diff --git a/flake.nix b/flake.nix
index eef0495..c91cfb4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -41,6 +41,11 @@
 ]);
 shellHook = ''
+ export OIDC_CLIENT_ID="putzplan"
+ export OIDC_BASE_URL="http://127.0.0.1:9091"
+ export OIDC_CLIENT_SECRET_FILE="${pkgs.writeText "client_secret" "insecure_secret"}"
+ export OIDC_REDIRECT_URI="http://127.0.0.1:4000/auth"
+
 # allows mix to work on the local directory
 mkdir -p .nix/{mix,hex}
 export MIX_HOME=$PWD/.nix/mix
diff --git a/lib/putzplan/accounts/user.ex b/lib/putzplan/accounts/user.ex
index 6540272..0821257 100644
--- a/lib/putzplan/accounts/user.ex
+++ b/lib/putzplan/accounts/user.ex
@@ -23,11 +23,11 @@ defmodule Putzplan.Accounts.User do
 strategies do
 oidc :oidc do
- client_id "putzplan"
- base_url "http://127.0.0.1:9091"
- client_secret "insecure_secret"
+ client_id Putzplan.Secrets
+ base_url Putzplan.Secrets
+ client_secret Putzplan.Secrets
 nonce true
- redirect_uri "http://127.0.0.1:4000/auth"
+ redirect_uri Putzplan.Secrets
 authorization_params scope: "profile email"
 end
 end
diff --git a/lib/putzplan/secrets.ex b/lib/putzplan/secrets.ex
index a108ece..3a3ad9b 100644
--- a/lib/putzplan/secrets.ex
+++ b/lib/putzplan/secrets.ex
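Review bot: The four new `export` lines in the shellHook are unconditional, so a developer who exported a real `OIDC_CLIENT_SECRET_FILE` or `OIDC_BASE_URL` before entering the shell has it silently replaced by the placeholder; `export OIDC_CLIENT_ID="''${OIDC_CLIENT_ID:-putzplan}"` (and likewise for the other three) keeps the defaults while letting an existing value win. The `pkgs.writeText "client_secret" "insecure_secret"` file lands in the Nix store, which is world-readable, and the value is committed with the flake, which is acceptable only because this is a local dev stub against an IdP on 127.0.0.1:9091. A comment above the block, `# dev-only placeholders for a local IdP; the store-path secret file is world-readable`, keeps the pattern from being copied into a real deployment.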
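Review bot: The four DSL values now read `Putzplan.Secrets` with nothing in this file saying where the value actually comes from, so a reader of `user.ex` has to open `Putzplan.Secrets` to learn that `client_id` is resolved from `OIDC_CLIENT_ID` or `OIDC_CLIENT_ID_FILE` at runtime. A one-line comment above `client_id`, `# each value is resolved at runtime by Putzplan.Secrets from OIDC_<NAME> or OIDC_<NAME>_FILE`, documents that contract next to the DSL. `redirect_uri` in particular must still match what is registered at the identity provider exactly, which is worth stating in the same comment now that the literal is gone. The enclosing `defmodule Putzplan.Accounts.User` opens and closes outside the hunk.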
@@ -1,7 +1,64 @@
 defmodule Putzplan.Secrets do
+ require Logger
 use AshAuthentication.Secret
 def secret_for([:authentication, :tokens, :signing_secret], Putzplan.Accounts.User, _opts, _ctx) do
 Application.fetch_env(:putzplan, :token_signing_secret)
 end
+
+ def secret_for([:authentication, :strategies, :oidc, name], Putzplan.Accounts.User, _opts, _ctx)
+ when is_atom(name) do
+ name
+ |> Atom.to_string()
+ |> String.upcase()
+ |> secret_from_env()
+ |> dbg
+ end
+
+ defp secret_from_env(name) do
+ name
+ |> from_file
+ |> case do
+ :not_set ->
+ from_env(name)
+
+ other ->
+ other
+ end
+ |> case do
+ {:error, error} ->
+ Logger.error(error)
+ :error
+
+ {:ok, _secret} = ok ->
+ ok
+ end
+ end
+
+ defp from_file(name) do
+ env_name = "OIDC_" <> name <> "_FILE"
+
+ with {:env, {:ok, value}} <- {:env, System.fetch_env(env_name)},
+ {:file, {:ok, contents}} <- {:file, File.read(value)} do
+ {:ok, contents}
+ else
+ {:env, :error} ->
+ Logger.info("#{env_name} is not set trying OIDC_#{name}.")
+ :not_set
+
+ {:file, _} ->
+ {:error, "Error reading secret file for #{name}."}
+ end
+ end
+
+ defp from_env(name) do
+ env_name = "OIDC_#{name}"
+
+ env_name
+ |> System.fetch_env()
+ |> case do
+ :error -> {:error, "#{env_name} is not set!"}
+ other -> other
+ end
+ end
 end
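Review bot: `|> dbg` at the end of the new `secret_for/4` clause prints every resolved value, including `{:ok, client_secret}`, to stdout on each lookup, so the OIDC client secret ends up in the console and in whatever collects it; the line should be dropped so `|> secret_from_env()` is the last step. A second point in `from_file/1`: `File.read/1` returns the contents verbatim, so a secret file ending in a newline, the usual shape from `echo`, systemd credentials or container secret mounts, yields a client secret with a trailing `\n`, and the dev stub from `pkgs.writeText` (which, as far as I know, appends no newline) is why this would not show up locally. Returning `{:ok, String.trim_trailing(contents, "\n")}` in the `with` body fixes it without touching secrets that legitimately contain other whitespace. Less important, the `{:file, _}` branch discards the posix reason, so the `Logger.error` in `secret_from_env/1` only says that the read failed and not why; binding it as `{:file, {:error, reason}}` and including `inspect(reason)` in the message would help whoever operates this.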