diff --git a/src/oidcclients.js b/src/oidcclients.js
index 5b720bbdb..a95e8a2bc 100644
--- a/src/oidcclients.js
+++ b/src/oidcclients.js
@@ -50,7 +50,7 @@ async function add(data) {
     assert.strictEqual(typeof data.appId, 'string');
     assert(data.tokenSignatureAlgorithm === 'RS256' || data.tokenSignatureAlgorithm === 'EdDSA');
 
-    const id = data.id || 'cid-' + hat(128);
+    const id = data.id || 'cid-' + hat(128); // oidc addon provides the id for apps as app.id
     const secret = hat(256);
 
     const query = `INSERT INTO ${OIDC_CLIENTS_TABLE_NAME} (id, secret, name, appId, loginRedirectUri, tokenSignatureAlgorithm) VALUES (?, ?, ?, ?, ?, ?)`;
diff --git a/src/oidcserver.js b/src/oidcserver.js
index e32c59540..32cad6c00 100644
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
@@ -457,7 +457,7 @@ async function interactionConfirm(req, res, next) {
 
     const user = await users.get(accountId);
     if (!user) return next(new Error('User not found'));
-    user.ghost = lastSubmission ? lastSubmission.ghost : false; // restore ghost flag
+    user.ghost = !!lastSubmission?.ghost; // restore ghost flag. lastSubmission can be empty if login interaction was skipped (already logged in)
 
     // Check if user has access to the app if client refers to an app
     if (client.appId) {