diff --git a/acme/challenge.go b/acme/challenge.go
index 5b06dff6..a4596946 100644
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -401,6 +401,7 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 return WrapErrorISE(err, "error unmarshalling challenge data")
 }
 
+ // TODO(hs): move this into validation?
 expectedKeyAuth, err := KeyAuthorization(ch.Token, jwk)
 if err != nil {
 return err
@@ -410,7 +411,8 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 "keyAuthorization does not match; expected %q, but got %q", expectedKeyAuth, oidcPayload.KeyAuth))
 }
 
- if err := validateWireOIDCClaims(oidcOptions, idToken, wireID); err != nil {
+ transformedIDToken, err := validateWireOIDCClaims(oidcOptions, idToken, wireID)
+ if err != nil {
 return storeError(ctx, db, ch, true, WrapError(ErrorRejectedIdentifierType, err, "claims in OIDC ID token don't match"))
 }
 
@@ -423,15 +425,6 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 return WrapErrorISE(err, "error updating challenge")
 }
 
- parsedIDToken, err := jose.ParseSigned(oidcPayload.IDToken)
- if err != nil {
- return WrapErrorISE(err, "invalid OIDC ID token")
- }
- oidcToken := make(map[string]interface{})
- if err := parsedIDToken.UnsafeClaimsWithoutVerification(&oidcToken); err != nil {
- return WrapErrorISE(err, "failed parsing OIDC id token")
- }
-
 orders, err := db.GetAllOrdersByAccountID(ctx, ch.AccountID)
 if err != nil {
 return WrapErrorISE(err, "could not find current order by account id")
@@ -441,40 +434,40 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 }
 order := orders[len(orders)-1]
- if err := db.CreateOidcToken(ctx, order, oidcToken); err != nil {
+ if err := db.CreateOidcToken(ctx, order, transformedIDToken); err != nil {
 return WrapErrorISE(err, "failed storing OIDC id token")
 }
 
 return nil
 }
 
-func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.ID) error {
+func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.ID) (map[string]any, error) {
 var m map[string]any
 if err := token.Claims(&m); err != nil {
- return fmt.Errorf("failed extracting OIDC ID token claims: %w", err)
+ return nil, fmt.Errorf("failed extracting OIDC ID token claims: %w", err)
 }
 
 transformed, err := o.Transform(m)
 if err != nil {
- return fmt.Errorf("failed transforming OIDC ID token: %w", err)
+ return nil, fmt.Errorf("failed transforming OIDC ID token: %w", err)
 }
 
 name, ok := transformed["name"]
 if !ok {
- return fmt.Errorf("transformed OIDC ID token does not contain 'name'")
+ return nil, fmt.Errorf("transformed OIDC ID token does not contain 'name'")
 }
 if wireID.Name != name {
- return fmt.Errorf("invalid 'name' %q after transformation", name)
+ return nil, fmt.Errorf("invalid 'name' %q after transformation", name)
 }
 
 handle, ok := transformed["handle"]
 if !ok {
- return fmt.Errorf("transformed OIDC ID token does not contain 'handle'")
+ return nil, fmt.Errorf("transformed OIDC ID token does not contain 'handle'")
 }
 if wireID.Handle != handle {
- return fmt.Errorf("invalid 'handle' %q after transformation", handle)
+ return nil, fmt.Errorf("invalid 'handle' %q after transformation", handle)
 }
 
- return nil
+ return transformed, nil
 }
 
 type wireDpopPayload struct {
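Review bot: The `db.CreateOidcToken(ctx, order, transformedIDToken)` call now persists the output of `o.Transform` rather than the full claim set of the ID token, so any claim the transform template does not emit (the standard `iss`, `sub`, `exp` and friends, if the template drops them) is no longer stored; the readers of that record are not visible here, so confirm they do not depend on those fields before merging. Deriving the stored map from the verified `idToken` via `token.Claims` instead of re-parsing `oidcPayload.IDToken` with `UnsafeClaimsWithoutVerification` is the right direction, since what is persisted is now the same data that was checked. The new signature deserves a doc comment making the dual role explicit, e.g. `// validateWireOIDCClaims checks that the transformed ID token claims carry the expected Wire name and handle and, on success, returns the transformed claims for persistence.` Note also that `name` and `handle` are compared as `any`: a non-string value produced by the transform safely fails the `!=` check, but `%q` then formats a non-string in the error, so asserting `nameStr, ok := name.(string)` before the comparison would give a clearer rejection. The enclosing `wireOIDC01Validate` starts outside this hunk.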