diff --git a/example/requirements.txt b/example/requirements.txt
index 5f3ff80..1732184 100644
--- a/example/requirements.txt
+++ b/example/requirements.txt
@@ -2,3 +2,7 @@ pyop
 Flask
 gunicorn
 oic>=1.2.1
+setuptools>=70.0.0 # not directly required, pinned by Snyk to avoid a vulnerability
+werkzeug>=3.0.1 # not directly required, pinned by Snyk to avoid a vulnerability
+requests>=2.32.2 # not directly required, pinned by Snyk to avoid a vulnerability
+urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability
diff --git a/setup.py b/setup.py
index 7961abc..0fc26b7 100644
--- a/setup.py
+++ b/setup.py
@@ -2,7 +2,7 @@
 
 setup(
 name='pyop',
-version='3.4.0',
+version='3.4.2',
 packages=find_packages('src'),
 package_dir={'': 'src'},
 url='https://github.com/IdentityPython/pyop',
@@ -15,7 +15,7 @@
 'pycryptodomex',
 ],
 extras_require={
-'mongo': 'pymongo',
+'mongo': 'pymongo >= 3.12, < 4.0',
 'redis': 'redis',
 },
 )
diff --git a/src/pyop/authz_state.py b/src/pyop/authz_state.py
index 9270f20..35085cf 100644
--- a/src/pyop/authz_state.py
+++ b/src/pyop/authz_state.py
@@ -200,6 +200,7 @@ def exchange_code_for_token(self, authorization_code):
 raise InvalidAuthorizationCode('{} has expired'.format(authorization_code))
 
 authz_info['used'] = True
+self.authorization_codes[authorization_code] = authz_info
 
 access_token = self._create_access_token(authz_info['sub'], authz_info[self.KEY_AUTHORIZATION_REQUEST],
 authz_info['granted_scope'],
@@ -363,7 +364,7 @@ def get_user_info_for_code(self, authorization_code):
 
 return self.authorization_codes[authorization_code].get(self.KEY_USER_INFO)
 
-def get_extra_io_token_claims_for_code(self, authorization_code):
+def get_extra_id_token_claims_for_code(self, authorization_code):
 # type: (str) -> dict
 if authorization_code not in self.authorization_codes:
 raise InvalidAuthorizationCode('{} unknown'.format(authorization_code))
diff --git a/src/pyop/provider.py b/src/pyop/provider.py
index c2a337d..67f9c2d 100644
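Review bot: The added `self.authorization_codes[authorization_code] = authz_info` makes the `used` flag persist (presumably needed because a DB-backed `authorization_codes` hands back a copy rather than the stored dict), but the expiry/used checks above it and this store are still a separate read and write, so two exchanges of the same code that both read the entry before either writes it can both succeed when the store is shared between workers. If the storage backends can do a conditional update, redemption should go through it; otherwise a comment should record the assumption, e.g. `# write back: the used flag is only persisted by storing the entry again; concurrent redemption of one code is not serialized here`. exchange_code_for_token starts outside the hunk.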
--- a/src/pyop/provider.py
+++ b/src/pyop/provider.py
@@ -240,7 +240,8 @@ def _create_subject_identifier(self, user_id, client_id, redirect_uri):
 """
 supported_subject_types = self.configuration_information['subject_types_supported'][0]
 subject_type = self.clients[client_id].get('subject_type', supported_subject_types)
-sector_identifier = urlparse(redirect_uri).netloc
+sector_identifier_uri = self.clients[client_id].get('sector_identifier_uri', redirect_uri)
+sector_identifier = urlparse(sector_identifier_uri).netloc
 return self.authz_state.get_subject_identifier(subject_type, user_id, sector_identifier)
 
 def _get_requested_claims_in(self, authentication_request, response_method):
@@ -445,16 +446,13 @@ def _do_code_exchange(self, request, # type: Dict[str, str]
 if refresh_token is not None:
 response['refresh_token'] = refresh_token
 
-if extra_id_token_claims is None:
-extra_id_token_claims = {}
-elif callable(extra_id_token_claims):
-if self.stateless:
-extra_id_token_claims = extra_id_token_claims(sub, authentication_request['client_id'])
-else:
-extra_id_token_claims = extra_id_token_claims(user_id, authentication_request['client_id'])
+extra_id_token_claims = {}
 if self.stateless:
-extra_id_token_claims_in_code = self.authz_state.get_extra_io_token_claims_for_code(token_request['code'])
+extra_id_token_claims_in_code = self.authz_state.get_extra_id_token_claims_for_code(token_request['code'])
 extra_id_token_claims.update(extra_id_token_claims_in_code)
+elif callable(extra_id_token_claims):
+extra_id_token_claims = extra_id_token_claims(user_id, authentication_request['client_id'])
+
 requested_claims = self._get_requested_claims_in(authentication_request, 'id_token')
 if self.stateless:
 user_info = self.authz_state.get_user_info_for_code(token_request['code'])
diff --git a/src/pyop/storage.py b/src/pyop/storage.py
index bdc12bf..6ed58c9 100644
--- a/src/pyop/storage.py
+++ b/src/pyop/storage.py
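Review bot: `sector_identifier_uri` is taken straight from the client's registered metadata on the first added line, so the pairwise subject now depends on a client-controlled value; OpenID Connect Core only allows that when the OP validated the URI at registration (fetched it and checked it lists the client's redirect_uris), which presumably happens elsewhere but is not checked here. Separately, `urlparse(...).netloc` keeps userinfo and port while the spec's Sector Identifier is the host component, so `https://rp.example` and `https://rp.example:443` produce different subjects — this predates the change, and moving to `.hostname` would alter existing pairwise identifiers, so at least document it. The docstring that closes at the top of the hunk should mention the new fallback: `the host of the client's sector_identifier_uri is used when registered, otherwise the host of redirect_uri`. _create_subject_identifier starts outside the hunk.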
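Review bot: The first added line `extra_id_token_claims = {}` overwrites the value the removed lines used to test with `is None` / `callable(...)` (presumably the function's `extra_id_token_claims` argument) before the new `elif callable(extra_id_token_claims)` runs, and `{}` is never callable, so a caller-supplied claims callback is silently dropped in the non-stateless path and the ID token is issued without those claims. Keeping the empty-dict default only for the `None` case restores the callback, and the stateless path can build its dict from the stored claims directly. _do_code_exchange starts and continues outside the hunk.
```python
        # … unchanged: refresh_token handling …
        if self.stateless:
            extra_id_token_claims = dict(
                self.authz_state.get_extra_id_token_claims_for_code(token_request['code']))
        elif callable(extra_id_token_claims):
            extra_id_token_claims = extra_id_token_claims(user_id, authentication_request['client_id'])
        elif extra_id_token_claims is None:
            extra_id_token_claims = {}

        requested_claims = self._get_requested_claims_in(authentication_request, 'id_token')
```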
@@ -93,7 +93,7 @@ def from_uri(cls, db_uri, collection, db_name=None, ttl=None, **kwargs):
 alg=alg
 )
 
-return ValueError(f"Invalid DB URI: {db_uri}")
+raise ValueError(f"Invalid DB URI: {db_uri}")
 
 @classmethod
 def type(cls, db_uri):
@@ -105,7 +105,7 @@ def type(cls, db_uri):
 elif url.scheme == "stateless":
 return "stateless"
 
-return ValueError(f"Invalid DB URI: {db_uri}")
+raise ValueError(f"Invalid DB URI: {db_uri}")
 
 @property
 def ttl(self):
diff --git a/src/pyop/userinfo.py b/src/pyop/userinfo.py
index ec92c2b..b01e563 100644
--- a/src/pyop/userinfo.py
+++ b/src/pyop/userinfo.py
@@ -31,6 +31,6 @@ def get_claims_for(self, user_id, requested_claims, userinfo=None):
 """
 
 if not userinfo:
-userinfo = self._db[user_id]
+userinfo = self._db[user_id] if user_id else {}
 claims = {claim: userinfo[claim] for claim in requested_claims if claim in userinfo}
 return claims
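Review bot: Both corrected lines, `raise ValueError(f"Invalid DB URI: {db_uri}")` here in `from_uri` and the identical one in `type` below, interpolate the full connection URI into the exception, and a mongodb/redis URI commonly carries `user:password@host`, so the credentials land in tracebacks and error logs — and now that it is a `raise` instead of a `return`, the message actually surfaces. In `type`, `url` is already parsed in the context lines, so `raise ValueError(f"Invalid DB URI scheme: {url.scheme!r}")` reports what is wrong without the secret; `from_uri` can do the same with whatever parsed form it has above the hunk. Both enclosing methods start outside their hunks.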
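Review bot: `userinfo = self._db[user_id] if user_id else {}` turns an empty `user_id` into an empty claim set, while a non-empty but unknown id presumably still raises from `self._db[user_id]`; the asymmetry is surprising, and since an empty result looks the same as a user with no matching claims, a caller that forgets the id gets silent empty responses rather than a failure. If that is the intended contract it belongs in the docstring that closes at the top of the hunk, e.g. `If user_id is empty and no userinfo is given, no claims are returned.`, and a `logger.debug` on that branch would help tell the two cases apart when operating the OP. get_claims_for's docstring starts outside the hunk.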