diff --git a/flux2/apps/wordpress/kustomization.yaml b/flux2/apps/wordpress/kustomization.yaml
index 5080ac0cd282652c3ce7b056cfba0fc199ca29d8..108aa04c1077391028940bc8b7ad43ef0ce7fd4d 100644
--- a/flux2/apps/wordpress/kustomization.yaml
+++ b/flux2/apps/wordpress/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
   - pvc.yaml
   - release.yaml
   - wordpress-values-configmap.yaml
+  - wp-oauth.yaml
diff --git a/flux2/apps/wordpress/wordpress-values-configmap.yaml b/flux2/apps/wordpress/wordpress-values-configmap.yaml
index a8f426cab71a5196002fbc53410d56ef8dec4a26..40dc509befea87235a01c622f77aeee34c3d5f35 100644
--- a/flux2/apps/wordpress/wordpress-values-configmap.yaml
+++ b/flux2/apps/wordpress/wordpress-values-configmap.yaml
@@ -25,7 +25,7 @@ data:
 
     openid_connect_settings:
       enabled: true
-      client_secret: ${wordpress_oauth_client_secret}
+      client_secret: ${client_secret}
       endpoint_login: https://sso.${domain}/oauth2/auth
       endpoint_userinfo: https://sso.${domain}/userinfo
       endpoint_token: https://sso.${domain}/oauth2/token
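Review bot: `client_secret: ${client_secret}` is left unquoted, so once the variable is substituted the YAML parser decides the value's type. A secret made only of digits would be read as a number, and one starting with an indicator character such as `*` or `&` would fail to parse or be misread. The SSO client entry removed elsewhere in this commit quoted its substitution, and the same is suggested here: `client_secret: "${client_secret}"`. The `openid_connect_settings` block starts and ends outside this hunk, so the quoting of its other keys cannot be checked from here.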
diff --git a/flux2/apps/wordpress/wp-oauth.yaml b/flux2/apps/wordpress/wp-oauth.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..54c55ef0813dbac4ebac752e73e405f8658e67db
--- /dev/null
+++ b/flux2/apps/wordpress/wp-oauth.yaml
@@ -0,0 +1,22 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: wordpress-newsite-oauth-client
+  namespace: stackspin-apps
+spec:
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles offline_access"
+  secretName: stackspin-wordpress-oauth-variables
+  # these are optional
+  redirectUris:
+    - https://www.${domain}/wp-admin/admin-ajax.php?action=openid-connect-authorize
+    # TODO: Dynamic URL
+  # hydraAdmin: {}
+  tokenEndpointAuthMethod: client_secret_post
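Review bot: `grantTypes` registers `implicit` and `client_credentials`, and `responseTypes` includes `id_token`, for a client that otherwise looks like a plain authorization-code client (`client_secret_post`, a single redirect URI). The lists are carried over unchanged from the static entry this commit removes, but moving to a dedicated `OAuth2Client` is a good moment to trim them. The implicit grant returns tokens through the browser redirect, and `client_credentials` lets any holder of the secret obtain tokens with no user involved. If the WordPress plugin only performs the code flow (not visible in this diff), reduce the lists to `authorization_code` plus `refresh_token` and to `code`. The comment `# these are optional` above `redirectUris` would also be clearer as `# redirectUris must match the plugin's callback URL exactly`.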
diff --git a/flux2/cluster/optional/wordpress/wordpress.yaml b/flux2/cluster/optional/wordpress/wordpress.yaml
index 8b5fc60ee5d84bf5c5457e1d8695337d57c26335..ac71141635d49684fc6f54f60456fbf09d473289 100644
--- a/flux2/cluster/optional/wordpress/wordpress.yaml
+++ b/flux2/cluster/optional/wordpress/wordpress.yaml
@@ -28,6 +28,8 @@ spec:
     substituteFrom:
       - kind: Secret
         name: stackspin-wordpress-variables
+      - kind: Secret
+        name: stackspin-wordpress-oauth-variables
       - kind: Secret
         name: stackspin-oauth-variables
       - kind: Secret
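Review bot: The new `stackspin-wordpress-oauth-variables` entry sits ahead of `stackspin-oauth-variables` and the entries after it, while its value is consumed under the generic name `${client_secret}` in wordpress-values-configmap.yaml. Every key of every listed Secret becomes a substitution variable, and as far as I know later entries override earlier ones on a name clash. A `client_secret` key in any later Secret would then silently replace the WordPress credential. Consider moving this entry to the end of the list and adding a comment such as `# provides client_secret for the wordpress OAuth2Client; keep last so it is not overridden`. The `substituteFrom` list continues past the end of this hunk, so the remaining entries could not be checked.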
diff --git a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
index 41c3719e415633e677e357ae96c15f5f9636116b..e0568faa4af23e7a24d37449ddefbd04aea653e4 100644
--- a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
@@ -104,21 +104,6 @@ data:
         - "authorization_code"
         - "refresh_token"
         - "client_credentials"
-    - clientName: wordpress
-      clientSecret: "${wordpress_oauth_client_secret}"
-      redirectUri: "https://www.${domain}/wp-admin/admin-ajax.php?action=openid-connect-authorize"
-      scopes: "openid profile email stackspin_roles offline_access"
-      clientUri: "https://www.${domain}"
-      clientLogoUri: "https://www.${domain}/wp-admin/images/wordpress-logo.svg"
-      tokenEndpointAuthMethod: "client_secret_post"
-      responseTypes:
-        - "code"
-        - "id_token"
-      grantTypes:
-        - "authorization_code"
-        - "refresh_token"
-        - "client_credentials"
-        - "implicit"
     - clientName: grafana
       clientSecret: "${grafana_oauth_client_secret}"
       redirectUri: "https://grafana.${domain}/login/generic_oauth"
diff --git a/install/generate_secrets.py b/install/generate_secrets.py
index 56666eaf24c2f2e7f869df1a1efaef13888f50ad..04a1896f2286c90c4fdfcb4f420184b5d8896e6f 100644
--- a/install/generate_secrets.py
+++ b/install/generate_secrets.py
@@ -37,7 +37,9 @@ def main():
         sys.exit(1)
     app_name = sys.argv[1]
 
-    create_variables_secret(app_name, env)
+    # Create app variables secret and oauth variables secret
+    for secret in [app_name, f"{app_name}-oauth"]:
+        create_variables_secret(f"stackspin-{secret}-variables.yaml.jinja", env)
     create_basic_auth_secret(app_name, env)
 
 
@@ -47,13 +49,13 @@ def get_templates_dir():
     return os.path.join(os.path.dirname(os.path.realpath(__file__)), 'templates')
 
 
-def create_variables_secret(app_name, env):
+def create_variables_secret(variables_filename, env):
     """Checks if a variables secret for app_name already exists, generates it if necessary"""
-    variables_filename = \
-        os.path.join(get_templates_dir(), f"stackspin-{app_name}-variables.yaml.jinja")
-    if os.path.exists(variables_filename):
+    variables_filepath = \
+        os.path.join(get_templates_dir(), variables_filename)
+    if os.path.exists(variables_filepath):
         # Check if k8s secret already exists, if not, generate it
-        with open(variables_filename) as template_file:
+        with open(variables_filepath) as template_file:
             lines = template_file.read()
             secret_name, secret_namespace = get_secret_metadata(lines)
             new_secret_dict = yaml.safe_load(env.from_string(lines).render())
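Review bot: The docstring still says "for app_name" although the parameter is now `variables_filename`, and it does not say that the name is resolved against the templates directory. Suggested wording: `"""Renders the template variables_filename from the templates directory and generates the Kubernetes secret it describes if that secret does not exist yet"""`. A short comment noting that `variables_filename` must be a bare file name would also help, because `os.path.join` discards `get_templates_dir()` when the second argument is an absolute path. The function body continues past the end of this hunk.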
@@ -79,7 +81,7 @@ def create_variables_secret(app_name, env):
             store_kubernetes_secret(new_secret_dict, secret_namespace,
                                     update=update_secret)
     else:
-        print(f'File {variables_filename} does not exist, no action needed')
+        print(f'Template {variables_filename} does not exist, no action needed')
 
 
 def create_basic_auth_secret(app_name, env):
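Review bot: A missing template still ends in this `else` branch with a message and a normal return, and `main()` now calls the function for `<app>-oauth` as well. A missing or misnamed `stackspin-wordpress-oauth-variables.yaml.jinja` is therefore reported as "no action needed", even though wordpress.yaml now lists `stackspin-wordpress-oauth-variables` in `substituteFrom`. The new message also prints only the bare file name, so the operator no longer sees which directory was searched. Keeping the full path would make the skipped secret easier to spot: `print(f'Template {variables_filepath} does not exist, no action needed')`. The enclosing function starts outside this hunk.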