My web app has secure OAuth 2.0 authentication with Azure AD B2C. Users have files stored in Azure Blob Storage which they should be able to access in the web app. Do I need to create an API which the web app calls, providing the user's access token, to securely let users access Blob Storage? Or, once the user is authenticated, can I simply store Azure Blob Storage's connection string as an environment variable in the application, which is only used when the user is authenticated?
I am worried that having the connection string called by the application itself could be vulnerable to malicious actors. My full stack is a Next.js web app hosted on Azure App Service, NextAuth, Azure AD B2C, and Azure Blob Storage.
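As an added illustration that is not part of the question, the following sketches the "API in the middle" option in the asker's own stack: a Next.js API route reads the NextAuth session, confines the request to the caller's own blob prefix, and returns a short-lived, read-only user-delegation SAS URL, so the browser never receives a storage credential and the App Service itself never needs the connection string. The container name `userfiles`, the `STORAGE_ACCOUNT_NAME` setting, the `<userId>/<path>` layout, the ten-minute lifetime and a session callback that exposes the B2C object id as `session.user.id` are assumptions; the `@azure/storage-blob`, `@azure/identity` and `next-auth` calls are those libraries' real APIs.

```javascript
// Added example (not code from the question): the "API in the middle" pattern.
// The browser never sees a storage credential. A Next.js API route checks the
// NextAuth session, confines the request to the caller's own prefix and returns
// a short-lived, read-only user-delegation SAS URL for that one blob.
// Assumptions: blobs are laid out as <container>/<userId>/<path>; the NextAuth
// session callback copies the B2C object id into session.user.id; the App
// Service has a managed identity holding "Storage Blob Delegator" (to obtain a
// delegation key) and "Storage Blob Data Reader" (the SAS can grant no more
// than the identity itself holds) on the storage account.

const CONTAINER = "userfiles";      // assumed container name
const SAS_TTL_MS = 10 * 60 * 1000;  // assumed SAS lifetime: 10 minutes

// Keep the client-supplied name inside the caller's prefix: reject anything
// that is not a GUID-like user id, empty or dot segments, backslashes and
// leading slashes, so "../other-user/x" can never escape <userId>/.
function resolveUserBlobName(userId, requestedName) {
  if (typeof userId !== "string" || !/^[A-Za-z0-9-]+$/.test(userId)) return null;
  if (typeof requestedName !== "string" || requestedName.length === 0 ||
      requestedName.length > 1024 || requestedName.includes("\\")) return null;
  const segments = requestedName.split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) return null;
  return `${userId}/${segments.join("/")}`;
}

// The authorization decision, kept free of I/O so it can be tested offline.
// `session` is what NextAuth's getServerSession() returns (null if signed out).
function decideBlobGrant(session, requestedName, now = new Date()) {
  if (!session || !session.user || typeof session.user.id !== "string") {
    return { ok: false, status: 401, error: "not authenticated" };
  }
  const blobName = resolveUserBlobName(session.user.id, requestedName);
  if (blobName === null) {
    return { ok: false, status: 400, error: "invalid blob name" };
  }
  return {
    ok: true,
    status: 200,
    grant: {
      container: CONTAINER,
      blobName,
      permissions: "r",                 // read only: no list, write or delete
      startsOn: now,
      expiresOn: new Date(now.getTime() + SAS_TTL_MS),
    },
  };
}

// Turn a grant into a user-delegation SAS URL with the Azure SDK. Needs
// @azure/identity, @azure/storage-blob and a live storage account, so it is
// not exercised offline; the modules are required lazily for that reason.
async function grantToSasUrl(grant, accountName) {
  const { DefaultAzureCredential } = require("@azure/identity");
  const { BlobServiceClient, BlobSASPermissions, SASProtocol,
          generateBlobSASQueryParameters } = require("@azure/storage-blob");
  const service = new BlobServiceClient(
    `https://${accountName}.blob.core.windows.net`, new DefaultAzureCredential());
  // The delegation key is bound to the managed identity: the SAS carries no
  // account key and can be cut off by removing that identity's role.
  const key = await service.getUserDelegationKey(grant.startsOn, grant.expiresOn);
  const sas = generateBlobSASQueryParameters({
    containerName: grant.container,
    blobName: grant.blobName,
    permissions: BlobSASPermissions.parse(grant.permissions),
    startsOn: grant.startsOn,
    expiresOn: grant.expiresOn,
    protocol: SASProtocol.Https,
  }, key, accountName).toString();
  const blobUrl = service.getContainerClient(grant.container)
    .getBlobClient(grant.blobName).url;
  return `${blobUrl}?${sas}`;
}

// pages/api/blob-url.js (Pages Router); the real file ends with
// `export default handler`. The route only talks to storage through the
// managed identity, so no connection string exists anywhere in the app.
async function handler(req, res) {
  const { getServerSession } = require("next-auth/next");
  const { authOptions } = require("./auth/[...nextauth]");
  const session = await getServerSession(req, res, authOptions);
  const decision = decideBlobGrant(session, req.query.name);
  if (!decision.ok) return res.status(decision.status).json({ error: decision.error });
  const url = await grantToSasUrl(decision.grant, process.env.STORAGE_ACCOUNT_NAME);
  return res.status(200).json({ url, expiresOn: decision.grant.expiresOn.toISOString() });
}
```

The point of the split is that the decision (who may read which blob, for how long) is made on the server with the validated session, while what reaches the browser is a credential scoped to one blob, one permission and ten minutes. An account connection string, by contrast, is an unscoped, non-expiring secret for the whole account, so any bug that leaks it or that lets an authenticated user steer the server into reading another user's blob has the whole account as its blast radius.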