diff --git a/internal/store/types.go b/internal/store/types.go
index 88758e4..0a69dee 100644
--- a/internal/store/types.go
+++ b/internal/store/types.go
@@ -16,8 +16,18 @@ type User struct {
 Email *string // optional; nil = not set
 DisabledAt *time.Time // nil = enabled
 MustChangePassword bool
- CreatedAt time.Time
- LastLoginAt *time.Time
+ // AuthSource is "local" (created by admin or bootstrap) or
+ // "oidc" (JIT-provisioned on first OIDC sign-in). Local users
+ // authenticate via password; OIDC users via the IdP and have an
+ // empty PasswordHash.
+ AuthSource string
+ // OIDCSubject is the stable 'sub' claim from the IdP. Set only
+ // when AuthSource == "oidc". Used for fast lookup on subsequent
+ // sign-ins; the username/email may change at the IdP but sub
+ // stays stable.
+ OIDCSubject *string
+ CreatedAt time.Time
+ LastLoginAt *time.Time
 }
 
 // Role enumerates the access tiers from spec.md ยง7.2.
@@ -40,6 +50,10 @@ type Session struct {
 ExpiresAt time.Time
 IP string
 UA string
+ // IDToken is the OIDC id_token captured at sign-in for OIDC
+ // sessions; empty for local-user sessions. Used as
+ // id_token_hint on RP-initiated logout.
+ IDToken string
 }
 
 // Host mirrors the hosts table. The P2 redesign moved repo-related
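Review bot: `AuthSource string` keeps its two legal values only in a comment, so the store, the password-login path and the OIDC provisioning code can drift apart silently; since the field is new in this commit, a named type with constants, `type AuthSource string` and `const ( AuthSourceLocal AuthSource = "local"; AuthSourceOIDC AuthSource = "oidc" )`, gives the compiler and `switch` statements something to check. The `OIDCSubject` comment should also state that `sub` is unique only per issuer, so lookup by subject alone is safe only while a single IdP is configured or the issuer is stored next to it. The "empty PasswordHash" remark should say outright that password login must be refused when `AuthSource == "oidc"`, rather than relying on an empty hash failing to verify. The `User` struct's header and earlier fields are outside the hunk.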
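Review bot: `IDToken string` persists the complete signed id_token, which carries identity claims and can run to several kilobytes, in the same record as the session, yet the comment says nothing about retention or exposure; add `// Carries identity claims: never log or return it, and drop it with the session when it is revoked or expires.` If `Session` mirrors a database table the way the `// Host mirrors the hosts table` context suggests (inferred, not visible here), the column also needs to be sized for a JWT. Since id_token_hint on RP-initiated logout is the only stated use, storing nothing for local sessions is already right, but the field should be excluded from any serialization of `Session` that reaches a client. The `Session` struct's header and earlier fields are outside the hunk.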