diff --git a/src/config.rs b/src/config.rs
index b70ed6fb05e141b51e165fbf4254284ce9172c5e..0aae4d1e41ed4371e791a2d7c999ea6bc69bc175 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -34,6 +34,11 @@ pub fn get_config(conf_args: Option<config::Config>) -> config::Config {
     };
     conf.merge(config::File::with_name(&config_file)).ok();
 
+    // Add config from same file with .secret appended, so that OAuth client secrets can be
+    // placed into a file only readable by root to force users to only ever use their user
+    // token acquired using PAM
+    conf.merge(config::File::with_name(&(config_file + ".secret"))).ok();
+
     // Override configuration from environment variables
     conf.merge(config::Environment::with_prefix(BASE_NAME.to_string().to_uppercase().as_str())).ok();
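Review bot: The new `conf.merge(config::File::with_name(&(config_file + ".secret"))).ok();` discards every error, so a malformed or unresolvable secret file looks the same as the expected case where the file is not readable by the calling user. `File::with_name` picks the format from the file extension and `.secret` is not a format extension, so it is worth confirming the crate really loads this path for the way `config_file` is built (that code is outside the hunk). Passing the format explicitly, for example `config::File::new(&secret_path, <the FileFormat the main file uses>).required(false)`, would remove that guesswork, and any failure other than not-found or permission-denied should be logged. The comment should also say that the restriction depends on the file's owner and mode, which this code does not check, and that the environment merge right after it still overrides any key set in the secret file. `get_config` starts and ends outside the hunk.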