diff --git a/connector/atlassiancrowd/atlassiancrowd_test.go b/connector/atlassiancrowd/atlassiancrowd_test.go
index 17d0422ac8..b9e69d5be5 100644
--- a/connector/atlassiancrowd/atlassiancrowd_test.go
+++ b/connector/atlassiancrowd/atlassiancrowd_test.go
@@ -124,19 +124,19 @@ func TestIdentityFromCrowdUser(t *testing.T) {
 	// unset
 	expectEquals(t, i.PreferredUsername, "")
 
-	c.Config.PreferredUsernameField = "key"
+	c.PreferredUsernameField = "key"
 	i = c.identityFromCrowdUser(user)
 	expectEquals(t, i.PreferredUsername, "12345")
 
-	c.Config.PreferredUsernameField = "name"
+	c.PreferredUsernameField = "name"
 	i = c.identityFromCrowdUser(user)
 	expectEquals(t, i.PreferredUsername, "testuser")
 
-	c.Config.PreferredUsernameField = "email"
+	c.PreferredUsernameField = "email"
 	i = c.identityFromCrowdUser(user)
 	expectEquals(t, i.PreferredUsername, "testuser@example.com")
 
-	c.Config.PreferredUsernameField = "invalidstring"
+	c.PreferredUsernameField = "invalidstring"
 	i = c.identityFromCrowdUser(user)
 	expectEquals(t, i.PreferredUsername, "")
 }
diff --git a/server/oauth2.go b/server/oauth2.go
index 7268bcfd3b..ef597955b6 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -402,16 +402,16 @@ func (s *Server) newIDToken(ctx context.Context, clientID string, claims storage
 	}
 
 	for _, scope := range scopes {
-		switch {
-		case scope == scopeEmail:
+		switch scope {
+		case scopeEmail:
 			tok.Email = claims.Email
 			tok.EmailVerified = &claims.EmailVerified
-		case scope == scopeGroups:
+		case scopeGroups:
 			tok.Groups = claims.Groups
-		case scope == scopeProfile:
+		case scopeProfile:
 			tok.Name = claims.Username
 			tok.PreferredUsername = claims.PreferredUsername
-		case scope == scopeFederatedID:
+		case scopeFederatedID:
 			tok.FederatedIDClaims = &federatedIDClaims{
 				ConnectorID: connID,
 				UserID:      claims.UserID,
@@ -722,7 +722,7 @@ func (s *storageKeySet) VerifySignature(ctx context.Context, jwt string) (payloa
 		break
 	}
 
-	skeys, err := s.Storage.GetKeys(ctx)
+	skeys, err := s.GetKeys(ctx)
 	if err != nil {
 		return nil, err
 	}
diff --git a/server/rotation.go b/server/rotation.go
index 286b4b57af..49ba7f27f6 100644
--- a/server/rotation.go
+++ b/server/rotation.go
@@ -128,7 +128,7 @@ func (k keyRotator) rotate() error {
 	}
 
 	var nextRotation time.Time
-	err = k.Storage.UpdateKeys(context.Background(), func(keys storage.Keys) (storage.Keys, error) {
+	err = k.UpdateKeys(context.Background(), func(keys storage.Keys) (storage.Keys, error) {
 		tNow := k.now()
 
 		// if you are running multiple instances of dex, another instance
diff --git a/storage/kubernetes/lock.go b/storage/kubernetes/lock.go
index c67380dcc0..ddb3499751 100644
--- a/storage/kubernetes/lock.go
+++ b/storage/kubernetes/lock.go
@@ -58,7 +58,7 @@ func (l *refreshTokenLock) Unlock(id string) {
 	}
 
 	r.Annotations = nil
-	err = l.cli.put(resourceRefreshToken, r.ObjectMeta.Name, r)
+	err = l.cli.put(resourceRefreshToken, r.Name, r)
 	if err != nil {
 		l.cli.logger.Debug("failed to release lock for refresh token", "token_id", id, "err", err)
 	}
@@ -82,7 +82,7 @@ func (l *refreshTokenLock) setLockAnnotation(id string) (bool, error) {
 		}
 
 		r.Annotations = lockData
-		err := l.cli.put(resourceRefreshToken, r.ObjectMeta.Name, r)
+		err := l.cli.put(resourceRefreshToken, r.Name, r)
 		if err == nil {
 			return false, nil
 		}
@@ -108,7 +108,7 @@ func (l *refreshTokenLock) setLockAnnotation(id string) (bool, error) {
 	// Lock time is out, lets break the lock and take the advantage
 	r.Annotations = lockData
 
-	err = l.cli.put(resourceRefreshToken, r.ObjectMeta.Name, r)
+	err = l.cli.put(resourceRefreshToken, r.Name, r)
 	if err == nil {
 		// break lock annotation
 		return false, nil
diff --git a/storage/kubernetes/storage.go b/storage/kubernetes/storage.go
index a53e25549f..f6da992d13 100644
--- a/storage/kubernetes/storage.go
+++ b/storage/kubernetes/storage.go
@@ -155,16 +155,16 @@ func (cli *client) registerCustomResources() (ok bool) {
 
 		r := definitions[i]
 		var i interface{}
-		cli.logger.Info("checking if custom resource has already been created...", "object", r.ObjectMeta.Name)
+		cli.logger.Info("checking if custom resource has already been created...", "object", r.Name)
 		if err := cli.listN(r.Spec.Names.Plural, &i, 1); err == nil {
-			cli.logger.Info("the custom resource already available, skipping create", "object", r.ObjectMeta.Name)
+			cli.logger.Info("the custom resource already available, skipping create", "object", r.Name)
 			continue
 		} else {
-			cli.logger.Info("failed to list custom resource, attempting to create", "object", r.ObjectMeta.Name, "err", err)
+			cli.logger.Info("failed to list custom resource, attempting to create", "object", r.Name, "err", err)
 		}
 
 		err = cli.postResource(cli.crdAPIVersion, "", "customresourcedefinitions", r)
-		resourceName = r.ObjectMeta.Name
+		resourceName = r.Name
 
 		if err != nil {
 			switch err {
@@ -417,7 +417,7 @@ func (cli *client) DeleteClient(ctx context.Context, id string) error {
 	if err != nil {
 		return err
 	}
-	return cli.delete(resourceClient, c.ObjectMeta.Name)
+	return cli.delete(resourceClient, c.Name)
 }
 
 func (cli *client) DeleteRefresh(ctx context.Context, id string) error {
@@ -430,7 +430,7 @@ func (cli *client) DeletePassword(ctx context.Context, email string) error {
 	if err != nil {
 		return err
 	}
-	return cli.delete(resourcePassword, p.ObjectMeta.Name)
+	return cli.delete(resourcePassword, p.Name)
 }
 
 func (cli *client) DeleteOfflineSessions(ctx context.Context, userID string, connID string) error {
@@ -439,7 +439,7 @@ func (cli *client) DeleteOfflineSessions(ctx context.Context, userID string, con
 	if err != nil {
 		return err
 	}
-	return cli.delete(resourceOfflineSessions, o.ObjectMeta.Name)
+	return cli.delete(resourceOfflineSessions, o.Name)
 }
 
 func (cli *client) DeleteConnector(ctx context.Context, id string) error {
@@ -469,7 +469,7 @@ func (cli *client) UpdateRefreshToken(ctx context.Context, id string, updater fu
 		newToken := cli.fromStorageRefreshToken(updated)
 		newToken.ObjectMeta = r.ObjectMeta
 
-		return cli.put(resourceRefreshToken, r.ObjectMeta.Name, newToken)
+		return cli.put(resourceRefreshToken, r.Name, newToken)
 	})
 }
 
@@ -487,7 +487,7 @@ func (cli *client) UpdateClient(ctx context.Context, id string, updater func(old
 
 	newClient := cli.fromStorageClient(updated)
 	newClient.ObjectMeta = c.ObjectMeta
-	return cli.put(resourceClient, c.ObjectMeta.Name, newClient)
+	return cli.put(resourceClient, c.Name, newClient)
 }
 
 func (cli *client) UpdatePassword(ctx context.Context, email string, updater func(old storage.Password) (storage.Password, error)) error {
@@ -504,7 +504,7 @@ func (cli *client) UpdatePassword(ctx context.Context, email string, updater fun
 
 	newPassword := cli.fromStoragePassword(updated)
 	newPassword.ObjectMeta = p.ObjectMeta
-	return cli.put(resourcePassword, p.ObjectMeta.Name, newPassword)
+	return cli.put(resourcePassword, p.Name, newPassword)
 }
 
 func (cli *client) UpdateOfflineSessions(ctx context.Context, userID string, connID string, updater func(old storage.OfflineSessions) (storage.OfflineSessions, error)) error {
@@ -521,7 +521,7 @@ func (cli *client) UpdateOfflineSessions(ctx context.Context, userID string, con
 
 		newOfflineSessions := cli.fromStorageOfflineSessions(updated)
 		newOfflineSessions.ObjectMeta = o.ObjectMeta
-		return cli.put(resourceOfflineSessions, o.ObjectMeta.Name, newOfflineSessions)
+		return cli.put(resourceOfflineSessions, o.Name, newOfflineSessions)
 	})
 }
 
@@ -615,7 +615,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st
 	var delErr error
 	for _, authRequest := range authRequests.AuthRequests {
 		if now.After(authRequest.Expiry) {
-			if err := cli.delete(resourceAuthRequest, authRequest.ObjectMeta.Name); err != nil {
+			if err := cli.delete(resourceAuthRequest, authRequest.Name); err != nil {
 				cli.logger.Error("failed to delete auth request", "err", err)
 				delErr = fmt.Errorf("failed to delete auth request: %v", err)
 			}
@@ -633,7 +633,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st
 
 	for _, authCode := range authCodes.AuthCodes {
 		if now.After(authCode.Expiry) {
-			if err := cli.delete(resourceAuthCode, authCode.ObjectMeta.Name); err != nil {
+			if err := cli.delete(resourceAuthCode, authCode.Name); err != nil {
 				cli.logger.Error("failed to delete auth code", "err", err)
 				delErr = fmt.Errorf("failed to delete auth code: %v", err)
 			}
@@ -648,7 +648,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st
 
 	for _, deviceRequest := range deviceRequests.DeviceRequests {
 		if now.After(deviceRequest.Expiry) {
-			if err := cli.delete(resourceDeviceRequest, deviceRequest.ObjectMeta.Name); err != nil {
+			if err := cli.delete(resourceDeviceRequest, deviceRequest.Name); err != nil {
 				cli.logger.Error("failed to delete device request", "err", err)
 				delErr = fmt.Errorf("failed to delete device request: %v", err)
 			}
@@ -663,7 +663,7 @@ func (cli *client) GarbageCollect(ctx context.Context, now time.Time) (result st
 
 	for _, deviceToken := range deviceTokens.DeviceTokens {
 		if now.After(deviceToken.Expiry) {
-			if err := cli.delete(resourceDeviceToken, deviceToken.ObjectMeta.Name); err != nil {
+			if err := cli.delete(resourceDeviceToken, deviceToken.Name); err != nil {
 				cli.logger.Error("failed to delete device token", "err", err)
 				delErr = fmt.Errorf("failed to delete device token: %v", err)
 			}
@@ -720,7 +720,7 @@ func (cli *client) UpdateDeviceToken(ctx context.Context, deviceCode string, upd
 
 		newToken := cli.fromStorageDeviceToken(updated)
 		newToken.ObjectMeta = r.ObjectMeta
-		return cli.put(resourceDeviceToken, r.ObjectMeta.Name, newToken)
+		return cli.put(resourceDeviceToken, r.Name, newToken)
 	})
 }
 
diff --git a/storage/kubernetes/types.go b/storage/kubernetes/types.go
index a9806add80..1c9bf54ec0 100644
--- a/storage/kubernetes/types.go
+++ b/storage/kubernetes/types.go
@@ -369,7 +369,7 @@ type AuthRequestList struct {
 
 func toStorageAuthRequest(req AuthRequest) storage.AuthRequest {
 	a := storage.AuthRequest{
-		ID:                  req.ObjectMeta.Name,
+		ID:                  req.Name,
 		ClientID:            req.ClientID,
 		ResponseTypes:       req.ResponseTypes,
 		Scopes:              req.Scopes,
@@ -532,7 +532,7 @@ func (cli *client) fromStorageAuthCode(a storage.AuthCode) AuthCode {
 
 func toStorageAuthCode(a AuthCode) storage.AuthCode {
 	return storage.AuthCode{
-		ID:            a.ObjectMeta.Name,
+		ID:            a.Name,
 		ClientID:      a.ClientID,
 		RedirectURI:   a.RedirectURI,
 		ConnectorID:   a.ConnectorID,
@@ -579,7 +579,7 @@ type RefreshList struct {
 
 func toStorageRefreshToken(r RefreshToken) storage.RefreshToken {
 	return storage.RefreshToken{
-		ID:            r.ObjectMeta.Name,
+		ID:            r.Name,
 		Token:         r.Token,
 		ObsoleteToken: r.ObsoleteToken,
 		CreatedAt:     r.CreatedAt,
@@ -739,7 +739,7 @@ func toStorageConnector(c Connector) storage.Connector {
 		ID:              c.ID,
 		Type:            c.Type,
 		Name:            c.Name,
-		ResourceVersion: c.ObjectMeta.ResourceVersion,
+		ResourceVersion: c.ResourceVersion,
 		Config:          c.Config,
 	}
 }
@@ -792,7 +792,7 @@ func (cli *client) fromStorageDeviceRequest(a storage.DeviceRequest) DeviceReque
 
 func toStorageDeviceRequest(req DeviceRequest) storage.DeviceRequest {
 	return storage.DeviceRequest{
-		UserCode:     strings.ToUpper(req.ObjectMeta.Name),
+		UserCode:     strings.ToUpper(req.Name),
 		DeviceCode:   req.DeviceCode,
 		ClientID:     req.ClientID,
 		ClientSecret: req.ClientSecret,
@@ -846,7 +846,7 @@ func (cli *client) fromStorageDeviceToken(t storage.DeviceToken) DeviceToken {
 
 func toStorageDeviceToken(t DeviceToken) storage.DeviceToken {
 	return storage.DeviceToken{
-		DeviceCode:          t.ObjectMeta.Name,
+		DeviceCode:          t.Name,
 		Status:              t.Status,
 		Token:               t.Token,
 		Expiry:              t.Expiry,