diff --git a/gitea/conf/conf.ini.tpl b/gitea/conf/conf.ini.tpl index e7a58c0..b931518 100644 --- a/gitea/conf/conf.ini.tpl +++ b/gitea/conf/conf.ini.tpl @@ -129,8 +129,8 @@ LOGIN_REMEMBER_DAYS = 30 MIN_PASSWORD_LENGTH = 10 IMPORT_LOCAL_PATHS = true DISABLE_GIT_HOOKS = true -SECRET_KEY = ${secret_key} -INTERNAL_TOKEN = ${internal_token} +SECRET_KEY = "${secret_key}" +INTERNAL_TOKEN = "${internal_token}" [service] ; ; More detail: https://github.com/gogits/gogs/issues/165 @@ -297,3 +297,8 @@ MIRROR = 300 CLONE = 300 PULL = 300 GC = 60 + +[oauth2] +ENABLE = false +; this is same as JWT secret above +JWT_SECRET = "${oauth2-jwt-secret}" diff --git a/gitea/data.tf b/gitea/data.tf index aa45624..460f9f9 100644 --- a/gitea/data.tf +++ b/gitea/data.tf @@ -12,10 +12,11 @@ data "template_file" "gitea-config-file" { template = "${file("${path.module}/conf/conf.ini.tpl")}" vars { - secret_key = "${var.secret-key}" - internal_token = "${var.internal-token}" - smtp_password = "${var.smtp-password}" - lfs-jwt-secret = "${var.lfs-jwt-secret}" - mysql-password = "${var.mysql-password}" + secret_key = "${var.secret-key}" + internal_token = "${var.internal-token}" + smtp_password = "${var.smtp-password}" + lfs-jwt-secret = "${var.lfs-jwt-secret}" + mysql-password = "${var.mysql-password}" + oauth2-jwt-secret = "${var.oauth2-jwt-secret}" } } diff --git a/gitea/variables.tf b/gitea/variables.tf index 093e8dc..5457f6f 100644 --- a/gitea/variables.tf +++ b/gitea/variables.tf @@ -12,6 +12,7 @@ variable "secret-key" {} variable "internal-token" {} variable "smtp-password" {} variable "lfs-jwt-secret" {} +variable "oauth2-jwt-secret" {} variable "mysql-password" {} variable "traefik-network-id" {} diff --git a/main.tf b/main.tf index 35608b8..2e74634 100644 --- a/main.tf +++ b/main.tf 
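Review bot: In the first hunk of gitea/conf/conf.ini.tpl, the newly quoted `SECRET_KEY` and `INTERNAL_TOKEN` lines carry no comment saying why the quotes are needed, so a later cleanup could strip them again. Presumably the quotes stop the INI parser from truncating a generated value that contains `#`, `;` or surrounding whitespace. A line above them such as `; quoted: generated secrets may contain '#' or ';', which would otherwise start an inline comment` would record that. A value that itself contains `"` would presumably still break the rendered line, so confirm the generated secrets never include a double quote. Other secrets interpolated elsewhere in this template are outside the hunk and may need the same quoting.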
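Review bot: In the new `[oauth2]` section of gitea/conf/conf.ini.tpl, the comment `; this is same as JWT secret above` is ambiguous and reads as if the OAuth2 signing secret should equal another JWT secret in the file. The rest of the commit wires a distinct `oauth2-jwt-secret` variable from its own pass entry, so the value is meant to be separate. Sharing one signing key between two token types would mean that exposure of either affects both. I would reword it to `; same format as the LFS JWT secret, but a separate value`. The setting that "above" refers to is outside the hunk, so confirm which one was meant.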
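Review bot: In gitea/data.tf the `vars` map now renders one more secret into the `template_file` output, and nothing notes that the rendered config, with every secret in clear text, is kept in the Terraform state. The state file and any backend it is pushed to need the same access restrictions as the password store the values come from. A comment above `vars` such as `# rendered output embeds secrets in plaintext; keep tfstate out of version control and on an encrypted, access-restricted backend` would make that explicit. How the rendered file reaches the Gitea container is outside the hunk.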
@@ -34,14 +34,15 @@ module "timemachine" { } module "gitea" { - source = "gitea" - domain = "git.captnemo.in" - traefik-labels = "${var.traefik-common-labels}" - ips = "${var.ips}" - secret-key = "${data.pass_password.gitea-secret-key.password}" - internal-token = "${data.pass_password.gitea-internal-token.password}" - smtp-password = "${data.pass_password.gitea-smtp-password.password}" - lfs-jwt-secret = "${data.pass_password.gitea-lfs-jwt-secret.password}" + source = "gitea" + domain = "git.captnemo.in" + traefik-labels = "${var.traefik-common-labels}" + ips = "${var.ips}" + secret-key = "${data.pass_password.gitea-secret-key.password}" + internal-token = "${data.pass_password.gitea-internal-token.password}" + smtp-password = "${data.pass_password.gitea-smtp-password.password}" + lfs-jwt-secret = "${data.pass_password.gitea-lfs-jwt-secret.password}" + oauth2-jwt-secret = "${data.pass_password.gitea-oauth2-jwt-secret.password}" //passed, but not used mysql-password = "" diff --git a/secrets.tf b/secrets.tf index c312eef..7511d6d 100644 --- a/secrets.tf +++ b/secrets.tf @@ -18,6 +18,10 @@ data "pass_password" "gitea-secret-key" { path = "GITEA_SECRET_KEY" } +data "pass_password" "gitea-oauth2-jwt-secret" { + path = "GITEA_OAUTH2_JWT_SECRET" +} + data "pass_password" "gf-security-admin-password" { path = "GRAFANA_ADMIN_PASSWORD" }
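Review bot: The new `data "pass_password" "gitea-oauth2-jwt-secret"` block in secrets.tf depends on a `GITEA_OAUTH2_JWT_SECRET` entry existing in the password store, and the commit does not document how to create it. Presumably a missing entry fails the data source at plan time, and a value in the wrong format may be rejected by Gitea at startup. A comment on the block such as `# create with: gitea generate secret JWT_SECRET, then store under GITEA_OAUTH2_JWT_SECRET` would let someone rebuild the store from scratch. It is also worth stating there that the value must be generated fresh rather than copied from the entry behind `gitea-lfs-jwt-secret`.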