So this means you are leaking your Client Secret! Which is against the developer agreement.
The exception is using implicit auth in your extension, which would mean users are logging in twice.
Code being minified still means your client Secret is in the file in the clear and easy to steal.
If you did a second Authentication loop, and got an implicit bearer, then you can lookup the user by bearer.
But you already have the users UserID from onAuthorised.
If you continue with your code as is, you are in violation of the developer services agreement, and your extension will be denied