diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
index e6e8afe337..08f6c9c33d 100644
--- a/auth/api/iam/api.go
+++ b/auth/api/iam/api.go
@@ -212,7 +212,7 @@ func (r Wrapper) HandleTokenRequest(ctx context.Context, request HandleTokenRequ
 
 func (r Wrapper) Callback(ctx context.Context, request CallbackRequestObject) (CallbackResponseObject, error) {
 // check id in path
- _, err := r.toOwnedDID(ctx, request.Did)
+ _, err := r.toOwnedDIDForOAuth2(ctx, request.Did)
 if err != nil {
 // this is an OAuthError already, will be rendered as 400 but that's fine (for now) for an illegal id
 return nil, err
diff --git a/auth/client/iam/client.go b/auth/client/iam/client.go
index a4336be4d2..95a40e45e8 100644
--- a/auth/client/iam/client.go
+++ b/auth/client/iam/client.go
@@ -41,7 +41,8 @@ type HTTPClient struct {
 httpClient core.HTTPRequestDoer
 }
 
-// OAuthAuthorizationServerMetadata retrieves the OAuth authorization server metadata for the given web DID.
+// OAuthAuthorizationServerMetadata retrieves the OAuth authorization server metadata for the given oauth issuer.
+// oauthIssuer is the oauth.AuthorizationServerMetadata.Issuer from which the metadata endpoint is derived.
 func (hb HTTPClient) OAuthAuthorizationServerMetadata(ctx context.Context, oauthIssuer string) (*oauth.AuthorizationServerMetadata, error) {
 metadataURL, err := oauth.IssuerIdToWellKnown(oauthIssuer, oauth.AuthzServerWellKnown, hb.strictMode)
 if err != nil {
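Review bot: In Callback (auth/api/iam/api.go), the comment inside the `if err != nil` branch still asserts that the error "is an OAuthError already", but it was written for `toOwnedDID`, and the hunk does not show whether `toOwnedDIDForOAuth2` gives the same guarantee. If the new helper can return a plain error, the callback endpoint would presumably no longer answer an unknown or unowned DID with the intended 400. Once that is confirmed, the comment could name the helper it relies on, e.g. `// toOwnedDIDForOAuth2 returns an OAuthError, rendered as 400 for an unknown or unowned DID`. Callback's body continues outside the hunk.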
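Review bot: The new doc comment on OAuthAuthorizationServerMetadata (auth/client/iam/client.go) describes the input `oauthIssuer` in terms of a field of the value being returned, and it does not say whether the fetched metadata is checked against that input. RFC 8414 section 3.3 requires the `issuer` in the response to be identical to the issuer identifier used to build the well-known URL; otherwise the metadata must not be used. The function body runs past the end of the hunk, so I cannot tell whether that comparison exists. If it does, the comment should say so; if not, it is worth adding after decoding. A possible wording is `// oauthIssuer is the issuer identifier (URL) of the authorization server; the well-known metadata URL is derived from it and the returned Issuer must equal it.`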