changeset 5082:ddb1940b08e0

mod_sasl2_fast: Clean up backend return values (fixes constant rotation)
author Matthew Wild <mwild1@gmail.com>
date Mon, 07 Nov 2022 10:19:10 +0000
parents 660160fe97fa
children 4837232474ca
files mod_sasl2_fast/mod_sasl2_fast.lua
diffstat 1 files changed, 8 insertions(+), 7 deletions(-) [+]
--- a/mod_sasl2_fast/mod_sasl2_fast.lua	Sat Oct 29 12:01:32 2022 +0200
+++ b/mod_sasl2_fast/mod_sasl2_fast.lua	Mon Nov 07 10:19:10 2022 +0000
@@ -63,7 +63,7 @@
 					elseif current_time - token.issued_at > fast_token_min_ttl then
 						rotation_needed = true;
 					end
-					return true, username, hmac_f(token.secret, "Responder"..cb_data), token, rotation_needed;
+					return true, username, hmac_f(token.secret, "Responder"..cb_data), rotation_needed;
 				end
 			end
 			if not tried_current_token then
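Review bot: The success return on the changed line is a four-value positional tuple with nothing nearby documenting its order, and it is presumably unpacked by position at the `backend(...)` call in `new_ht_mechanism`. The extra `token` value removed here is what pushed `rotation_needed` out of its slot. I would add a comment above the return such as `-- returns: true, username, responder HMAC, rotation_needed`. It is also worth checking that the failure returns of this function, which are outside the hunk, use the `false, error-condition` shape the caller reads. The enclosing function starts and ends outside the hunk.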
@@ -173,23 +173,24 @@
 local function new_ht_mechanism(mechanism_name, backend_profile_name, cb_name)
 	return function (sasl_handler, message)
 		local backend = sasl_handler.profile[backend_profile_name];
-		local username, token_hash = message:match("^([^%z]+)%z(.+)$");
-		if not username then
+		local authc_username, token_hash = message:match("^([^%z]+)%z(.+)$");
+		if not authc_username then
 			return "failure", "malformed-request";
 		end
 		local cb_data = cb_name and sasl_handler.profile.cb[cb_name](sasl_handler) or "";
-		local ok, status, response, rotation_needed = backend(
+		local ok, authz_username, response, rotation_needed = backend(
 			mechanism_name,
-			username,
+			authc_username,
 			sasl_handler.client_id,
 			token_hash,
 			cb_data,
 			sasl_handler.invalidate
 		);
 		if not ok then
-			return "failure", status or "not-authorized";
+			-- authz_username is error condition
+			return "failure", authz_username or "not-authorized";
 		end
-		sasl_handler.username = status;
+		sasl_handler.username = authz_username;
 		sasl_handler.rotation_needed = rotation_needed;
 		return "success", response;
 	end
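Review bot: The `cb_data` line does not check the channel-binding lookup. When `cb_name` is set and `sasl_handler.profile.cb` or its `cb_name` entry is missing, the expression raises a Lua error instead of returning a SASL failure. When the handler returns nil, the `and ... or ""` idiom silently substitutes an empty string, so a channel-binding mechanism would continue with no binding data in the value passed to the backend. I would fail the exchange explicitly in both cases, as in the fence below; the failure condition shown is the one this function already uses for a bad request, and the final choice is the author's. The outer `new_ht_mechanism` function closes outside the hunk.

```lua
		-- … unchanged: backend lookup and message parsing …
		local cb_data = "";
		if cb_name then
			local cb_profile = sasl_handler.profile.cb;
			local get_cb_data = cb_profile and cb_profile[cb_name];
			cb_data = get_cb_data and get_cb_data(sasl_handler);
			if not cb_data then
				-- never fall back to an empty binding for a channel-binding mechanism
				return "failure", "malformed-request";
			end
		end
		-- … unchanged: backend call and result handling …
```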