What are some best practices around obtaining sensitive app configuration data? The two "data topics" I am mostly concerned about are client id and client secret for OIDC authentication, but this would also go for less sensitive data such as service endpoints, etc.
On first run of app, should a call be made to an (un)protected service endpoint to get this data?