diff --git a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
index f7f07e43cf..8c31e1eac8 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@@ -47,6 +47,7 @@ import org.keycloak.services.ErrorPage;
 import org.keycloak.services.ErrorResponseException;
 import org.keycloak.services.messages.Messages;
 import org.keycloak.sessions.AuthenticationSessionModel;
+import org.keycloak.vault.VaultStringSecret;
 
 import javax.ws.rs.GET;
 import javax.ws.rs.QueryParam;
@@ -442,12 +443,14 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
         }
 
         public SimpleHttp generateTokenRequest(String authorizationCode) {
-            return SimpleHttp.doPost(getConfig().getTokenUrl(), session)
-                    .param(OAUTH2_PARAMETER_CODE, authorizationCode)
-                    .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
-                    .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret())
-                    .param(OAUTH2_PARAMETER_REDIRECT_URI, session.getContext().getUri().getAbsolutePath().toString())
-                    .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE);
+            try (VaultStringSecret vaultStringSecret = session.vault().getStringSecret(getConfig().getClientSecret())) {
+                return SimpleHttp.doPost(getConfig().getTokenUrl(), session)
+                        .param(OAUTH2_PARAMETER_CODE, authorizationCode)
+                        .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
+                        .param(OAUTH2_PARAMETER_CLIENT_SECRET, vaultStringSecret.get().orElse(getConfig().getClientSecret()))
+                        .param(OAUTH2_PARAMETER_REDIRECT_URI, session.getContext().getUri().getAbsolutePath().toString())
+                        .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE);
+            }
         }
     }
 
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
index 086b491476..bc649b5b56 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -51,6 +51,7 @@ import org.keycloak.services.resources.IdentityBrokerService;
 import org.keycloak.services.resources.RealmsResource;
 import org.keycloak.sessions.AuthenticationSessionModel;
 import org.keycloak.util.JsonSerialization;
+import org.keycloak.vault.VaultStringSecret;
 
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
@@ -188,12 +189,12 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
      */
     public String refreshTokenForLogout(KeycloakSession session, UserSessionModel userSession) {
         String refreshToken = userSession.getNote(FEDERATED_REFRESH_TOKEN);
-        try {
+        try (VaultStringSecret vaultStringSecret = session.vault().getStringSecret(getConfig().getClientSecret())) {
             return SimpleHttp.doPost(getConfig().getTokenUrl(), session)
                     .param("refresh_token", refreshToken)
                     .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN)
                     .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
-                    .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret()).asString();
+                    .param(OAUTH2_PARAMETER_CLIENT_SECRET, vaultStringSecret.get().orElse(getConfig().getClientSecret())).asString();
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
@@ -231,7 +232,7 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
             event.error(Errors.INVALID_TOKEN);
             return exchangeNotLinked(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
         }
-        try {
+        try (VaultStringSecret vaultStringSecret = session.vault().getStringSecret(getConfig().getClientSecret())) {
             String modelTokenString = model.getToken();
             AccessTokenResponse tokenResponse = JsonSerialization.readValue(modelTokenString, AccessTokenResponse.class);
             Integer exp = (Integer) tokenResponse.getOtherClaims().get(ACCESS_TOKEN_EXPIRATION);
@@ -243,7 +244,7 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
                         .param("refresh_token", tokenResponse.getRefreshToken())
                         .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN)
                         .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
-                        .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret()).asString();
+                        .param(OAUTH2_PARAMETER_CLIENT_SECRET, vaultStringSecret.get().orElse(getConfig().getClientSecret())).asString();
                 if (response.contains("error")) {
                     logger.debugv("Error refreshing token, refresh token expiration?: {0}", response);
                     model.setToken(null);
@@ -302,7 +303,7 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
             event.error(Errors.INVALID_TOKEN);
             return exchangeTokenExpired(uriInfo, authorizedClient, tokenUserSession, tokenSubject);
         }
-        try {
+        try (VaultStringSecret vaultStringSecret = session.vault().getStringSecret(getConfig().getClientSecret())) {
             long expiration = Long.parseLong(tokenUserSession.getNote(FEDERATED_TOKEN_EXPIRATION));
             if (expiration == 0 || expiration > Time.currentTime()) {
                 AccessTokenResponse tokenResponse = new AccessTokenResponse();
@@ -320,7 +321,7 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
                     .param("refresh_token", refreshToken)
                     .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN)
                     .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
-                    .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret()).asString();
+                    .param(OAUTH2_PARAMETER_CLIENT_SECRET, vaultStringSecret.get().orElse(getConfig().getClientSecret())).asString();
             if (response.contains("error")) {
                 logger.debugv("Error refreshing token, refresh token expiration?: {0}", response);
                 event.detail(Details.REASON, "requested_issuer token expired");
diff --git a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java
index e8e5196430..680865b9aa 100755
--- a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java
@@ -42,6 +42,7 @@ import org.keycloak.services.ErrorPage;
 import org.keycloak.services.managers.ClientSessionCode;
 import org.keycloak.services.messages.Messages;
 import org.keycloak.sessions.AuthenticationSessionModel;
+import org.keycloak.vault.VaultStringSecret;
 import twitter4j.Twitter;
 import twitter4j.TwitterFactory;
 import twitter4j.auth.AccessToken;
@@ -83,9 +84,9 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
 
     @Override
     public Response performLogin(AuthenticationRequest request) {
-        try {
+        try (VaultStringSecret vaultStringSecret = session.vault().getStringSecret(getConfig().getClientSecret())) {
             Twitter twitter = new TwitterFactory().getInstance();
-            twitter.setOAuthConsumer(getConfig().getClientId(), getConfig().getClientSecret());
+            twitter.setOAuthConsumer(getConfig().getClientId(), vaultStringSecret.get().orElse(getConfig().getClientSecret()));
 
             URI uri = new URI(request.getRedirectUri() + "?state=" + request.getState().getEncoded());
 
@@ -188,10 +189,10 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
             }
 
             AuthenticationSessionModel authSession = null;
-            try {
+            try (VaultStringSecret vaultStringSecret = session.vault().getStringSecret(getConfig().getClientSecret())) {
                 Twitter twitter = new TwitterFactory().getInstance();
 
-                twitter.setOAuthConsumer(getConfig().getClientId(), getConfig().getClientSecret());
+                twitter.setOAuthConsumer(getConfig().getClientId(), vaultStringSecret.get().orElse(getConfig().getClientSecret()));
 
                 IdentityBrokerState idpState = IdentityBrokerState.encoded(state);
                 String clientId = idpState.getClientId();
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/vault/consumer_oidc__idp b/testsuite/integration-arquillian/servers/auth-server/jboss/common/vault/consumer_oidc__idp
new file mode 100644
index 0000000000..536aca34db
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/vault/consumer_oidc__idp
@@ -0,0 +1 @@
+secret
\ No newline at end of file
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/pom.xml b/testsuite/integration-arquillian/servers/auth-server/jboss/pom.xml
index 1a27583bff..c3336d4c98 100644
--- a/testsuite/integration-arquillian/servers/auth-server/jboss/pom.xml
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/pom.xml
@@ -220,6 +220,7 @@
                                             <includes>
                                                 <include>master_smtp__key</include>
                                                 <include>test_smtp__key</include>
+                                                <include>consumer_oidc__idp</include>
                                             </includes>
                                         </resource>
                                     </resources>
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/broker/BrokerTestConstants.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/broker/BrokerTestConstants.java
index b2c2b85cb0..6bb79fd848 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/broker/BrokerTestConstants.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/broker/BrokerTestConstants.java
@@ -13,6 +13,7 @@ class BrokerTestConstants {
 
     final static String CLIENT_ID = "brokerapp";
     final static String CLIENT_SECRET = "secret";
+    final static String VAULT_CLIENT_SECRET = "${vault.oidc_idp}";
 
     final static String USER_LOGIN = "testuser";
     final static String USER_EMAIL = "user@localhost.com";
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerVaultConfiguration.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerVaultConfiguration.java
new file mode 100644
index 0000000000..214f083389
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerVaultConfiguration.java
@@ -0,0 +1,23 @@
+package org.keycloak.testsuite.broker;
+
+import org.keycloak.representations.idm.IdentityProviderRepresentation;
+import org.keycloak.testsuite.arquillian.SuiteContext;
+
+import static org.keycloak.testsuite.broker.BrokerTestConstants.VAULT_CLIENT_SECRET;
+
+/**
+ * @author Martin Kanis <mkanis@redhat.com>
+ */
+public class KcOidcBrokerVaultConfiguration extends KcOidcBrokerConfiguration {
+
+    public static final KcOidcBrokerVaultConfiguration INSTANCE = new KcOidcBrokerVaultConfiguration();
+
+    @Override
+    public IdentityProviderRepresentation setUpIdentityProvider(SuiteContext suiteContext) {
+        IdentityProviderRepresentation idpRep = super.setUpIdentityProvider(suiteContext);
+
+        idpRep.getConfig().put("clientSecret", VAULT_CLIENT_SECRET);
+
+        return idpRep;
+    }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerVaultTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerVaultTest.java
new file mode 100644
index 0000000000..cf1f4b8200
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerVaultTest.java
@@ -0,0 +1,12 @@
+package org.keycloak.testsuite.broker;
+
+/**
+ * @author Martin Kanis <mkanis@redhat.com>
+ */
+public class KcOidcBrokerVaultTest extends KcOidcBrokerTest {
+
+    @Override
+    protected BrokerConfiguration getBrokerConfiguration() {
+        return KcOidcBrokerVaultConfiguration.INSTANCE;
+    }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/vault/consumer_oidc__idp b/testsuite/integration-arquillian/tests/base/src/test/resources/vault/consumer_oidc__idp
new file mode 100644
index 0000000000..536aca34db
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/vault/consumer_oidc__idp
@@ -0,0 +1 @@
+secret
\ No newline at end of file