Auto-generated tile from GitHub (10 skills)
92
94%
Does it follow best practices?
Impact
92%
1.16x
Average score across 44 eval scenarios
Advisory
Suggest reviewing before use
A mid-sized SaaS company is adding single sign-on to their customer portal, which is a Fastify-based web application. The company already has an authorization server running at https://auth.example.com (supporting OpenID Connect), and the portal is deployed at https://portal.example.com. The engineering team wants users to be able to click a login button, be redirected to the authorization server, grant consent, and land back in the portal authenticated with an access token and refresh token stored safely.
The portal is a server-rendered app — the frontend is not a standalone SPA. The auth server credentials (client ID and secret) are available as the environment variables CLIENT_ID and CLIENT_SECRET, and the full callback URL is in CALLBACK_URI. The auth server base URL is in AUTH_SERVER.
Implement the following files for a TypeScript Fastify project:
plugins/oauth.ts — the OAuth2 plugin registration
routes/auth.ts — the callback handler and logout route
The implementation should be production-ready, handle the full authorization flow, and follow current security best practices for server-side web applications.
Do NOT include environment variable values in the code — read them from process.env.
skills
documentation
fastify
init
linting-neostandard-eslint9
node
nodejs-core
rules
oauth
octocat
snipgrapher