3.11.3 Feature for setting issuer

What's Changed

• Add configurable issuer setting for JWT validation by @daggerhart in #639
• Release/3.11.3 by @daggerhart in #640

Full Changelog: 3.11.2...3.11.3

3.11.2

What's Changed

• Fix JWT verification with Microsoft Entra ID JWKS by @daggerhart in #636
• Release/3.11.2 by @daggerhart in #637

Full Changelog: 3.11.1...3.11.2

3.11.1 Fix bug introduced in 3.11.0

What's Changed

• 629: Fix to better match issuer in jwt validator by @daggerhart in #630
• Release/3.11.1 by @daggerhart in #631

Full Changelog: 3.11.0...3.11.1

3.11.0 Security Maintenance Fixes & Minor Features

Release 3.11.0 - Security Release

🔒 CRITICAL SECURITY UPDATE - Upgrade Immediately

---

Overview

Version 3.11.0 addresses multiple authentication security vulnerabilities, including critical issues that could allow authentication bypass. This release adds comprehensive JWT signature verification and SSRF protection.

All users should upgrade immediately and configure the JWKS endpoint.

---

Security Fixes

Critical Issues

1. JWT Signature Verification Implemented

• Previous versions decoded JWT tokens without cryptographic verification
• Added proper JWT signature verification using JWKS (JSON Web Key Set)
• Implements firebase/php-jwt library for validation
• Validates all required claims: exp, aud, iss, iat, sub
• Action Required: Configure JWKS endpoint (see Configuration below)

2. Aggregated Claims JWT Verification

• Added signature verification for aggregated claims from secondary JWTs
• Prevents injection of forged claims

3. SSRF Protection Added

• Replaced unsafe HTTP functions with SSRF-protected alternatives
• Added allow_internal_idp setting for legitimate internal identity providers
• Secure by default (disabled)
• Enable only for local development or corporate internal IDPs

High Priority Issues

4. Weak State Generation Fixed

• Replaced non-cryptographic mt_rand() with secure random_bytes()
• State values now cryptographically secure

5. Open Redirect Vulnerability Fixed

• Added wp_validate_redirect() to redirect handling
• External redirects now blocked by default

6. SSL Verification Bypass Restricted

• SSL bypass now only works in local development environments
• Requires WP_DEBUG=true and WP_ENVIRONMENT_TYPE=local
• Automatically disabled in production

7. Debug Mode Removed

• Removed debug mode that could expose sensitive settings

---

Configuration Required

JWKS Endpoint Setup (Required for Full Protection)

1. Navigate to: Settings → OpenID Connect Client
2. Find the JWKS URI field
3. Enter your identity provider's JWKS endpoint
4. Test authentication

Common JWKS Endpoints

Keycloak:

https://{domain}/realms/{realm}/protocol/openid-connect/certs

Auth0:

https://{domain}/.well-known/jwks.json

Okta:

https://{domain}/oauth2/default/v1/keys

Azure AD:

https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys

Google:

https://www.googleapis.com/oauth2/v3/certs

Generic OpenID Connect:
Check your IDP's discovery document at:

https://{domain}/.well-known/openid-configuration

Look for the jwks_uri field.

---

New Settings

1. JWKS URI - Identity provider's JWKS endpoint URL

• Location: Settings → OpenID Connect Client
• Environment variable: OIDC_ENDPOINT_JWKS_URL

2. JWKS Cache TTL - Cache duration for JWKS keys (default: 1 hour)

3. Allow Internal IDP - Enable requests to internal network endpoints

• Default: Disabled (secure)
• Enable only for local development or internal corporate IDPs
• Warning: Only enable if you understand the security implications

---

Backwards Compatibility

Sites without JWKS configured will continue to work but remain vulnerable.

Migration Path:

1. Upgrade to 3.11.0
2. Configure JWKS endpoint
3. Test authentication
4. Verify no security warnings in logs

Security warnings will be logged if JWKS is not configured, helping you identify sites that need migration.

---

What's Changed

New Files

• includes/openid-connect-generic-jwt-validator.php - JWT validation class

Modified Files

• includes/openid-connect-generic-client.php - JWT verification, SSRF protection, secure state generation
• includes/openid-connect-generic-client-wrapper.php - Aggregated claims verification, redirect validation, SSL restrictions
• includes/openid-connect-generic-settings-page.php - Debug mode removal, new settings, SSRF protection
• includes/openid-connect-generic-jwt-validator.php - SSRF protection
• openid-connect-generic.php - Settings initialization
• composer.json - Added firebase/php-jwt dependency
• tests/ - Updated unit tests

New Dependencies

• firebase/php-jwt: ^6.10 - Industry-standard JWT validation library

---

Performance Impact

Minimal impact on authentication:

• First authentication: Fetches JWKS from IDP (~200ms)
• Subsequent authentications: Uses cached keys (~5ms)
• Default cache: 1 hour (configurable)

---

Troubleshooting

Authentication fails after upgrade:

• Verify JWKS endpoint is correct and accessible
• Check plugin logs for specific error messages
• Test JWKS endpoint: curl https://your-idp/.well-known/jwks.json

Security warnings in logs:

• Configure JWKS endpoint to resolve warnings
• Enable logging in Settings → OpenID Connect Client

"Invalid audience" error:

• Verify Client ID matches IDP configuration

"Invalid issuer" error:

• Verify Login Endpoint URL matches IDP issuer

---

Upgrade Instructions

Via WordPress Admin:

1. Backup your site first
2. Go to Plugins → Installed Plugins
3. Find OpenID Connect Generic
4. Click Update Now
5. Configure JWKS endpoint

Via Composer:

composer update daggerhart/openid-connect-generic

---

Rollback

If you encounter issues, you can temporarily rollback to 3.10.4:

composer require daggerhart/openid-connect-generic:3.10.4

Note: Rolling back leaves vulnerabilities unfixed. Only rollback temporarily while resolving configuration issues.

---

Support

• Documentation: https://github.com/oidc-wp/openid-connect-generic
• Issues: https://github.com/oidc-wp/openid-connect-generic/issues
• Security Issues: See SECURITY.md for responsible disclosure

---

Credits

• Development Team: Jonathan Daggerhart
• Security Research Community: Thank you for responsible disclosure

3.10.4 Fixes & Maintenance Release

What's Changed

• Fix/get user by identity meta query by @menno-ll in #623
• Fix iOS Safari authentication failures caused by ITP cookie blocking by @ramadanomar in #625
• PR for Release/3.10.4 by @daggerhart in #626

New Contributors

• @menno-ll made their first contribution in #623
• @ramadanomar made their first contribution in #625

Full Changelog: 3.10.3...3.10.4

3.10.3 Fixes & Maintenance Release

What's Changed

• 00 local dev updates by @daggerhart in #598
• 534: Add get_authentication_url shortcode attributes to make_login_button shortcode by @daggerhart in #601
• 534: Fix for redirect_to and login button shortcode attributes by @daggerhart in #602
• chore(deps-dev): Bump the composer-security group with 6 updates by @dependabot[bot] in #600
• chore(deps): Bump the github-actions group with 3 updates by @dependabot[bot] in #599
• 567 user token refresh by @daggerhart in #603
• 00 fatal error when logs isnt array by @daggerhart in #611
• 604 userinfo get post request by @daggerhart in #610
• Fix Multisite User Options Issue by @sneha0410-debug in #609
• chore(deps): Bump lodash from 4.17.21 to 4.17.23 by @dependabot[bot] in #605
• chore(deps-dev): Bump phpunit/phpunit from 9.6.17 to 9.6.33 by @dependabot[bot] in #607
• chore(deps-dev): Bump symfony/process from 6.4.31 to 6.4.33 by @dependabot[bot] in #608
• Release/3.10.3 by @daggerhart in #612

New Contributors

• @sneha0410-debug made their first contribution in #609

Full Changelog: 3.10.2...3.10.3

3.10.2

Fix for regression caused by url handling improvements.

What's Changed

• Fix for issue #591 by @socialmedialabs in #592

New Contributors

• @socialmedialabs made their first contribution in #592

Full Changelog: 3.10.1...3.10.2

3.10.1 Features, Fixes & Maintenance Release

What's Changed

• fix(Wrapper): Fixes handling of optional expires_in attribute in Access Token by @timnolte in #539
• Fix userinfo request method by @JUVOJustin in #563
• chore(deps-dev): Bump express from 4.18.2 to 4.19.2 by @dependabot[bot] in #528
• chore(deps-dev): Bump webpack-dev-middleware from 5.3.3 to 5.3.4 by @dependabot[bot] in #524
• chore(deps-dev): Bump follow-redirects from 1.15.4 to 1.15.6 by @dependabot[bot] in #523
• Chore: @daggerhart - Readme updates and clarifications.
• Chore: @daggerhart - Release workflow updates.
• @daggerhart - Improved error handling for malformed urls.
• Add filters for contextualization by @JUVOJustin in #559
• chore(deps): Bump js-yaml by @dependabot[bot] in #583
• chore(deps): Bump on-headers and compression by @dependabot[bot] in #584
• chore(deps-dev): Bump form-data from 4.0.0 to 4.0.5 by @dependabot[bot] in #585
• chore(deps-dev): Bump node-forge from 1.3.1 to 1.3.3 by @dependabot[bot] in #586
• chore(deps-dev): Bump tmp from 0.2.1 to 0.2.5 by @dependabot[bot] in #587

New Contributors

• @JUVOJustin made their first contribution in #563

Full Changelog: 3.10.0...3.10.1

3.10.0 Features, Fixes & Maintenance Release

What's Changed

• Main by @timnolte in #304
• Development Environment & Dependecies Updates by @timnolte in #369
• Multisite/network configurations use your current blog as the default… by @danc1248 in #364
• added define config with OIDC_LOGIN_TYPE and OIDC_CLIENT_SCOPE by @matchaxnb in #256
• Aggregated claims by @schanzen in #255
• Implement singleton pattern for OpenID_Connect_Generic class by @RobjS in #190
• Updates NPM Modules & Changes Plugin Instance Visibility by @timnolte in #380
• Bump tar from 4.4.13 to 4.4.19 by @dependabot in #377
• Bump ssri from 6.0.1 to 6.0.2 by @dependabot in #382
• Bump lodash from 4.17.19 to 4.17.21 by @dependabot in #383
• Bump path-parse from 1.0.6 to 1.0.7 by @dependabot in #381
• Bump ws from 6.2.1 to 6.2.2 by @dependabot in #385
• Bump hosted-git-info from 2.8.8 to 2.8.9 by @dependabot in #384
• Fix #178 : update user meta after refresh by @rkcreation in #337
• Add openid-connect-generic-session-expired action on session expiry before logout by @jkouris in #228
• Only load admin CSS when showing settings page by @tommcc in #345
• Refresh user claim by @rkcreation in #338
• Acr value support by @Glowsome in #388
• Refactors new ACR Handling Code for Better Code Quality by @timnolte in #389
• Fixes 3.8.0 Regression for User Creation Failure When No Nickname by @timnolte in #390
• Fixes QS not being added to the redirect URL by @slykar in #335
• Fixes User Linking & Creation Issues by @timnolte in #392
• Dependabot Security Related Fixes & Refactoring by @timnolte in #393
• Updates WP to Latest Dev Standard for Local Development by @timnolte in #395
• Refactors Callable Refresh User Claims Function & Action by @timnolte in #396
• Updates to Allow Composer Installers Version 1 & 2 by @timnolte in #426
• Bump minimist from 1.2.5 to 1.2.6 by @dependabot in #398
• Bump grunt from 1.4.1 to 1.5.3 by @dependabot in #407
• Bump terser from 5.12.1 to 5.14.2 by @dependabot in #422
• Fixes and Updates GitHub Actions by @timnolte in #430
• Prepares New Bug Fix and Refactoring Release by @timnolte in #432
• HOWTO.md: fix typo in alter-user-data example by @xdavidwu in #434
• Create an Official Security Policy by @timnolte in #463
• fix(php): Security upgrade php from 7.4-cli to 8.0-cli [Snyk] by @snyk-bot in #479
• fix(deps): Bump minimatch from 3.0.4 to 3.0.8 by @dependabot in #448
• fix(deps): Bump loader-utils from 1.4.0 to 1.4.2 by @dependabot in #449
• fix(deps): Bump decode-uri-component from 0.2.0 to 0.2.2 by @dependabot in #455
• fix(deps): Bump qs from 6.5.2 to 6.5.3 by @dependabot in #457
• fix(deps): Bump simple-git and @wordpress/env by @dependabot in #464
• fix(deps): Bump @sideway/formula from 3.0.0 to 3.0.1 by @dependabot in #470
• fix(deps): Bump got, @wordpress/env and npm by @dependabot in #487
• fix(deps): Bump async from 2.6.3 to 2.6.4 by @dependabot in #485
• fix(deps): Bump webpack from 5.70.0 to 5.83.1 by @dependabot in #484
• fix(deps): Bump json5 from 1.0.1 to 1.0.2 by @dependabot in #460
• fix(deps): Bump http-cache-semantics and npm by @dependabot in #467
• fix(filters): Prevents running the auth url filter twice by @drzraf in #405
• fix: #458 Log Cleanup When Log Limit Changed by @timnolte in #489
• chore: Clean up PHPStan configuration by @szepeviktor in #420
• chore(Unit Testing): Adds Unit Testing & New Local Development Environment by @timnolte in #501
• chore: Updates documentation & GHA workflows to use develop branch by @timnolte in #506
• Bump axios and @wordpress/scripts by @dependabot in #505
• chore(deps-dev): Bump follow-redirects from 1.15.3 to 1.15.4 by @dependabot in #508
• chore(deps-dev): Bump ip from 1.1.8 to 1.1.9 by @dependabot in #515
• feat(Logging): Updates logging to allow for tracking processing time by @timnolte in #522
• feat(Sessions): Add remember me feature via a filter by @menno-ll in #513
• feat(Cookies): Updates WP Cookie Expiration to Same as Session Length by @menno-ll in #514
• 3.10.0 Features, Fixes & Maintenance Release by @timnolte in #529

New Contributors

• @danc1248 made their first contribution in #364
• @matchaxnb made their first contribution in #256
• @schanzen made their first contribution in #255
• @dependabot made their first contribution in #377
• @rkcreation made their first contribution in #337
• @jkouris made their first contribution in #228
• @tommcc made their first contribution in #345
• @Glowsome made their first contribution in #388
• @slykar made their first contribution in #335
• @xdavidwu made their first contribution in #434
• @snyk-bot made their first contribution in #479
• @szepeviktor made their first contribution in #420
• @menno-ll made their first contribution in #513

Full Changelog: 3.9.1...3.10.0

3.9.1 Maintenance Release

What's Changed

• Improvement: @timnolte - Refactors Composer setup and GitHub Actions.
• Improvement: @timnolte - Bumps WordPress tested version compatibility.