diff --git a/lib/comfycamp_web/controllers/oauth_controller.ex b/lib/comfycamp_web/controllers/oauth_controller.ex
index e0392be..1affb08 100644
--- a/lib/comfycamp_web/controllers/oauth_controller.ex
+++ b/lib/comfycamp_web/controllers/oauth_controller.ex
@@ -77,20 +77,21 @@ defmodule ComfycampWeb.OauthController do
     end
   end
 
-  def token(conn, %{"code" => code_value, "redirect_uri" => redirect_uri}) do
+  def token(conn, %{
+        "code" => code_value,
+        "redirect_uri" => redirect_uri,
+        "client_id" => client_id,
+        "client_secret" => client_secret
+      }) do
     # Check that code is still valid and redirect uri has not been altered.
     %OIDCCode{redirect_uri: ^redirect_uri} = code = SSO.get_oidc_code!(code_value)
 
-    # Get client secret.
-    [auth_header] = Plug.Conn.get_req_header(conn, "authorization")
-    "Basic " <> client_secret = auth_header
-
     # Check that client provided a valid secret for an active OIDC app.
-    %OIDCApp{enabled: true} = oidc_app = SSO.get_oidc_app_by_secret!(client_secret)
+    %OIDCApp{enabled: true, client_id: ^client_id} =
+      oidc_app = SSO.get_oidc_app_by_secret!(client_secret)
 
     # Check that OIDC app is referenced by provided code.
-    app_client_id = oidc_app.client_id
-    ^app_client_id = code.oidc_app.client_id
+    ^client_id = code.oidc_app.client_id
 
     # Delete the code.
     SSO.delete_oidc_code(code)
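Review bot: With `client_secret` now read from the request parameters in the new `token/2` head, it will be written to Phoenix's request log (`Parameters: %{...}`) unless the application's `config :phoenix, :filter_parameters` already lists it — the default filter covers only `"password"` — so the config should gain an entry such as `config :phoenix, :filter_parameters, ["password", "client_secret", "code"]`. Dropping the `authorization` header path also means a client that authenticates with HTTP Basic, the scheme RFC 6749 §2.3.1 requires token endpoints to support, no longer matches any clause and fails with a `FunctionClauseError` instead of a 401; if such clients exist, a second clause reading the header alongside this parameter-based one would keep them working. The `token/2` body continues past the end of the hunk.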