From b62d87bdfab9536fff1cd560c2090b0be11316de Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Mon, 12 Jan 2026 23:50:05 +0000
Subject: [PATCH 1/2] Add idToken to OauthAccessToken for OIDC providers

Co-authored-by: jacob.foshee <jacob.foshee@clerk.dev>
---
 packages/backend/src/api/resources/JSON.ts             | 2 ++
 packages/backend/src/api/resources/OauthAccessToken.ts | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/packages/backend/src/api/resources/JSON.ts b/packages/backend/src/api/resources/JSON.ts
index d2cdd0c7b6a..6128e1ddc16 100644
--- a/packages/backend/src/api/resources/JSON.ts
+++ b/packages/backend/src/api/resources/JSON.ts
@@ -300,6 +300,8 @@ export interface OauthAccessTokenJSON {
   // Only set in OAuth 1.0 tokens
   token_secret?: string;
   expires_at?: number;
+  // Only present for OIDC-compliant OAuth 2.0 providers when available
+  id_token?: string;
 }
 
 export interface OAuthApplicationJSON extends ClerkResourceJSON {
diff --git a/packages/backend/src/api/resources/OauthAccessToken.ts b/packages/backend/src/api/resources/OauthAccessToken.ts
index ce08f22fcc6..e83c8f4089c 100644
--- a/packages/backend/src/api/resources/OauthAccessToken.ts
+++ b/packages/backend/src/api/resources/OauthAccessToken.ts
@@ -10,6 +10,11 @@ export class OauthAccessToken {
     readonly scopes?: string[],
     readonly tokenSecret?: string,
     readonly expiresAt?: number,
+    /**
+     * The ID token retrieved from the OIDC provider.
+     * Only present for OIDC-compliant OAuth 2.0 providers when available.
+     */
+    readonly idToken?: string,
   ) {}
 
   static fromJSON(data: OauthAccessTokenJSON) {
@@ -22,6 +27,7 @@ export class OauthAccessToken {
       data.scopes,
       data.token_secret,
       data.expires_at,
+      data.id_token,
     );
   }
 }

From 3264e229ced1f0c59d4ff973cb7c90787b8abc07 Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Mon, 12 Jan 2026 23:55:31 +0000
Subject: [PATCH 2/2] Checkpoint before follow-up message

Co-authored-by: jacob.foshee <jacob.foshee@clerk.dev>
---
 .changeset/oauth-idtoken-member.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/oauth-idtoken-member.md

diff --git a/.changeset/oauth-idtoken-member.md b/.changeset/oauth-idtoken-member.md
new file mode 100644
index 00000000000..f13ed6141fc
--- /dev/null
+++ b/.changeset/oauth-idtoken-member.md
@@ -0,0 +1,5 @@
+---
+"@clerk/backend": patch
+---
+
+Add optional `idToken` member to `OauthAccessToken` returned by `getUserOauthAccessToken`. The ID token is retrieved from OIDC providers and is only present for OIDC-compliant OAuth 2.0 providers when available.