code review

handler/oauth2/flow_resource_owner.go

@@ -33,6 +33,11 @@ type ResourceOwnerPasswordCredentialsGrantHandler struct {
 	}
 }
 
+type Session interface {
+	// SetSubject sets the session's subject.
+	SetSubject(subject string)
+}
+
 // HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.3.2
 func (c *ResourceOwnerPasswordCredentialsGrantHandler) HandleTokenEndpointRequest(ctx context.Context, request fosite.AccessRequester) error {
 	if !c.CanHandleTokenEndpointRequest(ctx, request) {
@@ -58,13 +63,13 @@ func (c *ResourceOwnerPasswordCredentialsGrantHandler) HandleTokenEndpointReques
 	password := request.GetRequestForm().Get("password")
 	if username == "" || password == "" {
 		return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Username or password are missing from the POST body."))
-	} else if identityID, err := c.ResourceOwnerPasswordCredentialsGrantStorage.Authenticate(ctx, username, password); errors.Is(err, fosite.ErrNotFound) {
+	} else if sub, err := c.ResourceOwnerPasswordCredentialsGrantStorage.Authenticate(ctx, username, password); errors.Is(err, fosite.ErrNotFound) {
 		return errorsx.WithStack(fosite.ErrInvalidGrant.WithHint("Unable to authenticate the provided username and password credentials.").WithWrap(err).WithDebug(err.Error()))
 	} else if err != nil {
 		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
 	} else {
-		if sess, ok := request.GetSession().(fosite.ExtraClaimsSession); ok {
-			sess.GetExtraClaims()["identity_id"] = identityID
+		if sess, ok := request.GetSession().(Session); ok {
+			sess.SetSubject(sub)
 		}
 	}
 

handler/oauth2/flow_resource_owner_storage.go

@@ -8,7 +8,7 @@ import (
 )
 
 type ResourceOwnerPasswordCredentialsGrantStorage interface {
-	Authenticate(ctx context.Context, name string, secret string) (string, error)
+	Authenticate(ctx context.Context, name string, secret string) (subject string, err error)
 	AccessTokenStorage
 	RefreshTokenStorage
 }