diff --git a/app/services/oauth2.js b/app/services/oauth2.js
index c3f9ead..9be9956 100644
--- a/app/services/oauth2.js
+++ b/app/services/oauth2.js
@@ -151,7 +151,7 @@ class OAuth2Service extends SiteService {
 var code = uuidv4();
 var ac = new OAuth2AuthorizationCode({
 code,
- clientId: client._id,
+ client: client._id,
 redirectUri,
 user: user._id,
 scopes: client.scopes,
@@ -166,10 +166,21 @@ class OAuth2Service extends SiteService {
 async processExchange (client, code, redirectUri, done) {
 try {
- const ac = await OAuth2AuthorizationCode.findOne({ code });
+ const ac = await OAuth2AuthorizationCode
+ .findOne({ code })
+ .populate([
+ {
+ path: 'client',
+ },
+ {
+ path: 'user',
+ select: 'username username_lc displayName picture',
+ },
+ ]);
+ this.log.debug('process OAuth2 exchange', { client, code, redirectUri });
- if (!client._id.equals(ac.clientId)) {
- this.log.alert('OAuth2 client ID mismatch', { provided: client.id, onfile: ac.clientId });
+ if (!client._id.equals(ac.client._id)) {
+ this.log.alert('OAuth2 client ID mismatch', { provided: client.id, onfile: ac.client._id });
 return done(null, false);
 }
 if (redirectUri !== ac.redirectUri) {
@@ -180,8 +191,8 @@ class OAuth2Service extends SiteService {
 var token = uuidv4();
 var at = new OAuth2AccessToken({
 token,
- user: ac.userId,
- client: ac.clientId,
+ user: ac.user._id,
+ client: ac.client._id,
 scope: ac.scope,
 });
 await at.save();
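Review bot: The added `this.log.debug('process OAuth2 exchange', { client, code, redirectUri })` in the second hunk writes the live authorization code and the whole `client` document to the log before the exchange is validated. The code is a bearer credential until it is redeemed, and the client record presumably carries the client secret, so both become readable to anyone with log access. Log identifiers only, e.g. `this.log.debug('process OAuth2 exchange', { clientId: client._id, redirectUri });`. Separately, `findOne` resolves to `null` for an unknown code and `populate` leaves `ac.client` or `ac.user` null when the referenced document no longer exists, so `ac.client._id` throws instead of denying cleanly; a guard such as `if (!ac || !ac.client || !ac.user) { return done(null, false); }` before the comparison would turn that into an ordinary rejection. The `try` opens inside this hunk but its `catch` lies outside it, so how that exception is reported today cannot be seen here.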
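Review bot: `scope: ac.scope` on the new access token in the third hunk reads a field that the first hunk never writes. The authorization code is created there with `scopes: client.scopes`, so unless the schema (not shown) defines both names, the token is saved with an undefined scope. Depending on how scope is enforced downstream, that gives either a token that authorizes nothing or one treated as unrestricted. Using `scope: ac.scopes,` (or whichever name the OAuth2AccessToken schema actually declares) would carry the granted scopes through. The enclosing function continues past the end of this hunk.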