diff --git a/src/common/context.rs b/src/common/context.rs
index 2fa92082c..7f7ea8a55 100644
--- a/src/common/context.rs
+++ b/src/common/context.rs
@@ -1,4 +1,3 @@
-use crate::common::resolve::AuthUser;
 use crate::common::{HARDENED_ENUM_VALUE_0, HARDENED_ENUM_VALUE_1, HARDENED_ENUM_VALUE_2};
 use crate::system::{Group, Hostname, Process, User};
@@ -44,7 +43,6 @@ pub struct Context {
     // system
     pub hostname: Hostname,
     pub current_user: CurrentUser,
-    pub auth_user: AuthUser,
     pub process: Process,
     // policy
     pub use_pty: bool,
@@ -102,7 +100,6 @@ impl Context {
             stdin: sudo_options.stdin,
             non_interactive: sudo_options.non_interactive,
             process: Process::new(),
-            auth_user: AuthUser::resolve_root_for_rootpw()?,
             use_pty: true,
             password_feedback: false,
         })
diff --git a/src/sudo/env/tests.rs b/src/sudo/env/tests.rs
index 4b641665d..9ad22108b 100644
--- a/src/sudo/env/tests.rs
+++ b/src/sudo/env/tests.rs
@@ -1,4 +1,4 @@
-use crate::common::resolve::{AuthUser, CurrentUser};
+use crate::common::resolve::CurrentUser;
 use crate::common::{CommandAndArguments, Context};
 use crate::sudo::{
     cli::{SudoAction, SudoRunOptions},
@@ -94,8 +94,6 @@ fn create_test_context(sudo_options: &SudoRunOptions) -> Context {
         groups: vec![],
     });
-    let auth_user = AuthUser::from_current_user(current_user.clone());
-
     let current_group = Group {
         gid: GroupId::new(1000),
         name: Some("test".to_string()),
@@ -121,7 +119,6 @@ fn create_test_context(sudo_options: &SudoRunOptions) -> Context {
         hostname: Hostname::fake("test-ubuntu"),
         command,
         current_user: current_user.clone(),
-        auth_user,
         target_user: if sudo_options.user.as_deref() == Some("test") {
             current_user.into()
         } else {
diff --git a/src/sudo/pam.rs b/src/sudo/pam.rs
index 03da62628..97590a1ea 100644
--- a/src/sudo/pam.rs
+++ b/src/sudo/pam.rs
@@ -1,6 +1,7 @@
 use std::ffi::OsString;
 use crate::common::context::LaunchType;
+use crate::common::resolve::AuthUser;
 use crate::common::{error::Error, Context};
 use crate::log::{dev_info, user_warn};
 use crate::pam::{CLIConverser, Converser, PamContext, PamError, PamErrorType, PamResult};
@@ -8,7 +9,7 @@ use crate::system::term::current_tty_name;
 use super::pipeline::AuthPlugin;
-type PamBuilder = dyn Fn(&Context) -> PamResult>;
+type PamBuilder = dyn Fn(&Context, AuthUser) -> PamResult>;
 pub struct PamAuthenticator {
     builder: Box>,
@@ -17,7 +18,7 @@ pub struct PamAuthenticator {
 impl PamAuthenticator {
     fn new(
-        initializer: impl Fn(&Context) -> PamResult> + 'static,
+        initializer: impl Fn(&Context, AuthUser) -> PamResult> + 'static,
     ) -> PamAuthenticator {
         PamAuthenticator {
             builder: Box::new(initializer),
@@ -28,14 +29,14 @@ impl PamAuthenticator {
 impl PamAuthenticator {
     pub fn new_cli() -> PamAuthenticator {
-        PamAuthenticator::new(|context| {
+        PamAuthenticator::new(|context, auth_user| {
             init_pam(
                 matches!(context.launch, LaunchType::Login),
                 matches!(context.launch, LaunchType::Shell),
                 context.stdin,
                 context.non_interactive,
                 context.password_feedback,
-                &context.auth_user.name,
+                &auth_user.name,
                 &context.current_user.name,
             )
         })
@@ -43,8 +44,8 @@ impl PamAuthenticator {
 }
 impl AuthPlugin for PamAuthenticator {
-    fn init(&mut self, context: &Context) -> Result<(), Error> {
-        self.pam = Some((self.builder)(context)?);
+    fn init(&mut self, context: &Context, auth_user: AuthUser) -> Result<(), Error> {
+        self.pam = Some((self.builder)(context, auth_user)?);
         Ok(())
     }
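Review bot: In the `new_cli` closure, `&auth_user.name` and `&context.current_user.name` are handed to `init_pam` as two adjacent bare string arguments, and nothing at the call site says which one PAM will actually verify credentials for — the distinction is the whole point of a `rootpw`-style policy, so a reader checking this path for privilege confusion has to go look up `init_pam`. I would annotate the two arguments in place, e.g. `&auth_user.name, // account whose credentials PAM checks; chosen by policy in the pipeline` and `&context.current_user.name, // invoking user, presumably reported to PAM as the requester — confirm against init_pam`, since `init_pam`'s parameter names are not visible here. Passing `auth_user` by value is sound (the returned `PamContext` carries no lifetime, so `init_pam` must copy the name), but the closure only reads `.name`; a `&AuthUser` parameter would let a future caller keep the value for error messages without cloning. The closing brace of `new_cli` lies past the end of the hunk.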
@@ -20,7 +20,7 @@ use crate::system::{escape_os_str_lossy, Process};
 mod list;
 pub trait AuthPlugin {
-    fn init(&mut self, context: &Context) -> Result<(), Error>;
+    fn init(&mut self, context: &Context, auth_user: AuthUser) -> Result<(), Error>;
     fn authenticate(&mut self, non_interactive: bool, max_tries: u16) -> Result<(), Error>;
     fn pre_exec(&mut self, target_user: &str) -> Result, Error>;
     fn cleanup(&mut self);
@@ -173,14 +173,14 @@ impl Pipeline {
             prior_validity,
         );
-        context.auth_user = match credential {
+        let auth_user = match credential {
             AuthenticatingUser::InvokingUser => {
                 AuthUser::from_current_user(context.current_user.clone())
             }
             AuthenticatingUser::Root => AuthUser::resolve_root_for_rootpw()?,
         };
-        self.authenticator.init(context)?;
+        self.authenticator.init(context, auth_user)?;
         if auth_status.must_authenticate {
             self.authenticator
                 .authenticate(context.non_interactive, allowed_attempts)?;
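Review bot: The new `auth_user: AuthUser` parameter on `AuthPlugin::init` is undocumented, and since this trait is the seam that every authenticator (and any test double) implements, the contract should state which account it names: add `/// Prepare authentication for `auth_user`, the account whose credentials will be verified (the invoking user, or root when the pipeline selects `AuthenticatingUser::Root`); `context` supplies the session details.` above the method. It is also worth saying that `init` is the only call in this trait that receives the credential, so an implementation that needs the name later, for a failure message or log line, has to store it itself. The method takes `AuthUser` by value while `context` is borrowed; if implementations only read it, `&AuthUser` would be the consistent choice, though by-value does make the hand-off of a freshly resolved credential explicit. The trait body continues past the hunk.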
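Review bot: With `auth_user` now a local `let` binding instead of a `Context` field there is no longer a default credential, so a path that reaches `init` without passing through this `match` cannot authenticate against root by accident — a property worth stating at the binding, e.g. `// The account to authenticate is selected by policy here and nowhere else; there is deliberately no default.` One consequence to double-check is that `AuthUser::resolve_root_for_rootpw()?` now runs only when the policy selects `Root`, whereas the removed code in the `Context` constructor resolved root's account unconditionally, so a lookup failure for root now surfaces at authentication time rather than at startup; that seems correct but changes when the error is reported. The `InvokingUser` arm clones the whole `CurrentUser` only to build an `AuthUser`; a by-reference constructor would avoid the copy, though this is cosmetic. The enclosing method starts before the hunk and continues after it.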