Urgent Security update for OIDC plugin Wordpress
-
The plugin has also started requiring the 'alg' param in JWKS keys. The field is optional (https://datatracker.ietf.org/doc/html/rfc7517#section-4.4) , but I have added it to our oidcserver now.
-
Looks like just a short bit ago version 3.11.3 is out now.
https://github.com/oidc-wp/openid-connect-generic/issues/633#issuecomment-3894814402
I've released 3.11.3 which provides a setting for the issuer url. This seems like the the most reliable way to ensure each site can adjust depending on their IDP.
-
There's quite a bit of changes needed: the plugin has also moved to composer, we need a new platform release to adjust for the JWKS key handling, some changes to the package to whitelist the cloudron OIDC server since it appears WP is blocking it etc.
I think if someone is waiting for this, this will take a while. Best to not update the plugin (or if you already updated, you should roll back somehow).
-
@girish could you please explain? is a broken 3.11.3 more insecure than an insecure older version? Wouldn't it be better to switch to app based authorisation meanwhile and deactivate the plugin?
(Ask me about B2B marketing automation & low code business solutions, if thats interesting for you.)
-
@girish could you please explain? is a broken 3.11.3 more insecure than an insecure older version? Wouldn't it be better to switch to app based authorisation meanwhile and deactivate the plugin?
@dsp76 said in Urgent Security update for OIDC plugin Wordpress:
switch to app based authorisation meanwhile and deactivate the plugin?
That's what I just did. I knew OIDC is more trouble than its worth. BTW, cloning the app won't work. Install a new WP managed app, then import a backup if you decide to go that route.
-
G girish marked this topic as a regular topic on
-
Yes tried manually on 2 sites and it’s working!
Thanks for the effort and results
-
@dsp76 With the latest developer packages + OIDC plugin 3.11.3 , it should work .
@d19dotca https://forum.cloudron.io/topic/2586/wordpress-developer-package-updates/88 is the package release .
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login