diff --git a/server/config.go b/server/config.go
index f54e5a29..fac9ef35 100644
--- a/server/config.go
+++ b/server/config.go
@@ -108,15 +108,10 @@ func (cfg *SingleServerConfig) Configure(srv *Server) error {
 return err
 }
- cf, err := os.Open(cfg.ClientsFile)
+ clients, err := loadClients(cfg.ClientsFile)
 if err != nil {
 return fmt.Errorf("unable to read clients from file %s: %v", cfg.ClientsFile, err)
 }
- defer cf.Close()
- var clients []oidc.ClientIdentity
- if err := json.NewDecoder(cf).Decode(&clients); err != nil {
- return fmt.Errorf("unable to read client identities from file %s: %v", cfg.ClientsFile, err)
- }
 ciRepo, err := db.NewClientIdentityRepoFromClients(dbMap, clients)
 if err != nil {
 return fmt.Errorf("failed to create client identity repo: %v", err)
@@ -164,7 +159,6 @@ func (cfg *SingleServerConfig) Configure(srv *Server) error {
 srv.SessionManager = sm
 srv.RefreshTokenRepo = refTokRepo
 return nil
-
 }
 
 func loadUsers(filepath string) (users []user.UserWithRemoteIdentities, err error) {
@@ -177,6 +171,44 @@ func loadUsers(filepath string) (users []user.UserWithRemoteIdentities, err erro
 return
 }
 
+func loadClients(filepath string) ([]oidc.ClientIdentity, error) {
+ f, err := os.Open(filepath)
+ if err != nil {
+ return nil, err
+ }
+ defer f.Close()
+ var c []struct {
+ ID string `json:"id"`
+ Secret string `json:"secret"`
+ RedirectURLs []string `json:"redirectURLs"`
+ }
+ if err := json.NewDecoder(f).Decode(&c); err != nil {
+ return nil, err
+ }
+ clients := make([]oidc.ClientIdentity, len(c))
+ for i, client := range c {
+ redirectURIs := make([]url.URL, len(client.RedirectURLs))
+ for j, u := range client.RedirectURLs {
+ uri, err := url.Parse(u)
+ if err != nil {
+ return nil, err
+ }
+ redirectURIs[j] = *uri
+ }
+
+ clients[i] = oidc.ClientIdentity{
+ Credentials: oidc.ClientCredentials{
+ ID: client.ID,
+ Secret: client.Secret,
+ },
+ Metadata: oidc.ClientMetadata{
+ RedirectURIs: redirectURIs,
+ },
+ }
+ }
+ return clients, nil
+}
+
 func (cfg *MultiServerConfig) Configure(srv *Server) error {
 if len(cfg.KeySecrets) == 0 {
 return errors.New("missing key secret")
diff --git a/static/fixtures/clients.json b/static/fixtures/clients.json
index bc510caa..c5295f1a 100644
--- a/static/fixtures/clients.json
+++ b/static/fixtures/clients.json
@@ -1,22 +1,22 @@
 [
 {
 "id": "XXX",
- "secret": "secrete",
+ "secret": "c2VjcmV0ZQ==",
 "redirectURLs": ["http://127.0.0.1:5555/callback"]
 },
 {
 "id": "example-app",
- "secret": "example-app-secret",
+ "secret": "ZXhhbXBsZS1hcHAtc2VjcmV0",
 "redirectURLs": ["http://127.0.0.1:5555/callback"]
 },
 {
 "id": "example-cli",
- "secret": "example-cli-secret",
+ "secret": "ZXhhbXBsZS1jbGktc2VjcmV0",
 "redirectURLs": ["http://127.0.0.1:8000/admin/v1/oauth/login"]
 },
 {
 "id": "oauth2_proxy",
- "secret": "proxy",
+ "secret": "cHJveHk=",
 "redirectURLs": ["http://127.0.0.1:4180/oauth2/callback"]
 }
 ]
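Review bot: The redirect URL loop in loadClients accepts anything url.Parse does not reject, and url.Parse returns no error for an empty string or a bare path such as "callback", so a typo in the clients file silently registers a relative redirect URI for that client; for an OIDC server the redirect set is a security-relevant input and should be rejected at load time, e.g. after the existing parse check `if !uri.IsAbs() || uri.Host == "" { return nil, fmt.Errorf("client %q: redirect URL %q is not absolute", client.ID, u) }`. db.NewClientIdentityRepoFromClients may validate further, but that is not visible here. The new fixture base64-encodes secrets while loadClients copies client.Secret through untouched, so if the consumer is the one decoding, a malformed value fails at a later stage rather than at config load where the file name is known; a decode or format check in this function would tie the error to the file. The parameter name `filepath` also shadows the standard path/filepath package (mirroring loadUsers) — `path` or `name` would avoid the clash.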
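Review bot: The base64 wrapping of the fixture secrets is an encoding, not a protection — `cHJveHk=` still decodes to `proxy` — and nothing in the diff records that the clients file now expects base64 secrets, so operators with an existing clients.json holding raw secrets may see them rejected or misinterpreted after upgrade (inferred; the decoding step is not in this diff). A short note in the clients-file documentation and a changelog entry calling out the format change would make the migration explicit.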