Thanks a lot everybody for the contributions to this discussion!
Your recommendations were all useful for better understanding the plugin and finally realising a prototype against 10Duke.
I wrote a tutorial about setting up single sign-on for NodeBB.
Full disclosure, I wrote it using my employer's OAuth server (FusionAuth) as the user identity provider.
But the plugin and steps should work with any OAuth server. The plugin is here: https://github.com/FusionAuth/nodebb-plugin-fusionauth-oidc