Add OIDC provider for Outline wiki SSO

Add oidc-provider with MongoDB adapter so ghostguild.org can act as
the identity provider for the self-hosted Outline wiki. Members
authenticate via the existing magic-link flow, with automatic SSO
when an active session exists. Includes interaction routes, well-known
discovery endpoint, and login page.

server/utils/oidc-provider.ts

@@ -0,0 +1,117 @@
+/**
+ * OIDC Provider configuration for Ghost Guild.
+ *
+ * ghostguild.org acts as the identity provider. Outline wiki is the sole
+ * relying party (client). Members authenticate via the existing magic-link
+ * flow, and the provider issues standard OIDC tokens so Outline can identify
+ * them.
+ */
+import Provider from "oidc-provider";
+import { MongoAdapter } from "./oidc-mongodb-adapter.js";
+import Member from "../models/member.js";
+import { connectDB } from "./mongoose.js";
+
+let _provider: InstanceType<typeof Provider> | null = null;
+
+export async function getOidcProvider() {
+  if (_provider) return _provider;
+
+  const config = useRuntimeConfig();
+  const issuer =
+    process.env.OIDC_ISSUER || config.public.appUrl || "https://ghostguild.org";
+
+  _provider = new Provider(issuer, {
+    adapter: MongoAdapter,
+
+    clients: [
+      {
+        client_id: process.env.OIDC_CLIENT_ID || "outline-wiki",
+        client_secret: process.env.OIDC_CLIENT_SECRET || "",
+        redirect_uris: [
+          "https://wiki.ghostguild.org/auth/oidc.callback",
+          // Local development callback
+          "http://localhost:3100/auth/oidc.callback",
+        ],
+        post_logout_redirect_uris: [
+          "https://wiki.ghostguild.org",
+          "http://localhost:3100",
+        ],
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        token_endpoint_auth_method: "client_secret_post",
+      },
+    ],
+
+    claims: {
+      openid: ["sub"],
+      profile: ["name", "preferred_username"],
+      email: ["email", "email_verified"],
+    },
+
+    scopes: ["openid", "profile", "email", "offline_access"],
+
+    findAccount: async (_ctx: unknown, id: string) => {
+      await connectDB();
+      const member = await (Member as any).findById(id);
+      if (!member) return undefined;
+
+      return {
+        accountId: id,
+        async claims(_use: string, _scope: string) {
+          return {
+            sub: id,
+            name: member.name,
+            preferred_username: member.name,
+            email: member.email,
+            email_verified: true,
+          };
+        },
+      };
+    },
+
+    cookies: {
+      keys: (process.env.OIDC_COOKIE_SECRET || "dev-cookie-secret").split(","),
+    },
+
+    ttl: {
+      AccessToken: 3600, // 1 hour
+      AuthorizationCode: 600, // 10 minutes
+      RefreshToken: 14 * 24 * 60 * 60, // 14 days
+      Session: 14 * 24 * 60 * 60, // 14 days
+      Interaction: 600, // 10 minutes
+      Grant: 14 * 24 * 60 * 60, // 14 days
+    },
+
+    features: {
+      devInteractions: {
+        enabled: process.env.NODE_ENV !== "production",
+      },
+      revocation: { enabled: true },
+      rpInitiatedLogout: { enabled: true },
+    },
+
+    interactions: {
+      url(_ctx: unknown, interaction: { uid: string }) {
+        return `/oidc/interaction/${interaction.uid}`;
+      },
+    },
+
+    // Allow Outline to use PKCE but don't require it
+    pkce: {
+      required: () => false,
+    },
+
+    // Skip consent for our first-party Outline client
+    loadExistingGrant: async (ctx: any) => {
+      const grant = new (ctx.oidc.provider.Grant as any)({
+        accountId: ctx.oidc.session!.accountId,
+        clientId: ctx.oidc.client!.clientId,
+      });
+      grant.addOIDCScope("openid profile email");
+      await grant.save();
+      return grant;
+    },
+  });
+
+  return _provider;
+}