Release/3.11.3 (#640)

* Add configurable issuer setting for JWT validation (#639)

Fixes issuer mismatch errors when the IDP's issuer differs from the
login endpoint base URL. The issuer can be configured via the Issuer
setting, OIDC_ISSUER constant, or auto-populated from discovery
documents. Defaults to deriving from endpoint_login for backward
compatibility.

* 3.11.3

* Log issuer mismatch details for admins to fix the problem

* Release 3.11.3 version bump and tasks

Author: daggerhart

CHANGELOG.md

@@ -1,5 +1,61 @@
 # OpenId Connect Generic Changelog
 
+**3.11.3**
+
+* Feature/improvement: Added configurable issuer setting for JWT validation.
+
+**3.11.2**
+
+* Improvement: Support identity providers that omit algorithm parameter in JWKS (Microsoft Entra ID).
+
+**3.11.1**
+
+* Fix bug created in 3.11.0 release when comparing issuer to derived expected value.
+
+**3.11.0**
+
+**SECURITY RELEASE**
+
+* Security: Added JWT signature verification using JWKS to prevent token forgery
+* Security: Enhanced token claim validation (exp, aud, iss, iat, nonce)
+* Security: Replaced weak state generation with cryptographically secure random_bytes()
+* Security: Fixed open redirect vulnerability in authentication flow
+* Security: Restricted SSL verification bypass to local development environments only
+* Security: Added nonce protection to debug mode to prevent information disclosure
+* Security: Added SSRF protection by default through use of wp_safe_remote_* functions
+* Feature: Added JWKS endpoint configuration setting
+* Feature: Added OpenID Connect discovery document support
+* Feature: Added customizable login button text setting
+* Improvement: Migrated to Composer-managed dependencies
+* Fix: Corrected issuer validation to properly extract base URL from endpoints
+* Fix: Identity token timestamp tracking
+
+**3.10.4**
+
+* Fix issue with finding users on multisite after switch to user options in place of user meta.
+* Improvement: Retry logins for some IDP errors to bypass issue with Safari ITP. Also improves display of error messages that come from the IDP.
+
+**3.10.3**
+
+* Fix issue with log corruption causing fatal error.
+* Fix: Fallback to a POST request for userinfo when GET fails.
+* Fix: Improves multisite compatibility by switching to *_user_options() functions.
+* Fix: Fix for WordPress user session length being very short when refresh tokens are enabled.
+
+**3.10.2**
+
+* Fix: @socialmedialabs - Regression affecting SSO Auto Login with url handling improvement changes.
+
+**3.10.1**
+
+* Chore: @daggerhart - Readme updates and clarifications.
+* Chore: @daggerhart - Release workflow updates.
+* Improved error handling for malformed urls.
+* Fix: @JUVOJustin - Change request for userinfo to GET.
+* Feature: @JUVOJustin - New filter for settings values `openid-connect-generic-settings`.
+* Feature: @JUVOJustin - New filter for state values `openid-connect-generic-new-state-value`.
+
+
 **3.10.0**
 
 - Chore: @timnolte - Dependency updates.

README.md

@@ -3,7 +3,7 @@
 **Tags:** security, login, oauth2, openidconnect, apps, authentication, autologin, sso  
 **Requires at least:** 5.0  
 **Tested up to:** 6.9.0  
-**Stable tag:** 3.11.2  
+**Stable tag:** 3.11.3  
 **Requires PHP:** 7.4  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html  
@@ -49,12 +49,16 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
 
 ## Upgrade Notice ##
 
-### 3.11.2 ###
+### 3.11.3 ###
 
-CRITICAL SECURITY UPDATE: 3.11.x Fixes authentication vulnerabilities including JWT signature bypass and SSRF protection. Update immediately and configure JWKS endpoint in settings.
+SECURITY UPDATE: 3.11.x branch - Fixes authentication vulnerabilities including JWT signature bypass and SSRF protection. Update immediately and configure JWKS endpoint in settings.
 
 ## Changelog ##
 
+### 3.11.3 ###
+
+* Feature/improvement: Added configurable issuer setting for JWT validation.
+
 ### 3.11.2 ###
 
 * Improvement: Support identity providers that omit algorithm parameter in JWKS (Microsoft Entra ID).

includes/openid-connect-generic-client-wrapper.php

@@ -914,11 +914,16 @@ private function get_claim( $claimname, $userinfo, &$claimvalue ) {
 
 		// Check if JWKS endpoint is configured for JWT signature verification.
 		if ( ! empty( $this->settings->endpoint_jwks ) ) {
+			// Use configured issuer if provided, otherwise derive from endpoint_login.
+			$issuer = ! empty( $this->settings->issuer ) ?
+				$this->settings->issuer :
+				( ! empty( $this->settings->endpoint_login ) ? $this->client->get_issuer_from_endpoint( $this->settings->endpoint_login ) : '' );
+
 			// Use JWT validator for secure signature verification.
 			$jwt_validator = new OpenID_Connect_Generic_JWT_Validator(
 				$this->settings->endpoint_jwks,
 				$this->settings->client_id,
-				$this->client->get_issuer_from_endpoint( $this->settings->endpoint_login ),
+				$issuer,
 				$this->settings->jwks_cache_ttl,
 				$this->settings->allow_internal_idp,
 				$this->logger

includes/openid-connect-generic-client.php

@@ -100,6 +100,15 @@ class OpenID_Connect_Generic_Client {
 	 */
 	private $endpoint_jwks;
 
+	/**
+	 * The issuer URL for JWT validation.
+	 *
+	 * @see OpenID_Connect_Generic_Option_Settings::issuer
+	 *
+	 * @var string
+	 */
+	private $issuer;
+
 	/**
 	 * The JWKS cache TTL in seconds.
 	 *
@@ -146,12 +155,13 @@ class OpenID_Connect_Generic_Client {
 	 * @param string                               $redirect_uri       @see OpenID_Connect_Generic_Option_Settings::redirect_uri for description.
 	 * @param string                               $acr_values         @see OpenID_Connect_Generic_Option_Settings::acr_values for description.
 	 * @param string                               $endpoint_jwks      @see OpenID_Connect_Generic_Option_Settings::endpoint_jwks for description.
+	 * @param string                               $issuer             @see OpenID_Connect_Generic_Option_Settings::issuer for description.
 	 * @param int                                  $jwks_cache_ttl     @see OpenID_Connect_Generic_Option_Settings::jwks_cache_ttl for description.
 	 * @param int                                  $state_time_limit   @see OpenID_Connect_Generic_Option_Settings::state_time_limit for description.
 	 * @param bool                                 $allow_internal_idp @see OpenID_Connect_Generic_Option_Settings::allow_internal_idp for description.
 	 * @param OpenID_Connect_Generic_Option_Logger $logger             The plugin logging object instance.
 	 */
-	public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $acr_values, $endpoint_jwks, $jwks_cache_ttl, $state_time_limit, $allow_internal_idp, $logger ) {
+	public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $acr_values, $endpoint_jwks, $issuer, $jwks_cache_ttl, $state_time_limit, $allow_internal_idp, $logger ) {
 		$this->client_id = $client_id;
 		$this->client_secret = $client_secret;
 		$this->scope = $scope;
@@ -161,6 +171,7 @@ public function __construct( $client_id, $client_secret, $scope, $endpoint_login
 		$this->redirect_uri = $redirect_uri;
 		$this->acr_values = $acr_values;
 		$this->endpoint_jwks = $endpoint_jwks;
+		$this->issuer = $issuer;
 		$this->jwks_cache_ttl = $jwks_cache_ttl;
 		$this->state_time_limit = $state_time_limit;
 		$this->allow_internal_idp = $allow_internal_idp;
@@ -543,11 +554,16 @@ public function get_id_token_claim( $token_response ) {
 
 		// Check if JWKS endpoint is configured for JWT signature verification.
 		if ( ! empty( $this->endpoint_jwks ) ) {
+			// Use configured issuer if provided, otherwise derive from endpoint_login.
+			$issuer = ! empty( $this->issuer )
+				? $this->issuer
+				: $this->get_issuer_from_endpoint( $this->endpoint_login );
+
 			// Use JWT validator for secure signature verification.
 			$jwt_validator = new OpenID_Connect_Generic_JWT_Validator(
 				$this->endpoint_jwks,
 				$this->client_id,
-				$this->get_issuer_from_endpoint( $this->endpoint_login ),
+				$issuer,
 				$this->jwks_cache_ttl,
 				$this->allow_internal_idp,
 				$this->logger
@@ -671,16 +687,25 @@ public function validate_id_token_claim( $id_token_claim ) {
 			return new WP_Error( 'invalid-aud', __( 'Token audience does not match client.', 'daggerhart-openid-connect-generic' ), $id_token_claim );
 		}
 
-		// Validate issuer claim if endpoint_login is configured.
-		if ( ! empty( $this->endpoint_login ) ) {
+		// Validate issuer claim if configured or endpoint_login is available.
+		$expected_issuer = ! empty( $this->issuer ) ?
+			$this->issuer :
+			( ! empty( $this->endpoint_login ) ? $this->get_issuer_from_endpoint( $this->endpoint_login ) : '' );
+
+		if ( ! empty( $expected_issuer ) ) {
 			if ( ! isset( $id_token_claim['iss'] ) ) {
 				return new WP_Error( 'missing-iss', __( 'Token missing issuer claim.', 'daggerhart-openid-connect-generic' ), $id_token_claim );
 			}
 
-			// Extract expected issuer from endpoint_login (base URL).
-			$expected_issuer = $this->get_issuer_from_endpoint( $this->endpoint_login );
-
 			if ( rtrim( $id_token_claim['iss'], '/' ) !== rtrim( $expected_issuer, '/' ) ) {
+				$this->logger->log(
+					sprintf(
+						'Issuer mismatch - Expected: "%s", Received: "%s". Configure the correct issuer in Settings > OpenID Connect Client > Issuer field, or via the OIDC_ISSUER constant.',
+						$expected_issuer,
+						$id_token_claim['iss']
+					),
+					'issuer-mismatch'
+				);
 				return new WP_Error(
 					'invalid-iss',
 					sprintf(

includes/openid-connect-generic-jwt-validator.php

@@ -228,6 +228,14 @@ private function validate_jwt_claims( $decoded_jwt ) {
 			}
 
 			if ( rtrim( $decoded_jwt->iss, '/' ) !== rtrim( $this->issuer, '/' ) ) {
+				$this->logger->log(
+					sprintf(
+						'Issuer mismatch - Expected: "%s", Received: "%s". Configure the correct issuer in Settings > OpenID Connect Client > Issuer field, or via the OIDC_ISSUER constant.',
+						$this->issuer,
+						$decoded_jwt->iss
+					),
+					'issuer-mismatch'
+				);
 				return new WP_Error(
 					'invalid-iss',
 					__( 'Token issuer does not match expected issuer.', 'daggerhart-openid-connect-generic' )

includes/openid-connect-generic-option-settings.php

@@ -35,6 +35,7 @@
  * @property string $endpoint_token       The IDP token validation endpoint URL.
  * @property string $endpoint_end_session The IDP logout endpoint URL.
  * @property string $endpoint_jwks        The IDP JWKS endpoint URL for JWT signature verification.
+ * @property string $issuer               The IDP issuer URL for JWT validation (optional - derived from endpoint_login if not set).
  * @property int    $jwks_cache_ttl       The JWKS cache TTL in seconds.
  * @property string $acr_values           The Authentication contract as defined on the IDP.
  *
@@ -98,6 +99,7 @@ class OpenID_Connect_Generic_Option_Settings {
 		'endpoint_token'            => 'OIDC_ENDPOINT_TOKEN_URL',
 		'endpoint_userinfo'         => 'OIDC_ENDPOINT_USERINFO_URL',
 		'endpoint_jwks'             => 'OIDC_ENDPOINT_JWKS_URL',
+		'issuer'                    => 'OIDC_ISSUER',
 		'login_type'                => 'OIDC_LOGIN_TYPE',
 		'scope'                     => 'OIDC_CLIENT_SCOPE',
 		'create_if_does_not_exist'  => 'OIDC_CREATE_IF_DOES_NOT_EXIST',

includes/openid-connect-generic-settings-page.php

@@ -308,6 +308,14 @@ private function get_settings_fields() {
 				'disabled'    => defined( 'OIDC_ENDPOINT_JWKS_URL' ),
 				'section'     => 'client_settings',
 			),
+			'issuer' => array(
+				'title'       => __( 'Issuer', 'daggerhart-openid-connect-generic' ),
+				'description' => __( 'Identity provider issuer URL for JWT validation. If not set, the issuer will be automatically derived from the Login Endpoint URL. Only configure this if your IDP uses a different issuer than the base URL of the login endpoint.', 'daggerhart-openid-connect-generic' ),
+				'example'     => 'https://example.com',
+				'type'        => 'text',
+				'disabled'    => defined( 'OIDC_ISSUER' ),
+				'section'     => 'client_settings',
+			),
 			'jwks_cache_ttl' => array(
 				'title'       => __( 'JWKS Cache TTL (seconds)', 'daggerhart-openid-connect-generic' ),
 				'description' => __( 'Time in seconds to cache JWKS keys. Default: 3600 (1 hour)', 'daggerhart-openid-connect-generic' ),
@@ -776,6 +784,7 @@ private function populate_settings_from_discovery( $discovery ) {
 			'token_endpoint'         => 'endpoint_token',
 			'userinfo_endpoint'      => 'endpoint_userinfo',
 			'jwks_uri'               => 'endpoint_jwks',
+			'issuer'                 => 'issuer',
 			'end_session_endpoint'   => 'endpoint_end_session',
 		);