link_existing_users flag causes orphan sessions if a concurrent session logs out #49

Closed
pjeby opened this issue Dec 14, 2017 · 0 comments
pjeby (Contributor) commented Dec 14, 2017

Currently, the openid-connect-generic-user meta flag is set to false when a user logs out (if link_existing_users is set), but this doesn't work correctly if a user has more than one login session, because then the other sessions will stop refreshing tokens and act like ordinary WordPress sessions. (And thus will remain live with current permissions even if those permissions have been revoked at the IdP.)

Steps to reproduce:

  1. Set up a site with Auto-SSO login mode and "link existing users"
  2. Log into the site from two different browsers using OIDC, then explicitly log out of one.
  3. Wait for the refresh token to expire, then access the site in the second browser. You should get a refresh error, but instead you get a plain WP session unconnected to OIDC.

The problem is that a user meta flag is global to the user, but what is really needed is to know whether the session is linked to an OIDC session, not the user as a whole.

For my own purposes, I'm working around this with a get_user_meta hook which checks that the session is actually OIDC-linked; it does this by adding data to the WP session token in the database (via the attach_session_information hook). This then results in the OIDC plugin seeing a fake openid-connect-generic-user value that reflects whether the session was started with OIDC, instead of a global flag whose value might be corrupt.

This workaround could be avoided, though, by having ensure_tokens_still_fresh() check for a flag in WP_Session_Tokens::get_instance($user_id)->get(wp_get_session_token()). The flag would be set by login_user(), either via an attach_session_information hook, or by directly creating the session token and passing it through to wp_set_auth_cookie().
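The following is an added illustration of the per-session approach described in the issue; it is not code from the issue author or from the openid-connect-generic plugin. It stores an OIDC-linked marker inside the WordPress session token record via the `attach_session_information` filter, reads it back through `WP_Session_Tokens::get_instance($user_id)->get(wp_get_session_token())`, and (as the workaround does) uses the `get_user_metadata` filter so the plugin's global `openid-connect-generic-user` meta flag reflects the current session instead of the user as a whole. The session key name `oidc_linked`, the global `oidc_next_session_linked`, and the function names are assumptions chosen for this example.

```php
<?php
/**
 * Per-session OIDC link flag: example code, not the plugin's own.
 *
 * Assumed key name stored inside the WP session token record.
 */
const OIDC_SESSION_KEY = 'oidc_linked';

/**
 * Step 1: the plugin's login path (login_user()) would call this just before
 * wp_set_auth_cookie(). The attach_session_information filter below then
 * stamps the session token that wp_set_auth_cookie() creates.
 * (The global name is an assumption for this example.)
 */
function oidc_mark_next_session_linked( $linked = true ) {
	$GLOBALS['oidc_next_session_linked'] = (bool) $linked;
}

add_filter( 'attach_session_information', function ( $session, $user_id ) {
	if ( ! empty( $GLOBALS['oidc_next_session_linked'] ) ) {
		$session[ OIDC_SESSION_KEY ] = true;
		// Consume the marker so only the session being created is flagged.
		unset( $GLOBALS['oidc_next_session_linked'] );
	}
	return $session;
}, 10, 2 );

/**
 * Step 2: the check ensure_tokens_still_fresh() would perform. It answers
 * "is THIS browser session OIDC-linked?" by reading the flag from the
 * session token record, so logging out elsewhere cannot affect the answer.
 */
function oidc_current_session_is_linked( $user_id = 0 ) {
	$user_id = $user_id ?: get_current_user_id();
	if ( ! $user_id ) {
		return false;
	}
	$token = wp_get_session_token();
	if ( '' === $token ) {
		return false;
	}
	$session = WP_Session_Tokens::get_instance( $user_id )->get( $token );
	return ! empty( $session[ OIDC_SESSION_KEY ] );
}

/**
 * Step 3 (the workaround from the issue): when the unmodified plugin reads
 * the global user-meta flag for the current user, hand back the per-session
 * value instead. Returning a non-null value short-circuits get_metadata().
 * Reads for other users (e.g. admin screens) are left untouched.
 */
add_filter( 'get_user_metadata', function ( $value, $object_id, $meta_key, $single ) {
	if ( 'openid-connect-generic-user' !== $meta_key ) {
		return $value;
	}
	if ( (int) $object_id !== get_current_user_id() ) {
		return $value;
	}
	$linked = oidc_current_session_is_linked( $object_id );
	return $single ? $linked : array( $linked );
}, 10, 4 );
```

With this in place, logging out of one browser only removes that browser's session token; the other browser's token still carries the flag, so the plugin keeps refreshing and a revoked IdP session surfaces as a refresh error rather than a lingering plain WordPress session.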
