Urgent Security update for OIDC plugin Wordpress
-
The plugin has also started requiring the 'alg' param in JWKS keys. The field is optional (https://datatracker.ietf.org/doc/html/rfc7517#section-4.4), but I have added it to our oidcserver now.
@girish do we need to do anything on the user end?
-
Looks like version 3.11.3 came out just a short bit ago.
https://github.com/oidc-wp/openid-connect-generic/issues/633#issuecomment-3894814402
I've released 3.11.3 which provides a setting for the issuer url. This seems like the most reliable way to ensure each site can adjust depending on their IDP.
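The two mechanics this thread touches on, as an added Python example that is neither the plugin's code nor Cloudron's OIDC server: a server-side step that fills in the optional `alg` member (RFC 7517 section 4.4) for JWKS keys that lack it, and the client-side lookup of a signing key by `kid` that also insists on `alg` matching the token header, combined with an exact comparison of the token's `iss` claim against a configured issuer URL like the setting 3.11.3 adds. The sample JWKS, token, issuer URL and the RS256 default chosen for RSA keys are constructed assumptions; signature verification itself is left to a JOSE library and is not performed here.

```python
import base64
import json

# Constructed sample JWKS (not a real IdP's document): an RSA key without
# "alg" and an EC key without "alg". Key material is placeholder text.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "key-1", "use": "sig", "n": "placeholder-n", "e": "AQAB"},
        {"kty": "EC", "kid": "key-2", "use": "sig", "crv": "P-256",
         "x": "placeholder-x", "y": "placeholder-y"},
    ]
}

# Curve to JWS algorithm mapping from RFC 7518 section 3.4.
_EC_ALG_BY_CRV = {"P-256": "ES256", "P-384": "ES384", "P-521": "ES512"}


def add_missing_alg(jwks, rsa_default="RS256"):
    """Server-side fix: return a copy of the JWKS where every key carries "alg".

    EC keys get the algorithm implied by their curve. RSA keys cannot be
    inferred from the key alone, so a configured default (assumption: RS256)
    is used. Any other key type is rejected rather than guessed.
    """
    fixed = {"keys": []}
    for key in jwks["keys"]:
        key = dict(key)  # do not mutate the caller's document
        if "alg" not in key:
            if key.get("kty") == "EC":
                key["alg"] = _EC_ALG_BY_CRV[key["crv"]]
            elif key.get("kty") == "RSA":
                key["alg"] = rsa_default
            else:
                raise ValueError("cannot infer alg for kty=%r" % key.get("kty"))
        fixed["keys"].append(key)
    return fixed


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(header, payload):
    """Build a constructed JWT with a placeholder signature segment (test input only)."""
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "placeholder-sig"])


def select_key(jwks, token, expected_issuer):
    """Client-side lookup mirroring the stricter behaviour described in the thread.

    Rejects the token when "iss" is not exactly the configured issuer URL, when
    the JWKS key matching "kid" has no "alg", or when that "alg" differs from
    the token header. Returns the JWK to hand to a signature verifier.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))

    # Exact string comparison: a trailing slash or scheme difference is a mismatch.
    if payload.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch: %r != %r" % (payload.get("iss"), expected_issuer))

    for key in jwks["keys"]:
        if key.get("kid") != header.get("kid"):
            continue
        if "alg" not in key:
            raise ValueError("JWKS key %r has no 'alg'" % key["kid"])
        if key["alg"] != header.get("alg"):
            raise ValueError("alg mismatch for kid %r" % key["kid"])
        return key
    raise KeyError("no JWKS key with kid %r" % header.get("kid"))


if __name__ == "__main__":
    issuer = "https://idp.example/"  # assumed configured issuer URL
    token = make_unsigned_token({"alg": "RS256", "kid": "key-1", "typ": "JWT"},
                                {"iss": issuer, "sub": "user-1"})
    try:
        select_key(SAMPLE_JWKS, token, issuer)
    except ValueError as exc:
        print("before server fix:", exc)
    print("after server fix:", select_key(add_missing_alg(SAMPLE_JWKS), token, issuer)["kid"])
```

Run against the original document the lookup fails on the `alg`-less key, which is the failure mode the thread describes; after `add_missing_alg` the same token resolves to `key-1`. The issuer comparison is deliberately exact, so a configured value that differs from what the IdP puts in `iss` by a trailing slash will be rejected, which is the kind of per-site adjustment the new setting exists for.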
-
@humptydumpty said in Urgent Security update for OIDC plugin Wordpress:
@girish do we need to do anything on the user end?
Same question here. Is it something we should manually set? What do we set correctly to work with cloudron?
-
There are quite a few changes needed: the plugin has also moved to composer, we need a new platform release to adjust for the JWKS key handling, some changes to the package to whitelist the cloudron OIDC server since it appears WP is blocking it, etc.
I think if someone is waiting for this, this will take a while. Best to not update the plugin (or if you already updated, you should roll back somehow).
-
@girish could you please explain? Is a broken 3.11.3 more insecure than an insecure older version? Wouldn't it be better to switch to app based authorisation meanwhile and deactivate the plugin?
@dsp76 said in Urgent Security update for OIDC plugin Wordpress:
switch to app based authorisation meanwhile and deactivate the plugin?
That's what I just did. I knew OIDC is more trouble than it's worth. BTW, cloning the app won't work. Install a new WP managed app, then import a backup if you decide to go that route.
-
Yes, tried manually on 2 sites and it's working!
Thanks for the effort and results
-
First update app, then update plugin