diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java index d0db470486f0d..1a0ea2274cc87 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java @@ -156,13 +156,13 @@ private Uni createTenantContext(Vertx vertx, OidcTenantConf try { verifyAuthServerUrl(oidcConfig); - OidcCommonUtils.verifyCommonConfiguration(oidcConfig, isServiceApp(oidcConfig), true); + OidcCommonUtils.verifyCommonConfiguration(oidcConfig, OidcUtils.isServiceApp(oidcConfig), true); } catch (ConfigurationException t) { return Uni.createFrom().failure(t); } if (!oidcConfig.discoveryEnabled.orElse(true)) { - if (!isServiceApp(oidcConfig)) { + if (!OidcUtils.isServiceApp(oidcConfig)) { if (!oidcConfig.authorizationPath.isPresent() || !oidcConfig.tokenPath.isPresent()) { throw new ConfigurationException( "'web-app' applications must have 'authorization-path' and 'token-path' properties " @@ -183,7 +183,7 @@ private Uni createTenantContext(Vertx vertx, OidcTenantConf } } - if (isServiceApp(oidcConfig)) { + if (OidcUtils.isServiceApp(oidcConfig)) { if (oidcConfig.token.refreshExpired) { throw new ConfigurationException( "The 'token.refresh-expired' property can only be enabled for " + ApplicationType.WEB_APP @@ -219,7 +219,7 @@ private Uni createTenantContext(Vertx vertx, OidcTenantConf } private static TenantConfigContext createTenantContextFromPublicKey(OidcTenantConfig oidcConfig) { - if (!isServiceApp(oidcConfig)) { + if (!OidcUtils.isServiceApp(oidcConfig)) { throw new ConfigurationException("'public-key' property can only be used with the 'service' applications"); } LOG.debug("'public-key' property for the local token verification is set," 
@@ -359,6 +359,7 @@ public Uni apply(OidcConfigurationMetadata metadata, Throwab } return Uni.createFrom().item(new OidcProviderClient(client, metadata, oidcConfig)); } + }); } @@ -376,15 +377,10 @@ private static OidcConfigurationMetadata createLocalMetadata(OidcTenantConfig oi oidcConfig.token.issuer.orElse(null)); } - private static boolean isServiceApp(OidcTenantConfig oidcConfig) { - return ApplicationType.SERVICE.equals(oidcConfig.applicationType.orElse(ApplicationType.SERVICE)); - } - private static void verifyAuthServerUrl(OidcCommonConfig oidcConfig) { if (!oidcConfig.getAuthServerUrl().isPresent()) { throw new ConfigurationException("'quarkus.oidc.auth-server-url' property must be configured"); } OidcCommonUtils.verifyEndpointUrl(oidcConfig.getAuthServerUrl().get()); } - } diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java index 4213bff15ebaa..35bf0fdd3d923 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java @@ -29,6 +29,7 @@ import io.quarkus.oidc.AuthorizationCodeTokens; import io.quarkus.oidc.OIDCException; import io.quarkus.oidc.OidcTenantConfig; +import io.quarkus.oidc.OidcTenantConfig.ApplicationType; import io.quarkus.oidc.OidcTenantConfig.Authentication; import io.quarkus.oidc.RefreshToken; import io.quarkus.oidc.TokenIntrospection; 
@@ -78,6 +79,14 @@ private OidcUtils() { } + public static boolean isServiceApp(OidcTenantConfig oidcConfig) { + return ApplicationType.SERVICE.equals(oidcConfig.applicationType.orElse(ApplicationType.SERVICE)); + } + + public static boolean isWebApp(OidcTenantConfig oidcConfig) { + return ApplicationType.WEB_APP.equals(oidcConfig.applicationType.orElse(ApplicationType.SERVICE)); + } + public static boolean isEncryptedToken(String token) { return new StringTokenizer(token, ".").countTokens() == 5; } diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java index c25e570e38902..40142f7ab37e7 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantConfigContext.java @@ -47,8 +47,9 @@ public TenantConfigContext(OidcProvider client, OidcTenantConfig config, boolean this.oidcConfig = config; this.ready = ready; - pkceSecretKey = provider != null && provider.client != null ? createPkceSecretKey(config) : null; - tokenEncSecretKey = provider != null && provider.client != null ? createTokenEncSecretKey(config) : null; + boolean isService = OidcUtils.isServiceApp(config); + pkceSecretKey = !isService && provider != null && provider.client != null ? createPkceSecretKey(config) : null; + tokenEncSecretKey = !isService && provider != null && provider.client != null ? createTokenEncSecretKey(config) : null; } private static SecretKey createPkceSecretKey(OidcTenantConfig config) {
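Review bot: The new public helpers `isServiceApp` and `isWebApp` in OidcUtils have no Javadoc, and both quietly encode a default: an unset `applicationType` is treated as `SERVICE`, so `isWebApp` returns false for a tenant that never sets the property. That default now decides, via TenantConfigContext, whether PKCE and token-encryption keys are derived, so it should be stated on the method, e.g. `/** Returns true for a 'service' tenant; an unset application type defaults to SERVICE. */`. The two predicates are also not complements: for `ApplicationType.HYBRID` both return false, so a caller writing `!isServiceApp(...)` includes hybrid tenants while `isWebApp(...)` excludes them. A one-line comment on each saying which to use for "may run the code flow" checks would prevent the wrong one being picked in an authentication decision.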
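Review bot: In the TenantConfigContext constructor the guard `!isService && provider != null && provider.client != null` is now spelled out on both assignments, and nothing records why service tenants get no keys. Computing it once, `boolean needsSecretKeys = !OidcUtils.isServiceApp(config) && provider != null && provider.client != null;`, keeps the two fields in step. If the reason is that service tenants never run the authorization code flow, a comment such as `// 'service' tenants do not run the code flow, so no PKCE or token-encryption key is derived` would record it. Both fields are now null for a whole application type, so the code that reads them (not visible in this hunk) should fail closed on a null key when PKCE or token encryption is configured, rather than continuing with unprotected state; that is worth confirming. The constructor starts above the hunk and `createPkceSecretKey` continues below it.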