diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go
index 675005e55a..41f8bef360 100644
--- a/services/auth/source/oauth2/source.go
+++ b/services/auth/source/oauth2/source.go
@@ -6,6 +6,8 @@ package oauth2
 import (
 "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/modules/json"
+ "code.gitea.io/gitea/modules/secret"
+ "code.gitea.io/gitea/modules/setting"
 )
 
 // Source holds configuration for the OAuth2 login source.
@@ -13,6 +15,7 @@ type Source struct {
 Provider string
 ClientID string
 ClientSecret string
+ ClientSecretEncrypt string // Encrypted Client Secret
 OpenIDConnectAutoDiscoveryURL string
 CustomURLMapping *CustomURLMapping
 IconURL string
@@ -33,11 +36,30 @@ type Source struct {
 
 // FromDB fills up an OAuth2Config from serialized format.
 func (source *Source) FromDB(bs []byte) error {
- return json.UnmarshalHandleDoubleEncode(bs, &source)
+ err := json.UnmarshalHandleDoubleEncode(bs, &source)
+ if err != nil {
+ return err
+ }
+
+ if source.ClientSecretEncrypt != "" {
+ source.ClientSecret, err = secret.DecryptSecret(setting.SecretKey, source.ClientSecretEncrypt)
+ source.ClientSecretEncrypt = ""
+ }
+
+ return err
 }
 
-// ToDB exports an SMTPConfig to a serialized format.
+// ToDB exports an OAuth2Config to a serialized format.
 func (source *Source) ToDB() ([]byte, error) {
+ var err error
+
+ source.ClientSecretEncrypt, err = secret.EncryptSecret(setting.SecretKey, source.ClientSecret)
+ if err != nil {
+ return nil, err
+ }
+
+ source.ClientSecret = ""
+
 return json.Marshal(source)
 }
 
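Review bot: The comment on the new `ClientSecretEncrypt` field does not say when each of the two secret fields is populated, which is the invariant the rest of the change depends on. Something like `// ClientSecretEncrypt is ClientSecret encrypted with setting.SecretKey; it exists only in the stored JSON and is cleared by FromDB` would make that explicit. It is also worth documenting on `ClientSecret` that rows written before this change still hold it in plaintext: FromDB only decrypts when `ClientSecretEncrypt` is non-empty, so those rows keep loading but stay unencrypted until the source is next saved. The struct definition starts and ends outside this hunk.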
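Review bot: ToDB now mutates its receiver: after `source.ClientSecret = ""` the Source that was just serialized no longer holds a usable client secret. Any caller that keeps using the same object after saving it would then work with an empty secret; the callers are outside this diff, so this needs checking. Serializing a shallow copy, as below, keeps the caller's value intact, assuming Source has no fields that must not be copied (the rest of the struct is not visible here). Separately, FromDB returns a DecryptSecret failure without context, so a changed `setting.SecretKey` would surface as an unexplained load error; wrapping it with a message naming the OAuth2 client secret would make that diagnosable.

```go
func (source *Source) ToDB() ([]byte, error) {
	encrypted, err := secret.EncryptSecret(setting.SecretKey, source.ClientSecret)
	if err != nil {
		return nil, err
	}

	// Marshal a copy so the caller's Source keeps its plaintext ClientSecret.
	stored := *source
	stored.ClientSecretEncrypt = encrypted
	stored.ClientSecret = ""

	return json.Marshal(&stored)
}
```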