diff --git a/handler/oauth2/flow_resource_owner.go b/handler/oauth2/flow_resource_owner.go
index ad0b45a2..ff17afb0 100644
--- a/handler/oauth2/flow_resource_owner.go
+++ b/handler/oauth2/flow_resource_owner.go
@@ -58,10 +58,14 @@ func (c *ResourceOwnerPasswordCredentialsGrantHandler) HandleTokenEndpointReques
 	password := request.GetRequestForm().Get("password")
 	if username == "" || password == "" {
 		return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Username or password are missing from the POST body."))
-	} else if err := c.ResourceOwnerPasswordCredentialsGrantStorage.Authenticate(ctx, username, password); errors.Is(err, fosite.ErrNotFound) {
+	} else if identityID, err := c.ResourceOwnerPasswordCredentialsGrantStorage.Authenticate(ctx, username, password); errors.Is(err, fosite.ErrNotFound) {
 		return errorsx.WithStack(fosite.ErrInvalidGrant.WithHint("Unable to authenticate the provided username and password credentials.").WithWrap(err).WithDebug(err.Error()))
 	} else if err != nil {
 		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
+	} else {
+		if sess, ok := request.GetSession().(fosite.ExtraClaimsSession); ok {
+			sess.GetExtraClaims()["identity_id"] = identityID
+		}
 	}
 
 	// Credentials must not be passed around, potentially leaking to the database!
diff --git a/handler/oauth2/flow_resource_owner_storage.go b/handler/oauth2/flow_resource_owner_storage.go
index ffc07642..d70a0467 100644
--- a/handler/oauth2/flow_resource_owner_storage.go
+++ b/handler/oauth2/flow_resource_owner_storage.go
@@ -8,7 +8,7 @@ import (
 )
 
 type ResourceOwnerPasswordCredentialsGrantStorage interface {
-	Authenticate(ctx context.Context, name string, secret string) error
+	Authenticate(ctx context.Context, name string, secret string) (string, error)
 	AccessTokenStorage
 	RefreshTokenStorage
 }