SECURITY UPDATE: 3.11.x branch - Fixes authentication vulnerabilities including JWT signature bypass and SSRF protection. Update immediately and configure JWKS endpoint in settings.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":20},"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["3.10.0","3.10.1","3.10.2","3.10.3","3.10.4","3.11.0","3.11.1","3.11.2","3.11.3","3.3.1","3.4.1","3.5.0","3.6.0","3.7.0","3.7.1","3.8.0","3.8.1","3.8.2","3.8.3","3.8.4","3.8.5","3.9.0","3.9.1"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[896,602,12644,31802,600],"plugin_category":[38,54],"plugin_contributors":[82247,160238],"plugin_business_model":[],"class_list":["post-80590","plugin","type-plugin","status-publish","hentry","plugin_tags-apps","plugin_tags-login","plugin_tags-oauth2","plugin_tags-openidconnect","plugin_tags-security","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-daggerhart","plugin_contributors-tnolte","plugin_committers-daggerhart"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/daggerhart-openid-connect-generic.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"\n
This plugin allows to authenticate users against OpenID Connect OAuth2 API with Authorization Code Flow.\nOnce installed, it can be configured to automatically authenticate users (SSO), or provide a \"Login with OpenID Connect\"\nbutton on the login form. After consent has been obtained, an existing user is automatically logged into WordPress, while\nnew users are created in WordPress database.<\/p>\n\n
Much of the documentation can be found on the Settings > OpenID Connect Generic dashboard page.<\/p>\n\n
Please submit issues to the Github repo: https:\/\/github.com\/oidc-wp\/openid-connect-generic<\/p>\n\n\n
\/wp-content\/plugins\/<\/code> directory<\/li>\n- Activate the plugin<\/li>\n
- Visit Settings > OpenID Connect and configure to meet your needs<\/li>\n<\/ol>\n\n\n
\nWhat is the client's Redirect URI?<\/h3><\/dt>\nMost OAuth2 servers will require whitelisting a set of redirect URIs for security purposes. The Redirect URI provided\nby this client is like so: https:\/\/example.com\/wp-admin\/admin-ajax.php?action=openid-connect-authorize<\/p>\n\n
Replace example.com<\/code> with your domain name and path to WordPress.<\/p><\/dd>\nCan I change the client's Redirect URI?<\/h3><\/dt>\nSome OAuth2 servers do not allow for a client redirect URI to contain a query string. The default URI provided by\nthis module leverages WordPress's admin-ajax.php<\/code> endpoint as an easy way to provide a route that does not include\nHTML, but this will naturally involve a query string. Fortunately, this plugin provides a setting that will make use of\nan alternate redirect URI that does not include a query string.<\/p>\n\nOn the settings page for this plugin (Dashboard > Settings > OpenID Connect Generic) there is a checkbox for\nAlternate Redirect URI<\/strong>. When checked, the plugin will use the Redirect URI\n https:\/\/example.com\/openid-connect-authorize.<\/p><\/dd>\n\n<\/dl>\n\n\n3.11.3<\/h4>\n\n\n- Feature\/improvement: Added configurable issuer setting for JWT validation.<\/li>\n<\/ul>\n\n
3.11.2<\/h4>\n\n\n- Improvement: Support identity providers that omit algorithm parameter in JWKS (Microsoft Entra ID).<\/li>\n<\/ul>\n\n
3.11.1<\/h4>\n\n\n- Fix bug created in 3.11.0 release when comparing issuer to derived expected value.<\/li>\n<\/ul>\n\n
3.11.0<\/h4>\n\n
SECURITY RELEASE<\/strong><\/p>\n\n\n- Security: Added JWT signature verification using JWKS to prevent token forgery<\/li>\n
- Security: Enhanced token claim validation (exp, aud, iss, iat, nonce)<\/li>\n
- Security: Replaced weak state generation with cryptographically secure random_bytes()<\/li>\n
- Security: Fixed open redirect vulnerability in authentication flow<\/li>\n
- Security: Restricted SSL verification bypass to local development environments only<\/li>\n
- Security: Added nonce protection to debug mode to prevent information disclosure<\/li>\n
- Security: Added SSRF protection by default through use of wp_safe_remote_* functions<\/li>\n
- Feature: Added JWKS endpoint configuration setting<\/li>\n
- Feature: Added OpenID Connect discovery document support<\/li>\n
- Feature: Added customizable login button text setting<\/li>\n
- Improvement: Migrated to Composer-managed dependencies<\/li>\n
- Fix: Corrected issuer validation to properly extract base URL from endpoints<\/li>\n
- Fix: Identity token timestamp tracking<\/li>\n<\/ul>\n\n
3.10.4<\/h4>\n\n\n- Fix issue with finding users on multisite after switch to user options in place of user meta.<\/li>\n
- Improvement: Retry logins for some IDP errors to bypass issue with Safari ITP. Also improves display of error messages that come from the IDP.<\/li>\n<\/ul>\n\n
3.10.3<\/h4>\n\n\n- Fix issue with log corruption causing fatal error.<\/li>\n
- Fix: Fallback to a POST request for userinfo when GET fails.<\/li>\n
- Fix: Improves multisite compatibility by switching to *_user_options() functions.<\/li>\n
- Fix: Fix for WordPress user session length being very short when refresh tokens are enabled.<\/li>\n<\/ul>\n\n
3.10.2<\/h4>\n\n\n- Fix: @socialmedialabs - Regression affecting SSO Auto Login with url handling improvement changes.<\/li>\n<\/ul>\n\n
3.10.1<\/h4>\n\n\n- Chore: @daggerhart - Readme updates and clarifications.<\/li>\n
- Chore: @daggerhart - Release workflow updates.<\/li>\n
- Improved error handling for malformed urls.<\/li>\n
- Fix: @JUVOJustin - Change request for userinfo to GET.<\/li>\n
- Feature: @JUVOJustin - New filter for settings values
openid-connect-generic-settings<\/code>.<\/li>\n- Feature: @JUVOJustin - New filter for state values
openid-connect-generic-new-state-value<\/code>.<\/li>\n<\/ul>\n\n3.10.0<\/h4>\n\n\n- Chore: @timnolte - Dependency updates.<\/li>\n
- Fix: @drzraf - Prevents running the auth url filter twice.<\/li>\n
- Fix: @timnolte - Updates the log cleanup handling to properly retain the configured number of log entries.<\/li>\n
- Fix: @timnolte - Updates the log display output to reflect the log retention policy.<\/li>\n
- Chore: @timnolte - Adds Unit Testing & New Local Development Environment.<\/li>\n
- Feature: @timnolte - Updates logging to allow for tracking processing time.<\/li>\n
- Feature: @menno-ll - Adds a remember me feature via a new filter.<\/li>\n
- Improvement: @menno-ll - Updates WP Cookie Expiration to Same as Session Length.<\/li>\n<\/ul>\n\n
3.9.1<\/h4>\n\n\n- Improvement: @timnolte - Refactors Composer setup and GitHub Actions.<\/li>\n
- Improvement: @timnolte - Bumps WordPress tested version compatibility.<\/li>\n<\/ul>\n\n
3.9.0<\/h4>\n\n\n- Feature: @matchaxnb - Added support for additional configuration constants.<\/li>\n
- Feature: @schanzen - Added support for agregated claims.<\/li>\n
- Fix: @rkcreation - Fixed access token not updating user metadata after login.<\/li>\n
- Fix: @danc1248 - Fixed user creation issue on Multisite Networks.<\/li>\n
- Feature: @RobjS - Added plugin singleton to support for more developer customization.<\/li>\n
- Feature: @jkouris - Added action hook to allow custom handling of session expiration.<\/li>\n
- Fix: @tommcc - Fixed admin CSS loading only on the plugin settings screen.<\/li>\n
- Feature: @rkcreation - Added method to refresh the user claim.<\/li>\n
- Feature: @Glowsome - Added acr_values support & verification checks that it when defined in options is honored.<\/li>\n
- Fix: @timnolte - Fixed regression which caused improper fallback on missing claims.<\/li>\n
- Fix: @slykar - Fixed missing query string handling in redirect URL.<\/li>\n
- Fix: @timnolte - Fixed issue with some user linking and user creation handling.<\/li>\n
- Improvement: @timnolte - Fixed plugin settings typos and screen formatting.<\/li>\n
- Security: @timnolte - Updated build tooling security vulnerabilities.<\/li>\n
- Improvement: @timnolte - Changed build tooling scripts.<\/li>\n<\/ul>\n\n
3.8.5<\/h4>\n\n\n- Fix: @timnolte - Fixed missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.<\/li>\n
- Fix: @timnolte - Fixed Redirect URL Logic to Handle Sub-directory Installs.<\/li>\n
- Fix: @timnolte - Fixed issue with redirecting user back when the openid_connect_generic_auth_url shortcode is used.<\/li>\n<\/ul>\n\n
3.8.4<\/h4>\n\n\n- Fix: @timnolte - Fixed invalid State object access for redirection handling.<\/li>\n
- Improvement: @timnolte - Fixed local wp-env Docker development environment.<\/li>\n
- Improvement: @timnolte - Fixed Composer scripts for linting and static analysis.<\/li>\n<\/ul>\n\n
3.8.3<\/h4>\n\n\n- Fix: @timnolte - Fixed problems with proper redirect handling.<\/li>\n
- Improvement: @timnolte - Changes redirect handling to use State instead of cookies.<\/li>\n
- Improvement: @timnolte - Refactored additional code to meet coding standards.<\/li>\n<\/ul>\n\n
3.8.2<\/h4>\n\n\n- Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.<\/li>\n<\/ul>\n\n
3.8.1<\/h4>\n\n\n- Fix: @timnolte - Prevent SSO redirect on password protected posts.<\/li>\n
- Fix: @timnolte - CI\/CD build issues.<\/li>\n
- Fix: @timnolte - Invalid redirect handling on logout for Auto Login setting.<\/li>\n<\/ul>\n\n
3.8.0<\/h4>\n\n\n- Feature: @timnolte - Ability to use 6 new constants for setting client configuration instead of storing in the DB.<\/li>\n
- Improvement: @timnolte - Plugin development & contribution updates.<\/li>\n
- Improvement: @timnolte - Refactored to meet WordPress coding standards.<\/li>\n
- Improvement: @timnolte - Refactored to provide localization.<\/li>\n<\/ul>\n\n\n\n