diff --git a/documentation/dsls/DSL:-AshAuthentication.Strategy.Oidc.md b/documentation/dsls/DSL:-AshAuthentication.Strategy.Oidc.md
index c322a77..a90e9bf 100644
--- a/documentation/dsls/DSL:-AshAuthentication.Strategy.Oidc.md
+++ b/documentation/dsls/DSL:-AshAuthentication.Strategy.Oidc.md
@@ -76,10 +76,8 @@ all the same configuration options should you need them.
 | Name | Type | Default | Docs |
 |------|------|---------|------|
 | [`client_id`](#authentication-strategies-oidc-client_id){: #authentication-strategies-oidc-client_id .spark-required} | `(any, any -> any) \| module \| String.t` | | The OAuth2 client ID. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
-| [`authorize_url`](#authentication-strategies-oidc-authorize_url){: #authentication-strategies-oidc-authorize_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to the OAuth2 authorize endpoint, relative to `site`, e.g `authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
-| [`token_url`](#authentication-strategies-oidc-token_url){: #authentication-strategies-oidc-token_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the token endpoint, relative to `site`, e.g `token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
+| [`base_url`](#authentication-strategies-oidc-base_url){: #authentication-strategies-oidc-base_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The base URL of the OAuth2 server - including the leading protocol (ie `https://`). Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
 | [`redirect_uri`](#authentication-strategies-oidc-redirect_uri){: #authentication-strategies-oidc-redirect_uri .spark-required} | `(any, any -> any) \| module \| String.t` | | The callback URI *base*. Not the whole URI back to the callback endpoint, but the URI to your `AuthPlug`.
Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
-| [`base_url`](#authentication-strategies-oidc-base_url){: #authentication-strategies-oidc-base_url } | `(any, any -> any) \| module \| String.t` | | The base URL of the OAuth2 server - including the leading protocol (ie `https://`). Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
 | [`site`](#authentication-strategies-oidc-site){: #authentication-strategies-oidc-site } | `(any, any -> any) \| module \| String.t` | | Deprecated: Use `base_url` instead. |
 | [`auth_method`](#authentication-strategies-oidc-auth_method){: #authentication-strategies-oidc-auth_method } | `nil \| :client_secret_basic \| :client_secret_post \| :client_secret_jwt \| :private_key_jwt` | `:client_secret_post` | The authentication strategy used, optional. If not set, no authentication will be used during the access token request. |
 | [`client_secret`](#authentication-strategies-oidc-client_secret){: #authentication-strategies-oidc-client_secret } | `(any, any -> any) \| module \| String.t` | | The OAuth2 client secret. Required if :auth_method is `:client_secret_basic`, `:client_secret_post` or `:client_secret_jwt`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
diff --git a/lib/ash_authentication/strategies/oauth2/plug.ex b/lib/ash_authentication/strategies/oauth2/plug.ex
index 9a4c77f..0525c92 100644
--- a/lib/ash_authentication/strategies/oauth2/plug.ex
+++ b/lib/ash_authentication/strategies/oauth2/plug.ex
@@ -84,12 +84,18 @@ defmodule AshAuthentication.Strategy.OAuth2.Plug do
 |> Map.take(@raw_config_attrs)
 |> Map.put(:http_adapter, {Finch, supervisor: AshAuthentication.Finch})
- with {:ok, config} <- add_secret_value(config, strategy, :authorize_url),
- {:ok, config} <- add_secret_value(config, strategy, :client_id),
- {:ok, config} <- add_secret_value(config, strategy, :client_secret),
- {:ok, config} <- add_secret_value(config, strategy, :base_url),
- {:ok, config} <- add_secret_value(config, strategy, :token_url),
- {:ok, config} <- add_secret_value(config, strategy, :user_url, !!strategy.authorize_url),
+ with {:ok, config} <- add_secret_value(config, strategy, :base_url),
+ {:ok, config} <- add_secret_value(config, strategy, :authorize_url, !!strategy.base_url),
+ {:ok, config} <- add_secret_value(config, strategy, :client_id, !!strategy.base_url),
+ {:ok, config} <- add_secret_value(config, strategy, :client_secret, !!strategy.base_url),
+ {:ok, config} <- add_secret_value(config, strategy, :token_url, !!strategy.base_url),
+ {:ok, config} <-
+ add_secret_value(
+ config,
+ strategy,
+ :user_url,
+ !!strategy.authorize_url || !!strategy.base_url
+ ),
 {:ok, redirect_uri} <- build_redirect_uri(strategy),
 {:ok, jwt_algorithm} <- Info.authentication_tokens_signing_algorithm(strategy.resource) do
diff --git a/lib/ash_authentication/strategies/oidc/dsl.ex b/lib/ash_authentication/strategies/oidc/dsl.ex
index 20df2ef..3166c09 100644
--- a/lib/ash_authentication/strategies/oidc/dsl.ex
+++ b/lib/ash_authentication/strategies/oidc/dsl.ex
@@ -1,6 +1,8 @@
 defmodule AshAuthentication.Strategy.Oidc.Dsl do
 @moduledoc false
+ import Spark.Options.Helpers, only: [make_required!: 2]
+
 alias AshAuthentication.Strategy.{Custom, OAuth2}
 @doc false
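Review bot: Gating `client_id` and `client_secret` on `!!strategy.base_url` ties two secrets that cannot be derived from a base URL to the same switch that now relaxes `authorize_url` and `token_url`; judging by the old `:user_url` call, which was gated on `authorize_url`, the fourth argument appears to let the value be absent, so with `base_url` set a missing client id or secret would no longer be reported while the config is assembled but only once the token request is made. If the intent is only to make the endpoint URLs optional when `base_url` is present, keep `{:ok, config} <- add_secret_value(config, strategy, :client_id),` and `{:ok, config} <- add_secret_value(config, strategy, :client_secret),` unconditional, or gate `client_secret` on `strategy.auth_method` as the DSL docs in this commit already describe. The enclosing function starts and ends outside the hunk.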
@@ -24,6 +26,9 @@ defmodule AshAuthentication.Strategy.Oidc.Dsl do
 defp patch_schema do
 OAuth2.dsl()
 |> Map.get(:schema, [])
+ |> make_required!(:base_url)
+ |> Keyword.delete(:authorize_url)
+ |> Keyword.delete(:token_url)
 |> Keyword.delete(:user_url)
 |> Keyword.merge(
 openid_configuration_uri: [
diff --git a/lib/ash_authentication/strategies/oidc/verifier.ex b/lib/ash_authentication/strategies/oidc/verifier.ex
index 486b51a..1833fe7 100644
--- a/lib/ash_authentication/strategies/oidc/verifier.ex
+++ b/lib/ash_authentication/strategies/oidc/verifier.ex
@@ -9,13 +9,9 @@ defmodule AshAuthentication.Strategy.Oidc.Verifier do
 @doc false
 @spec verify(OAuth2.t(), map) :: :ok | {:error, Exception.t()}
 def verify(strategy, _dsl_state) do
- with :ok <- validate_secret(strategy, :authorize_url),
- :ok <- validate_secret(strategy, :client_id),
+ with :ok <- validate_secret(strategy, :client_id),
 :ok <- validate_secret(strategy, :client_secret),
- :ok <- validate_secret(strategy, :redirect_uri),
 :ok <- validate_secret(strategy, :base_url),
- :ok <- validate_secret(strategy, :token_url),
- :ok <- validate_secret(strategy, :user_url, [nil]),
 :ok <- validate_secret(strategy, :nonce, [true, false]) do
 if strategy.auth_method == :private_key_jwt do
 validate_secret(strategy, :private_key)
diff --git a/test/support/example/user.ex b/test/support/example/user.ex
index fcded96..1523d4d 100644
--- a/test/support/example/user.ex
+++ b/test/support/example/user.ex
@@ -245,12 +245,10 @@ defmodule Example.User do
 oidc do
 authorization_params scope: "openid profile email phone address"
- authorize_url &get_config/2
 client_id &get_config/2
 client_secret &get_config/2
 redirect_uri &get_config/2
 base_url &get_config/2
- token_url &get_config/2
 end
 end
 end
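Review bot: `make_required!(:base_url)` turns a missing `base_url` into a DSL compile error, but the schema still carries the deprecated `site` option (left unchanged in this commit's documentation hunk, which says "Use `base_url` instead"), so a configuration that only sets `site` will stop compiling unless a transformer copies `site` into `base_url` before option validation, and this diff shows none. If `site` is meant to keep working as an alias during the deprecation window, enforce the requirement in the verifier with a fallback to `site` rather than in the schema; if a hard break is intended, say so in the `site` deprecation text. `patch_schema/0` continues past the hunk.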
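Review bot: Removing `:ok <- validate_secret(strategy, :redirect_uri),` drops a check that the switch to `base_url` does not replace, since the redirect URI is not derived from the base URL and the DSL docs in this commit still mark `redirect_uri` as required; a misconfigured redirect secret would now be caught only at runtime in `build_redirect_uri/1` instead of when the resource compiles. Keeping `:ok <- validate_secret(strategy, :redirect_uri),` next to the `:base_url` clause preserves the compile-time guarantee for the one OAuth2 value whose correctness decides where the authorization code is delivered. The `with` in `verify/2` continues past the hunk.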