diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index df849093b9773ea647938651b838b4c59ccef81a..749b56ed0baf847bcd888d09eb6cf98315096b82 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -3,6 +3,7 @@ package oidc
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -61,6 +62,11 @@ var brokenAuthHeaderDomains = []string{
 	"oktapreview.com",
 }
 
+// connectorData stores information for sessions authenticated by this connector
+type connectorData struct {
+	refreshToken []byte
+}
+
 // Detect auth header provider issues for known providers. This lets users
 // avoid having to explicitly set "basicAuthUnsupported" in their config.
 //
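Review bot: The `refreshToken` field of `connectorData` is unexported, and encoding/json skips unexported fields, so `json.Marshal(&cd)` in the createIdentity hunk emits `{}` and `json.Unmarshal` in the Refresh hunk leaves the field empty. The refresh token is dropped without any error, and each later refresh would be attempted with an empty token. Export the field and tag it, for example `RefreshToken []byte` with the struct tag `json:"refreshToken"`, and update the two uses in Refresh and createIdentity to match. A marshal/unmarshal round-trip test on `connectorData` would catch this class of mistake.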
@@ -210,8 +216,14 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 
 // Refresh is used to refresh a session with the refresh token provided by the IdP
 func (c *oidcConnector) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
+	cd := connectorData{}
+	err := json.Unmarshal(identity.ConnectorData, &cd)
+	if err != nil {
+		return identity, fmt.Errorf("oidc: failed to unmarshal connector data: %v", err)
+	}
+
 	t := &oauth2.Token{
-		RefreshToken: string(identity.ConnectorData),
+		RefreshToken: string(cd.refreshToken),
 		Expiry:       time.Now().Add(-time.Hour),
 	}
 	token, err := c.oauth2Config.TokenSource(ctx, t).Token()
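Review bot: Sessions created before this change hold the raw refresh token string in `identity.ConnectorData`, which is not valid JSON, so the new `json.Unmarshal` call returns an error and refresh fails for them. An empty `ConnectorData` fails the same way. If those sessions are meant to survive the upgrade, treat an unmarshal failure as the legacy format and use the bytes as the token. Independently of that, reject an empty token before building `oauth2.Token`, e.g. `if len(cd.refreshToken) == 0 { return identity, errors.New("oidc: no refresh token found") }`, so the failure is reported locally rather than as an opaque IdP error. Refresh's body continues past the end of this hunk.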
@@ -284,12 +296,21 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 		}
 	}
 
+	cd := connectorData{
+		refreshToken: []byte(token.RefreshToken),
+	}
+
+	connData, err := json.Marshal(&cd)
+	if err != nil {
+		return identity, fmt.Errorf("oidc: failed to encode connector data: %v", err)
+	}
+
 	identity = connector.Identity{
 		UserID:        idToken.Subject,
 		Username:      name,
 		Email:         email,
 		EmailVerified: emailVerified,
-		ConnectorData: []byte(token.RefreshToken),
+		ConnectorData: connData,
 	}
 
 	if c.userIDKey != "" {