diff --git a/flux2/apps/nextcloud/nextcloud-oauth-client.yaml b/flux2/apps/nextcloud/nextcloud-oauth-client.yaml
index a4fe2f4b4a693ae9d62310b09505934a6bb31ce6..1c81ce29b41ba8643e9f39486d2cab508c21cb98 100644
--- a/flux2/apps/nextcloud/nextcloud-oauth-client.yaml
+++ b/flux2/apps/nextcloud/nextcloud-oauth-client.yaml
@@ -18,5 +18,4 @@ spec:
 # these are optional
 redirectUris:
 - https://files.${domain}/apps/sociallogin/custom_oidc/stackspin
- # hydraAdmin: {}
 tokenEndpointAuthMethod: client_secret_post
diff --git a/flux2/apps/wekan/kustomization.yaml b/flux2/apps/wekan/kustomization.yaml
index 0cebe4f023593cb83caf64c2b15048684ae2f0f7..f97ed1d649c472e7adc6a3c60b4d7a30af531f04 100644
--- a/flux2/apps/wekan/kustomization.yaml
+++ b/flux2/apps/wekan/kustomization.yaml
@@ -1,8 +1,8 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: stackspin-apps
 resources:
 - pvc.yaml
 - release.yaml
+ - wekan-oauth-client.yaml
 - wekan-values-configmap.yaml
diff --git a/flux2/apps/wekan/pvc.yaml b/flux2/apps/wekan/pvc.yaml
index 71433b596223a7b7b19fc70cea189ef508f4d383..7114d1ec8f939b52598a271fdc1f01d9f73d7100 100644
--- a/flux2/apps/wekan/pvc.yaml
+++ b/flux2/apps/wekan/pvc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: wekan
+ namespace: stackspin-apps
 spec:
 accessModes:
 - ReadWriteOnce
diff --git a/flux2/apps/wekan/wekan-oauth-client.yaml b/flux2/apps/wekan/wekan-oauth-client.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..979b74fe5c6086bff617cc0a860f4bdcd3abda10
--- /dev/null
+++ b/flux2/apps/wekan/wekan-oauth-client.yaml
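Review bot: Dropping `namespace: stackspin-apps` from the wekan Kustomization means every listed resource must now carry its own `metadata.namespace`, but `release.yaml` is listed and not touched by this diff; unless it already sets a namespace, the HelmRelease will be created in whatever namespace the applying Flux Kustomization targets instead of stackspin-apps. `pvc.yaml` and `wekan-values-configmap.yaml` receive `namespace: stackspin-apps` in this commit, so `release.yaml` is the one file to check. The dashboard kustomization further down drops its `namespace:` the same way, and there both remaining resources are given an explicit namespace in the same change.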
@@ -0,0 +1,23 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: wekan-oauth-client
+ # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+ # secret
+ namespace: flux-system
+spec:
+ # https://github.com/wekan/wekan/wiki/Keycloak
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ - client_credentials
+ - implicit
+ responseTypes:
+ - id_token
+ - code
+ scope: "openid profile email stackspin_roles"
+ secretName: stackspin-wekan-oauth-variables
+ # these are optional
+ redirectUris:
+ - https://wekan.${domain}/_oauth/oidc
+ tokenEndpointAuthMethod: client_secret_post
diff --git a/flux2/apps/wekan/wekan-values-configmap.yaml b/flux2/apps/wekan/wekan-values-configmap.yaml
index 4bbe8a913b7d8b367dd03213ceedcccf6edc84f6..96eebee2ab6adc5694efdcf3a201150cae3a2552 100644
--- a/flux2/apps/wekan/wekan-values-configmap.yaml
+++ b/flux2/apps/wekan/wekan-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: stackspin-wekan-values
+ namespace: stackspin-apps
 data:
 values.yaml: |
 # https://github.com/wekan/wekan/blob/master/helm/wekan/values.yaml
@@ -54,7 +55,7 @@ data:
 - name: "MAIL_URL"
 value: "smtps://${outgoing_mail_smtp_user}:${outgoing_mail_smtp_password}@${outgoing_mail_smtp_host}:${outgoing_mail_smtp_port}"
 - name: "OAUTH2_SECRET"
- value: "${wekan_oauth_client_secret}"
+ value: "${client_secret}"
 - name: "MONGO_URL"
 value: "mongodb://wekan:${mongodb_password}@wekan-mongodb:27017/wekan"
 service:
diff --git a/flux2/apps/wordpress/wp-oauth.yaml b/flux2/apps/wordpress/wordpress-oauth-client.yaml
similarity index 88%
rename from flux2/apps/wordpress/wp-oauth.yaml
rename to flux2/apps/wordpress/wordpress-oauth-client.yaml
index b4910fa08a7ef01b67607b257a802c7b6e640245..e3081e6c6a1141253cec60783503926eade4c9bb 100644
--- a/flux2/apps/wordpress/wp-oauth.yaml
+++ b/flux2/apps/wordpress/wordpress-oauth-client.yaml
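Review bot: The comment above `namespace: flux-system` names `stackspin-wordpress-oauth-variables`, which is the WordPress client's secret, while this file's `secretName` is `stackspin-wekan-oauth-variables`; it should read `# Has to live in the same namespace as the stackspin-wekan-oauth-variables secret`, and the zulip and dashboard client files added in this commit carry the same copied comment. Separately, `grantTypes` lists `implicit` next to `authorization_code` and `responseTypes` includes `id_token`; the implicit flow delivers tokens in the URL fragment and is discouraged by the OAuth 2.0 Security BCP, so unless the Wekan integration behind `/_oauth/oidc` actually needs it, removing `- implicit` narrows what this client can be used for at no functional cost. The dashboard client has the same entry; the zulip client already omits it.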
@@ -1,7 +1,7 @@
 apiVersion: hydra.ory.sh/v1alpha1
 kind: OAuth2Client
 metadata:
- name: wordpress-newsite-oauth-client
+ name: wordpress-oauth-client
 # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
 # secret
 namespace: flux-system
@@ -19,6 +19,4 @@ spec:
 # these are optional
 redirectUris:
 - https://www.${domain}/wp-admin/admin-ajax.php?action=openid-connect-authorize
- # TODO: Dynamic URL
- # hydraAdmin: {}
 tokenEndpointAuthMethod: client_secret_post
diff --git a/flux2/apps/zulip/kustomization.yaml b/flux2/apps/zulip/kustomization.yaml
index 6931340381a6ce8b17278d7481e4d2e071f88fa0..8cc5ffa9f08edb7fb153d88da01310659f46b9b8 100644
--- a/flux2/apps/zulip/kustomization.yaml
+++ b/flux2/apps/zulip/kustomization.yaml
@@ -4,6 +4,7 @@ namespace: stackspin-apps
 resources:
 - release.yaml
 - zulip-data-pvc.yaml
+ - zulip-oauth-client.yaml
 - zulip-postgres-pvc.yaml
 - zulip-redis-pvc.yaml
 - zulip-values-configmap.yaml
diff --git a/flux2/apps/zulip/zulip-data-pvc.yaml b/flux2/apps/zulip/zulip-data-pvc.yaml
index bea64b1ccd5d8c3945db37bfe9a1b7a5e88f7abb..19fb676fc2666855d407fde9f289853faab5f572 100644
--- a/flux2/apps/zulip/zulip-data-pvc.yaml
+++ b/flux2/apps/zulip/zulip-data-pvc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: zulip-data
+ namespace: stackspin-apps
 spec:
 accessModes:
 - ReadWriteOnce
diff --git a/flux2/apps/zulip/zulip-oauth-client.yaml b/flux2/apps/zulip/zulip-oauth-client.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..299a2a5989a0060712852bb7b3fd5412842c4c64
--- /dev/null
+++ b/flux2/apps/zulip/zulip-oauth-client.yaml
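Review bot: The zulip Kustomization still has `namespace: stackspin-apps` at top level (it is the hunk heading here), and kustomize's namespace transformer overwrites `metadata.namespace` on every namespaced resource it emits, so the newly listed `zulip-oauth-client.yaml` would be rendered into stackspin-apps rather than the flux-system namespace that file's own comment says it must live in. The `stackspin-zulip-oauth-variables` secret the controller derives from it would then presumably land in the wrong namespace for the `substituteFrom` reference in `flux2/cluster/optional/zulip/zulip.yaml`. The wekan and dashboard kustomizations in this same commit drop their `namespace:` field and give each resource an explicit namespace instead; the zulip one should do the same, i.e. remove `namespace: stackspin-apps`, which is safe for the three PVCs and the ConfigMap since they gain `namespace: stackspin-apps` in this commit, leaving only `release.yaml` to check.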
@@ -0,0 +1,22 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: zulip-oauth-client
+ # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+ # secret
+ namespace: flux-system
+spec:
+ # https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#openid-connect
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ - client_credentials
+ responseTypes:
+ - id_token
+ - code
+ scope: "openid profile email stackspin_roles"
+ secretName: stackspin-zulip-oauth-variables
+ # these are optional
+ redirectUris:
+ - https://zulip.${domain}/complete/oidc/
+ tokenEndpointAuthMethod: client_secret_post
diff --git a/flux2/apps/zulip/zulip-postgres-pvc.yaml b/flux2/apps/zulip/zulip-postgres-pvc.yaml
index c094878204ee856477326d41728a42d8f083b45f..34e56936996f4c0ac05f6b57ac854265243e099d 100644
--- a/flux2/apps/zulip/zulip-postgres-pvc.yaml
+++ b/flux2/apps/zulip/zulip-postgres-pvc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: zulip-postgres
+ namespace: stackspin-apps
 spec:
 accessModes:
 - ReadWriteOnce
diff --git a/flux2/apps/zulip/zulip-redis-pvc.yaml b/flux2/apps/zulip/zulip-redis-pvc.yaml
index 6890704a47c11be6c760946e2d74da80a8318e1f..edf0bad90493e69d53a69abe15d151ff2bdc9342 100644
--- a/flux2/apps/zulip/zulip-redis-pvc.yaml
+++ b/flux2/apps/zulip/zulip-redis-pvc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: zulip-redis
+ namespace: stackspin-apps
 spec:
 accessModes:
 - ReadWriteOnce
diff --git a/flux2/apps/zulip/zulip-values-configmap.yaml b/flux2/apps/zulip/zulip-values-configmap.yaml
index 95fbff7ecd8c08560463767c4ab8de600ebb519f..85576acdb250190230c097beb77de90f4ad55aed 100644
--- a/flux2/apps/zulip/zulip-values-configmap.yaml
+++ b/flux2/apps/zulip/zulip-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: stackspin-zulip-values
+ namespace: stackspin-apps
 data:
 values.yaml: |
 image:
@@ -85,7 +86,7 @@ data:
 # (https://github.com/greenhost/docker-zulip/commit/d583a2d28707a3b77bf610bedc2c2bb81f2a5f88)
 # NOTE: This is a Python object, not JSON
 SETTING_SOCIAL_AUTH_OIDC_ENABLED_IDPS: '{"stackspin": { "oidc_url": "https://sso.${domain}/", "display_name": "Stackspin", "display_icon": None, "client_id": "zulip", "secret": get_secret("social_auth_oidc_secret"), "auto_signup": True }}'
- SECRETS_social_auth_oidc_secret: "${zulip_oauth_client_secret}"
+ SECRETS_social_auth_oidc_secret: "${client_secret}"
 # Enable "low memory mode", queue workers run 1 multithreaded process
 QUEUE_WORKERS_MULTIPROCESS: 'False'
 resources:
diff --git a/flux2/cluster/base/dashboard.yaml b/flux2/cluster/base/dashboard.yaml
index eb0aebbc49fe14e179b37ae2da43d1a7d8e28fc4..f7bf842aa84d76f56e85db2eb45ceae5ce16c3ee 100644
--- a/flux2/cluster/base/dashboard.yaml
+++ b/flux2/cluster/base/dashboard.yaml
@@ -20,7 +20,7 @@ spec:
 - kind: Secret
 name: stackspin-dashboard-variables
 - kind: Secret
- name: stackspin-oauth-variables
+ name: stackspin-dashboard-oauth-variables
 - kind: Secret
 name: stackspin-cluster-variables
 healthChecks:
diff --git a/flux2/cluster/optional/nextcloud/nextcloud.yaml b/flux2/cluster/optional/nextcloud/nextcloud.yaml
index 109299b6124491675b993eb7553fcf9c487bf9d3..a0aecb83d45ef5694e317b78e7205e319b2c679c 100644
--- a/flux2/cluster/optional/nextcloud/nextcloud.yaml
+++ b/flux2/cluster/optional/nextcloud/nextcloud.yaml
@@ -10,6 +10,7 @@ spec:
 dependsOn:
 - name: nginx
 - name: local-path-provisioner
+ - name: single-sign-on
 sourceRef:
 kind: GitRepository
 name: stackspin
diff --git a/flux2/cluster/optional/wekan/wekan.yaml b/flux2/cluster/optional/wekan/wekan.yaml
index d4b13714a75a5f25639026839578126cae960498..76150ba75b6436d1c72435f76fbeaa1df8016fdb 100644
--- a/flux2/cluster/optional/wekan/wekan.yaml
+++ b/flux2/cluster/optional/wekan/wekan.yaml
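Review bot: The secret value now comes from `${client_secret}`, i.e. the key the OAuth2Client controller writes into `stackspin-zulip-oauth-variables`, but the context line above still hard-codes `"client_id": "zulip"` in `SETTING_SOCIAL_AUTH_OIDC_ENABLED_IDPS`. As far as I know hydra-maester also generates the client ID and stores it as `client_id` in that same secret, so the ID Zulip presents would not match the client Hydra registered unless the secret is pre-seeded with that ID. Sourcing both from the one secret with `"client_id": "${client_id}"` avoids the mismatch; worth confirming against the controller's behaviour before relying on the literal.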
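Review bot: `stackspin-dashboard-oauth-variables` is referenced in `substituteFrom` here, but it is produced by the `OAuth2Client` this commit adds to the dashboard kustomization, which is presumably what this Flux Kustomization applies. On a fresh install the secret does not exist when post-build substitution runs, and a missing `substituteFrom` secret fails the reconciliation before anything is applied, so the client that would create the secret never gets applied; the `wekan.yaml` and `zulip.yaml` hunks below have the same cycle. Either mark the reference `optional: true` (if the kustomize-controller in use is recent enough to support it) so the first apply goes through, or apply the OAuth2Client objects from a Kustomization the apps already `dependsOn`, such as `single-sign-on`.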
@@ -10,6 +10,7 @@ spec:
 dependsOn:
 - name: nginx
 - name: local-path-provisioner
+ - name: single-sign-on
 sourceRef:
 kind: GitRepository
 name: stackspin
@@ -29,6 +30,6 @@ spec:
 - kind: Secret
 name: stackspin-wekan-variables
 - kind: Secret
- name: stackspin-oauth-variables
+ name: stackspin-wekan-oauth-variables
 - kind: Secret
 name: stackspin-cluster-variables
diff --git a/flux2/cluster/optional/zulip/zulip.yaml b/flux2/cluster/optional/zulip/zulip.yaml
index c72a56244d721d6bf2849564ee250bc9e29f81d4..4cb36eccd4296085ab28e44328bd7dcd565443b3 100644
--- a/flux2/cluster/optional/zulip/zulip.yaml
+++ b/flux2/cluster/optional/zulip/zulip.yaml
@@ -10,6 +10,7 @@ spec:
 dependsOn:
 - name: nginx
 - name: local-path-provisioner
+ - name: single-sign-on
 sourceRef:
 kind: GitRepository
 name: stackspin
@@ -45,6 +46,6 @@ spec:
 - kind: Secret
 name: stackspin-zulip-variables
 - kind: Secret
- name: stackspin-oauth-variables
+ name: stackspin-zulip-oauth-variables
 - kind: Secret
 name: stackspin-cluster-variables
diff --git a/flux2/core/base/dashboard/dashboard-oauth-client.yaml b/flux2/core/base/dashboard/dashboard-oauth-client.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f77c6209706b65cb78a92562ac98e3c246ed0132
--- /dev/null
+++ b/flux2/core/base/dashboard/dashboard-oauth-client.yaml
@@ -0,0 +1,22 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: dashboard-oauth-client
+ # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+ # secret
+ namespace: flux-system
+spec:
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ - client_credentials
+ - implicit
+ responseTypes:
+ - id_token
+ - code
+ scope: "openid profile email stackspin_roles"
+ secretName: stackspin-dashboard-oauth-variables
+ # these are optional
+ redirectUris:
+ - https://dashboard.${domain}/_oauth/oidc
+ tokenEndpointAuthMethod: client_secret_post
diff --git a/flux2/core/base/dashboard/dashboard-release.yaml b/flux2/core/base/dashboard/dashboard-release.yaml
index 0f1e3447446749dbe6a11543a18099c0f9952f95..3dadb255f8fc70545d76d2a66f83ed44db620b99 100644
--- a/flux2/core/base/dashboard/dashboard-release.yaml
+++ b/flux2/core/base/dashboard/dashboard-release.yaml
@@ -3,6 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
 name: dashboard
+ namespace: stackspin
 spec:
 releaseName: dashboard
 dependsOn:
diff --git a/flux2/core/base/dashboard/dashboard-values-configmap.yaml b/flux2/core/base/dashboard/dashboard-values-configmap.yaml
index 1948aa445bbd2e37da03755e1754c41b15b27079..df64435150e69c7a9faf0c35744111d5a5ae55a5 100644
--- a/flux2/core/base/dashboard/dashboard-values-configmap.yaml
+++ b/flux2/core/base/dashboard/dashboard-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: stackspin-dashboard-values
+ namespace: stackspin
 data:
 values.yaml: |
 fullnameOverride: dashboard
diff --git a/flux2/core/base/dashboard/kustomization.yaml b/flux2/core/base/dashboard/kustomization.yaml
index 93dd5096287c3350486e636d8b0ad98285569ca8..9989b257fd7908e49c38f5e1276e73cb523f0c4a 100644
--- a/flux2/core/base/dashboard/kustomization.yaml
+++ b/flux2/core/base/dashboard/kustomization.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: stackspin
 resources:
- - ./dashboard-release.yaml
- - ./dashboard-values-configmap.yaml
+ - dashboard-oauth-client.yaml
+ - dashboard-release.yaml
+ - dashboard-values-configmap.yaml
diff --git a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
index da36230613bfaed1d151ef3109c93782cfeac239..2556b1ffc1c7ae6d36271a3c50cb541a09f79f0b 100644
--- a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
@@ -92,58 +92,3 @@ data:
 # be on this link:
 registration:
 ui_url: https://sso.${domain}/login/registration
-
-
- oAuthClients:
- - clientName: nextcloud
- clientSecret: "${nextcloud_oauth_client_secret}"
- redirectUri: "https://files.${domain}/apps/sociallogin/custom_oidc/stackspin"
- scopes: "openid profile email stackspin_roles"
- clientUri: "https://files.${domain}"
- clientLogoUri: "https://files.${domain}/core/img/favicon-touch.png"
- tokenEndpointAuthMethod: "client_secret_post"
- responseTypes:
- - "code"
- - "id_token"
- grantTypes:
- - "authorization_code"
- - "refresh_token"
- - "client_credentials"
- # https://github.com/wekan/wekan/wiki/Keycloak
- - clientName: wekan
- clientSecret: "${wekan_oauth_client_secret}"
- redirectUri: "https://wekan.${domain}/_oauth/oidc"
- scopes: "openid profile email"
- clientUri: "https://wekan.${domain}"
- clientLogoUri: "https://wekan.${domain}/wekan-logo.svg"
- tokenEndpointAuthMethod: "client_secret_post"
- responseTypes:
- - "code"
- - "id_token"
- grantTypes:
- - "authorization_code"
- - "refresh_token"
- - "client_credentials"
- - "implicit"
- # https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#openid-connect
- - clientName: zulip
- clientSecret: "${zulip_oauth_client_secret}"
- redirectUri: "https://zulip.${domain}/complete/oidc/"
- scopes: "openid profile email"
- clientUri: "https://zulip.${domain}"
- clientLogoUri: "https://zulip.${domain}/static/images/zulip-logo.svg"
- - clientName: dashboard
- clientSecret: "${dashboard_oauth_client_secret}"
- redirectUri: "https://dashboard.${domain}/_oauth/oidc"
- scopes: "openid profile email"
- clientUri: "https://dashboard.${domain}"
- clientLogoUri: "https://dashboard.${domain}/assets/logo.svg"
- tokenEndpointAuthMethod: "client_secret_post"
- responseTypes:
- - "code"
- - "id_token"
- grantTypes:
- - "authorization_code"
- - "refresh_token"
- - "client_credentials"
- - "implicit"