diff --git a/server/src/main/java/password/pwm/AppProperty.java b/server/src/main/java/password/pwm/AppProperty.java
index fa4fbbdcc..8baa0ec4a 100644
--- a/server/src/main/java/password/pwm/AppProperty.java
+++ b/server/src/main/java/password/pwm/AppProperty.java
@@ -143,18 +143,6 @@ public enum AppProperty
 HTTP_PARAM_NAME_SSO_OVERRIDE ( "http.parameter.ssoOverride" ),
 HTTP_PARAM_MAX_READ_LENGTH ( "http.parameter.maxReadLength" ),
 HTTP_PARAM_SESSION_VERIFICATION ( "http.parameter.sessionVerification" ),
- HTTP_PARAM_OAUTH_ACCESS_TOKEN ( "http.parameter.oauth.accessToken" ),
- HTTP_PARAM_OAUTH_ATTRIBUTES ( "http.parameter.oauth.attributes" ),
- HTTP_PARAM_OAUTH_CLIENT_ID ( "http.parameter.oauth.clientID" ),
- HTTP_PARAM_OAUTH_CLIENT_SECRET ( "http.parameter.oauth.clientSecret" ),
- HTTP_PARAM_OAUTH_CODE ( "http.parameter.oauth.code" ),
- HTTP_PARAM_OAUTH_EXPIRES ( "http.parameter.oauth.expires" ),
- HTTP_PARAM_OAUTH_RESPONSE_TYPE ( "http.parameter.oauth.responseType" ),
- HTTP_PARAM_OAUTH_REDIRECT_URI ( "http.parameter.oauth.redirectUri" ),
- HTTP_PARAM_OAUTH_REFRESH_TOKEN ( "http.parameter.oauth.refreshToken" ),
- HTTP_PARAM_OAUTH_SCOPE ( "http.parameter.oauth.scope" ),
- HTTP_PARAM_OAUTH_STATE ( "http.parameter.oauth.state" ),
- HTTP_PARAM_OAUTH_GRANT_TYPE ( "http.parameter.oauth.grantType" ),
 HTTP_DOWNLOAD_BUFFER_SIZE ( "http.download.buffer.size" ),
 HTTP_SESSION_RECYCLE_AT_AUTH ( "http.session.recycleAtAuth" ),
 HTTP_SERVLET_ENABLE_POST_REDIRECT_GET ( "http.servlet.enablePostRedirectGet" ),
@@ -224,11 +212,6 @@ public enum AppProperty
 NMAS_IGNORE_NMASCR_DURING_FORCECHECK ( "nmas.ignoreNmasCrDuringForceSetupCheck" ),
 NMAS_USE_LOCAL_SASL_FACTORY ( "nmas.useLocalSaslFactory" ),
 NMAS_FORCE_SASL_FACTORY_REGISTRATION ( "nmas.forceSaslFactoryRegistration" ),
- OAUTH_ID_REQUEST_TYPE ( "oauth.id.requestType" ),
- OAUTH_ID_ACCESS_GRANT_TYPE ( "oauth.id.accessGrantType" ),
- OAUTH_ID_REFRESH_GRANT_TYPE ( "oauth.id.refreshGrantType" ),
- OAUTH_ENABLE_TOKEN_REFRESH ( "oauth.enableTokenRefresh" ),
- OAUTH_RETURN_URL_OVERRIDE ( "oauth.returnUrlOverride" ),
 /* Allows one older TOTP token - compensate for clock out of sync */
 TOTP_PAST_INTERVALS ( "otp.totp.pastIntervals" ),
diff --git a/server/src/main/java/password/pwm/DomainProperty.java b/server/src/main/java/password/pwm/DomainProperty.java
index 596ff689b..42146e79c 100644
--- a/server/src/main/java/password/pwm/DomainProperty.java
+++ b/server/src/main/java/password/pwm/DomainProperty.java
@@ -44,6 +44,18 @@ public enum DomainProperty
 HTTP_COOKIE_NONCE_NAME ( "http.cookie.nonce.name" ),
 HTTP_COOKIE_NONCE_LENGTH ( "http.cookie.nonce.length" ),
 HTTP_COOKIE_SAMESITE_VALUE ( "http.cookie.sameSite.value" ),
+ HTTP_PARAM_OAUTH_ACCESS_TOKEN ( "http.parameter.oauth.accessToken" ),
+ HTTP_PARAM_OAUTH_ATTRIBUTES ( "http.parameter.oauth.attributes" ),
+ HTTP_PARAM_OAUTH_CLIENT_ID ( "http.parameter.oauth.clientID" ),
+ HTTP_PARAM_OAUTH_CLIENT_SECRET ( "http.parameter.oauth.clientSecret" ),
+ HTTP_PARAM_OAUTH_CODE ( "http.parameter.oauth.code" ),
+ HTTP_PARAM_OAUTH_EXPIRES ( "http.parameter.oauth.expires" ),
+ HTTP_PARAM_OAUTH_RESPONSE_TYPE ( "http.parameter.oauth.responseType" ),
+ HTTP_PARAM_OAUTH_REDIRECT_URI ( "http.parameter.oauth.redirectUri" ),
+ HTTP_PARAM_OAUTH_REFRESH_TOKEN ( "http.parameter.oauth.refreshToken" ),
+ HTTP_PARAM_OAUTH_SCOPE ( "http.parameter.oauth.scope" ),
+ HTTP_PARAM_OAUTH_STATE ( "http.parameter.oauth.state" ),
+ HTTP_PARAM_OAUTH_GRANT_TYPE ( "http.parameter.oauth.grantType" ),
 LDAP_RESOLVE_CANONICAL_DN ( "ldap.resolveCanonicalDN" ),
 LDAP_CACHE_CANONICAL_ENABLE ( "ldap.cache.canonical.enable" ),
 LDAP_CACHE_CANONICAL_SECONDS ( "ldap.cache.canonical.seconds" ),
@@ -68,7 +80,12 @@ public enum DomainProperty
 LDAP_SEARCH_PARALLEL_ENABLE ( "ldap.search.parallel.enable" ),
 LDAP_SEARCH_PARALLEL_FACTOR ( "ldap.search.parallel.factor" ),
 LDAP_SEARCH_PARALLEL_THREAD_MAX ( "ldap.search.parallel.threadMax" ),
- LDAP_ORACLE_POST_TEMPPW_USE_CURRENT_TIME ( "ldap.oracle.postTempPasswordUseCurrentTime" ),;
+ LDAP_ORACLE_POST_TEMPPW_USE_CURRENT_TIME ( "ldap.oracle.postTempPasswordUseCurrentTime" ),
+ OAUTH_ID_REQUEST_TYPE ( "oauth.id.requestType" ),
+ OAUTH_ID_ACCESS_GRANT_TYPE ( "oauth.id.accessGrantType" ),
+ OAUTH_ID_REFRESH_GRANT_TYPE ( "oauth.id.refreshGrantType" ),
+ OAUTH_ENABLE_TOKEN_REFRESH ( "oauth.enableTokenRefresh" ),
+ OAUTH_RETURN_URL_OVERRIDE ( "oauth.returnUrlOverride" ),;
 private final String key;
 private final String defaultValue;
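Review bot: Moving these constants from AppProperty to DomainProperty keeps the key strings unchanged (`oauth.returnUrlOverride`, `http.parameter.oauth.*`), so any operator override that was applied at the application-property level would, as far as this diff shows, silently stop being honoured after upgrade because the OAuth code now reads them only through readDomainProperty. A short Javadoc line on the moved group such as `// OAuth keys are domain-scoped since this change; app-level overrides of these keys are no longer consulted` and a release note would make the behavioural change visible, and if the configuration layer can detect a stale app-level value for one of these keys, a startup warning would be better still. The new tail `OAUTH_RETURN_URL_OVERRIDE ( "oauth.returnUrlOverride" ),;` inherits the comma-then-semicolon form from the line it replaces; ending the last constant with `);` avoids the stray separator.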
diff --git a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthConsumerServlet.java b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthConsumerServlet.java
index 904cffb2c..1fe59fa2c 100644
--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthConsumerServlet.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthConsumerServlet.java
@@ -20,9 +20,9 @@
 package password.pwm.http.servlet.oauth;
-import password.pwm.AppProperty;
-import password.pwm.PwmDomain;
+import password.pwm.DomainProperty;
 import password.pwm.PwmConstants;
+import password.pwm.PwmDomain;
 import password.pwm.bean.ProfileID;
 import password.pwm.bean.UserIdentity;
 import password.pwm.config.DomainConfig;
@@ -197,7 +197,7 @@ protected void processAction( final PwmRequest pwmRequest )
 }
 }
- final String requestCodeStr = pwmRequest.readParameterAsString( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_CODE ) );
+ final String requestCodeStr = pwmRequest.readParameterAsString( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_CODE ) );
 LOGGER.trace( pwmRequest, () -> "received code from oauth server: " + requestCodeStr );
 final OAuthResolveResults resolveResults;
diff --git a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
index db1bd4dd3..702140143 100644
--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
@@ -21,7 +21,7 @@
 package password.pwm.http.servlet.oauth;
 import org.apache.http.HttpStatus;
-import password.pwm.AppProperty;
+import password.pwm.DomainProperty;
 import password.pwm.bean.LoginInfoBean;
 import password.pwm.bean.ProfileID;
 import password.pwm.bean.SessionLabel;
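Review bot: The authorization code is written to the log on the context line directly after the changed one in processAction: `LOGGER.trace( pwmRequest, () -> "received code from oauth server: " + requestCodeStr );`. Until it has been exchanged the code is a short-lived bearer credential, so its value should not land in log files even at trace level; logging only that a code arrived keeps the diagnostic, e.g. `LOGGER.trace( pwmRequest, () -> "received code from oauth server (length " + ( requestCodeStr == null ? 0 : requestCodeStr.length() ) + ")" );`. Nothing in the hunk rejects a null or blank `requestCodeStr` before it is handed to the resolve step, although the rest of processAction is outside the hunk so a later check may exist. The two import hunks anchored here only reorder imports and need no change.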
@@ -37,16 +37,16 @@
 import password.pwm.http.HttpMethod;
 import password.pwm.http.PwmRequest;
 import password.pwm.http.PwmURL;
+import password.pwm.http.servlet.PwmServletDefinition;
 import password.pwm.svc.httpclient.PwmHttpClient;
 import password.pwm.svc.httpclient.PwmHttpClientConfiguration;
 import password.pwm.svc.httpclient.PwmHttpClientRequest;
 import password.pwm.svc.httpclient.PwmHttpClientResponse;
-import password.pwm.http.servlet.PwmServletDefinition;
 import password.pwm.util.BasicAuthInfo;
 import password.pwm.util.java.CollectionUtil;
 import password.pwm.util.java.JavaHelper;
-import password.pwm.util.json.JsonFactory;
 import password.pwm.util.java.StringUtil;
+import password.pwm.util.json.JsonFactory;
 import password.pwm.util.logging.PwmLogger;
 import password.pwm.util.macro.MacroRequest;
@@ -84,7 +84,7 @@ static Optional readOAuthRequestState(
 )
 throws PwmUnrecoverableException
 {
- final String requestStateStr = pwmRequest.readParameterAsString( pwmRequest.getDomainConfig().readAppProperty( AppProperty.HTTP_PARAM_OAUTH_STATE ) );
+ final String requestStateStr = pwmRequest.readParameterAsString( pwmRequest.getDomainConfig().readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_STATE ) );
 if ( requestStateStr != null )
 {
 final OAuthState oAuthState = pwmRequest.decryptObject( requestStateStr, OAuthState.class );
@@ -116,17 +116,17 @@ public void redirectUserToOAuthServer(
 final DomainConfig config = pwmRequest.getDomainConfig();
 final String state = makeStateStringForRequest( pwmRequest, nextUrl, forgottenPasswordProfile );
 final String redirectUri = figureOauthSelfEndPointUrl( pwmRequest );
- final String code = config.readAppProperty( AppProperty.OAUTH_ID_REQUEST_TYPE );
+ final String code = config.readDomainProperty( DomainProperty.OAUTH_ID_REQUEST_TYPE );
 final Map urlParams = new LinkedHashMap<>();
- urlParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_CLIENT_ID ), settings.getClientID() );
- urlParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_RESPONSE_TYPE ), code );
- urlParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_STATE ), state );
- urlParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_REDIRECT_URI ), redirectUri );
+ urlParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_CLIENT_ID ), settings.getClientID() );
+ urlParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_RESPONSE_TYPE ), code );
+ urlParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_STATE ), state );
+ urlParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_REDIRECT_URI ), redirectUri );
 if ( StringUtil.notEmpty( settings.getScope() ) )
 {
- urlParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_SCOPE ), settings.getScope() );
+ urlParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_SCOPE ), settings.getScope() );
 }
 if ( userIdentity != null )
@@ -150,16 +150,16 @@ OAuthResolveResults makeOAuthResolveRequest(
 {
 final DomainConfig config = pwmRequest.getDomainConfig();
 final String requestUrl = settings.getCodeResolveUrl();
- final String grantType = config.readAppProperty( AppProperty.OAUTH_ID_ACCESS_GRANT_TYPE );
+ final String grantType = config.readDomainProperty( DomainProperty.OAUTH_ID_ACCESS_GRANT_TYPE );
 final String redirectUri = figureOauthSelfEndPointUrl( pwmRequest );
 final String clientID = settings.getClientID();
 final Map requestParams = new HashMap<>();
- requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_CODE ), requestCode );
- requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_GRANT_TYPE ), grantType );
- requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_REDIRECT_URI ), redirectUri );
- requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_CLIENT_ID ), clientID );
- requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_CLIENT_SECRET ), settings.getSecret().getStringValue() );
+ requestParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_CODE ), requestCode );
+ requestParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_GRANT_TYPE ), grantType );
+ requestParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_REDIRECT_URI ), redirectUri );
+ requestParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_CLIENT_ID ), clientID );
+ requestParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_CLIENT_SECRET ), settings.getSecret().getStringValue() );
 final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "oauth code resolver", settings, requestUrl, requestParams, null );
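Review bot: The client secret is put into `requestParams` as `settings.getSecret().getStringValue()` on the last added line, and whether that map is sent as a POST body or appended to the request URL is decided by makeHttpRequest, which is outside this hunk. If the parameters are ever encoded into the URL the secret would be recorded in proxy and access logs, so the contract that client credentials travel only in the body (or as HTTP Basic authentication, for which the file already imports BasicAuthInfo) deserves to be stated on makeHttpRequest and checked there. A comment on the `redirectUri` line noting that the value must match byte-for-byte what redirectUserToOAuthServer sent, and that figureOauthSelfEndPointUrl is the single source for both, would also help maintainers. makeOAuthResolveRequest's signature and the remainder of its body lie outside the hunk.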
@@ -176,9 +176,9 @@ private OAuthResolveResults resolveResultsFromResponseBody(
 )
 {
 final DomainConfig config = pwmRequest.getDomainConfig();
- final String oauthExpiresParam = config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_EXPIRES );
- final String oauthAccessTokenParam = config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN );
- final String refreshTokenParam = config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_REFRESH_TOKEN );
+ final String oauthExpiresParam = config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_EXPIRES );
+ final String oauthAccessTokenParam = config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN );
+ final String refreshTokenParam = config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_REFRESH_TOKEN );
 final long expireSeconds = JavaHelper.silentParseLong( readAttributeFromBodyMap( resolveResponseBodyStr, oauthExpiresParam ), 0 );
 final String accessToken = readAttributeFromBodyMap( resolveResponseBodyStr, oauthAccessTokenParam );
@@ -199,11 +199,11 @@ private OAuthResolveResults makeOAuthRefreshRequest(
 {
 final DomainConfig config = pwmRequest.getDomainConfig();
 final String requestUrl = settings.getCodeResolveUrl();
- final String grantType = config.readAppProperty( AppProperty.OAUTH_ID_REFRESH_GRANT_TYPE );
+ final String grantType = config.readDomainProperty( DomainProperty.OAUTH_ID_REFRESH_GRANT_TYPE );
 final Map requestParams = new HashMap<>();
- requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_REFRESH_TOKEN ), refreshCode );
- requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_GRANT_TYPE ), grantType );
+ requestParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_REFRESH_TOKEN ), refreshCode );
+ requestParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_GRANT_TYPE ), grantType );
 final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth refresh resolver", settings, requestUrl, requestParams, null );
@@ -221,8 +221,8 @@ String makeOAuthGetUserInfoRequest(
 final DomainConfig config = pwmRequest.getDomainConfig();
 final String requestUrl = settings.getAttributesUrl();
 final Map requestParams = new HashMap<>();
- requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN ), accessToken );
- requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ATTRIBUTES ), settings.getDnAttributeName() );
+ requestParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN ), accessToken );
+ requestParams.put( config.readDomainProperty( DomainProperty.HTTP_PARAM_OAUTH_ATTRIBUTES ), settings.getDnAttributeName() );
 restResults = makeHttpRequest( pwmRequest, "OAuth userinfo", settings, requestUrl, requestParams, accessToken );
 }
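Review bot: makeOAuthRefreshRequest sends only the refresh token and grant type, whereas makeOAuthResolveRequest in the same file also sends the client id and client secret for the code exchange. Unless makeHttpRequest (outside the hunk) attaches client authentication itself, a provider that requires confidential clients to authenticate on refresh will reject the request and token refresh will fail once `OAUTH_ENABLE_TOKEN_REFRESH` is turned on; if the helper does add it, a one-line comment above `final Map requestParams = new HashMap<>();` saying so would stop the next reader from asking the same question. In the makeOAuthGetUserInfoRequest hunk the access token is both placed in `requestParams` and passed as the last argument to makeHttpRequest; if that argument already produces an Authorization header, the parameter copy is redundant and, should the parameters go into the URL, would expose the token in logs. Both functions start before and end after their hunks.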
@@ -316,11 +316,11 @@ private static String figureOauthSelfEndPointUrl( final PwmRequest pwmRequest )
 final String redirectUri;
 {
- final String returnUrlOverride = pwmRequest.getDomainConfig().readAppProperty( AppProperty.OAUTH_RETURN_URL_OVERRIDE );
+ final String returnUrlOverride = pwmRequest.getDomainConfig().readDomainProperty( DomainProperty.OAUTH_RETURN_URL_OVERRIDE );
 final String siteURL = pwmRequest.getDomainConfig().readSettingAsString( PwmSetting.PWM_SITE_URL );
 if ( returnUrlOverride != null && !returnUrlOverride.trim().isEmpty() )
 {
- debugSource = "AppProperty(\"" + AppProperty.OAUTH_RETURN_URL_OVERRIDE.getKey() + "\")";
+ debugSource = "DomainProperty(\"" + DomainProperty.OAUTH_RETURN_URL_OVERRIDE.getKey() + "\")";
 redirectUri = returnUrlOverride + PwmServletDefinition.OAuthConsumer.servletUrl();
 }
@@ -358,7 +358,7 @@ public boolean checkOAuthExpiration( final PwmRequest pwmRequest )
 throws PwmUnrecoverableException
 {
- if ( !Boolean.parseBoolean( pwmRequest.getDomainConfig().readAppProperty( AppProperty.OAUTH_ENABLE_TOKEN_REFRESH ) ) )
+ if ( !Boolean.parseBoolean( pwmRequest.getDomainConfig().readDomainProperty( DomainProperty.OAUTH_ENABLE_TOKEN_REFRESH ) ) )
 {
 return false;
 }
diff --git a/server/src/main/resources/password/pwm/AppProperty.properties b/server/src/main/resources/password/pwm/AppProperty.properties
index bc0a63fee..6eb95ba24 100644
--- a/server/src/main/resources/password/pwm/AppProperty.properties
+++ b/server/src/main/resources/password/pwm/AppProperty.properties
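Review bot: In figureOauthSelfEndPointUrl the override is tested with `returnUrlOverride.trim().isEmpty()` but concatenated untrimmed on `redirectUri = returnUrlOverride + PwmServletDefinition.OAuthConsumer.servletUrl();`, so a value with surrounding whitespace passes the check and yields a malformed redirect URI that the provider's exact redirect_uri comparison will reject. Normalise once, `final String override = returnUrlOverride == null ? "" : returnUrlOverride.trim();`, and use `override` for both the emptiness test and the concatenation. Now that the value is domain-scoped it may also be worth validating that it is an absolute URL before it is sent to the provider, since a relative or scheme-less value silently produces a redirect target the provider cannot match; this is inferred from the concatenation and should be confirmed against how the setting is documented. The function starts before the hunk and continues after it.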
@@ -152,18 +152,6 @@ http.parameter.passwordExpired=passwordExpired
 http.parameter.maxReadLength=10240
 http.parameter.sessionVerification=stickyRedirectTest
 http.parameter.ssoOverride=sso
-http.parameter.oauth.accessToken=access_token
-http.parameter.oauth.attributes=attributes
-http.parameter.oauth.clientID=client_id
-http.parameter.oauth.clientSecret=client_secret
-http.parameter.oauth.code=code
-http.parameter.oauth.expires=expires_in
-http.parameter.oauth.responseType=response_type
-http.parameter.oauth.redirectUri=redirect_uri
-http.parameter.oauth.refreshToken=refresh_token
-http.parameter.oauth.scope=scope
-http.parameter.oauth.state=state
-http.parameter.oauth.grantType=grant_type
 http.download.buffer.size=102400
 http.session.recycleAtAuth=true
 http.servlet.enablePostRedirectGet=true
@@ -207,11 +195,6 @@ nmas.threads.watchdogDebug=false
 nmas.ignoreNmasCrDuringForceSetupCheck=false
 nmas.useLocalSaslFactory=true
 nmas.forceSaslFactoryRegistration=true
-oauth.id.accessGrantType=authorization_code
-oauth.id.refreshGrantType=refresh_token
-oauth.id.requestType=code
-oauth.enableTokenRefresh=false
-oauth.returnUrlOverride=
 otp.totp.pastIntervals=1
 otp.totp.futureIntervals=1
 otp.totp.intervalSeconds=30
diff --git a/server/src/main/resources/password/pwm/DomainProperty.properties b/server/src/main/resources/password/pwm/DomainProperty.properties
index 46afd7497..2e4c1a489 100644
--- a/server/src/main/resources/password/pwm/DomainProperty.properties
+++ b/server/src/main/resources/password/pwm/DomainProperty.properties
@@ -38,6 +38,18 @@ http.cookie.login.name=SESSION
 http.cookie.nonce.name=ID
 http.cookie.nonce.length=32
 http.cookie.sameSite.value=Strict
+http.parameter.oauth.accessToken=access_token
+http.parameter.oauth.attributes=attributes
+http.parameter.oauth.clientID=client_id
+http.parameter.oauth.clientSecret=client_secret
+http.parameter.oauth.code=code
+http.parameter.oauth.expires=expires_in
+http.parameter.oauth.responseType=response_type
+http.parameter.oauth.redirectUri=redirect_uri
+http.parameter.oauth.refreshToken=refresh_token
+http.parameter.oauth.scope=scope
+http.parameter.oauth.state=state
+http.parameter.oauth.grantType=grant_type
 ldap.resolveCanonicalDN=true
 ldap.cache.canonical.enable=true
 ldap.cache.canonical.seconds=600
@@ -63,3 +75,8 @@ ldap.search.parallel.enable=true
 ldap.search.parallel.factor=5
 ldap.search.parallel.threadMax=50
 ldap.oracle.postTempPasswordUseCurrentTime=false
+oauth.id.accessGrantType=authorization_code
+oauth.id.refreshGrantType=refresh_token
+oauth.id.requestType=code
+oauth.enableTokenRefresh=false
+oauth.returnUrlOverride=