diff --git a/src/oidcclients.js b/src/oidcclients.js
index 0536474e2..5b720bbdb 100644
--- a/src/oidcclients.js
+++ b/src/oidcclients.js
@@ -50,7 +50,7 @@ async function add(data) {
 assert.strictEqual(typeof data.appId, 'string');
 assert(data.tokenSignatureAlgorithm === 'RS256' || data.tokenSignatureAlgorithm === 'EdDSA');
- const id = 'cid-' + hat(128);
+ const id = data.id || 'cid-' + hat(128);
 const secret = hat(256);
 const query = `INSERT INTO ${OIDC_CLIENTS_TABLE_NAME} (id, secret, name, appId, loginRedirectUri, tokenSignatureAlgorithm) VALUES (?, ?, ?, ?, ?, ?)`;
diff --git a/src/services.js b/src/services.js
index 5412c1591..a24117a4a 100644
--- a/src/services.js
+++ b/src/services.js
@@ -2147,6 +2147,7 @@ async function setupOidc(app, options) {
 // ensure we keep the secret
 const data = {
+ id: app.id,
 secret: result ? result.secret : hat(4 * 128),
 loginRedirectUri: options.loginRedirectUri || '',
 logoutRedirectUri: options.logoutRedirectUri || '',
@@ -2155,8 +2156,8 @@ async function setupOidc(app, options) {
 appId: app.id
 };
- if (result) await oidcClients.update(app.id, data);
- else await oidcClients.add(app.id, data);
+ if (result) await oidcClients.update(data.id, data);
+ else await oidcClients.add(data);
 }
 async function teardownOidc(app, options) {
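Review bot: `add()` now takes the client id from `data.id` without any type or format check; the asserts visible in this hunk cover only `data.appId` and `data.tokenSignatureAlgorithm`. Because this value becomes the OIDC client id and presumably the table key, I would add `assert(typeof data.id === 'undefined' || typeof data.id === 'string');` next to the other asserts. Any caller that builds `data` from a request body should not forward a caller-chosen `id`, since it could collide with the app-id-based ids that `setupOidc` now registers. Writing the fallback as `data.id || ('cid-' + hat(128))` would also make the precedence explicit. The body of `add()` continues outside the hunk, so the INSERT arguments are not visible here.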
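Review bot: The new `oidcClients.add(data)` call in `setupOidc` passes `data.secret` (`hat(4 * 128)` on first setup), but the visible part of `add()` in src/oidcclients.js generates its own `const secret = hat(256);`. If the INSERT uses that local value, the stored client secret differs from the one `setupOidc` holds in `data`, and anything later derived from `data.secret` would not match the database; the INSERT arguments are outside the hunks, so this needs confirming. Either let `add()` honour a supplied secret, e.g. `const secret = data.secret || hat(256);`, or have `setupOidc` use the secret that `add()` actually stored. `data` now also carries `id` into `update(data.id, data)`, so it is worth checking that `update()` does not write it back as a column.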