Feature Request: allow reading client credentials secret from external command on standard in

I realise that `external-tool` exists but it seems a shame to throw away everything else to avoid having secrets on disk in plain. Alternatively if there were a way to populate the secret via environment variable that would be useful, but less so.