Urgent Security update for OIDC plugin Wordpress

This should be fixed now with the latest package.

@robi investigating ....

@robi sorry for confusion
"CCAI" as a whole is not gone
Just the original browser-centric version requiring users to put auth creds in my site (yuk!)

CustomAppGateway lives on, to install CCAI-P and individual apps.
https://customgateway.appx.uk

This will live for a while, definitely for a month after 9.1 is released, maybe as long as 3-6 months after 9.1.

pushed a new version v1.0.63

Test site : 191CazMVNaAcT9Y1zhkxd9ixMBPs59g2um

tweaked : v1.0.64

There's quite a bit of changes needed: the plugin has also moved to composer, we need a new platform release to adjust for the JWKS key handling, some changes to the package to whitelist the cloudron OIDC server since it appears WP is blocking it etc.

I think if someone is waiting for this, this will take a while. Best to not update the plugin (or if you already updated, you should roll back somehow).

@IniBudi I didn’t make a video as the process is simple, and Cloudron 9.1 will take over soon.

As @humptydumpty (thank you for stepping in) said, the process is guided.

Some important points :

• CCAI original version is dead : site now directs you to CustomAppGateway which is the new start point
• CustomAppGateway gives you choice of installing individual apps from there, or installing CCAI-P which is maybe more useful if installing multiple custom apps
• for individual installations, CustomAppGateway shows a catalogue, pick an item, popup shows a description and a curl one line installation command. Copy that and paste into your desktop/laptop terminal. It will :
  • prompt for your Cloudron, e.g. my.domain.tld
  • prompt for a token (create this in your Cloudron dashboard | Profile | Tokens
  • prompt for app location, eg myapp.mydomain.tld
  • invoke the installation : note that it will likely complete quickly but your Cloudron needs another couple minutes to install the app
• for multiple custom apps, use CustomAppGateway to install CCAI-P : same process as above.
  • you will then have an app in your Cloudron which can install further apps (displays the same catalog as CustomAppGateway but no more curl download links)
  • store your creds in /app/data
  • pick an app and watch installation proceed
  • wait for completion notice.

Note : your auth creds are now always input in your control (your desktop or your own Cloudron environment), never in a 3rd party site.

Let me know if any other questions

I am testing it right now, let's see what other issues are there.

The plugin has also started requiring the 'alg' param in JWKS keys. The field is optional (https://datatracker.ietf.org/doc/html/rfc7517#section-4.4) , but I have added it to our oidcserver now.

The current plugin version has some issues, I have left a note here - https://github.com/oidc-wp/openid-connect-generic/issues/633

Thanks, fixed - https://git.cloudron.io/platform/box/-/commit/51e02da277d972d1d8b514dc15256f88e2fbe201