fix: resolve review comments

config/runtime.exs

@@ -21,7 +21,7 @@ get_env_or_file = fn var_name, default ->
     file_path ->
       case File.read(file_path) do
         {:ok, content} ->
-          String.trim(content)
+          String.trim_trailing(content)
 
         {:error, reason} ->
           raise """
@@ -119,10 +119,25 @@ if config_env() == :prod do
 
   # Rauthy OIDC configuration
   # Supports OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE for Docker secrets.
+  # OIDC_CLIENT_SECRET is required only if OIDC is being used (indicated by explicit OIDC env vars).
+  oidc_base_url = System.get_env("OIDC_BASE_URL")
+  oidc_client_id = System.get_env("OIDC_CLIENT_ID")
+  oidc_in_use = not is_nil(oidc_base_url) or not is_nil(oidc_client_id)
+
+  client_secret =
+    if oidc_in_use do
+      get_env_or_file!.("OIDC_CLIENT_SECRET", """
+      environment variable OIDC_CLIENT_SECRET (or OIDC_CLIENT_SECRET_FILE) is missing.
+      This is required when OIDC authentication is configured (OIDC_BASE_URL or OIDC_CLIENT_ID is set).
+      """)
+    else
+      get_env_or_file.("OIDC_CLIENT_SECRET", nil)
+    end
+
   config :mv, :rauthy,
-    client_id: System.get_env("OIDC_CLIENT_ID") || "mv",
-    base_url: System.get_env("OIDC_BASE_URL") || "http://localhost:8080/auth/v1",
-    client_secret: get_env_or_file.("OIDC_CLIENT_SECRET", nil),
+    client_id: oidc_client_id || "mv",
+    base_url: oidc_base_url || "http://localhost:8080/auth/v1",
+    client_secret: client_secret,
     redirect_uri:
       System.get_env("OIDC_REDIRECT_URI") || "http://#{host}:#{port}/auth/user/rauthy/callback"