Changeset 3460486

Timestamp:

02/13/2026 04:36:09 AM (6 weeks ago)

Author:

daggerhart

Message:

Update to version 3.11.3 from GitHub

Location:

daggerhart-openid-connect-generic

Files:

• tags/3.11.3 (copied) (copied from daggerhart-openid-connect-generic/trunk)
• tags/3.11.3/includes/openid-connect-generic-client-wrapper.php (modified) (1 diff)
• tags/3.11.3/includes/openid-connect-generic-client.php (modified) (6 diffs)
• tags/3.11.3/includes/openid-connect-generic-jwt-validator.php (modified) (1 diff)
• tags/3.11.3/includes/openid-connect-generic-option-settings.php (modified) (2 diffs)
• tags/3.11.3/includes/openid-connect-generic-settings-page.php (modified) (2 diffs)
• tags/3.11.3/languages/openid-connect-generic.pot (modified) (21 diffs)
• tags/3.11.3/openid-connect-generic.php (modified) (3 diffs)
• tags/3.11.3/readme.txt (modified) (2 diffs)
• tags/3.11.3/vendor/composer/installed.php (modified) (2 diffs)
• trunk/includes/openid-connect-generic-client-wrapper.php (modified) (1 diff)
• trunk/includes/openid-connect-generic-client.php (modified) (6 diffs)
• trunk/includes/openid-connect-generic-jwt-validator.php (modified) (1 diff)
• trunk/includes/openid-connect-generic-option-settings.php (modified) (2 diffs)
• trunk/includes/openid-connect-generic-settings-page.php (modified) (2 diffs)
• trunk/languages/openid-connect-generic.pot (modified) (21 diffs)
• trunk/openid-connect-generic.php (modified) (3 diffs)
• trunk/readme.txt (modified) (2 diffs)
• trunk/vendor/composer/installed.php (modified) (2 diffs)

daggerhart-openid-connect-generic/tags/3.11.3/includes/openid-connect-generic-client-wrapper.php

@@ -915 +915 @@
         // Check if JWKS endpoint is configured for JWT signature verification.
         if ( ! empty( $this->settings->endpoint_jwks ) ) {
+            // Use configured issuer if provided, otherwise derive from endpoint_login.
+            $issuer = ! empty( $this->settings->issuer ) ?
+                $this->settings->issuer :
+                ( ! empty( $this->settings->endpoint_login ) ? $this->client->get_issuer_from_endpoint( $this->settings->endpoint_login ) : '' );
+
             // Use JWT validator for secure signature verification.
             $jwt_validator = new OpenID_Connect_Generic_JWT_Validator(
                 $this->settings->endpoint_jwks,
                 $this->settings->client_id,
-                $this->client->get_issuer_from_endpoint( $this->settings->endpoint_login ),
+                $issuer,
                 $this->settings->jwks_cache_ttl,
                 $this->settings->allow_internal_idp,

daggerhart-openid-connect-generic/tags/3.11.3/includes/openid-connect-generic-client.php

@@ -102 +102 @@
 
     /**
+     * The issuer URL for JWT validation.
+     *
+     * @see OpenID_Connect_Generic_Option_Settings::issuer
+     *
+     * @var string
+     */
+    private $issuer;
+
+    /**
      * The JWKS cache TTL in seconds.
      *
@@ -147 +156 @@
      * @param string                               $acr_values         @see OpenID_Connect_Generic_Option_Settings::acr_values for description.
      * @param string                               $endpoint_jwks      @see OpenID_Connect_Generic_Option_Settings::endpoint_jwks for description.
+     * @param string                               $issuer             @see OpenID_Connect_Generic_Option_Settings::issuer for description.
      * @param int                                  $jwks_cache_ttl     @see OpenID_Connect_Generic_Option_Settings::jwks_cache_ttl for description.
      * @param int                                  $state_time_limit   @see OpenID_Connect_Generic_Option_Settings::state_time_limit for description.
@@ -152 +162 @@
      * @param OpenID_Connect_Generic_Option_Logger $logger             The plugin logging object instance.
      */
-    public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $acr_values, $endpoint_jwks, $jwks_cache_ttl, $state_time_limit, $allow_internal_idp, $logger ) {
+    public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $acr_values, $endpoint_jwks, $issuer, $jwks_cache_ttl, $state_time_limit, $allow_internal_idp, $logger ) {
         $this->client_id = $client_id;
         $this->client_secret = $client_secret;
@@ -162 +172 @@
         $this->acr_values = $acr_values;
         $this->endpoint_jwks = $endpoint_jwks;
+        $this->issuer = $issuer;
         $this->jwks_cache_ttl = $jwks_cache_ttl;
         $this->state_time_limit = $state_time_limit;
@@ -544 +555 @@
         // Check if JWKS endpoint is configured for JWT signature verification.
         if ( ! empty( $this->endpoint_jwks ) ) {
+            // Use configured issuer if provided, otherwise derive from endpoint_login.
+            $issuer = ! empty( $this->issuer )
+                ? $this->issuer
+                : $this->get_issuer_from_endpoint( $this->endpoint_login );
+
             // Use JWT validator for secure signature verification.
             $jwt_validator = new OpenID_Connect_Generic_JWT_Validator(
                 $this->endpoint_jwks,
                 $this->client_id,
-                $this->get_issuer_from_endpoint( $this->endpoint_login ),
+                $issuer,
                 $this->jwks_cache_ttl,
                 $this->allow_internal_idp,
@@ -672 +688 @@
         }
 
-        // Validate issuer claim if endpoint_login is configured.
-        if ( ! empty( $this->endpoint_login ) ) {
+        // Validate issuer claim if configured or endpoint_login is available.
+        $expected_issuer = ! empty( $this->issuer ) ?
+            $this->issuer :
+            ( ! empty( $this->endpoint_login ) ? $this->get_issuer_from_endpoint( $this->endpoint_login ) : '' );
+
+        if ( ! empty( $expected_issuer ) ) {
             if ( ! isset( $id_token_claim['iss'] ) ) {
                 return new WP_Error( 'missing-iss', __( 'Token missing issuer claim.', 'daggerhart-openid-connect-generic' ), $id_token_claim );
             }
 
-            // Extract expected issuer from endpoint_login (base URL).
-            $expected_issuer = $this->get_issuer_from_endpoint( $this->endpoint_login );
-
             if ( rtrim( $id_token_claim['iss'], '/' ) !== rtrim( $expected_issuer, '/' ) ) {
+                $this->logger->log(
+                    sprintf(
+                        'Issuer mismatch - Expected: "%s", Received: "%s". Configure the correct issuer in Settings > OpenID Connect Client > Issuer field, or via the OIDC_ISSUER constant.',
+                        $expected_issuer,
+                        $id_token_claim['iss']
+                    ),
+                    'issuer-mismatch'
+                );
                 return new WP_Error(
                     'invalid-iss',

daggerhart-openid-connect-generic/tags/3.11.3/includes/openid-connect-generic-jwt-validator.php

@@ -229 +229 @@
 
             if ( rtrim( $decoded_jwt->iss, '/' ) !== rtrim( $this->issuer, '/' ) ) {
+                $this->logger->log(
+                    sprintf(
+                        'Issuer mismatch - Expected: "%s", Received: "%s". Configure the correct issuer in Settings > OpenID Connect Client > Issuer field, or via the OIDC_ISSUER constant.',
+                        $this->issuer,
+                        $decoded_jwt->iss
+                    ),
+                    'issuer-mismatch'
+                );
                 return new WP_Error(
                     'invalid-iss',

daggerhart-openid-connect-generic/tags/3.11.3/includes/openid-connect-generic-option-settings.php

@@ -36 +36 @@
  * @property string $endpoint_end_session The IDP logout endpoint URL.
  * @property string $endpoint_jwks        The IDP JWKS endpoint URL for JWT signature verification.
+ * @property string $issuer               The IDP issuer URL for JWT validation (optional - derived from endpoint_login if not set).
  * @property int    $jwks_cache_ttl       The JWKS cache TTL in seconds.
  * @property string $acr_values           The Authentication contract as defined on the IDP.
@@ -99 +100 @@
         'endpoint_userinfo'         => 'OIDC_ENDPOINT_USERINFO_URL',
         'endpoint_jwks'             => 'OIDC_ENDPOINT_JWKS_URL',
+        'issuer'                    => 'OIDC_ISSUER',
         'login_type'                => 'OIDC_LOGIN_TYPE',
         'scope'                     => 'OIDC_CLIENT_SCOPE',

daggerhart-openid-connect-generic/tags/3.11.3/includes/openid-connect-generic-settings-page.php

@@ -309 +309 @@
                 'section'     => 'client_settings',
             ),
+            'issuer' => array(
+                'title'       => __( 'Issuer', 'daggerhart-openid-connect-generic' ),
+                'description' => __( 'Identity provider issuer URL for JWT validation. If not set, the issuer will be automatically derived from the Login Endpoint URL. Only configure this if your IDP uses a different issuer than the base URL of the login endpoint.', 'daggerhart-openid-connect-generic' ),
+                'example'     => 'https://example.com',
+                'type'        => 'text',
+                'disabled'    => defined( 'OIDC_ISSUER' ),
+                'section'     => 'client_settings',
+            ),
             'jwks_cache_ttl' => array(
                 'title'       => __( 'JWKS Cache TTL (seconds)', 'daggerhart-openid-connect-generic' ),
@@ -777 +785 @@
             'userinfo_endpoint'      => 'endpoint_userinfo',
             'jwks_uri'               => 'endpoint_jwks',
+            'issuer'                 => 'issuer',
             'end_session_endpoint'   => 'endpoint_end_session',
         );

daggerhart-openid-connect-generic/tags/3.11.3/languages/openid-connect-generic.pot

@@ -3 +3 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: OpenID Connect Generic 3.11.2\n"
+"Project-Id-Version: OpenID Connect Generic 3.11.3\n"
 "Report-Msgid-Bugs-To: "
 "https://github.com/oidc-wp/openid-connect-generic/issues\n"
-"POT-Creation-Date: 2026-02-12 21:27:15+00:00\n"
+"POT-Creation-Date: 2026-02-13 04:19:17+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
@@ -48 +48 @@
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:987
+#: includes/openid-connect-generic-client-wrapper.php:992
 msgid "User claim incomplete."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:1090
+#: includes/openid-connect-generic-client-wrapper.php:1095
 msgid "Bad user claim result."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:1156
+#: includes/openid-connect-generic-client-wrapper.php:1161
 msgid "Can not authorize."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:1185
+#: includes/openid-connect-generic-client-wrapper.php:1190
 msgid "Failed user creation."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:259
+#: includes/openid-connect-generic-client.php:270
 msgid "Missing state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:263
+#: includes/openid-connect-generic-client.php:274
 msgid "Invalid state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:278
+#: includes/openid-connect-generic-client.php:289
 msgid "Missing authentication code."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:323
+#: includes/openid-connect-generic-client.php:334
 msgid "Request for authentication token failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:356
+#: includes/openid-connect-generic-client.php:367
 msgid "Refresh token failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:371
+#: includes/openid-connect-generic-client.php:382
 msgid "Missing token body."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:379
+#: includes/openid-connect-generic-client.php:390
 msgid "Invalid token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:440
+#: includes/openid-connect-generic-client.php:451
 msgid "Request for userinfo failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:504
+#: includes/openid-connect-generic-client.php:515
 msgid "Missing authentication state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:541
+#: includes/openid-connect-generic-client.php:552
 msgid "No identity token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:576
+#: includes/openid-connect-generic-client.php:592
 msgid "Missing identity token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:635
+#: includes/openid-connect-generic-client.php:651
 msgid "Bad ID token claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:640
+#: includes/openid-connect-generic-client.php:656
 msgid "No subject identity."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:645
+#: includes/openid-connect-generic-client.php:661
 #: includes/openid-connect-generic-jwt-validator.php:184
 msgid "Token missing expiration claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:648
+#: includes/openid-connect-generic-client.php:664
 msgid "Token has expired."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:653
+#: includes/openid-connect-generic-client.php:669
 #: includes/openid-connect-generic-jwt-validator.php:192
 msgid "Token missing issued at claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:658
+#: includes/openid-connect-generic-client.php:674
 #: includes/openid-connect-generic-jwt-validator.php:200
 msgid "Token missing audience claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:671
+#: includes/openid-connect-generic-client.php:687
 #: includes/openid-connect-generic-jwt-validator.php:217
 msgid "Token audience does not match client."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:677
+#: includes/openid-connect-generic-client.php:697
 #: includes/openid-connect-generic-jwt-validator.php:226
 msgid "Token missing issuer claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:687
-#: includes/openid-connect-generic-jwt-validator.php:233
+#: includes/openid-connect-generic-client.php:712
+#: includes/openid-connect-generic-jwt-validator.php:241
 msgid "Token issuer does not match expected issuer."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:697
+#: includes/openid-connect-generic-client.php:722
 msgid "No matching acr values."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:717
+#: includes/openid-connect-generic-client.php:742
 msgid "Bad user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:737
+#: includes/openid-connect-generic-client.php:762
 msgid "Invalid user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:742
+#: includes/openid-connect-generic-client.php:767
 msgid "Error from the IDP."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:751
+#: includes/openid-connect-generic-client.php:776
 msgid "Incorrect user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:758
+#: includes/openid-connect-generic-client.php:783
 msgid "Unauthorized access."
 msgstr ""
@@ -191 +191 @@
 msgstr ""
 
-#: includes/openid-connect-generic-jwt-validator.php:307
+#: includes/openid-connect-generic-jwt-validator.php:315
 msgid "JWKS URI not configured. JWT signature verification requires JWKS endpoint."
 msgstr ""
 
-#: includes/openid-connect-generic-jwt-validator.php:338
+#: includes/openid-connect-generic-jwt-validator.php:346
 #. translators: %s is the error message
 msgid "JWT verification failed: %s"
@@ -358 +358 @@
 
 #: includes/openid-connect-generic-settings-page.php:312
+msgid "Issuer"
+msgstr ""
+
+#: includes/openid-connect-generic-settings-page.php:313
+msgid ""
+"Identity provider issuer URL for JWT validation. If not set, the issuer "
+"will be automatically derived from the Login Endpoint URL. Only configure "
+"this if your IDP uses a different issuer than the base URL of the login "
+"endpoint."
+msgstr ""
+
+#: includes/openid-connect-generic-settings-page.php:320
 msgid "JWKS Cache TTL (seconds)"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:313
+#: includes/openid-connect-generic-settings-page.php:321
 msgid "Time in seconds to cache JWKS keys. Default: 3600 (1 hour)"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:319
+#: includes/openid-connect-generic-settings-page.php:327
 msgid "ACR values"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:320
+#: includes/openid-connect-generic-settings-page.php:328
 msgid "Use a specific defined authentication contract from the IDP - optional."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:326
+#: includes/openid-connect-generic-settings-page.php:334
 msgid "Identity Key"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:327
+#: includes/openid-connect-generic-settings-page.php:335
 msgid ""
 "Where in the user claim array to find the user's identification data. "
@@ -384 +396 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:333
+#: includes/openid-connect-generic-settings-page.php:341
 msgid "HTTP Request Timeout"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:334
+#: includes/openid-connect-generic-settings-page.php:342
 msgid "Set the timeout for requests made to the IDP. Default value is 5."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:340
+#: includes/openid-connect-generic-settings-page.php:348
 msgid "Enforce Privacy"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:341
+#: includes/openid-connect-generic-settings-page.php:349
 msgid "Require users be logged in to see the site."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:347
+#: includes/openid-connect-generic-settings-page.php:355
 msgid "Alternate Redirect URI"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:348
+#: includes/openid-connect-generic-settings-page.php:356
 msgid ""
 "Provide an alternative redirect route. Useful if your server is causing "
@@ -412 +424 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:353
+#: includes/openid-connect-generic-settings-page.php:361
 msgid "Nickname Key"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:354
+#: includes/openid-connect-generic-settings-page.php:362
 msgid ""
 "Where in the user claim array to find the user's nickname. Possible "
@@ -422 +434 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:360
+#: includes/openid-connect-generic-settings-page.php:368
 msgid "Email Formatting"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:361
+#: includes/openid-connect-generic-settings-page.php:369
 msgid ""
 "String from which the user's email address is built. Specify \"{email}\" as "
@@ -432 +444 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:367
+#: includes/openid-connect-generic-settings-page.php:375
 msgid "Display Name Formatting"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:368
+#: includes/openid-connect-generic-settings-page.php:376
 msgid "String from which the user's display name is built."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:374
+#: includes/openid-connect-generic-settings-page.php:382
 msgid "Identify with User Name"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:375
+#: includes/openid-connect-generic-settings-page.php:383
 msgid ""
 "If checked, the user's identity will be determined by the user name instead "
@@ -450 +462 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:380
+#: includes/openid-connect-generic-settings-page.php:388
 msgid "State time limit"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:381
+#: includes/openid-connect-generic-settings-page.php:389
 msgid "State valid time in seconds. Defaults to 180"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:386
+#: includes/openid-connect-generic-settings-page.php:394
 msgid "Enable Refresh Token"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:387
+#: includes/openid-connect-generic-settings-page.php:395
 msgid ""
 "If checked, support refresh tokens used to obtain access tokens from "
@@ -468 +480 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:392
+#: includes/openid-connect-generic-settings-page.php:400
 msgid "Disable SSL Verify"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:394
+#: includes/openid-connect-generic-settings-page.php:402
 #. translators: %1$s HTML tags for layout/styles (strong tag start with warning
 #. class), %2$s closing HTML tag for styles.
@@ -482 +494 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:399
+#: includes/openid-connect-generic-settings-page.php:407
 msgid "Allow Internal IDP"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:401
+#: includes/openid-connect-generic-settings-page.php:409
 #. translators: %1$s HTML tags for layout/styles (strong tag start with warning
 #. class), %2$s closing HTML tag for styles.
@@ -496 +508 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:406
+#: includes/openid-connect-generic-settings-page.php:414
 msgid "Link Existing Users"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:407
+#: includes/openid-connect-generic-settings-page.php:415
 msgid ""
 "If a WordPress account already exists with the same identity as a "
@@ -507 +519 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:413
+#: includes/openid-connect-generic-settings-page.php:421
 msgid "Create user if does not exist"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:414
+#: includes/openid-connect-generic-settings-page.php:422
 msgid ""
 "If the user identity is not linked to an existing WordPress user, it is "
@@ -519 +531 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:420
+#: includes/openid-connect-generic-settings-page.php:428
 msgid "Redirect Back to Origin Page"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:421
+#: includes/openid-connect-generic-settings-page.php:429
 msgid ""
 "After a successful OpenID Connect authentication, this will redirect the "
@@ -534 +546 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:427
+#: includes/openid-connect-generic-settings-page.php:435
 msgid "Redirect to the login screen when session is expired"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:428
+#: includes/openid-connect-generic-settings-page.php:436
 msgid ""
 "When enabled, this will automatically redirect the user back to the "
@@ -544 +556 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:434
+#: includes/openid-connect-generic-settings-page.php:442
 msgid "Enable Logging"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:435
+#: includes/openid-connect-generic-settings-page.php:443
 msgid "Very simple log messages for debugging purposes."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:441
+#: includes/openid-connect-generic-settings-page.php:449
 msgid "Log Limit"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:442
+#: includes/openid-connect-generic-settings-page.php:450
 msgid ""
 "Number of items to keep in the log. These logs are stored as an option in "
@@ -562 +574 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:507
+#: includes/openid-connect-generic-settings-page.php:515
 msgid "Notes"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:510
+#: includes/openid-connect-generic-settings-page.php:518
 msgid "Redirect URI"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:514
+#: includes/openid-connect-generic-settings-page.php:522
 msgid "Login Button Shortcode"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:518
+#: includes/openid-connect-generic-settings-page.php:526
 msgid "Authentication URL Shortcode"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:523
+#: includes/openid-connect-generic-settings-page.php:531
 msgid "Logs"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:612
+#: includes/openid-connect-generic-settings-page.php:620
 msgid "Example"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:625
+#: includes/openid-connect-generic-settings-page.php:633
 msgid "Enter your OpenID Connect identity provider settings."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:634
+#: includes/openid-connect-generic-settings-page.php:642
 msgid "Modify the interaction between OpenID Connect and WordPress users."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:643
+#: includes/openid-connect-generic-settings-page.php:651
 msgid "Control the authorization mechanics of the site."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:652
+#: includes/openid-connect-generic-settings-page.php:660
 msgid "Log information about login attempts through OpenID Connect Generic."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:667
+#: includes/openid-connect-generic-settings-page.php:675
 msgid "Please enter a discovery URL."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:676
+#: includes/openid-connect-generic-settings-page.php:684
 msgid "Invalid discovery URL format."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:687
+#: includes/openid-connect-generic-settings-page.php:695
 msgid "Discovery URL must use HTTPS in production environments."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:707
+#: includes/openid-connect-generic-settings-page.php:715
 #. translators: %s: error message
 msgid "Failed to fetch discovery document: %s"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:719
+#: includes/openid-connect-generic-settings-page.php:727
 #. translators: %d: HTTP status code
 msgid "Discovery document request returned HTTP %d."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:732
+#: includes/openid-connect-generic-settings-page.php:740
 msgid "Discovery document is not valid JSON."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:751
+#: includes/openid-connect-generic-settings-page.php:759
 #. translators: %s: comma-separated list of missing fields
 msgid "Discovery document is missing required fields: %s"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:815
+#: includes/openid-connect-generic-settings-page.php:824
 msgid "Security check failed. Please try again."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:859
+#: includes/openid-connect-generic-settings-page.php:868
 #. translators: %d: number of fields populated
 msgid ""
@@ -648 +660 @@
 msgstr[1] ""
 
-#: includes/openid-connect-generic-settings-page.php:886
+#: includes/openid-connect-generic-settings-page.php:895
 msgid "Quick Setup: Import from Discovery Document"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:890
+#: includes/openid-connect-generic-settings-page.php:899
 msgid ""
 "Auto-populate endpoint settings from your identity provider's OpenID "
@@ -659 +671 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:898
+#: includes/openid-connect-generic-settings-page.php:907
 msgid "Discovery URL"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:910
+#: includes/openid-connect-generic-settings-page.php:919
 msgid "Enter your identity provider's OpenID Connect discovery endpoint URL."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:912
+#: includes/openid-connect-generic-settings-page.php:921
 msgid "Examples:"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:923
+#: includes/openid-connect-generic-settings-page.php:932
 msgid "Load Configuration"
 msgstr ""
 
-#: openid-connect-generic.php:251
+#: openid-connect-generic.php:252
 msgid "Private site"
 msgstr ""
 
-#: openid-connect-generic.php:281
+#: openid-connect-generic.php:282
 msgid "OpenID Connect Generic - Security Configuration Required"
 msgstr ""
 
-#: openid-connect-generic.php:288
+#: openid-connect-generic.php:289
 #. translators: %s is a link to the settings page
 msgid ""
@@ -691 +703 @@
 msgstr ""
 
-#: openid-connect-generic.php:295
+#: openid-connect-generic.php:296
 msgid ""
 "The current insecure fallback will be removed in version 3.12.0. After that "
@@ -697 +709 @@
 msgstr ""
 
-#: openid-connect-generic.php:298
+#: openid-connect-generic.php:299
 msgid "Common JWKS endpoints:"
 msgstr ""

daggerhart-openid-connect-generic/tags/3.11.3/openid-connect-generic.php

@@ -17 +17 @@
  * Plugin URI:        https://github.com/oidc-wp/openid-connect-generic
  * Description:       Connect to an OpenID Connect identity provider using Authorization Code Flow.
- * Version:           3.11.2
+ * Version:           3.11.3
  * Requires at least: 5.0
  * Requires PHP:      7.4
@@ -94 +94 @@
      * @var string
      */
-    const VERSION = '3.11.2';
+    const VERSION = '3.11.3';
 
     /**
@@ -160 +160 @@
             $this->settings->acr_values,
             $this->settings->endpoint_jwks,
+            $this->settings->issuer ?? '',
             $this->settings->jwks_cache_ttl,
             $this->get_state_time_limit( $this->settings ),

daggerhart-openid-connect-generic/tags/3.11.3/readme.txt

@@ -4 +4 @@
 Requires at least: 5.0
 Tested up to: 6.9.0
-Stable tag: 3.11.2
+Stable tag: 3.11.3
 Requires PHP: 7.4
 License: GPLv2 or later
@@ -50 +50 @@
 == Upgrade Notice ==
 
-= 3.11.2 =
+= 3.11.3 =
 
 SECURITY UPDATE: 3.11.x branch - Fixes authentication vulnerabilities including JWT signature bypass and SSRF protection. Update immediately and configure JWKS endpoint in settings.
 
 == Changelog ==
+
+= 3.11.3 =
+
+* Feature/improvement: Added configurable issuer setting for JWT validation.
 
 = 3.11.2 =

daggerhart-openid-connect-generic/tags/3.11.3/vendor/composer/installed.php

@@ -2 +2 @@
     'root' => array(
         'name' => 'daggerhart/openid-connect-generic',
-        'pretty_version' => '3.11.2',
-        'version' => '3.11.2.0',
-        'reference' => '1810fffbabb261cd81108575ccfd186bd2495d86',
+        'pretty_version' => '3.11.3',
+        'version' => '3.11.3.0',
+        'reference' => '0ef442c0f61bda837bddacec37b96035176bee27',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
@@ -21 +21 @@
         ),
         'daggerhart/openid-connect-generic' => array(
-            'pretty_version' => '3.11.2',
-            'version' => '3.11.2.0',
-            'reference' => '1810fffbabb261cd81108575ccfd186bd2495d86',
+            'pretty_version' => '3.11.3',
+            'version' => '3.11.3.0',
+            'reference' => '0ef442c0f61bda837bddacec37b96035176bee27',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-client-wrapper.php

@@ -915 +915 @@
         // Check if JWKS endpoint is configured for JWT signature verification.
         if ( ! empty( $this->settings->endpoint_jwks ) ) {
+            // Use configured issuer if provided, otherwise derive from endpoint_login.
+            $issuer = ! empty( $this->settings->issuer ) ?
+                $this->settings->issuer :
+                ( ! empty( $this->settings->endpoint_login ) ? $this->client->get_issuer_from_endpoint( $this->settings->endpoint_login ) : '' );
+
             // Use JWT validator for secure signature verification.
             $jwt_validator = new OpenID_Connect_Generic_JWT_Validator(
                 $this->settings->endpoint_jwks,
                 $this->settings->client_id,
-                $this->client->get_issuer_from_endpoint( $this->settings->endpoint_login ),
+                $issuer,
                 $this->settings->jwks_cache_ttl,
                 $this->settings->allow_internal_idp,

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-client.php

@@ -102 +102 @@
 
     /**
+     * The issuer URL for JWT validation.
+     *
+     * @see OpenID_Connect_Generic_Option_Settings::issuer
+     *
+     * @var string
+     */
+    private $issuer;
+
+    /**
      * The JWKS cache TTL in seconds.
      *
@@ -147 +156 @@
      * @param string                               $acr_values         @see OpenID_Connect_Generic_Option_Settings::acr_values for description.
      * @param string                               $endpoint_jwks      @see OpenID_Connect_Generic_Option_Settings::endpoint_jwks for description.
+     * @param string                               $issuer             @see OpenID_Connect_Generic_Option_Settings::issuer for description.
      * @param int                                  $jwks_cache_ttl     @see OpenID_Connect_Generic_Option_Settings::jwks_cache_ttl for description.
      * @param int                                  $state_time_limit   @see OpenID_Connect_Generic_Option_Settings::state_time_limit for description.
@@ -152 +162 @@
      * @param OpenID_Connect_Generic_Option_Logger $logger             The plugin logging object instance.
      */
-    public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $acr_values, $endpoint_jwks, $jwks_cache_ttl, $state_time_limit, $allow_internal_idp, $logger ) {
+    public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $acr_values, $endpoint_jwks, $issuer, $jwks_cache_ttl, $state_time_limit, $allow_internal_idp, $logger ) {
         $this->client_id = $client_id;
         $this->client_secret = $client_secret;
@@ -162 +172 @@
         $this->acr_values = $acr_values;
         $this->endpoint_jwks = $endpoint_jwks;
+        $this->issuer = $issuer;
         $this->jwks_cache_ttl = $jwks_cache_ttl;
         $this->state_time_limit = $state_time_limit;
@@ -544 +555 @@
         // Check if JWKS endpoint is configured for JWT signature verification.
         if ( ! empty( $this->endpoint_jwks ) ) {
+            // Use configured issuer if provided, otherwise derive from endpoint_login.
+            $issuer = ! empty( $this->issuer )
+                ? $this->issuer
+                : $this->get_issuer_from_endpoint( $this->endpoint_login );
+
             // Use JWT validator for secure signature verification.
             $jwt_validator = new OpenID_Connect_Generic_JWT_Validator(
                 $this->endpoint_jwks,
                 $this->client_id,
-                $this->get_issuer_from_endpoint( $this->endpoint_login ),
+                $issuer,
                 $this->jwks_cache_ttl,
                 $this->allow_internal_idp,
@@ -672 +688 @@
         }
 
-        // Validate issuer claim if endpoint_login is configured.
-        if ( ! empty( $this->endpoint_login ) ) {
+        // Validate issuer claim if configured or endpoint_login is available.
+        $expected_issuer = ! empty( $this->issuer ) ?
+            $this->issuer :
+            ( ! empty( $this->endpoint_login ) ? $this->get_issuer_from_endpoint( $this->endpoint_login ) : '' );
+
+        if ( ! empty( $expected_issuer ) ) {
             if ( ! isset( $id_token_claim['iss'] ) ) {
                 return new WP_Error( 'missing-iss', __( 'Token missing issuer claim.', 'daggerhart-openid-connect-generic' ), $id_token_claim );
             }
 
-            // Extract expected issuer from endpoint_login (base URL).
-            $expected_issuer = $this->get_issuer_from_endpoint( $this->endpoint_login );
-
             if ( rtrim( $id_token_claim['iss'], '/' ) !== rtrim( $expected_issuer, '/' ) ) {
+                $this->logger->log(
+                    sprintf(
+                        'Issuer mismatch - Expected: "%s", Received: "%s". Configure the correct issuer in Settings > OpenID Connect Client > Issuer field, or via the OIDC_ISSUER constant.',
+                        $expected_issuer,
+                        $id_token_claim['iss']
+                    ),
+                    'issuer-mismatch'
+                );
                 return new WP_Error(
                     'invalid-iss',

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-jwt-validator.php

@@ -229 +229 @@
 
             if ( rtrim( $decoded_jwt->iss, '/' ) !== rtrim( $this->issuer, '/' ) ) {
+                $this->logger->log(
+                    sprintf(
+                        'Issuer mismatch - Expected: "%s", Received: "%s". Configure the correct issuer in Settings > OpenID Connect Client > Issuer field, or via the OIDC_ISSUER constant.',
+                        $this->issuer,
+                        $decoded_jwt->iss
+                    ),
+                    'issuer-mismatch'
+                );
                 return new WP_Error(
                     'invalid-iss',

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-option-settings.php

@@ -36 +36 @@
  * @property string $endpoint_end_session The IDP logout endpoint URL.
  * @property string $endpoint_jwks        The IDP JWKS endpoint URL for JWT signature verification.
+ * @property string $issuer               The IDP issuer URL for JWT validation (optional - derived from endpoint_login if not set).
  * @property int    $jwks_cache_ttl       The JWKS cache TTL in seconds.
  * @property string $acr_values           The Authentication contract as defined on the IDP.
@@ -99 +100 @@
         'endpoint_userinfo'         => 'OIDC_ENDPOINT_USERINFO_URL',
         'endpoint_jwks'             => 'OIDC_ENDPOINT_JWKS_URL',
+        'issuer'                    => 'OIDC_ISSUER',
         'login_type'                => 'OIDC_LOGIN_TYPE',
         'scope'                     => 'OIDC_CLIENT_SCOPE',

daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-settings-page.php

@@ -309 +309 @@
                 'section'     => 'client_settings',
             ),
+            'issuer' => array(
+                'title'       => __( 'Issuer', 'daggerhart-openid-connect-generic' ),
+                'description' => __( 'Identity provider issuer URL for JWT validation. If not set, the issuer will be automatically derived from the Login Endpoint URL. Only configure this if your IDP uses a different issuer than the base URL of the login endpoint.', 'daggerhart-openid-connect-generic' ),
+                'example'     => 'https://example.com',
+                'type'        => 'text',
+                'disabled'    => defined( 'OIDC_ISSUER' ),
+                'section'     => 'client_settings',
+            ),
             'jwks_cache_ttl' => array(
                 'title'       => __( 'JWKS Cache TTL (seconds)', 'daggerhart-openid-connect-generic' ),
@@ -777 +785 @@
             'userinfo_endpoint'      => 'endpoint_userinfo',
             'jwks_uri'               => 'endpoint_jwks',
+            'issuer'                 => 'issuer',
             'end_session_endpoint'   => 'endpoint_end_session',
         );

daggerhart-openid-connect-generic/trunk/languages/openid-connect-generic.pot

@@ -3 +3 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: OpenID Connect Generic 3.11.2\n"
+"Project-Id-Version: OpenID Connect Generic 3.11.3\n"
 "Report-Msgid-Bugs-To: "
 "https://github.com/oidc-wp/openid-connect-generic/issues\n"
-"POT-Creation-Date: 2026-02-12 21:27:15+00:00\n"
+"POT-Creation-Date: 2026-02-13 04:19:17+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
@@ -48 +48 @@
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:987
+#: includes/openid-connect-generic-client-wrapper.php:992
 msgid "User claim incomplete."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:1090
+#: includes/openid-connect-generic-client-wrapper.php:1095
 msgid "Bad user claim result."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:1156
+#: includes/openid-connect-generic-client-wrapper.php:1161
 msgid "Can not authorize."
 msgstr ""
 
-#: includes/openid-connect-generic-client-wrapper.php:1185
+#: includes/openid-connect-generic-client-wrapper.php:1190
 msgid "Failed user creation."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:259
+#: includes/openid-connect-generic-client.php:270
 msgid "Missing state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:263
+#: includes/openid-connect-generic-client.php:274
 msgid "Invalid state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:278
+#: includes/openid-connect-generic-client.php:289
 msgid "Missing authentication code."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:323
+#: includes/openid-connect-generic-client.php:334
 msgid "Request for authentication token failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:356
+#: includes/openid-connect-generic-client.php:367
 msgid "Refresh token failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:371
+#: includes/openid-connect-generic-client.php:382
 msgid "Missing token body."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:379
+#: includes/openid-connect-generic-client.php:390
 msgid "Invalid token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:440
+#: includes/openid-connect-generic-client.php:451
 msgid "Request for userinfo failed."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:504
+#: includes/openid-connect-generic-client.php:515
 msgid "Missing authentication state."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:541
+#: includes/openid-connect-generic-client.php:552
 msgid "No identity token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:576
+#: includes/openid-connect-generic-client.php:592
 msgid "Missing identity token."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:635
+#: includes/openid-connect-generic-client.php:651
 msgid "Bad ID token claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:640
+#: includes/openid-connect-generic-client.php:656
 msgid "No subject identity."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:645
+#: includes/openid-connect-generic-client.php:661
 #: includes/openid-connect-generic-jwt-validator.php:184
 msgid "Token missing expiration claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:648
+#: includes/openid-connect-generic-client.php:664
 msgid "Token has expired."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:653
+#: includes/openid-connect-generic-client.php:669
 #: includes/openid-connect-generic-jwt-validator.php:192
 msgid "Token missing issued at claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:658
+#: includes/openid-connect-generic-client.php:674
 #: includes/openid-connect-generic-jwt-validator.php:200
 msgid "Token missing audience claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:671
+#: includes/openid-connect-generic-client.php:687
 #: includes/openid-connect-generic-jwt-validator.php:217
 msgid "Token audience does not match client."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:677
+#: includes/openid-connect-generic-client.php:697
 #: includes/openid-connect-generic-jwt-validator.php:226
 msgid "Token missing issuer claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:687
-#: includes/openid-connect-generic-jwt-validator.php:233
+#: includes/openid-connect-generic-client.php:712
+#: includes/openid-connect-generic-jwt-validator.php:241
 msgid "Token issuer does not match expected issuer."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:697
+#: includes/openid-connect-generic-client.php:722
 msgid "No matching acr values."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:717
+#: includes/openid-connect-generic-client.php:742
 msgid "Bad user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:737
+#: includes/openid-connect-generic-client.php:762
 msgid "Invalid user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:742
+#: includes/openid-connect-generic-client.php:767
 msgid "Error from the IDP."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:751
+#: includes/openid-connect-generic-client.php:776
 msgid "Incorrect user claim."
 msgstr ""
 
-#: includes/openid-connect-generic-client.php:758
+#: includes/openid-connect-generic-client.php:783
 msgid "Unauthorized access."
 msgstr ""
@@ -191 +191 @@
 msgstr ""
 
-#: includes/openid-connect-generic-jwt-validator.php:307
+#: includes/openid-connect-generic-jwt-validator.php:315
 msgid "JWKS URI not configured. JWT signature verification requires JWKS endpoint."
 msgstr ""
 
-#: includes/openid-connect-generic-jwt-validator.php:338
+#: includes/openid-connect-generic-jwt-validator.php:346
 #. translators: %s is the error message
 msgid "JWT verification failed: %s"
@@ -358 +358 @@
 
 #: includes/openid-connect-generic-settings-page.php:312
+msgid "Issuer"
+msgstr ""
+
+#: includes/openid-connect-generic-settings-page.php:313
+msgid ""
+"Identity provider issuer URL for JWT validation. If not set, the issuer "
+"will be automatically derived from the Login Endpoint URL. Only configure "
+"this if your IDP uses a different issuer than the base URL of the login "
+"endpoint."
+msgstr ""
+
+#: includes/openid-connect-generic-settings-page.php:320
 msgid "JWKS Cache TTL (seconds)"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:313
+#: includes/openid-connect-generic-settings-page.php:321
 msgid "Time in seconds to cache JWKS keys. Default: 3600 (1 hour)"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:319
+#: includes/openid-connect-generic-settings-page.php:327
 msgid "ACR values"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:320
+#: includes/openid-connect-generic-settings-page.php:328
 msgid "Use a specific defined authentication contract from the IDP - optional."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:326
+#: includes/openid-connect-generic-settings-page.php:334
 msgid "Identity Key"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:327
+#: includes/openid-connect-generic-settings-page.php:335
 msgid ""
 "Where in the user claim array to find the user's identification data. "
@@ -384 +396 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:333
+#: includes/openid-connect-generic-settings-page.php:341
 msgid "HTTP Request Timeout"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:334
+#: includes/openid-connect-generic-settings-page.php:342
 msgid "Set the timeout for requests made to the IDP. Default value is 5."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:340
+#: includes/openid-connect-generic-settings-page.php:348
 msgid "Enforce Privacy"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:341
+#: includes/openid-connect-generic-settings-page.php:349
 msgid "Require users be logged in to see the site."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:347
+#: includes/openid-connect-generic-settings-page.php:355
 msgid "Alternate Redirect URI"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:348
+#: includes/openid-connect-generic-settings-page.php:356
 msgid ""
 "Provide an alternative redirect route. Useful if your server is causing "
@@ -412 +424 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:353
+#: includes/openid-connect-generic-settings-page.php:361
 msgid "Nickname Key"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:354
+#: includes/openid-connect-generic-settings-page.php:362
 msgid ""
 "Where in the user claim array to find the user's nickname. Possible "
@@ -422 +434 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:360
+#: includes/openid-connect-generic-settings-page.php:368
 msgid "Email Formatting"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:361
+#: includes/openid-connect-generic-settings-page.php:369
 msgid ""
 "String from which the user's email address is built. Specify \"{email}\" as "
@@ -432 +444 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:367
+#: includes/openid-connect-generic-settings-page.php:375
 msgid "Display Name Formatting"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:368
+#: includes/openid-connect-generic-settings-page.php:376
 msgid "String from which the user's display name is built."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:374
+#: includes/openid-connect-generic-settings-page.php:382
 msgid "Identify with User Name"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:375
+#: includes/openid-connect-generic-settings-page.php:383
 msgid ""
 "If checked, the user's identity will be determined by the user name instead "
@@ -450 +462 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:380
+#: includes/openid-connect-generic-settings-page.php:388
 msgid "State time limit"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:381
+#: includes/openid-connect-generic-settings-page.php:389
 msgid "State valid time in seconds. Defaults to 180"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:386
+#: includes/openid-connect-generic-settings-page.php:394
 msgid "Enable Refresh Token"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:387
+#: includes/openid-connect-generic-settings-page.php:395
 msgid ""
 "If checked, support refresh tokens used to obtain access tokens from "
@@ -468 +480 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:392
+#: includes/openid-connect-generic-settings-page.php:400
 msgid "Disable SSL Verify"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:394
+#: includes/openid-connect-generic-settings-page.php:402
 #. translators: %1$s HTML tags for layout/styles (strong tag start with warning
 #. class), %2$s closing HTML tag for styles.
@@ -482 +494 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:399
+#: includes/openid-connect-generic-settings-page.php:407
 msgid "Allow Internal IDP"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:401
+#: includes/openid-connect-generic-settings-page.php:409
 #. translators: %1$s HTML tags for layout/styles (strong tag start with warning
 #. class), %2$s closing HTML tag for styles.
@@ -496 +508 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:406
+#: includes/openid-connect-generic-settings-page.php:414
 msgid "Link Existing Users"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:407
+#: includes/openid-connect-generic-settings-page.php:415
 msgid ""
 "If a WordPress account already exists with the same identity as a "
@@ -507 +519 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:413
+#: includes/openid-connect-generic-settings-page.php:421
 msgid "Create user if does not exist"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:414
+#: includes/openid-connect-generic-settings-page.php:422
 msgid ""
 "If the user identity is not linked to an existing WordPress user, it is "
@@ -519 +531 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:420
+#: includes/openid-connect-generic-settings-page.php:428
 msgid "Redirect Back to Origin Page"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:421
+#: includes/openid-connect-generic-settings-page.php:429
 msgid ""
 "After a successful OpenID Connect authentication, this will redirect the "
@@ -534 +546 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:427
+#: includes/openid-connect-generic-settings-page.php:435
 msgid "Redirect to the login screen when session is expired"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:428
+#: includes/openid-connect-generic-settings-page.php:436
 msgid ""
 "When enabled, this will automatically redirect the user back to the "
@@ -544 +556 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:434
+#: includes/openid-connect-generic-settings-page.php:442
 msgid "Enable Logging"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:435
+#: includes/openid-connect-generic-settings-page.php:443
 msgid "Very simple log messages for debugging purposes."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:441
+#: includes/openid-connect-generic-settings-page.php:449
 msgid "Log Limit"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:442
+#: includes/openid-connect-generic-settings-page.php:450
 msgid ""
 "Number of items to keep in the log. These logs are stored as an option in "
@@ -562 +574 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:507
+#: includes/openid-connect-generic-settings-page.php:515
 msgid "Notes"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:510
+#: includes/openid-connect-generic-settings-page.php:518
 msgid "Redirect URI"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:514
+#: includes/openid-connect-generic-settings-page.php:522
 msgid "Login Button Shortcode"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:518
+#: includes/openid-connect-generic-settings-page.php:526
 msgid "Authentication URL Shortcode"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:523
+#: includes/openid-connect-generic-settings-page.php:531
 msgid "Logs"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:612
+#: includes/openid-connect-generic-settings-page.php:620
 msgid "Example"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:625
+#: includes/openid-connect-generic-settings-page.php:633
 msgid "Enter your OpenID Connect identity provider settings."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:634
+#: includes/openid-connect-generic-settings-page.php:642
 msgid "Modify the interaction between OpenID Connect and WordPress users."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:643
+#: includes/openid-connect-generic-settings-page.php:651
 msgid "Control the authorization mechanics of the site."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:652
+#: includes/openid-connect-generic-settings-page.php:660
 msgid "Log information about login attempts through OpenID Connect Generic."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:667
+#: includes/openid-connect-generic-settings-page.php:675
 msgid "Please enter a discovery URL."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:676
+#: includes/openid-connect-generic-settings-page.php:684
 msgid "Invalid discovery URL format."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:687
+#: includes/openid-connect-generic-settings-page.php:695
 msgid "Discovery URL must use HTTPS in production environments."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:707
+#: includes/openid-connect-generic-settings-page.php:715
 #. translators: %s: error message
 msgid "Failed to fetch discovery document: %s"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:719
+#: includes/openid-connect-generic-settings-page.php:727
 #. translators: %d: HTTP status code
 msgid "Discovery document request returned HTTP %d."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:732
+#: includes/openid-connect-generic-settings-page.php:740
 msgid "Discovery document is not valid JSON."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:751
+#: includes/openid-connect-generic-settings-page.php:759
 #. translators: %s: comma-separated list of missing fields
 msgid "Discovery document is missing required fields: %s"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:815
+#: includes/openid-connect-generic-settings-page.php:824
 msgid "Security check failed. Please try again."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:859
+#: includes/openid-connect-generic-settings-page.php:868
 #. translators: %d: number of fields populated
 msgid ""
@@ -648 +660 @@
 msgstr[1] ""
 
-#: includes/openid-connect-generic-settings-page.php:886
+#: includes/openid-connect-generic-settings-page.php:895
 msgid "Quick Setup: Import from Discovery Document"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:890
+#: includes/openid-connect-generic-settings-page.php:899
 msgid ""
 "Auto-populate endpoint settings from your identity provider's OpenID "
@@ -659 +671 @@
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:898
+#: includes/openid-connect-generic-settings-page.php:907
 msgid "Discovery URL"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:910
+#: includes/openid-connect-generic-settings-page.php:919
 msgid "Enter your identity provider's OpenID Connect discovery endpoint URL."
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:912
+#: includes/openid-connect-generic-settings-page.php:921
 msgid "Examples:"
 msgstr ""
 
-#: includes/openid-connect-generic-settings-page.php:923
+#: includes/openid-connect-generic-settings-page.php:932
 msgid "Load Configuration"
 msgstr ""
 
-#: openid-connect-generic.php:251
+#: openid-connect-generic.php:252
 msgid "Private site"
 msgstr ""
 
-#: openid-connect-generic.php:281
+#: openid-connect-generic.php:282
 msgid "OpenID Connect Generic - Security Configuration Required"
 msgstr ""
 
-#: openid-connect-generic.php:288
+#: openid-connect-generic.php:289
 #. translators: %s is a link to the settings page
 msgid ""
@@ -691 +703 @@
 msgstr ""
 
-#: openid-connect-generic.php:295
+#: openid-connect-generic.php:296
 msgid ""
 "The current insecure fallback will be removed in version 3.12.0. After that "
@@ -697 +709 @@
 msgstr ""
 
-#: openid-connect-generic.php:298
+#: openid-connect-generic.php:299
 msgid "Common JWKS endpoints:"
 msgstr ""

daggerhart-openid-connect-generic/trunk/openid-connect-generic.php

@@ -17 +17 @@
  * Plugin URI:        https://github.com/oidc-wp/openid-connect-generic
  * Description:       Connect to an OpenID Connect identity provider using Authorization Code Flow.
- * Version:           3.11.2
+ * Version:           3.11.3
  * Requires at least: 5.0
  * Requires PHP:      7.4
@@ -94 +94 @@
      * @var string
      */
-    const VERSION = '3.11.2';
+    const VERSION = '3.11.3';
 
     /**
@@ -160 +160 @@
             $this->settings->acr_values,
             $this->settings->endpoint_jwks,
+            $this->settings->issuer ?? '',
             $this->settings->jwks_cache_ttl,
             $this->get_state_time_limit( $this->settings ),

daggerhart-openid-connect-generic/trunk/readme.txt

@@ -4 +4 @@
 Requires at least: 5.0
 Tested up to: 6.9.0
-Stable tag: 3.11.2
+Stable tag: 3.11.3
 Requires PHP: 7.4
 License: GPLv2 or later
@@ -50 +50 @@
 == Upgrade Notice ==
 
-= 3.11.2 =
+= 3.11.3 =
 
 SECURITY UPDATE: 3.11.x branch - Fixes authentication vulnerabilities including JWT signature bypass and SSRF protection. Update immediately and configure JWKS endpoint in settings.
 
 == Changelog ==
+
+= 3.11.3 =
+
+* Feature/improvement: Added configurable issuer setting for JWT validation.
 
 = 3.11.2 =

daggerhart-openid-connect-generic/trunk/vendor/composer/installed.php

@@ -2 +2 @@
     'root' => array(
         'name' => 'daggerhart/openid-connect-generic',
-        'pretty_version' => '3.11.2',
-        'version' => '3.11.2.0',
-        'reference' => '1810fffbabb261cd81108575ccfd186bd2495d86',
+        'pretty_version' => '3.11.3',
+        'version' => '3.11.3.0',
+        'reference' => '0ef442c0f61bda837bddacec37b96035176bee27',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
@@ -21 +21 @@
         ),
         'daggerhart/openid-connect-generic' => array(
-            'pretty_version' => '3.11.2',
-            'version' => '3.11.2.0',
-            'reference' => '1810fffbabb261cd81108575ccfd186bd2495d86',
+            'pretty_version' => '3.11.3',
+            'version' => '3.11.3.0',
+            'reference' => '0ef442c0f61bda837bddacec37b96035176bee27',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',