Add OIDC provider for Outline wiki SSO

Add oidc-provider with MongoDB adapter so ghostguild.org can act as the identity provider for the self-hosted Outline wiki. Members authenticate via the existing magic-link flow, with automatic SSO when an active session exists. Includes interaction routes, well-known discovery endpoint, and login page.
2026-03-01 15:46:01 +00:00 · 2026-03-01 15:46:01 +00:00 · 8a529a8e7c
commit 8a529a8e7c
parent a232a7bbf8
13 changed files with 1258 additions and 2 deletions
--- a/server/utils/oidc-mongodb-adapter.ts
+++ b/server/utils/oidc-mongodb-adapter.ts
@ -0,0 +1,114 @@
+/**
+ * MongoDB adapter for oidc-provider.
+ *
+ * Stores OIDC tokens, sessions, and grants in an `oidc_payloads` collection
+ * with TTL indexes for automatic cleanup. Uses the existing Mongoose connection.
+ */
+import mongoose from "mongoose";
+import { connectDB } from "./mongoose.js";
+
+const collectionName = "oidc_payloads";
+
+type MongoPayload = {
+  _id: string;
+  payload: Record<string, unknown>;
+  expiresAt?: Date;
+  userCode?: string;
+  uid?: string;
+  grantId?: string;
+};
+
+let collectionReady = false;
+
+async function getCollection() {
+  await connectDB();
+  const db = mongoose.connection.db!;
+  const col = db.collection<MongoPayload>(collectionName);
+
+  if (!collectionReady) {
+    // TTL index — MongoDB automatically removes documents after expiresAt
+    await col
+      .createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 })
+      .catch(() => {});
+    // Lookup indexes
+    await col.createIndex({ "payload.grantId": 1 }).catch(() => {});
+    await col.createIndex({ "payload.userCode": 1 }).catch(() => {});
+    await col.createIndex({ "payload.uid": 1 }).catch(() => {});
+    collectionReady = true;
+  }
+
+  return col;
+}
+
+function prefixedId(model: string, id: string) {
+  return `${model}:${id}`;
+}
+
+export class MongoAdapter {
+  model: string;
+
+  constructor(model: string) {
+    this.model = model;
+  }
+
+  async upsert(
+    id: string,
+    payload: Record<string, unknown>,
+    expiresIn: number
+  ) {
+    const col = await getCollection();
+    const expiresAt = expiresIn
+      ? new Date(Date.now() + expiresIn * 1000)
+      : undefined;
+
+    await col.updateOne(
+      { _id: prefixedId(this.model, id) as any },
+      {
+        $set: {
+          payload,
+          ...(expiresAt ? { expiresAt } : {}),
+        },
+      },
+      { upsert: true }
+    );
+  }
+
+  async find(id: string) {
+    const col = await getCollection();
+    const doc = await col.findOne({ _id: prefixedId(this.model, id) as any });
+    if (!doc) return undefined;
+    return doc.payload;
+  }
+
+  async findByUserCode(userCode: string) {
+    const col = await getCollection();
+    const doc = await col.findOne({ "payload.userCode": userCode });
+    if (!doc) return undefined;
+    return doc.payload;
+  }
+
+  async findByUid(uid: string) {
+    const col = await getCollection();
+    const doc = await col.findOne({ "payload.uid": uid });
+    if (!doc) return undefined;
+    return doc.payload;
+  }
+
+  async consume(id: string) {
+    const col = await getCollection();
+    await col.updateOne(
+      { _id: prefixedId(this.model, id) as any },
+      { $set: { "payload.consumed": Math.floor(Date.now() / 1000) } }
+    );
+  }
+
+  async destroy(id: string) {
+    const col = await getCollection();
+    await col.deleteOne({ _id: prefixedId(this.model, id) as any });
+  }
+
+  async revokeByGrantId(grantId: string) {
+    const col = await getCollection();
+    await col.deleteMany({ "payload.grantId": grantId });
+  }
+}
--- a/server/utils/oidc-provider.ts
+++ b/server/utils/oidc-provider.ts
@ -0,0 +1,117 @@
+/**
+ * OIDC Provider configuration for Ghost Guild.
+ *
+ * ghostguild.org acts as the identity provider. Outline wiki is the sole
+ * relying party (client). Members authenticate via the existing magic-link
+ * flow, and the provider issues standard OIDC tokens so Outline can identify
+ * them.
+ */
+import Provider from "oidc-provider";
+import { MongoAdapter } from "./oidc-mongodb-adapter.js";
+import Member from "../models/member.js";
+import { connectDB } from "./mongoose.js";
+
+let _provider: InstanceType<typeof Provider> | null = null;
+
+export async function getOidcProvider() {
+  if (_provider) return _provider;
+
+  const config = useRuntimeConfig();
+  const issuer =
+    process.env.OIDC_ISSUER || config.public.appUrl || "https://ghostguild.org";
+
+  _provider = new Provider(issuer, {
+    adapter: MongoAdapter,
+
+    clients: [
+      {
+        client_id: process.env.OIDC_CLIENT_ID || "outline-wiki",
+        client_secret: process.env.OIDC_CLIENT_SECRET || "",
+        redirect_uris: [
+          "https://wiki.ghostguild.org/auth/oidc.callback",
+          // Local development callback
+          "http://localhost:3100/auth/oidc.callback",
+        ],
+        post_logout_redirect_uris: [
+          "https://wiki.ghostguild.org",
+          "http://localhost:3100",
+        ],
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        token_endpoint_auth_method: "client_secret_post",
+      },
+    ],
+
+    claims: {
+      openid: ["sub"],
+      profile: ["name", "preferred_username"],
+      email: ["email", "email_verified"],
+    },
+
+    scopes: ["openid", "profile", "email", "offline_access"],
+
+    findAccount: async (_ctx: unknown, id: string) => {
+      await connectDB();
+      const member = await (Member as any).findById(id);
+      if (!member) return undefined;
+
+      return {
+        accountId: id,
+        async claims(_use: string, _scope: string) {
+          return {
+            sub: id,
+            name: member.name,
+            preferred_username: member.name,
+            email: member.email,
+            email_verified: true,
+          };
+        },
+      };
+    },
+
+    cookies: {
+      keys: (process.env.OIDC_COOKIE_SECRET || "dev-cookie-secret").split(","),
+    },
+
+    ttl: {
+      AccessToken: 3600, // 1 hour
+      AuthorizationCode: 600, // 10 minutes
+      RefreshToken: 14 * 24 * 60 * 60, // 14 days
+      Session: 14 * 24 * 60 * 60, // 14 days
+      Interaction: 600, // 10 minutes
+      Grant: 14 * 24 * 60 * 60, // 14 days
+    },
+
+    features: {
+      devInteractions: {
+        enabled: process.env.NODE_ENV !== "production",
+      },
+      revocation: { enabled: true },
+      rpInitiatedLogout: { enabled: true },
+    },
+
+    interactions: {
+      url(_ctx: unknown, interaction: { uid: string }) {
+        return `/oidc/interaction/${interaction.uid}`;
+      },
+    },
+
+    // Allow Outline to use PKCE but don't require it
+    pkce: {
+      required: () => false,
+    },
+
+    // Skip consent for our first-party Outline client
+    loadExistingGrant: async (ctx: any) => {
+      const grant = new (ctx.oidc.provider.Grant as any)({
+        accountId: ctx.oidc.session!.accountId,
+        clientId: ctx.oidc.client!.clientId,
+      });
+      grant.addOIDCScope("openid profile email");
+      await grant.save();
+      return grant;
+    },
+  });
+
+  return _provider;
+}