I forgot to mention that access token provided by Keycloak looks OK:
{
“exp”: 1593424216,
“iat”: 1593423916,
“jti”: “14d3fab1-ba86-4ba5-bd51-617473b8313a”,
“iss”: “https://keycloak address/auth/realms/realm”,
“aud”: “account”,
“sub”: “e6fdfbc4-d552-4824-8466-92249601c496”,
“typ”: “Bearer”,
“azp”: “kibana”,
“session_state”: “91746596-c205-4a4b-9376-e62f9507471e”,
“acr”: “1”,
“allowed-origins”: [“*”],
“realm_access”: {
“roles”: [“offline_access”, “uma_authorization”]
},
“resource_access”: {
“account”: {
“roles”: [“manage-account”, “manage-account-links”, “view-profile”]
}
},
“scope”: “openid email profile”,
“email_verified”: false,
“name”: “XXX”,
“preferred_username”: “xxx”,
“given_name”: “XXX”,
“email”: “xxx@xxx.com”
}