I have a desktop application that is not hosted in Azure. The app uses some third party apis and we use Key vault to store these api credentials. Our app is also registered in Azure and has access to the vault.
From what I understand, the certificate flow would consist of the certificate being installed when the app is installed on the users machine. And then since the certificate is now installed, wouldn't the user (client) have full access to the vault? Even outside of the app?
Compared to using secret authentication, the user would need the secret key to access the vault. And the secret would be stored in a config file that is compiled and only accessible from within the app. This seems much more secure to me.
Am I missing something here?
You have a fundamental security problem with the application.
No matter what approach you take, the API credentials go through the client. You should assume they are visible to the user.
You cannot securely authenticate to Key Vault as an application because the application is not running in a secure environment. The more secure way would be delegated access; call Key Vault API on behalf of the current user. This requires the user to authenticate and Key Vault authorizes the user.
You could improve the situation somewhat by adding an API of your own that is called by the application, instead of directly calling the other APIs. Of course you still need to authenticate to that API, for which I would recommend you authenticate the user.