diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index 7bf30518..ba684763 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -41,10 +41,14 @@ type openIDPayload struct {
 }
 
 // OIDC represents an OAuth 2.0 OpenID Connect provider.
+//
+// ClientSecret is optional, and it will be only necessary if an implicit flow
+// is not available, the value will be visible in the provisioners endpoint.
 type OIDC struct {
 	Type                  string   `json:"type"`
 	Name                  string   `json:"name"`
 	ClientID              string   `json:"clientID"`
+	ClientSecret          string   `json:"clientSecret,omitempty"`
 	ConfigurationEndpoint string   `json:"configurationEndpoint"`
 	Claims                *Claims  `json:"claims,omitempty"`
 	Admins                []string `json:"admins,omitempty"`