diff --git a/src/OrchardCore.Modules/OrchardCore.OpenId/Recipes/OpenIdClientSettingsStep.cs b/src/OrchardCore.Modules/OrchardCore.OpenId/Recipes/OpenIdClientSettingsStep.cs
index dc61025d645..89e93ceac31 100644
--- a/src/OrchardCore.Modules/OrchardCore.OpenId/Recipes/OpenIdClientSettingsStep.cs
+++ b/src/OrchardCore.Modules/OrchardCore.OpenId/Recipes/OpenIdClientSettingsStep.cs
@@ -1,4 +1,6 @@
 using System.Text.Json.Nodes;
+using Microsoft.AspNetCore.DataProtection;
+using OrchardCore.OpenId.Configuration;
 using OrchardCore.OpenId.Services;
 using OrchardCore.OpenId.Settings;
 using OrchardCore.Recipes.Models;
@@ -12,11 +14,17 @@ namespace OrchardCore.OpenId.Recipes;
 public sealed class OpenIdClientSettingsStep : NamedRecipeStepHandler
 {
     private readonly IOpenIdClientService _clientService;
+    private readonly IDataProtectionProvider _dataProtectionProvider;
 
-    public OpenIdClientSettingsStep(IOpenIdClientService clientService)
+    private static readonly char[] ScopeDelimiters = [' ', ','];
+
+    public OpenIdClientSettingsStep(
+        IOpenIdClientService clientService,
+        IDataProtectionProvider dataProtectionProvider)
         : base("OpenIdClientSettings")
     {
         _clientService = clientService;
+        _dataProtectionProvider = dataProtectionProvider;
     }
 
     protected override async Task HandleAsync(RecipeExecutionContext context)
@@ -24,11 +32,19 @@ protected override async Task HandleAsync(RecipeExecutionContext context)
         var model = context.Step.ToObject<OpenIdClientSettingsStepModel>();
         var settings = await _clientService.LoadSettingsAsync();
 
-        settings.Scopes = model.Scopes.Split(' ', ',');
+        settings.Scopes = model.Scopes?.Split(ScopeDelimiters, StringSplitOptions.RemoveEmptyEntries);
         settings.Authority = !string.IsNullOrEmpty(model.Authority) ? new Uri(model.Authority, UriKind.Absolute) : null;
         settings.CallbackPath = model.CallbackPath;
         settings.ClientId = model.ClientId;
-        settings.ClientSecret = model.ClientSecret;
+        if (!string.IsNullOrEmpty(model.ClientSecret))
+        {
+            settings.ClientSecret = model.ClientSecret;
+        }
+        else if (!string.IsNullOrEmpty(model.ClientSecretPlainText))
+        {
+            var protector = _dataProtectionProvider.CreateProtector(nameof(OpenIdClientConfiguration));
+            settings.ClientSecret = protector.Protect(model.ClientSecret);
+        }
         settings.DisplayName = model.DisplayName;
         settings.ResponseMode = model.ResponseMode;
         settings.ResponseType = model.ResponseType;
@@ -50,6 +66,7 @@ public sealed class OpenIdClientSettingsStepModel
 
     public string ClientId { get; set; }
     public string ClientSecret { get; set; }
+    public string ClientSecretPlainText { get; set; }
     public string CallbackPath { get; set; }
     public string SignedOutRedirectUri { get; set; }
     public string SignedOutCallbackPath { get; set; }