Urgent Security update for OIDC plugin Wordpress
-
The plugin has also started requiring the 'alg' param in JWKS keys. The field is optional (https://datatracker.ietf.org/doc/html/rfc7517#section-4.4) , but I have added it to our oidcserver now.
-
Looks like just a short bit ago version 3.11.3 is out now.
https://github.com/oidc-wp/openid-connect-generic/issues/633#issuecomment-3894814402
I've released 3.11.3 which provides a setting for the issuer url. This seems like the the most reliable way to ensure each site can adjust depending on their IDP.
-
@girish do we need to do anything on the user end?
@humptydumpty said in Urgent Security update for OIDC plugin Wordpress:
@girish do we need to do anything on the user end?
Same question here. Is it something we should manually set? What do we set correctly to work with cloudron?
-
There's quite a bit of changes needed: the plugin has also moved to composer, we need a new platform release to adjust for the JWKS key handling, some changes to the package to whitelist the cloudron OIDC server since it appears WP is blocking it etc.
I think if someone is waiting for this, this will take a while. Best to not update the plugin (or if you already updated, you should roll back somehow).
-
@girish could you please explain? is a broken 3.11.3 more insecure than an insecure older version? Wouldn't it be better to switch to app based authorisation meanwhile and deactivate the plugin?
(Ask me about B2B marketing automation & low code business solutions, if thats interesting for you.)
-
@girish could you please explain? is a broken 3.11.3 more insecure than an insecure older version? Wouldn't it be better to switch to app based authorisation meanwhile and deactivate the plugin?
@dsp76 said in Urgent Security update for OIDC plugin Wordpress:
switch to app based authorisation meanwhile and deactivate the plugin?
That's what I just did. I knew OIDC is more trouble than its worth. BTW, cloning the app won't work. Install a new WP managed app, then import a backup if you decide to go that route.
-
G girish marked this topic as a regular topic
-
Yes tried manually on 2 sites and it’s working!
Thanks for the effort and results
