joshp23 / YOURLS-OIDC

OpenID Connect Authentication for YOURLS
GNU General Public License v3.0
7 stars 6 forks

Cookies not behaving correctly for OIDC users when using "Option 2" #12

Open fservida opened 2 years ago

fservida commented 2 years ago

When logging users in directly using "Option 2", it seems that the cookies are not checked and authentication against the OIDC provider is performed for every request.

Don't know if this is the expected behaviour, but it does create problems with, for example, XHR requests. I think this is due to https://github.com/YOURLS/YOURLS/blob/a2d0d2f626c7ee8fcd280eb91d08c61354578d04/includes/functions-auth.php#L324-L333 not checking cookies if the user is not in the local database.

fservida commented 2 years ago

Note for me: as the cookie is encrypted, the user is not available unless we poll the OIDC provider (and thus have the same problem). One solution might be to store the users logged in through OIDC in the options table and fetch that list to iterate over, just as YOURLS does with the $yourls_user_passwords array.

fservida commented 2 years ago

Alternatively store the username in a cookie too
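
The two proposals above (persist the OIDC users and iterate over them, or carry the username in a second cookie) can be compared on a small model of the scheme. The following is an added example written for this thread; it is not code from YOURLS or from the YOURLS-OIDC plugin. The secret, cookie names (`yourls_auth`, `yourls_user`), the local user list and the `OIDC_USERS` set are all constructed stand-ins, and the cookie is modelled as an HMAC over the username, which is only an approximation of how YOURLS derives its cookie value from the site salt.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed server-side secret standing in for the site's configured salt.
COOKIE_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed cookie names; YOURLS derives its own name from the site URL.
AUTH_COOKIE = "yourls_auth"
USER_COOKIE = "yourls_user"


def cookie_value(username: str) -> str:
    """The cookie carries a keyed hash of the username, not the username.

    Anyone holding only the cookie cannot tell which user it belongs to,
    which is exactly why verification has to iterate over candidate users.
    """
    return hmac.new(COOKIE_SECRET, username.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed local users, playing the role of $yourls_user_passwords.
LOCAL_USERS: Dict[str, str] = {"admin": "<password-hash>"}

# Constructed stand-in for an options-table row listing users who have
# logged in through OIDC (first proposal in the thread).
OIDC_USERS: Set[str] = set()


def check_auth_cookie(cookies: Dict[str, str], known_users: Iterable[str]) -> Optional[str]:
    """Iterate over known users and return the one whose hash matches, or None.

    A user absent from known_users can never be matched, so a perfectly
    valid cookie is rejected and the caller falls back to a fresh login.
    """
    presented = cookies.get(AUTH_COOKIE)
    if presented is None:
        return None
    for user in known_users:
        if hmac.compare_digest(cookie_value(user).encode(), presented.encode()):
            return user
    return None


def check_auth_cookie_with_hint(cookies: Dict[str, str]) -> Optional[str]:
    """Second proposal: the username travels in its own cookie.

    The hint is attacker-controlled input and is used only to pick which
    hash to recompute; the keyed hash still decides validity, so changing
    the hint without knowing COOKIE_SECRET yields a mismatch.
    """
    hinted = cookies.get(USER_COOKIE)
    presented = cookies.get(AUTH_COOKIE)
    if hinted is None or presented is None:
        return None
    if hmac.compare_digest(cookie_value(hinted).encode(), presented.encode()):
        return hinted
    return None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    """Walk through the failure and both fixes; returns the four outcomes."""
    oidc_user = "alice@idp.example"  # constructed OIDC subject
    cookies = {AUTH_COOKIE: cookie_value(oidc_user)}

    # 1. Only local users are iterated: the OIDC user's valid cookie is not
    #    recognised, which is the re-authentication on every request.
    local_only = check_auth_cookie(cookies, LOCAL_USERS)

    # 2. Persist OIDC users and iterate over both lists.
    OIDC_USERS.add(oidc_user)
    with_persisted = check_auth_cookie(cookies, list(LOCAL_USERS) + sorted(OIDC_USERS))

    # 3. Carry the username in a second cookie; no user list needed.
    with_hint = check_auth_cookie_with_hint({**cookies, USER_COOKIE: oidc_user})

    # 4. Tampered hint: alice's hash with the username cookie rewritten to
    #    "admin" does not verify, because the hash is bound to the name.
    tampered = check_auth_cookie_with_hint({**cookies, USER_COOKIE: "admin"})

    return local_only, with_persisted, with_hint, tampered


if __name__ == "__main__":
    print(demo())
```

Both fixes make the cookie verifiable without a round trip to the provider. The persisted list keeps the cookie opaque but grows with every distinct OIDC login and costs one hash per candidate user; the hint cookie is constant-time in the number of users but exposes the username to the client, which is acceptable only because the keyed hash, not the hint, is what authenticates the request.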

fservida commented 2 years ago

Implemented in #11. To be closed on merge :)