oidc-wp
diff --git a/‎CHANGELOG.md‎
Lines changed: 56 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 3 deletions b/‎README.md‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎includes/openid-connect-generic-client.php‎
Lines changed: 8 additions & 0 deletions b/‎includes/openid-connect-generic-client.php‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎includes/openid-connect-generic-jwt-validator.php‎
Lines changed: 8 additions & 0 deletions b/‎includes/openid-connect-generic-jwt-validator.php‎
Lines changed: 8 additions & 0 deletions
@@ -1,5 +1,61 @@
 # OpenId Connect Generic Changelog
 
+**3.11.3**
+
+* Feature/improvement: Added configurable issuer setting for JWT validation.
+
+**3.11.2**
+
+* Improvement: Support identity providers that omit algorithm parameter in JWKS (Microsoft Entra ID).
+
+**3.11.1**
+
+* Fix bug created in 3.11.0 release when comparing issuer to derived expected value.
+
+**3.11.0**
+
+**SECURITY RELEASE**
+
+* Security: Added JWT signature verification using JWKS to prevent token forgery
+* Security: Enhanced token claim validation (exp, aud, iss, iat, nonce)
+* Security: Replaced weak state generation with cryptographically secure random_bytes()
+* Security: Fixed open redirect vulnerability in authentication flow
+* Security: Restricted SSL verification bypass to local development environments only
+* Security: Added nonce protection to debug mode to prevent information disclosure
+* Security: Added SSRF protection by default through use of wp_safe_remote_* functions
+* Feature: Added JWKS endpoint configuration setting
+* Feature: Added OpenID Connect discovery document support
+* Feature: Added customizable login button text setting
+* Improvement: Migrated to Composer-managed dependencies
+* Fix: Corrected issuer validation to properly extract base URL from endpoints
+* Fix: Identity token timestamp tracking
+
+**3.10.4**
+
+* Fix issue with finding users on multisite after switch to user options in place of user meta.
+* Improvement: Retry logins for some IDP errors to bypass issue with Safari ITP. Also improves display of error messages that come from the IDP.
+
+**3.10.3**
+
+* Fix issue with log corruption causing fatal error.
+* Fix: Fallback to a POST request for userinfo when GET fails.
+* Fix: Improves multisite compatibility by switching to *_user_options() functions.
+* Fix: Fix for WordPress user session length being very short when refresh tokens are enabled.
+
+**3.10.2**
+
+* Fix: @socialmedialabs - Regression affecting SSO Auto Login with url handling improvement changes.
+
+**3.10.1**
+
+* Chore: @daggerhart - Readme updates and clarifications.
+* Chore: @daggerhart - Release workflow updates.
+* Improved error handling for malformed urls.
+* Fix: @JUVOJustin - Change request for userinfo to GET.
+* Feature: @JUVOJustin - New filter for settings values `openid-connect-generic-settings`.
+* Feature: @JUVOJustin - New filter for state values `openid-connect-generic-new-state-value`.
+
+
 **3.10.0**
 
 - Chore: @timnolte - Dependency updates.
 
@@ -3,7 +3,7 @@
 **Tags:** security, login, oauth2, openidconnect, apps, authentication, autologin, sso  
 **Requires at least:** 5.0  
 **Tested up to:** 6.9.0  
-**Stable tag:** 3.11.2  
+**Stable tag:** 3.11.3  
 **Requires PHP:** 7.4  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html  
@@ -49,12 +49,16 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
 
 ## Upgrade Notice ##
 
-### 3.11.2 ###
+### 3.11.3 ###
 
-CRITICAL SECURITY UPDATE: 3.11.x Fixes authentication vulnerabilities including JWT signature bypass and SSRF protection. Update immediately and configure JWKS endpoint in settings.
+SECURITY UPDATE: 3.11.x branch - Fixes authentication vulnerabilities including JWT signature bypass and SSRF protection. Update immediately and configure JWKS endpoint in settings.
 
 ## Changelog ##
 
+### 3.11.3 ###
+
+* Feature/improvement: Added configurable issuer setting for JWT validation.
+
 ### 3.11.2 ###
 
 * Improvement: Support identity providers that omit algorithm parameter in JWKS (Microsoft Entra ID).
 
@@ -698,6 +698,14 @@ public function validate_id_token_claim( $id_token_claim ) {
 			}
 
 			if ( rtrim( $id_token_claim['iss'], '/' ) !== rtrim( $expected_issuer, '/' ) ) {
+				$this->logger->log(
+					sprintf(
+						'Issuer mismatch - Expected: "%s", Received: "%s". Configure the correct issuer in Settings > OpenID Connect Client > Issuer field, or via the OIDC_ISSUER constant.',
+						$expected_issuer,
+						$id_token_claim['iss']
+					),
+					'issuer-mismatch'
+				);
 				return new WP_Error(
 					'invalid-iss',
 					sprintf(
 
@@ -228,6 +228,14 @@ private function validate_jwt_claims( $decoded_jwt ) {
 			}
 
 			if ( rtrim( $decoded_jwt->iss, '/' ) !== rtrim( $this->issuer, '/' ) ) {
+				$this->logger->log(
+					sprintf(
+						'Issuer mismatch - Expected: "%s", Received: "%s". Configure the correct issuer in Settings > OpenID Connect Client > Issuer field, or via the OIDC_ISSUER constant.',
+						$this->issuer,
+						$decoded_jwt->iss
+					),
+					'issuer-mismatch'
+				);
 				return new WP_Error(
 					'invalid-iss',
 					__( 'Token issuer does not match expected issuer.', 'daggerhart-openid-connect-generic' )