# ory-copilot
@chilly-king-10285 Is it possible to provide configuration secrets for Ory Kratos other than directly in the plain text configuration? For example I need to configure an oidc provider client secret and I would prefer to supply a file path in which the value can be read.
A message from kapa.ai
Ory Kratos supports several ways to provide configuration values, including secrets like OIDC provider client secrets. The primary methods are:

- Plain text in configuration files (YAML, JSON, TOML)
- Environment variables, which take precedence over config file values

However, the knowledge sources do not mention a built-in mechanism to reference a file path for a secret (such as a client secret) directly in the configuration, where Kratos would read the value from that file at runtime.

The recommended approach for sensitive values is to use environment variables, as this avoids storing secrets in plain text configuration files. For example, you can set:
```bash
export SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS='[{"id":"google","provider":"google","mapper_url":"<file_location>","client_id":"<client_id>","client_secret":"<client_secret>", ...}]'
```
This approach is suggested because configuring OIDC providers via environment variables is possible, though complex due to the structure required for arrays and objects. There is no mention of a special syntax or feature to load secrets from a file path (like `client_secret_file: /path/to/secret`) in the official documentation.

If you need to avoid plain text in config files, environment variables are the recommended method, but direct file references for secrets are not documented as supported for Ory Kratos at this time [Configure Ory Kratos](https://www.ory.sh/docs/kratos/configuring) [Social sign-in (self-hosted)](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc).

If you require file-based secret loading, you would need to implement this at the deployment or orchestration level (e.g., using Docker secrets or Kubernetes secrets to inject environment variables), not via a Kratos-native config option.
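
One way to do the deployment-level file loading described in the answer above, as an added example that is not part of the original thread and is not Ory's code: a wrapper entrypoint that reads the client secret from a mounted file and builds the environment variable before starting Kratos. The function names and the `OIDC_CLIENT_SECRET_FILE`, `OIDC_CLIENT_ID` and `OIDC_MAPPER_URL` variables are assumptions, and the provider object carries only the fields shown in the thread.

```shell
#!/bin/sh
# Added example (not Ory code). Hypothetical names: json_escape,
# build_oidc_providers, OIDC_CLIENT_SECRET_FILE, OIDC_CLIENT_ID, OIDC_MAPPER_URL.

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the provider array for SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS.
# $1 = file holding the client secret, $2 = client id, $3 = mapper URL
build_oidc_providers() {
    if [ ! -r "$1" ]; then
        echo "secret file not readable: $1" >&2
        return 1
    fi
    # Command substitution drops the trailing newline most secret files carry.
    secret=$(cat "$1")
    if [ -z "$secret" ]; then
        echo "secret file is empty: $1" >&2
        return 1
    fi
    # A newline inside the value would produce invalid JSON, so refuse it.
    case $secret in
        *"
"*) echo "secret file has more than one line: $1" >&2; return 1 ;;
    esac
    printf '[{"id":"google","provider":"google","mapper_url":"%s","client_id":"%s","client_secret":"%s"}]' \
        "$(json_escape "$3")" "$(json_escape "$2")" "$(json_escape "$secret")"
}

# Entrypoint use: wrapper.sh <kratos command line...>
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS=$(build_oidc_providers \
        "$OIDC_CLIENT_SECRET_FILE" "$OIDC_CLIENT_ID" "$OIDC_MAPPER_URL") || exit 1
    export SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS
    # Hand over to Kratos with the variable set in its environment.
    exec "$@"
fi
```

The secret still ends up in the Kratos process environment, so anything that can read that environment can read the secret; the wrapper only keeps it out of the configuration file and the container image.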