I have a very similar issue to you, except I am trying to use the AWS Cognito OpenID feature (aka Cognito Hosted UI) as my identity provider.

After setting my callback/redirect URIs to include both https://<kibanaserver> and https://<kibanaserver>/auth/openid/login, I have Cognito forwarding back to Kibana before going into what appears to be the same loop. Obviously my URLs are slightly different as I’m using a different identity provider, but it appears to be the same issue when comparing my network calls to yours.
I’ve tried to set my securityconfig/config.yaml as you described, with openid first (skipping the kibanaserver user), followed by the basic internal auth domain, but it does not appear to resolve the issue.
Do you think there’s any other relevant config that was perhaps omitted? I can’t think of what other files would be relevant, but I am grasping at straws…
Half-related thread I found: Redirect Mismatch Error (OIDC - AWS Cognito) - #6 by nick_cloud
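As an added illustration (not the poster's own file, nor configuration taken from this thread), this is the `config.yaml` layout the post above describes: an `openid` auth domain ordered first with the `kibanaserver` user skipped on it, and the basic internal auth domain second. The Cognito discovery URL pattern, the claim names (`cognito:username`, `cognito:groups`), the `<region>`/`<userPoolId>` placeholders and the `skip_users` key are assumptions; check the security plugin documentation for your version before relying on `skip_users` on an authc domain.

```yaml
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      # Ordered first so browser requests carrying a Cognito token are handled here.
      openid_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 0
        # ASSUMPTION: skip_users on an authc domain; verify your plugin version supports it.
        # The Kibana service user must never be routed through the OIDC domain.
        skip_users:
          - kibanaserver
        http_authenticator:
          type: openid
          # challenge: false so that requests with no token fall through to the next domain
          # instead of the plugin answering with a challenge itself.
          challenge: false
          config:
            # ASSUMPTION: Cognito ID tokens carry the user name and group list in these claims.
            subject_key: cognito:username
            roles_key: cognito:groups
            # Cognito user pool discovery document; <region> and <userPoolId> are placeholders.
            openid_connect_url: https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/openid-configuration
        authentication_backend:
          type: noop
      # Ordered second: the kibanaserver service user (and any internal users) use basic auth.
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
```

Editing the file on disk is not enough on its own: the security plugin reads this configuration from its index, so the change has to be loaded with the plugin's securityadmin tool before a retest means anything. While testing, it is worth confirming in the browser's network tab that the request Kibana sends after the Cognito redirect actually carries the token, since a token that never reaches the `openid` domain falls through to basic auth and produces exactly the kind of loop described above.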