diff --git a/oauth2/oauth2.tf b/oauth2/oauth2.tf
index b3f65b4..8564ccb 100644
--- a/oauth2/oauth2.tf
+++ b/oauth2/oauth2.tf
@@ -4,29 +4,9 @@ locals {
 "app.kubernetes.io/component" = "authentik-oauth2"
 })
 }
-resource "kubectl_manifest" "oauth2-secret" {
- ignore_fields = ["metadata.annotations"]
- yaml_body = <<-EOF
- apiVersion: "secretgenerator.mittwald.de/v1alpha1"
- kind: "StringSecret"
- metadata:
- name: "${local.app_slug}-id"
- namespace: "${var.namespace}"
- labels: ${jsonencode(local.oauth2_labels)}
- spec:
- forceRegenerate: false
- fields:
- - fieldName: "client-id"
- length: "32"
- EOF
-}
-data "kubernetes_secret_v1" "oauth2-client-id" {
- depends_on = [kubectl_manifest.oauth2-secret]
- metadata {
- name = kubectl_manifest.oauth2-secret.name
- namespace = var.namespace
- labels = local.oauth2_labels
- }
+resource "random_password" "client_id" {
+ length = 32
+ special = false
 }
 data "authentik_certificate_key_pair" "ca" {
@@ -49,7 +29,7 @@ data "authentik_flow" "default-authentication-flow" {
 resource "authentik_provider_oauth2" "oauth2" {
 name = "${local.app_slug}"
- client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
+ client_id = random_password.client_id.result
 authentication_flow = data.authentik_flow.default-authentication-flow.id
 authorization_flow = data.authentik_flow.default-authorization-flow.id
 client_type = "confidential"
@@ -61,6 +41,17 @@ resource "authentik_provider_oauth2" "oauth2" {
 ]
 }
+resource "kubernetes_secret_v1" "oauth2-client-id" {
+ metadata {
+ name = "${local.app_slug}-id"
+ namespace = var.namespace
+ labels = local.oauth2_labels
+ }
+ data = {
+ client-id = random_password.client_id.result
+ }
+}
 resource "kubernetes_secret_v1" "oauth2-client-secret" {
 metadata {
 name = "${local.app_slug}-secret"
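Review bot: `random_password` marks `result` as sensitive, which fits the client secret but not an OAuth2 client ID, a public identifier; on Terraform 0.15 and later the `client_id` output in outputs.tf that this diff points at `random_password.client_id.result` fails with "Output refers to sensitive values" unless it declares `sensitive = true`. Using `resource "random_string" "client_id" {` with the same `length` and `special` arguments models the value correctly and keeps it readable in plans, at the cost of renaming the references in both files. Dropping the StringSecret also means the provider is created with a newly generated ID, so clients configured with the previous one stop authenticating until they are updated; that migration step deserves a mention in the commit description.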
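Review bot: The added `kubernetes_secret_v1.oauth2-client-id` Secret holds only `client-id`, and the following hunk writes the same `random_password.client_id.result` into `oauth2-client-secret` as well, while the `secret_client_id_name` output in outputs.tf is switched to the client-secret Secret's name; nothing in this diff reads the new Secret, so one of the two copies is redundant and the resource could be dropped in favour of the combined Secret. If the separate Secret is intentional, its name `${local.app_slug}-id` is the same one the removed StringSecret asked the operator to generate, so on an existing cluster the create may collide with the operator-owned Secret until that object is removed — hard to confirm from the diff alone, but worth checking the apply order. Whichever is kept, a short comment such as `# client-id is not secret; it is stored here so consumers read id and secret from one Secret` would explain the duplication to the next reader.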
@@ -68,6 +59,7 @@ resource "kubernetes_secret_v1" "oauth2-client-secret" {
 labels = local.oauth2_labels
 }
 data = {
+ client-id = random_password.client_id.result
 client-secret = authentik_provider_oauth2.oauth2.client_secret
 }
 }
diff --git a/oauth2/outputs.tf b/oauth2/outputs.tf
index c7cc20c..f852d97 100644
--- a/oauth2/outputs.tf
+++ b/oauth2/outputs.tf
@@ -18,14 +18,14 @@ output "sso_token_url" {
 value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
 }
 output "client_id" {
- value = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
+ value = random_password.client_id.result
 }
 output "client_secret" {
- value = data.kubernetes_secret_v1.oauth2-client-secret.data["client-secret"]
+ value = authentik_provider_oauth2.oauth2.client_secret
 }
 output "secret_client_id_name" {
- value = kubectl_manifest.oauth2-secret.name
+ value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
 }
 output "secret_client_secret_name" {
 value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name