Urgent Security update for OIDC plugin Wordpress

There's quite a bit of changes needed: the plugin has also moved to composer, we need a new platform release to adjust for the JWKS key handling, some changes to the package to whitelist the cloudron OIDC server since it appears WP is blocking it etc.

I think if someone is waiting for this, this will take a while. Best to not update the plugin (or if you already updated, you should roll back somehow).

@IniBudi I didn’t make a video as the process is simple, and Cloudron 9.1 will take over soon.

As @humptydumpty (thank you for stepping in) said, the process is guided.

Some important points :

• CCAI original version is dead : site now directs you to CustomAppGateway which is the new start point
• CustomAppGateway gives you choice of installing individual apps from there, or installing CCAI-P which is maybe more useful if installing multiple custom apps
• for individual installations, CustomAppGateway shows a catalogue, pick an item, popup shows a description and a curl one line installation command. Copy that and paste into your desktop/laptop terminal. It will :
  • prompt for your Cloudron, e.g. my.domain.tld
  • prompt for a token (create this in your Cloudron dashboard | Profile | Tokens
  • prompt for app location, eg myapp.mydomain.tld
  • invoke the installation : note that it will likely complete quickly but your Cloudron needs another couple minutes to install the app
• for multiple custom apps, use CustomAppGateway your install CCAI-P : same process as above.
  • you will then have an app in your Cloudron which can install further apps (displays the same catalog as CustomAppGateway but no more curl download links)
  • store your creds in /app/data
  • pick an app and watch installation proceed
  • wait for completion notice.

Note : your auth creds are now always input in your control (your desktop or your own Cloudron environment), never in a 3rd party site.

Let me know if any other questions

I am testing it right now, let's see what other issues are there.

The plugin has also started requiring the 'alg' param in JWKS keys. The field is optional (https://datatracker.ietf.org/doc/html/rfc7517#section-4.4) , but I have added it to our oidcserver now.

The current plugin version has some issues, I have left a note here - https://github.com/oidc-wp/openid-connect-generic/issues/633

Thanks, fixed - https://git.cloudron.io/platform/box/-/commit/51e02da277d972d1d8b514dc15256f88e2fbe201

Good idea. I wanted exactly this a few days back but was lazy to implement. Got the impetus to implement this now. Will be part of 9.1

Custom packages can already have custom env vars.

Part of 9.0

Implemented (indirectly) via Backup sites feature . Just include a single app with whatever schedule in a site.