Logs cannot be written and doesn't work basic auth after setting OIDC

I need to switch Kibana to OIDC auth through keycloak
I have default user dev with basic auth and logs writing by vector (with username logstash) to elasticsearch

When i switch on OIDC, i cannot auth with that dev user and my logs stop writing, because user logstash unable to auth (401)

How can I fix that?

There is a part of my elasticsearch.yml config:

...

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic.p12
xpack.security.transport.ssl.keystore.password: ""
xpack.security.transport.ssl.truststore.password: ""


xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/someserver.some.domain.p12

xpack:
  security:
    authc:
      realms:
        oidc.oidc1:
          order: 2
          rp.client_id: my_user
          rp.response_type: code 
          rp.redirect_uri: http://somebalancer/kibana/api/security/oidc/callback
          op.issuer: https://some.keycloak.server/auth/realms/somerealm
          op.authorization_endpoint: https://some.keycloak.server/auth/realms/somerealm/protocol/openid-connect/auth
          op.token_endpoint: https://some.keycloak.server/auth/realms/somerealm/protocol/openid-connect/token
          op.jwkset_path: https://some.keycloak.server/auth/realms/somerealm/protocol/openid-connect/certs
          op.userinfo_endpoint: https://some.keycloak.server/auth/realms/somerealm/protocol/openid-connect/userinfo
          op.endsession_endpoint: https://some.keycloak.server/auth/realms/somerealm/protocol/openid-connect/logout
          rp.post_logout_redirect_uri: http://somebalancer/kibana/security/logged_out
          claims.principal: sub
          ssl.certificate_authorities: /usr/share/elasticsearch/config/keycloak.cer
          ssl.verification_mode: none
          claims.groups: groups

...

Part of kibana.yml:

xpack.security.enabled: true

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Log in with my OpenID Connect" 
  basic.basic1:
    order: 1

...

Do you have a license? What do you have in the Kibana and Elasticsearch logs?