Jennie Robinson Faber
8a529a8e7c
Add oidc-provider with MongoDB adapter so ghostguild.org can act as the identity provider for the self-hosted Outline wiki. Members authenticate via the existing magic-link flow, with automatic SSO when an active session exists. Includes interaction routes, well-known discovery endpoint, and login page.
117 lines
3.3 KiB
TypeScript
117 lines
3.3 KiB
TypeScript
/**
|
|
* OIDC Provider configuration for Ghost Guild.
|
|
*
|
|
* ghostguild.org acts as the identity provider. Outline wiki is the sole
|
|
* relying party (client). Members authenticate via the existing magic-link
|
|
* flow, and the provider issues standard OIDC tokens so Outline can identify
|
|
* them.
|
|
*/
|
|
import Provider from "oidc-provider";
|
|
import { MongoAdapter } from "./oidc-mongodb-adapter.js";
|
|
import Member from "../models/member.js";
|
|
import { connectDB } from "./mongoose.js";
|
|
|
|
let _provider: InstanceType<typeof Provider> | null = null;
|
|
|
|
export async function getOidcProvider() {
|
|
if (_provider) return _provider;
|
|
|
|
const config = useRuntimeConfig();
|
|
const issuer =
|
|
process.env.OIDC_ISSUER || config.public.appUrl || "https://ghostguild.org";
|
|
|
|
_provider = new Provider(issuer, {
|
|
adapter: MongoAdapter,
|
|
|
|
clients: [
|
|
{
|
|
client_id: process.env.OIDC_CLIENT_ID || "outline-wiki",
|
|
client_secret: process.env.OIDC_CLIENT_SECRET || "",
|
|
redirect_uris: [
|
|
"https://wiki.ghostguild.org/auth/oidc.callback",
|
|
// Local development callback
|
|
"http://localhost:3100/auth/oidc.callback",
|
|
],
|
|
post_logout_redirect_uris: [
|
|
"https://wiki.ghostguild.org",
|
|
"http://localhost:3100",
|
|
],
|
|
grant_types: ["authorization_code", "refresh_token"],
|
|
response_types: ["code"],
|
|
token_endpoint_auth_method: "client_secret_post",
|
|
},
|
|
],
|
|
|
|
claims: {
|
|
openid: ["sub"],
|
|
profile: ["name", "preferred_username"],
|
|
email: ["email", "email_verified"],
|
|
},
|
|
|
|
scopes: ["openid", "profile", "email", "offline_access"],
|
|
|
|
findAccount: async (_ctx: unknown, id: string) => {
|
|
await connectDB();
|
|
const member = await (Member as any).findById(id);
|
|
if (!member) return undefined;
|
|
|
|
return {
|
|
accountId: id,
|
|
async claims(_use: string, _scope: string) {
|
|
return {
|
|
sub: id,
|
|
name: member.name,
|
|
preferred_username: member.name,
|
|
email: member.email,
|
|
email_verified: true,
|
|
};
|
|
},
|
|
};
|
|
},
|
|
|
|
cookies: {
|
|
keys: (process.env.OIDC_COOKIE_SECRET || "dev-cookie-secret").split(","),
|
|
},
|
|
|
|
ttl: {
|
|
AccessToken: 3600, // 1 hour
|
|
AuthorizationCode: 600, // 10 minutes
|
|
RefreshToken: 14 * 24 * 60 * 60, // 14 days
|
|
Session: 14 * 24 * 60 * 60, // 14 days
|
|
Interaction: 600, // 10 minutes
|
|
Grant: 14 * 24 * 60 * 60, // 14 days
|
|
},
|
|
|
|
features: {
|
|
devInteractions: {
|
|
enabled: process.env.NODE_ENV !== "production",
|
|
},
|
|
revocation: { enabled: true },
|
|
rpInitiatedLogout: { enabled: true },
|
|
},
|
|
|
|
interactions: {
|
|
url(_ctx: unknown, interaction: { uid: string }) {
|
|
return `/oidc/interaction/${interaction.uid}`;
|
|
},
|
|
},
|
|
|
|
// Allow Outline to use PKCE but don't require it
|
|
pkce: {
|
|
required: () => false,
|
|
},
|
|
|
|
// Skip consent for our first-party Outline client
|
|
loadExistingGrant: async (ctx: any) => {
|
|
const grant = new (ctx.oidc.provider.Grant as any)({
|
|
accountId: ctx.oidc.session!.accountId,
|
|
clientId: ctx.oidc.client!.clientId,
|
|
});
|
|
grant.addOIDCScope("openid profile email");
|
|
await grant.save();
|
|
return grant;
|
|
},
|
|
});
|
|
|
|
return _provider;
|
|
}
|