Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum
Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. WordPress (Developer)
  3. Wordpress apps OIDC: logout/login security issue

Wordpress apps OIDC: logout/login security issue

Scheduled Pinned Locked Moved WordPress (Developer)
5 Posts 3 Posters 84 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • imc67I Offline
    imc67I Offline
    imc67 translator
    wrote on last edited by
    #1

    Suddenly on one of my Cloudrons all Wordpress app got update with the OIDC login method (much sooner than expected!).

    However in my opinion (mentioned before) there is still a security issue with your implementation of OIDC: you can log out of Wordpress (or espoCRM) but pressing "Login with Cloudron" right after (or after leaving your computer and someone else is using it) you are immediately logged in again.

    For computers that are shared like in a non-profit organization with volunteers this is really an issue!

    1 Reply Last reply
    0
    • imc67I Offline
      imc67I Offline
      imc67 translator
      wrote on last edited by
      #2

      There must be a kind of functionality for this: in the Wordpress OpenID Connect Client plugin there is an option:

      End Session Endpoint URL
      Identify provider logout endpoint.
      Example: https://example.com/oauth2/logout

      But not filled in, so there must be a way to really logout?

      1 Reply Last reply
      1
      • girishG Offline
        girishG Offline
        girish Staff
        wrote on last edited by girish
        #3

        I can see the problem for shared PCs but the right approach for shared PCs is to enable some sort of kiosk mode. Or elaborate use of anonymous mode.

        You can try this with wix.com for example:

        • Make sure you are logged out of Google/Gmail
        • Go to wix.com and sign in with google. You are asked to login with Google credentials in a popup.
        • Signout of wix.com
        • Click sign in, you are automatically signed in. You will see the Google popup appear and auto-close in this process of sign in.
        1 Reply Last reply
        0
        • imc67I Offline
          imc67I Offline
          imc67 translator
          wrote on last edited by imc67
          #4

          This perhaps?
          https://openid.net/specs/openid-connect-rpinitiated-1_0.html

          1 Reply Last reply
          0
          • humptydumptyH Offline
            humptydumptyH Offline
            humptydumpty
            wrote on last edited by
            #5
            This post is deleted!
            1 Reply Last reply
            0

            • Login
            • Don't have an account? Register
            • Login or register to search.
            • First post
              Last post
            0
            • Categories
            • Recent
            • Tags
            • Popular
            • Bookmarks
            • Search