OIDC: use Application config :oidc from runtime.exs for client secret in prod

lib/mv/config.ex

@@ -360,11 +360,29 @@ defmodule Mv.Config do
   end
 
   @doc """
-  Returns the OIDC client secret. ENV first, then Settings.
+  Returns the OIDC client secret.
+  In production, uses the value from config :mv, :oidc (set by runtime.exs from OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE).
+  Otherwise ENV OIDC_CLIENT_SECRET, then Settings.
   """
   @spec oidc_client_secret() :: String.t() | nil
   def oidc_client_secret do
+    case Application.get_env(:mv, :oidc) do
+      oidc when is_list(oidc) ->
+        case Keyword.get(oidc, :client_secret) do
+          nil ->
             env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+
+          secret when is_binary(secret) ->
+            s = String.trim(secret)
+            if s != "", do: s, else: env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+
+          _ ->
+            env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+        end
+
+      _ ->
+        env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+    end
   end
 
   @doc """
@@ -426,7 +444,10 @@ defmodule Mv.Config do
   def oidc_client_id_env_set?, do: env_set?("OIDC_CLIENT_ID")
   def oidc_base_url_env_set?, do: env_set?("OIDC_BASE_URL")
   def oidc_redirect_uri_env_set?, do: env_set?("OIDC_REDIRECT_URI")
-  def oidc_client_secret_env_set?, do: env_set?("OIDC_CLIENT_SECRET")
+
+  def oidc_client_secret_env_set?,
+    do: env_set?("OIDC_CLIENT_SECRET") or env_set?("OIDC_CLIENT_SECRET_FILE")
+
   def oidc_admin_group_name_env_set?, do: env_set?("OIDC_ADMIN_GROUP_NAME")
   def oidc_groups_claim_env_set?, do: env_set?("OIDC_GROUPS_CLAIM")
   def oidc_only_env_set?, do: env_set?("OIDC_ONLY")