diff --git a/pkg/services/apiserver/auth/authenticator/signedinuser_test.go b/pkg/services/apiserver/auth/authenticator/signedinuser_test.go
index 6717f7335bb..872958f6ce6 100644
--- a/pkg/services/apiserver/auth/authenticator/signedinuser_test.go
+++ b/pkg/services/apiserver/auth/authenticator/signedinuser_test.go
@@ -47,6 +47,7 @@ func TestSignedInUser(t *testing.T) {
 require.Equal(t, u.GetName(), res.User.GetName())
 require.Equal(t, u.GetUID(), res.User.GetUID())
 require.Equal(t, []string{"1", "2"}, res.User.GetGroups())
+ require.Empty(t, res.User.GetExtra()["id-token"])
 })
 t.Run("should set ID token when available", func(t *testing.T) {
@@ -71,6 +72,7 @@ func TestSignedInUser(t *testing.T) {
 require.Equal(t, u.GetName(), res.User.GetName())
 require.Equal(t, u.GetUID(), res.User.GetUID())
 require.Equal(t, []string{"1", "2"}, res.User.GetGroups())
+ require.Equal(t, "test-id-token", res.User.GetExtra()["id-token"][0])
 })
 }
diff --git a/pkg/services/authn/identity.go b/pkg/services/authn/identity.go
index be4e25ad4a3..51bd72e5156 100644
--- a/pkg/services/authn/identity.go
+++ b/pkg/services/authn/identity.go
@@ -89,7 +89,14 @@ func (i *Identity) GetIdentityType() identity.IdentityType {
 // GetExtra implements identity.Requester.
 func (i *Identity) GetExtra() map[string][]string {
- return map[string][]string{}
+ extra := map[string][]string{}
+ if i.IDToken != "" {
+ extra["id-token"] = []string{i.IDToken}
+ }
+ if i.GetOrgRole().IsValid() {
+ extra["user-instance-role"] = []string{string(i.GetOrgRole())}
+ }
+ return extra
 }
 // GetGroups implements identity.Requester.
diff --git a/pkg/services/user/identity.go b/pkg/services/user/identity.go
index 0d61b0945f2..b5906276ea5 100644
--- a/pkg/services/user/identity.go
+++ b/pkg/services/user/identity.go
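Review bot: The assertion added in the second test hunk indexes `res.User.GetExtra()["id-token"][0]`, which panics with an index-out-of-range instead of failing cleanly when the key is missing. Comparing the whole slice, `require.Equal(t, []string{"test-id-token"}, res.User.GetExtra()["id-token"])`, avoids the panic and also pins that exactly one value is set. Neither subtest asserts the `user-instance-role` entry that the same commit adds to GetExtra, so that key is untested in the visible lines. Both subtest bodies start outside their hunks.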
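Review bot: `extra["id-token"] = []string{i.IDToken}` places a bearer credential in the generic extras map, and nothing in this hunk or in the matching one in pkg/services/user/identity.go marks the value as sensitive. The test in this commit reads it back through `res.User.GetExtra()`, so the map appears to be carried into the API server's user info. Extras of that kind are commonly copied into audit events and authorization webhook payloads, which would persist the token beyond the request; this should be confirmed against the actual consumers. At minimum, document it on the method, e.g. `// The "id-token" entry is a credential: never log or persist the returned map unredacted.`, and check that audit and debug logging redact that key. The literal keys `"id-token"` and `"user-instance-role"` are repeated across three files; shared constants would keep producers and readers from drifting apart.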
@@ -94,7 +94,14 @@ func (u *SignedInUser) GetName() string {
 // GetExtra implements Requester.
 func (u *SignedInUser) GetExtra() map[string][]string {
- return map[string][]string{}
+ extra := map[string][]string{}
+ if u.IDToken != "" {
+ extra["id-token"] = []string{u.IDToken}
+ }
+ if u.OrgRole.IsValid() {
+ extra["user-instance-role"] = []string{string(u.GetOrgRole())}
+ }
+ return extra
 }
 // GetGroups implements Requester.
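Review bot: The role guard validates the field (`u.OrgRole.IsValid()`) but the value written comes from the accessor (`u.GetOrgRole()`), whereas the authn.Identity version in this commit uses the accessor for both. If GetOrgRole ever returns something other than the raw field, the check and the emitted value would disagree. GetOrgRole is not visible here, so this is a consistency point rather than a confirmed bug. Writing `if role := u.GetOrgRole(); role.IsValid() { extra["user-instance-role"] = []string{string(role)} }` validates exactly what is emitted and avoids the second call.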