diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
index 798e1d557..da1443c06 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
@@ -24,6 +24,7 @@ import java.util.HashSet;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -50,6 +51,9 @@ public class DefaultClientUserDetailsService implements UserDetailsService {
 	@Autowired
 	private ClientDetailsEntityService clientDetailsService;
+	@Autowired
+	private ConfigurationPropertiesBean config;
+
 	@Override
 	public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException {
@@ -60,9 +64,10 @@ public class DefaultClientUserDetailsService implements UserDetailsService {
 		String password = Strings.nullToEmpty(client.getClientSecret());
-		if (client.getTokenEndpointAuthMethod() != null &&
-				(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
-						client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) {
+		if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
+				(client.getTokenEndpointAuthMethod() != null &&
+						(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
+								client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {
 			// Issue a random password each time to prevent password auth from being used (or skipped)
 			// for private key or shared key clients, see #715
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
index 5876a75b0..b2ab65642 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
@@ -25,6 +25,7 @@ import java.util.HashSet;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
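Review bot: The explanatory comment directly under the new condition still says the random password is issued "for private key or shared key clients, see #715", which is no longer the whole story once `config.isHeartMode()` forces that path for every client regardless of its registered token-endpoint auth method; the same stale comment sits in the matching hunk of UriEncodedClientUserDetailsService. I would move the trailing `// if we're running HEART mode ...` remark out of the boolean expression, where it is easy to misread as part of the condition, and fold it into the block comment, e.g. `// Issue a random password each time to prevent password auth from being used (or skipped)` / `// for private key or shared key clients (see #715), and for every client when HEART mode` / `// is enabled, since HEART does not permit client-secret authentication at all.` The random-password assignment itself and the rest of loadUserByUsername lie outside this hunk, so I am assuming the branch body is unchanged. Note that `config` is injected with a plain `@Autowired` (required by default), so a missing ConfigurationPropertiesBean fails context startup rather than silently falling back to secret-based auth, which seems the safer direction.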
@@ -54,6 +55,9 @@ public class UriEncodedClientUserDetailsService implements UserDetailsService {
 	@Autowired
 	private ClientDetailsEntityService clientDetailsService;
+	@Autowired
+	private ConfigurationPropertiesBean config;
+
 	@Override
 	public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException {
@@ -66,9 +70,10 @@ public class UriEncodedClientUserDetailsService implements UserDetailsService {
 		String encodedPassword = UriUtils.encodeQueryParam(Strings.nullToEmpty(client.getClientSecret()), "UTF-8");
-		if (client.getTokenEndpointAuthMethod() != null &&
-				(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
-						client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) {
+		if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
+				(client.getTokenEndpointAuthMethod() != null &&
+						(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
+								client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {
 			// Issue a random password each time to prevent password auth from being used (or skipped)
 			// for private key or shared key clients, see #715