Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum
Apps - Status | Demo | Docs | Install
  1. Cloudron Forum
  2. WordPress (Developer)
  3. Urgent Security update for OIDC plugin Wordpress

Urgent Security update for OIDC plugin Wordpress

Scheduled Pinned Locked Moved WordPress (Developer)
wordpressoidcsecurity
15 Posts 5 Posters 98 Views 6 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • girishG girish

    The plugin has also started requiring the 'alg' param in JWKS keys. The field is optional (https://datatracker.ietf.org/doc/html/rfc7517#section-4.4) , but I have added it to our oidcserver now.

    humptydumptyH Offline
    humptydumptyH Offline
    humptydumpty
    wrote last edited by
    #4

    @girish do we need to do anything on the user end?

    dsp76D 1 Reply Last reply
    1
    • d19dotcaD Offline
      d19dotcaD Offline
      d19dotca
      wrote last edited by
      #5

      Looks like just a short bit ago version 3.11.3 is out now.

      https://github.com/oidc-wp/openid-connect-generic/issues/633#issuecomment-3894814402

      I've released 3.11.3 which provides a setting for the issuer url. This seems like the the most reliable way to ensure each site can adjust depending on their IDP.

      --
      Dustin Dauncey
      www.d19.ca

      1 Reply Last reply
      1
      • humptydumptyH humptydumpty

        @girish do we need to do anything on the user end?

        dsp76D Offline
        dsp76D Offline
        dsp76
        wrote last edited by
        #6

        @humptydumpty said in Urgent Security update for OIDC plugin Wordpress:

        @girish do we need to do anything on the user end?

        Same question here. Is it something we should manually set? What do we set correctly to work with cloudron?

        (Ask me about B2B marketing automation & low code business solutions, if thats interesting for you.)

        1 Reply Last reply
        1
        • girishG Offline
          girishG Offline
          girish
          Staff
          wrote last edited by
          #7

          I am testing it right now, let's see what other issues are there.

          1 Reply Last reply
          4
          • girishG Offline
            girishG Offline
            girish
            Staff
            wrote last edited by girish
            #8

            There's quite a bit of changes needed: the plugin has also moved to composer, we need a new platform release to adjust for the JWKS key handling, some changes to the package to whitelist the cloudron OIDC server since it appears WP is blocking it etc.

            I think if someone is waiting for this, this will take a while. Best to not update the plugin (or if you already updated, you should roll back somehow).

            1 Reply Last reply
            3
            • dsp76D Offline
              dsp76D Offline
              dsp76
              wrote last edited by
              #9

              @girish could you please explain? is a broken 3.11.3 more insecure than an insecure older version? Wouldn't it be better to switch to app based authorisation meanwhile and deactivate the plugin?

              (Ask me about B2B marketing automation & low code business solutions, if thats interesting for you.)

              humptydumptyH 1 Reply Last reply
              0
              • dsp76D dsp76

                @girish could you please explain? is a broken 3.11.3 more insecure than an insecure older version? Wouldn't it be better to switch to app based authorisation meanwhile and deactivate the plugin?

                humptydumptyH Offline
                humptydumptyH Offline
                humptydumpty
                wrote last edited by
                #10

                @dsp76 said in Urgent Security update for OIDC plugin Wordpress:

                switch to app based authorisation meanwhile and deactivate the plugin?

                That's what I just did. I knew OIDC is more trouble than its worth. BTW, cloning the app won't work. Install a new WP managed app, then import a backup if you decide to go that route.

                1 Reply Last reply
                0
                • girishG Offline
                  girishG Offline
                  girish
                  Staff
                  wrote last edited by
                  #11

                  This should be fixed now with the latest package.

                  1 Reply Last reply
                  3
                  • girishG girish marked this topic as a regular topic
                  • imc67I Offline
                    imc67I Offline
                    imc67
                    translator
                    wrote last edited by
                    #12

                    Yes tried manually on 2 sites and it’s working!
                    Thanks for the effort and results 🙏

                    1 Reply Last reply
                    1
                    • dsp76D Offline
                      dsp76D Offline
                      dsp76
                      wrote last edited by
                      #13

                      And what needs to be done on WordPress (Developer)?

                      (Ask me about B2B marketing automation & low code business solutions, if thats interesting for you.)

                      1 Reply Last reply
                      1
                      • imc67I Offline
                        imc67I Offline
                        imc67
                        translator
                        wrote last edited by
                        #14

                        First update app, then update plugin

                        d19dotcaD 1 Reply Last reply
                        0
                        • imc67I imc67

                          First update app, then update plugin

                          d19dotcaD Offline
                          d19dotcaD Offline
                          d19dotca
                          wrote last edited by
                          #15

                          @imc67 I checked just a bit ago but didn’t actually see any update to the Developer one yet. Maybe I checked too early. Hopefully we see it soon so we can update the plugin.

                          --
                          Dustin Dauncey
                          www.d19.ca

                          1 Reply Last reply
                          0
                          Reply
                          • Reply as topic
                          Log in to reply
                          • Oldest to Newest
                          • Newest to Oldest
                          • Most Votes

                          • Login
                          • Don't have an account? Register
                          • Login or register to search.
                          • First post
                            Last post
                          0
                          • Categories
                          • Recent
                          • Tags
                          • Popular
                          • Bookmarks
                          • Search