It looks like the membership data that is supposed to be cached between requests for 5 minutes is not being cached at all.

It looks like it was assumed that the User object would be serialized after each request, storing the modified membership cache in the session. Turns out that the user is only serialized once from Warden::Proxy#set_user that gets called when authentication is successfully performed the first time.

The solution would be to store the membership data (more precisely, any data potentially changing between requests) in Warden::Proxy#session, which "provides a scoped session data for authenticated users". In order to have access to that scoped session data, the User object needs to receive it at time of first initialization and deserialization. It can be retrieved from warden as follows (in both situations env is available): env['warden'].session(scope)

I'll open a PR for this. @atmos since this will need a minor version bump, should I already include it in the PR or would you like to handle that separately?

Yup, include the version bump in the PR.

All of my work stuff in the last year or so has been with omniauth_github but I can cut releases of this easily enough.