diff --git a/Gotrue/Api.cs b/Gotrue/Api.cs
index db412f9..ac1bfc6 100644
--- a/Gotrue/Api.cs
+++ b/Gotrue/Api.cs
@@ -220,23 +220,25 @@ public async Task<PasswordlessSignInState> SignInWithOtp(SignInWithPasswordlessP
 		/// The [idToken] is verified for validity and a new session is established.
 		/// This method of signing in only supports [Provider.Google] or [Provider.Apple].
 		/// </summary>
-		/// <param name="provider">A supported provider (Google, Apple)</param>
-		/// <param name="idToken"></param>
-		/// <param name="nonce"></param>
-		/// <param name="captchaToken"></param>
+		/// <param name="provider">A supported provider (Google, Apple, Azure, Facebook)</param>
+		/// <param name="idToken">OIDC ID token issued by the specified provider. The `iss` claim in the ID token must match the supplied provider. Some ID tokens contain an `at_hash` which require that you provide an `access_token` value to be accepted properly. If the token contains a `nonce` claim you must supply the nonce used to obtain the ID token.</param>
+		/// <param name="accessToken">If the ID token contains an `at_hash` claim, then the hash of this value is compared to the value in the ID token.</param>
+		/// <param name="nonce">If the ID token contains a `nonce` claim, then the hash of this value is compared to the value in the ID token.</param>
+		/// <param name="captchaToken">Verification token received when the user completes the captcha on the site.</param>
 		/// <returns></returns>
 		/// <exception>
 		///     <cref>InvalidProviderException</cref>
 		/// </exception>
-		public Task<Session?> SignInWithIdToken(Provider provider, string idToken, string? nonce = null, string? captchaToken = null)
+		public Task<Session?> SignInWithIdToken(Provider provider, string idToken, string? accessToken = null, string? nonce = null, string? captchaToken = null)
 		{
-			if (provider != Provider.Google && provider != Provider.Apple)
-				throw new GotrueException($"Provider must be `Provider.Google` or `Provider.Apple` not {provider}");
+			if (provider != Provider.Google && provider != Provider.Apple && provider != Provider.Azure && provider != Provider.Facebook)
+				throw new GotrueException($"Provider must be `Google`, `Apple`, `Azure`, or `Facebook` not {provider}");
 
 			var body = new Dictionary<string, object?>
 			{
 				{ "provider", Core.Helpers.GetMappedToAttr(provider).Mapping },
-				{ "id_token", idToken }
+				{ "id_token", idToken },
+				{ "access_token", accessToken }
 			};
 
 			if (!string.IsNullOrEmpty(nonce))
@@ -245,7 +247,6 @@ public async Task<PasswordlessSignInState> SignInWithOtp(SignInWithPasswordlessP
 			if (!string.IsNullOrEmpty(captchaToken))
 				body.Add("gotrue_meta_security", new Dictionary<string, object?> { { "captcha_token", captchaToken } });
 
-
 			return Helpers.MakeRequest<Session>(HttpMethod.Post, $"{Url}/token?grant_type=id_token", body, Headers);
 		}
 
@@ -470,7 +471,7 @@ public ProviderAuthState GetUriForProvider(Provider provider, SignInOptions? opt
 
 			return Helpers.MakeRequest<Session>(HttpMethod.Post, url.ToString(), body, Headers);
 		}
-		
+
 		/// <inheritdoc />
 		public async Task<ProviderAuthState> LinkIdentity(string token, Provider provider, SignInOptions options)
 		{
diff --git a/Gotrue/Client.cs b/Gotrue/Client.cs
index 74a1586..c1299a7 100644
--- a/Gotrue/Client.cs
+++ b/Gotrue/Client.cs
@@ -192,13 +192,15 @@ public async Task<bool> SignIn(string email, SignInOptions? options = null)
 		}
 
 		/// <inheritdoc />
-		public async Task<Session?> SignInWithIdToken(Provider provider, string idToken, string? nonce = null,
+		public async Task<Session?> SignInWithIdToken(Provider provider, string idToken, string? accessToken = null, string? nonce = null,
 			string? captchaToken = null)
 		{
 			if (!Online)
 				throw new GotrueException("Only supported when online", Offline);
 
-			var result = await _api.SignInWithIdToken(provider, idToken, nonce, captchaToken);
+			DestroySession();
+
+			var result = await _api.SignInWithIdToken(provider, idToken, accessToken, nonce, captchaToken);
 
 			UpdateSession(result);
 
@@ -347,7 +349,7 @@ public Task<ProviderAuthState> SignIn(Provider provider, SignInOptions? options
 
 			return null;
 		}
-		
+
 		/// <inheritdoc />
 		public Task<ProviderAuthState> LinkIdentity(Provider provider, SignInOptions options)
 		{
@@ -359,7 +361,7 @@ public Task<ProviderAuthState> LinkIdentity(Provider provider, SignInOptions opt
 
 			if (options.FlowType != OAuthFlowType.PKCE)
 				throw new GotrueException("PKCE flow type is required for this action.", InvalidFlowType);
-			
+
 			return _api.LinkIdentity(CurrentSession.AccessToken!, provider, options);
 		}
 
diff --git a/Gotrue/Interfaces/IGotrueApi.cs b/Gotrue/Interfaces/IGotrueApi.cs
index acdb69d..4116fca 100644
--- a/Gotrue/Interfaces/IGotrueApi.cs
+++ b/Gotrue/Interfaces/IGotrueApi.cs
@@ -22,7 +22,7 @@ public interface IGotrueApi<TUser, TSession> : IGettableHeaders
 		Task<ResetPasswordForEmailState> ResetPasswordForEmail(ResetPasswordForEmailOptions options);
 		Task<BaseResponse> SendMagicLinkEmail(string email, SignInOptions? options = null);
 		Task<BaseResponse> SendMobileOTP(string phone);
-		Task<TSession?> SignInWithIdToken(Provider provider, string idToken, string? nonce = null, string? captchaToken = null);
+		Task<TSession?> SignInWithIdToken(Provider provider, string idToken, string? accessToken = null, string? nonce = null, string? captchaToken = null);
 		Task<TSession?> SignInWithEmail(string email, string password);
 		Task<TSession?> SignInWithPhone(string phone, string password);
 		Task<PasswordlessSignInState> SignInWithOtp(SignInWithPasswordlessEmailOptions options);
diff --git a/Gotrue/Interfaces/IGotrueClient.cs b/Gotrue/Interfaces/IGotrueClient.cs
index ab1a4e2..b81517e 100644
--- a/Gotrue/Interfaces/IGotrueClient.cs
+++ b/Gotrue/Interfaces/IGotrueClient.cs
@@ -252,15 +252,16 @@ public interface IGotrueClient<TUser, TSession> : IGettableHeaders
 		/// The [idToken] is verified for validity and a new session is established.
 		/// This method of signing in only supports [Provider.Google] or [Provider.Apple].
 		/// </summary>
-		/// <param name="provider">A supported provider (Google, Apple)</param>
-		/// <param name="idToken">Provided from External Library</param>
-		/// <param name="nonce">Provided from External Library</param>
-		/// <param name="captchaToken">Provided from External Library</param>
+		/// <param name="provider">Provider name or OIDC `iss` value identifying which provider should be used to verify the provided token. Supported names: `google`, `apple`, `azure`, `facebook`</param>
+		/// <param name="idToken">OIDC ID token issued by the specified provider. The `iss` claim in the ID token must match the supplied provider. Some ID tokens contain an `at_hash` which require that you provide an `access_token` value to be accepted properly. If the token contains a `nonce` claim you must supply the nonce used to obtain the ID token.</param>
+		/// <param name="accessToken">If the ID token contains an `at_hash` claim, then the hash of this value is compared to the value in the ID token.</param>
+		/// <param name="nonce">If the ID token contains a `nonce` claim, then the hash of this value is compared to the value in the ID token.</param>
+		/// <param name="captchaToken">Verification token received when the user completes the captcha on the site.</param>
 		/// <remarks>Calling this method will eliminate the current session (if any).</remarks>
 		/// <exception>
 		///     <cref>InvalidProviderException</cref>
 		/// </exception>
-		Task<TSession?> SignInWithIdToken(Provider provider, string idToken, string? nonce = null, string? captchaToken = null);
+		Task<TSession?> SignInWithIdToken(Provider provider, string idToken, string? accessToken = null, string? nonce = null, string? captchaToken = null);
 
 		/// <summary>
 		/// Creates a new anonymous user.