diff --git a/clientapi/auth/sso/github.go b/clientapi/auth/sso/github.go
index 70f1a95e0..8a4cffab1 100644
--- a/clientapi/auth/sso/github.go
+++ b/clientapi/auth/sso/github.go
@@ -22,8 +22,9 @@ import (
 func newGitHubIdentityProvider(cfg *config.IdentityProvider, hc *http.Client) identityProvider {
 return &oauth2IdentityProvider{
- cfg: cfg,
- hc: hc,
+ cfg: cfg,
+ oauth2Cfg: &cfg.OAuth2,
+ hc: hc,
 authorizationURL: "https://github.com/login/oauth/authorize",
 accessTokenURL: "https://github.com/login/oauth/access_token",
diff --git a/clientapi/auth/sso/oauth2.go b/clientapi/auth/sso/oauth2.go
index 7e81027d5..f8101ef8a 100644
--- a/clientapi/auth/sso/oauth2.go
+++ b/clientapi/auth/sso/oauth2.go
@@ -31,8 +31,9 @@ import (
 )
 type oauth2IdentityProvider struct {
- cfg *config.IdentityProvider
- hc *http.Client
+ cfg *config.IdentityProvider
+ oauth2Cfg *config.OAuth2
+ hc *http.Client
 authorizationURL string
 accessTokenURL string
@@ -48,7 +49,7 @@ type oauth2IdentityProvider struct {
 func (p *oauth2IdentityProvider) AuthorizationURL(ctx context.Context, callbackURL, nonce string) (string, error) {
 u, err := resolveURL(p.authorizationURL, url.Values{
- "client_id": []string{p.cfg.OAuth2.ClientID},
+ "client_id": []string{p.oauth2Cfg.ClientID},
 "response_type": []string{"code"},
 "redirect_uri": []string{callbackURL},
 "scope": []string{strings.Join(p.scopes, " ")},
@@ -121,8 +122,8 @@ func (p *oauth2IdentityProvider) getAccessToken(ctx context.Context, callbackURL
 "grant_type": []string{"authorization_code"},
 "code": []string{code},
 "redirect_uri": []string{callbackURL},
- "client_id": []string{p.cfg.OAuth2.ClientID},
- "client_secret": []string{p.cfg.OAuth2.ClientSecret},
+ "client_id": []string{p.oauth2Cfg.ClientID},
+ "client_secret": []string{p.oauth2Cfg.ClientSecret},
 }
 hreq, err := http.NewRequestWithContext(ctx, http.MethodPost, p.accessTokenURL, strings.NewReader(body.Encode()))
 if err != nil {
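Review bot: The new `oauth2Cfg` field in the `oauth2IdentityProvider` struct hunk is a pointer that `AuthorizationURL` and `getAccessToken` dereference with no nil check (the `p.oauth2Cfg.ClientID` and `p.oauth2Cfg.ClientSecret` lines in the two later hunks of this file), so a provider built as a struct literal without it panics on the first login attempt instead of failing at configuration time; the four hunks in oauth2_test.go had to patch the field in by hand, which shows how easy it is to omit. The field also carries no comment saying which config section it aliases, and the two constructors point it at different places; I'd add `// oauth2Cfg is the OAuth2 client configuration this provider authenticates with (cfg.OAuth2 for GitHub, cfg.OIDC.OAuth2 for OIDC); it must be non-nil.` above it. A cheap guard at the top of both methods, `if p.oauth2Cfg == nil { return "", errors.New("sso: oauth2 client configuration is not set") }` (adjusted to each method's return list, and assuming `errors` is imported — the import block is outside these hunks), would turn the panic into an error the caller can report. Both method bodies continue outside their hunks.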
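Review bot: In the `getAccessToken` hunk the `body` values now hold `client_secret` and are serialised straight into the request via `strings.NewReader(body.Encode())`, so `body` is a secret-bearing value from this point on; the `if err != nil {` branch and the rest of the function are outside the hunk, so I can't confirm whether `body`, `body.Encode()` or the built request is ever folded into a wrapped error or log line. Worth checking that only the token URL and the response status are reported on failure, never the encoded form, since an error path that prints the body would leak the client secret into logs. Sending the credentials as form parameters is a legitimate OAuth2 client-authentication style and no transport change is being suggested here.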
diff --git a/clientapi/auth/sso/oauth2_test.go b/clientapi/auth/sso/oauth2_test.go
index f541a5236..43b040f5c 100644
--- a/clientapi/auth/sso/oauth2_test.go
+++ b/clientapi/auth/sso/oauth2_test.go
@@ -25,6 +25,7 @@ func TestOAuth2IdentityProviderAuthorizationURL(t *testing.T) {
 authorizationURL: "https://oauth2.example.com/authorize",
 }
+ idp.oauth2Cfg = &idp.cfg.OAuth2
 got, err := idp.AuthorizationURL(ctx, "https://matrix.example.com/continue", "anonce")
 if err != nil {
@@ -98,6 +99,7 @@ func TestOAuth2IdentityProviderProcessCallback(t *testing.T) {
 displayNamePath: "name",
 suggestedUserIDPath: "preferred_user",
 }
+ idp.oauth2Cfg = &idp.cfg.OAuth2
 got, err := idp.ProcessCallback(ctx, callbackURL, "anonce", tst.Query)
 if err != nil {
@@ -145,6 +147,7 @@ func TestOAuth2IdentityProviderGetAccessToken(t *testing.T) {
 accessTokenURL: s.URL + "/token",
 }
+ idp.oauth2Cfg = &idp.cfg.OAuth2
 got, err := idp.getAccessToken(ctx, callbackURL, "acode")
 if err != nil {
@@ -198,6 +201,7 @@ func TestOAuth2IdentityProviderGetUserInfo(t *testing.T) {
 displayNamePath: "name",
 suggestedUserIDPath: "preferred_user",
 }
+ idp.oauth2Cfg = &idp.cfg.OAuth2
 gotSub, gotName, gotSuggestedUser, err := idp.getUserInfo(ctx, "atoken")
 if err != nil {
diff --git a/clientapi/auth/sso/oidc.go b/clientapi/auth/sso/oidc.go
index ec8d2300f..8cc691582 100644
--- a/clientapi/auth/sso/oidc.go
+++ b/clientapi/auth/sso/oidc.go
@@ -50,8 +50,9 @@ type oidcIdentityProvider struct {
 func newOIDCIdentityProvider(cfg *config.IdentityProvider, hc *http.Client) *oidcIdentityProvider {
 return &oidcIdentityProvider{
 oauth2IdentityProvider: &oauth2IdentityProvider{
- cfg: cfg,
- hc: hc,
+ cfg: cfg,
+ oauth2Cfg: &cfg.OIDC.OAuth2,
+ hc: hc,
 scopes: []string{"openid", "profile", "email"},
 responseMimeType: "application/json",
diff --git a/clientapi/auth/sso/oidc_test.go b/clientapi/auth/sso/oidc_test.go
index 21205e80c..65e363ec3 100644
--- a/clientapi/auth/sso/oidc_test.go
+++ b/clientapi/auth/sso/oidc_test.go
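Review bot: `idp.oauth2Cfg = &idp.cfg.OAuth2` is pasted after the struct literal in this hunk and repeated in the hunks at -98, -145 and -198; because every test builds `oauth2IdentityProvider` directly, the wiring that `newGitHubIdentityProvider` and `newOIDCIdentityProvider` perform is never exercised by these tests, so a constructor that forgets the field would not be caught here. The assignment cannot move into the literal since it refers to the literal's own `cfg`, but a small test helper such as `func newTestOAuth2IDP(cfg *config.IdentityProvider) *oauth2IdentityProvider` that sets both `cfg` and `oauth2Cfg` would remove the repetition and leave one place to change if the field is ever made mandatory. The enclosing test functions start outside the hunks.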
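Review bot: `oauth2Cfg: &cfg.OIDC.OAuth2` in the newOIDCIdentityProvider hunk reads the client credentials from a nested field while the GitHub constructor keeps reading the top-level `cfg.OAuth2`; the config-package change that introduces `config.OIDC.OAuth2` is not in this chunk, so I can't tell whether a top-level `OAuth2` section is still accepted on an OIDC-type provider. If it is, an operator who leaves their client ID and secret under the old key gets an OIDC provider that sends an empty `client_id` and `client_secret` to the token endpoint instead of a startup error; a validation step in the config loader (outside this diff) that rejects a top-level `OAuth2` on an OIDC provider, or at least a comment on this line such as `// OIDC credentials live under the oidc section, not the provider-level oauth2 section.`, would make the migration explicit. The composite literal continues outside the hunk.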
@@ -26,10 +26,10 @@ func TestOIDCIdentityProviderAuthorizationURL(t *testing.T) {
 defer s.Close()
 idp := newOIDCIdentityProvider(&config.IdentityProvider{
- OAuth2: config.OAuth2{
- ClientID: "aclientid",
- },
 OIDC: config.OIDC{
+ OAuth2: config.OAuth2{
+ ClientID: "aclientid",
+ },
 DiscoveryURL: s.URL + "/discovery",
 },
 }, s.Client())
@@ -97,10 +97,10 @@ func TestOIDCIdentityProviderProcessCallback(t *testing.T) {
 sURL = s.URL
 idp := newOIDCIdentityProvider(&config.IdentityProvider{
- OAuth2: config.OAuth2{
- ClientID: "aclientid",
- },
 OIDC: config.OIDC{
+ OAuth2: config.OAuth2{
+ ClientID: "aclientid",
+ },
 DiscoveryURL: sURL + "/discovery",
 },
 }, s.Client())
diff --git a/clientapi/auth/sso/sso_test.go b/clientapi/auth/sso/sso_test.go
index 663e07721..c385faaf2 100644
--- a/clientapi/auth/sso/sso_test.go
+++ b/clientapi/auth/sso/sso_test.go
@@ -20,10 +20,10 @@ func TestNewAuthenticator(t *testing.T) {
 }, {
 Type: config.SSOTypeOIDC,
- OAuth2: config.OAuth2{
- ClientID: "aclientid",
- },
 OIDC: config.OIDC{
+ OAuth2: config.OAuth2{
+ ClientID: "aclientid",
+ },
 DiscoveryURL: "http://oidc.example.com/discovery",
 },
 },