsearch, also create roles and users on Keycloak, so that you can actually use these to log into Kibana.
And that is it. Elasticsearch guides are actually enough on their own, but for a newbie like me it was still somewhat confusing; this could just be me.
Thanks @ikakavas for your help!
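The step above of reading the realm's `op.*` values from the IdP's "well known URL", as an added example that is not part of the original post: it maps the fields of an OpenID Connect discovery document onto the Elasticsearch settings used in the post and flags every endpoint that is not HTTPS. The function name `realm_settings` and the sample document are constructed for illustration; falling back to a local `certs.json` for a non-HTTPS `jwks_uri` mirrors what the post's configuration does.

```python
import json

BASE = "http://localhost:8080/auth/realms/master"  # the post's local Keycloak
OIDC = BASE + "/protocol/openid-connect"
# Constructed sample: a trimmed discovery document, not a captured response.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": OIDC + "/auth",
    "token_endpoint": OIDC + "/token",
    "userinfo_endpoint": OIDC + "/userinfo",
    "end_session_endpoint": OIDC + "/logout",
    "jwks_uri": OIDC + "/certs",
})
# OIDC discovery field -> Elasticsearch oidc realm setting
FIELD_MAP = {
    "issuer": "op.issuer",
    "authorization_endpoint": "op.authorization_endpoint",
    "token_endpoint": "op.token_endpoint",
    "userinfo_endpoint": "op.userinfo_endpoint",
    "end_session_endpoint": "op.endsession_endpoint",
}
# Fields the authorization code flow cannot work without.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def realm_settings(discovery_json, local_jwks="certs.json"):
    """Return (settings, warnings) for the op.* keys of the realm."""
    doc = json.loads(discovery_json)
    missing = [f for f in REQUIRED if not doc.get(f)]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    settings, warnings = {}, []
    for field, key in FIELD_MAP.items():
        url = doc.get(field)
        if not url:
            continue  # optional endpoint the IdP does not advertise
        settings[key] = url
        if not url.startswith("https://"):
            warnings.append(f"{key} is plain HTTP: {url}")
    jwks = doc["jwks_uri"]
    if jwks.startswith("https://"):
        settings["op.jwkset_path"] = jwks
    else:  # as in the post: keep a local copy of the key set instead
        settings["op.jwkset_path"] = local_jwks
        warnings.append(f"save {jwks} as {local_jwks} in the config directory")
    return settings, warnings

if __name__ == "__main__":
    settings, warnings = realm_settings(SAMPLE_DISCOVERY)
    print("\n".join(f'    {k}: "{v}"' for k, v in settings.items()))
    print("\n".join("# WARNING: " + w for w in warnings))
```

Run against the sample, every endpoint is reported as plain HTTP, which matches the post's own note that this setup is not for production.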