Urgent Security update for OIDC plugin Wordpress

imc67

https://wordpress.org/plugins/daggerhart-openid-connect-generic/

Update 3.11.1
After manual update:

OpenID Connect Generic - Security Configuration Required

Your OpenID Connect authentication is using an insecure fallback method. You must configure the JWKS endpoint in plugin settings as soon as possible.

The current insecure fallback will be removed in version 3.12.0. After that update, authentication will fail until the JWKS endpoint is configured.

Common JWKS endpoints:
• Keycloak: https://your-domain/realms/your-realm/protocol/openid-connect/certs
• Auth0: https://your-domain.auth0.com/.well-known/jwks.json
• Okta: https://your-domain.okta.com/oauth2/default/v1/keys
• Azure AD: https://login.microsoftonline.com/your-tenant/discovery/v2.0/keys
• Google: https://www.googleapis.com/oauth2/v3/certs

I tried to manually update within Wordpress Developer app but login got broken, had to restore.

3.11.0

SECURITY RELEASE

Security: Added JWT signature verification using JWKS to prevent token forgery
Security: Enhanced token claim validation (exp, aud, iss, iat, nonce)
Security: Replaced weak state generation with cryptographically secure random_bytes()
Security: Fixed open redirect vulnerability in authentication flow
Security: Restricted SSL verification bypass to local development environments only
Security: Added nonce protection to debug mode to prevent information disclosure
Security: Added SSRF protection by default through use of wp_safe_remote_* functions
Feature: Added JWKS endpoint configuration setting
Feature: Added OpenID Connect discovery document support
Feature: Added customizable login button text setting
Improvement: Migrated to Composer-managed dependencies
Fix: Corrected issuer validation to properly extract base URL from endpoints
Fix: Identity token timestamp tracking

girish

The current plugin version has some issues, I have left a note here - https://github.com/oidc-wp/openid-connect-generic/issues/633

girish

The plugin has also started requiring the 'alg' param in JWKS keys. The field is optional (https://datatracker.ietf.org/doc/html/rfc7517#section-4.4) , but I have added it to our oidcserver now.

humptydumpty

@girish do we need to do anything on the user end?

d19dotca

Looks like just a short bit ago version 3.11.3 is out now.

https://github.com/oidc-wp/openid-connect-generic/issues/633#issuecomment-3894814402

I've released 3.11.3 which provides a setting for the issuer url. This seems like the the most reliable way to ensure each site can adjust depending on their IDP.

dsp76

@humptydumpty said in Urgent Security update for OIDC plugin Wordpress:

@girish do we need to do anything on the user end?

Same question here. Is it something we should manually set? What do we set correctly to work with cloudron?

girish

I am testing it right now, let's see what other issues are there.

girish

There's quite a bit of changes needed: the plugin has also moved to composer, we need a new platform release to adjust for the JWKS key handling, some changes to the package to whitelist the cloudron OIDC server since it appears WP is blocking it etc.

I think if someone is waiting for this, this will take a while. Best to not update the plugin (or if you already updated, you should roll back somehow).

dsp76

@girish could you please explain? is a broken 3.11.3 more insecure than an insecure older version? Wouldn't it be better to switch to app based authorisation meanwhile and deactivate the plugin?

humptydumpty

@dsp76 said in Urgent Security update for OIDC plugin Wordpress:

switch to app based authorisation meanwhile and deactivate the plugin?

That's what I just did. I knew OIDC is more trouble than its worth. BTW, cloning the app won't work. Install a new WP managed app, then import a backup if you decide to go that route.