Okay, with a lot of tests and head scratching and slightly going insane, I found the solution.
Important in opensearch_dashboards.yml is this snippet:
opensearch.requestHeadersAllowlist: ["securitytenant", "authorization", "WWW-Authenticate"]
After setting the header “WWW-Authenticate” it worked like a charm.
This setting in Keycloak is also important:
You need to create the role “admin” and not “all_access” as I always thought.
Sascha