From 9c680c655f6ee1962b12f0132f6cf92dde3111e9 Mon Sep 17 00:00:00 2001
From: Jacob Foshee <jacob.foshee@clerk.dev>
Date: Wed, 14 Jan 2026 11:59:35 -0600
Subject: [PATCH] feat(backend): Add OauthAccessToken idToken member (#7583)

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
---
 .changeset/oauth-idtoken-member.md                     | 5 +++++
 packages/backend/src/api/resources/JSON.ts             | 2 ++
 packages/backend/src/api/resources/OauthAccessToken.ts | 6 ++++++
 3 files changed, 13 insertions(+)
 create mode 100644 .changeset/oauth-idtoken-member.md

diff --git a/.changeset/oauth-idtoken-member.md b/.changeset/oauth-idtoken-member.md
new file mode 100644
index 00000000000..f13ed6141fc
--- /dev/null
+++ b/.changeset/oauth-idtoken-member.md
@@ -0,0 +1,5 @@
+---
+"@clerk/backend": patch
+---
+
+Add optional `idToken` member to `OauthAccessToken` returned by `getUserOauthAccessToken`. The ID token is retrieved from OIDC providers and is only present for OIDC-compliant OAuth 2.0 providers when available.
diff --git a/packages/backend/src/api/resources/JSON.ts b/packages/backend/src/api/resources/JSON.ts
index 4aee90821ea..88e3d0c001e 100644
--- a/packages/backend/src/api/resources/JSON.ts
+++ b/packages/backend/src/api/resources/JSON.ts
@@ -316,6 +316,8 @@ export interface OauthAccessTokenJSON {
   // Only set in OAuth 1.0 tokens
   token_secret?: string;
   expires_at?: number;
+  // Only present for OIDC-compliant OAuth 2.0 providers when available
+  id_token?: string;
 }
 
 export interface OAuthApplicationJSON extends ClerkResourceJSON {
diff --git a/packages/backend/src/api/resources/OauthAccessToken.ts b/packages/backend/src/api/resources/OauthAccessToken.ts
index ce08f22fcc6..e83c8f4089c 100644
--- a/packages/backend/src/api/resources/OauthAccessToken.ts
+++ b/packages/backend/src/api/resources/OauthAccessToken.ts
@@ -10,6 +10,11 @@ export class OauthAccessToken {
     readonly scopes?: string[],
     readonly tokenSecret?: string,
     readonly expiresAt?: number,
+    /**
+     * The ID token retrieved from the OIDC provider.
+     * Only present for OIDC-compliant OAuth 2.0 providers when available.
+     */
+    readonly idToken?: string,
   ) {}
 
   static fromJSON(data: OauthAccessTokenJSON) {
@@ -22,6 +27,7 @@ export class OauthAccessToken {
       data.scopes,
       data.token_secret,
       data.expires_at,
+      data.id_token,
     );
   }
 }