diff --git a/server/handlers.go b/server/handlers.go
index 494af232..6d3f9e7e 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -683,7 +683,7 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 }
 if s.hashClientSecret {
- if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
+ if err := bcrypt.CompareHashAndPassword([]byte(clientSecret), []byte(client.Secret)); err != nil {
 s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 return
 }
diff --git a/server/server_test.go b/server/server_test.go
index cbb298e5..76abbab9 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -1681,7 +1681,7 @@ func TestClientSecretEncryption(t *testing.T) {
 // Create the OAuth2 config.
 oauth2Config = &oauth2.Config{
 ClientID: clientID,
- ClientSecret: clientSecret,
+ ClientSecret: string(hash),
 Endpoint: p.Endpoint(),
 Scopes: requestedScopes,
 }
@@ -1728,7 +1728,7 @@ func TestClientSecretEncryption(t *testing.T) {
 // Regester the client above with dex.
 client := storage.Client{
 ID: clientID,
- Secret: string(hash),
+ Secret: clientSecret,
 RedirectURIs: []string{oauth2Client.URL + "/callback"},
 }
 if err := s.storage.CreateClient(client); err != nil {
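Review bot: The swapped arguments on the `+` line make the request-supplied `clientSecret` the bcrypt hash and the stored `client.Secret` the password, because `bcrypt.CompareHashAndPassword` takes `(hashedPassword, password)`; the removed line had them the right way round. Under the new order the value persisted in storage has to be plaintext while the caller presents a hash, which, if `hashClientSecret` is meant to protect secrets at rest as its name suggests, defeats that purpose, and the salt and cost factor are then parsed from the untrusted request value instead of from the stored record. The server_test.go hunks encode the same inversion (`ClientSecret: string(hash)` in the oauth2 config, `Secret: clientSecret` in the stored client), so if hashed-at-rest is the intended contract all three hunks should be dropped rather than the test adjusted to agree with the handler; if storage really is meant to hold the plaintext, the option's documentation should say so explicitly. handleToken starts and ends outside this hunk.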