From 01d87fcd982f512bf4bfdc5564f51d044a3654a8 Mon Sep 17 00:00:00 2001
From: Bart de Water <118401830+bdewater-thatch@users.noreply.github.com>
Date: Wed, 5 Nov 2025 11:16:10 -0500
Subject: [PATCH] feat: Support for access tokens exchange over MTLS

---
 lib/omniauth/strategies/openid_connect.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index 73dd0fe0..e0c6fd79 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -283,6 +283,7 @@ def access_token
         token_request_params[:code_verifier] = params['code_verifier'] || session.delete('omniauth.pkce.verifier') if options.pkce
 
         @access_token = client.access_token!(token_request_params)
+        @access_token = @access_token.to_mtls if options.client_auth_method.match?(/mtls/)
         verify_id_token!(@access_token.id_token) if configured_response_type == 'code'
 
         @access_token