Fosite: question about parameter in OpenIDConnectRequestStorage

[ThunderKeg]

type OpenIDConnectRequestStorage interface {
	// CreateOpenIDConnectSession creates an open id connect session
	// for a given authorize code. This is relevant for explicit open id connect flow.
	CreateOpenIDConnectSession(ctx context.Context, authorizeCode string, requester fosite.Requester) error

	// IsOpenIDConnectSession returns error
	// - nil if a session was found,
	// - ErrNoSessionFound if no session was found
	// - or an arbitrary error if an error occurred.
	GetOpenIDConnectSession(ctx context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error)

	// Deprecated: DeleteOpenIDConnectSession is not called from anywhere.
	// Originally, it should remove an open id connect session from the store.
	DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) error
}

OpenIDConnectRequestStorage uses authorizeCode as the parameter of Storage. This may cause potential leak of sensitive data. But in other Storage interface, the signature is used. Is it a bug or by design

[vinckr]

Hello @ThunderKeg,
it has been way too long. I am not very familiar with the code but I do not think this is an issue, but if you feel this should be looked at more closely feel free to open a bug report over at the /fosite repository