Azure KeyVault and Authentication on client side
Good day,
I have a question about the following scenario:
A client opens a web application in the browser. In the web application, secrets are retrieved from an Azure Key Vault using JavaScript. Then, with these secrets, a connection to another Azure service is established to retrieve data.
Question 1: Azure Key Vault only secures the transfer of the secrets. The client could see / reverse engineer the secrets in the web browser after retrieval and see them in plain text?
=> Is this correct and is this still secure?
Question 2: With these secrets the client can authenticate to the other service.
=> Is it possible that the authentication / use of the secrets is only allowed by the web app? So even if the user knows the secrets, he should not be able to use them in another application.
Solution 1:[1]
Question 1: Azure Key Vault only secures the transfer of the secrets. The client could see / reverse engineer the secrets in the web browser after retrieval and see them in plain text?
=> Is this correct and is this still secure?
That is correct. If you load the secrets to the front-end, the user can take the plain text.
Question 2: With these secrets the client can authenticate to the other service.
=> Is it possible that the authentication / use of the secrets is only allowed by the web app? So even if the user knows the secrets, he should not be able to use them in another application.
I would say that is impossible. Your app is a front-end public client application and thus cannot authenticate itself, meaning only the user can be authenticated.
I recommend that you do not load secrets to the front-end if there is any possibility of their abuse should a user get them. Instead you will either need a back-end or a different approach where you instead authenticate as the user to the service you are trying to access. But that depends on the service, so please let me know what service you are trying to connect to.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | juunas |
