
I like these explanations a lot, they were super useful when I had to dig deep on OAuth2 and OIDC

https://connect2id.com/learn/oauth-2



Is it possible to "shell" or abstract an oauth2.0 server app into an oidc provider?

The main use case for this would be allowing applications like kibana/elasticsearch (which only has support for OpenID) to talk with those auth server apps that have only oauth2.0 support...


I still have some more research to do for the OIDC article, but in theory, yes. OIDC runs as an identity layer on top of OAuth. The only thing that makes OIDC unique is that there's a widely accepted "scope" that provides standardized ID information, which is bundled into an ID token and sent with the access token. So there's no reason two applications that are built on the same protocol can't communicate.

Good question, I'll include it when I write the next one.
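
An added example, not part of the thread and not any project's code: the ID-token half of the shim asked about above, assuming the shim has already fetched a user profile from the OAuth 2.0 server with the access token. The profile fields, issuer URL, client id, nonce and shared secret are constructed placeholders, and HS256 keyed with a shared secret is an assumption chosen to keep the sketch standard-library only.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def mint_id_token(profile, issuer, client_id, secret, nonce, now=None, ttl=300):
    """Shim side: wrap an OAuth 2.0 user profile in a signed OIDC ID token."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": str(profile["id"]), "aud": client_id,
              "iat": now, "exp": now + ttl, "nonce": nonce,
              "email": profile.get("email")}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + _b64(_sign(secret, signing_input))

def verify_id_token(token, issuer, client_id, secret, nonce, now=None):
    """Relying-party side: return the claims, or None if any check fails."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm; never let the token choose how it is verified.
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(_sign(secret, f"{head}.{body}"), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        aud = claims.get("aud")
        exp = int(claims.get("exp", 0))
    except (ValueError, AttributeError, TypeError):
        return None
    if claims.get("iss") != issuer or exp <= now:
        return None
    # "aud" may be a single string or a list of client ids.
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None
    if not hmac.compare_digest(str(claims.get("nonce")).encode(), nonce.encode()):
        return None
    return claims

# Constructed sample values, not taken from the thread.
PROFILE = {"id": 1042, "email": "alice@example.test"}
ISSUER, CLIENT_ID = "https://shim.example.test", "kibana"
SECRET, NONCE = b"constructed-client-secret", "n-0S6_WzA2Mj"
```
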


Kibana supports SAML. At least in the Elastic cloud offering.

https://www.elastic.co/blog/how-to-enable-saml-authenticatio...


Do SAML and OAuth2.0 work together?

We have an SSO server implementing OAuth2.0. We want this to be the basis for logging into elasticsearch/kibana.

PS: we are currently tinkering with the Opendistro version of elasticsearch.


Connect2id and OAuth.net were great resources. But unless you were already familiar with the topic, they were a bit difficult to follow. That's why I started this article with some analogies!



