Kibana oidc with keycloak perpetual redirect

I’ve setup oidc authentication on kibana and elasticsearch. I’m able to connect with oidc to elasticsearch but I’ve got trouble making kibana authentication working.

When I connect to kibana it sends me to keycloak and the authentication is working well. keycloak sends me back to

http://< kibana url >/auth/openid/login?state=9IuHAymLGrl4DFLuMOtOnV&session_state=617a78d3-2f03-4c02-a5f6-9574dcc97d74&code=8c9df718-43cb-4778-bdb7-d9a22c057c95.617a78d3-2f03-4c02-a5f6-9574dcc97d74.8a3dcaca-4143-4863-b41c-a6904e939064

This url sends me back to kibana base url

http://< kibana url >/

But this send me back again to

http://< kibana url >/auth/openid/login?nextUrl=%2F

It does that several times before send me to

http://< kibana url >/customerror?type=authError

When I look at keycloak logs, I’m seeing kibana requesting the token correctlt:

type=CODE_TO_TOKEN, realmId=36fa5b28-300a-482c-aff9-f2be4448b24d, clientId=kibana-sso, userId=f4ea43e6-62f3-4eab-862b-a6faf38c3722, ipAddress=10.25.22.164, token_id=220015d3-efc5-4f86-b7f9-36832fdf8c0e, grant_type=authorization_code, refresh_token_type=Refresh, scope=‘openid phone email profile address’, refresh_token_id=056d8ddb-3256-4d84-9685-58b92e3e6bbe, code_id=617a78d3-2f03-4c02-a5f6-9574dcc97d74, client_auth_method=client-secret

In elasticsearch logs I’m also seeing kibana to authenticate me with the provided token:

[2020-05-26T17:24:21,964][DEBUG][c.a.o.s.a.BackendRegistry] [rdfoelk01] Rest user ‘User [name=xxxxxxt@google.com, backend_roles=, requestedTenant=null]’ is authenticated

Any insight on what’s wrong?

An answer will be appreciated