diff --git a/pkg/api/metrics.go b/pkg/api/metrics.go
index 369088820ab..f4b8653e40f 100644
--- a/pkg/api/metrics.go
+++ b/pkg/api/metrics.go
@@ -230,6 +230,11 @@ func (hs *HTTPServer) createRequest(ctx context.Context, ds *models.DataSource,
 if token := hs.OAuthTokenService.GetCurrentOAuthToken(ctx, query.User); token != nil {
 delete(query.Headers, "Authorization")
 query.Headers["Authorization"] = fmt.Sprintf("%s %s", token.Type(), token.AccessToken)
+
+ idToken, ok := token.Extra("id_token").(string)
+ if ok && idToken != "" {
+ query.Headers["X-ID-Token"] = idToken
+ }
 }
 }
diff --git a/pkg/api/pluginproxy/ds_proxy.go b/pkg/api/pluginproxy/ds_proxy.go
index 5b1806cf7b7..deb1409ef36 100644
--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@@ -269,6 +269,11 @@ func (proxy *DataSourceProxy) director(req *http.Request) {
 if proxy.oAuthTokenService.IsOAuthPassThruEnabled(proxy.ds) {
 if token := proxy.oAuthTokenService.GetCurrentOAuthToken(proxy.ctx.Req.Context(), proxy.ctx.SignedInUser); token != nil {
 req.Header.Set("Authorization", fmt.Sprintf("%s %s", token.Type(), token.AccessToken))
+
+ idToken, ok := token.Extra("id_token").(string)
+ if ok && idToken != "" {
+ req.Header.Set("X-ID-Token", idToken)
+ }
 }
 }
 }
diff --git a/pkg/api/pluginproxy/ds_proxy_test.go b/pkg/api/pluginproxy/ds_proxy_test.go
index 846c551d8eb..19af483396a 100644
--- a/pkg/api/pluginproxy/ds_proxy_test.go
+++ b/pkg/api/pluginproxy/ds_proxy_test.go
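Review bot: `X-ID-Token` is written only when the token carries an `id_token`, so a value already stored under that key survives whenever the claim is missing, whereas `Authorization` is deleted before being set two lines above. Whether `query.Headers` can hold caller-supplied entries is not visible in this hunk, but if it can, the datasource would receive an identity header Grafana never issued; clearing it first with `delete(query.Headers, "X-ID-Token")` removes the doubt. The same gap exists in `director` in pkg/api/pluginproxy/ds_proxy.go, where `req.Header.Del("X-ID-Token")` should run ahead of the pass-through check so an incoming header is dropped even when pass-through is off or the token has no `id_token`. Both functions start and end outside their hunks.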
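Review bot: The ID token leaves Grafana under the same switch as the access token (`IsOAuthPassThruEnabled(proxy.ds)`), and nothing in `director` tells the reader what the receiving datasource is expected to do with it. An ID token is normally issued with the OAuth client as its audience and tends to carry profile claims, so the receiver has to check signature, issuer and audience rather than trust the header by its presence. I would add above the lookup: `// Forward the OIDC ID token next to the access token; the datasource must verify signature, issuer and audience before using any claim.` The header name is also a bare literal repeated in metrics.go and in the test, and a shared constant would keep the three in step.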
@@ -487,15 +487,22 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 SignedInUser: &models.SignedInUser{UserId: 1},
 Context: &web.Context{Req: req},
 }
+
+ token := &oauth2.Token{
+ AccessToken: "testtoken",
+ RefreshToken: "testrefreshtoken",
+ TokenType: "Bearer",
+ Expiry: time.Now().AddDate(0, 0, 1),
+ }
+ extra := map[string]interface{}{
+ "id_token": "testidtoken",
+ }
+ token = token.WithExtra(extra)
 mockAuthToken := mockOAuthTokenService{
- token: &oauth2.Token{
- AccessToken: "testtoken",
- RefreshToken: "testrefreshtoken",
- TokenType: "Bearer",
- Expiry: time.Now().AddDate(0, 0, 1),
- },
+ token: token,
 oAuthEnabled: true,
 }
+
 var routes []*plugins.Route
 secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
 dsService := datasources.ProvideService(bus.New(), nil, secretsService)
@@ -507,6 +514,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 proxy.director(req)
 assert.Equal(t, "Bearer testtoken", req.Header.Get("Authorization"))
+ assert.Equal(t, "testidtoken", req.Header.Get("X-ID-Token"))
 })
 t.Run("When SendUserHeader config is enabled", func(t *testing.T) {
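Review bot: The added assertion after `proxy.director(req)` covers only the case where the mock token carries an `id_token`; nothing checks what reaches the datasource when the claim is absent or when the incoming request already has the header. A second subtest that builds the mock token without `WithExtra`, calls `req.Header.Set("X-ID-Token", "client-supplied")` (a constructed value) before `proxy.director(req)`, and then asserts `assert.Empty(t, req.Header.Get("X-ID-Token"))` would pin that behaviour. As the director hunk stands that assertion would fail, which is the case worth deciding on before merge. The subtest enclosing this assertion starts outside the hunk.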