diff --git a/auth/oidc.go b/auth/oidc.go
index 62664c2c9b3b3d45b5bdeba946b5a266190e05a2..e0159d74bbfe136b7c3fff57b880fa85e37689d2 100644
--- a/auth/oidc.go
+++ b/auth/oidc.go
@@ -51,7 +51,12 @@ func (s *OIDCSession) refresh(ctx context.Context) (*Session, error) {
 		return nil, errors.New("fetching OIDC UserInfo failed: " + err.Error())
 	}
 
-	newS := &Session{}
+	// TOOD: if we later use sessions.update() it is overkill generate
+	//       a whole new session...
+	newS, err := NewSession()
+	if err != nil {
+		return nil, err
+	}
 	if err := userInfo.Claims(newS); err != nil {
 		return nil, errors.New("parsing OIDC UserInfo failed: " + err.Error())
 	}
@@ -59,6 +64,19 @@ func (s *OIDCSession) refresh(ctx context.Context) (*Session, error) {
 	return newS, nil
 }
 
+// This is only safe when session is logged in!
+func (s *OIDCSession) MarshalJSON() ([]byte, error) {
+	t, err := s.tokenSource.Token()
+	if err != nil {
+		return nil, err
+	}
+	return json.Marshal(struct {
+		Token *oauth2.Token `json:"token,omitempty"`
+	}{
+		Token: t,
+	})
+}
+
 type OIDCBackend struct {
 	loginTimeout time.Duration
 	issuerURL    string
@@ -115,7 +133,7 @@ func (b *OIDCBackend) NewOIDCSession(ctx context.Context, arguments json.RawMess
 		}
 
 		os.tokenSource = oauth2.StaticTokenSource(&oauth2Token)
-		if s, err = s.oidc.refresh(ctx); err != nil {
+		if s, err = os.refresh(ctx); err != nil {
 			return
 		}
 		s.setState(SessionStateLoggedIn)
diff --git a/auth/sessions.go b/auth/sessions.go
index d85663a8f4b7350e2117c811043859500d787f39..c4c0db0de2b4007aca44004a56ed67d460f9655a 100644
--- a/auth/sessions.go
+++ b/auth/sessions.go
@@ -175,27 +175,31 @@ func (s *Session) cleanup() {
 }
 
 func (s *Session) MarshalJSON() ([]byte, error) {
-	var expires *time.Time
-	if deadline, ok := s.ctx.Deadline(); ok {
-		expires = &deadline
-	}
-	return json.Marshal(struct {
+	data := struct {
 		ID       string       `json:"id"`
 		State    SessionState `json:"state"`
 		Expires  *time.Time   `json:"expires,omitempty"`
 		Username string       `json:"username"`
 		ReadOnly bool         `json:"readonly"`
 		AllShows bool         `json:"all-shows"`
-		Shows    []string     `json:"shows"`
+		Shows    []string     `json:"shows,omitempty"`
+		OIDC     *OIDCSession `json:"oidc,omitempty"`
 	}{
 		ID:       s.id,
 		State:    s.State(),
-		Expires:  expires,
 		Username: s.Username,
 		ReadOnly: s.ReadOnly,
 		AllShows: s.AllShows,
 		Shows:    s.Shows,
-	})
+	}
+	if deadline, ok := s.ctx.Deadline(); ok {
+		data.Expires = &deadline
+	}
+	// this should only be enabled for debug purposes
+	// if data.State == SessionStateLoggedIn {
+	// 	data.OIDC = s.oidc
+	// }
+	return json.Marshal(data)
 }
 
 func (s *Session) getToken() string {