author: Lars Wirzenius <liw@liw.fi> 2019-03-31 18:56:47 +0300
committer: Lars Wirzenius <liw@liw.fi> 2019-03-31 18:56:47 +0300
commit: 078021669b293aa82cda4e447b846dce3c2a3b08 (patch)
tree: 762ad34b5983ff3a6da2f9f821f1e9aaa9c8eba3
parent: d6a5101a691cf6260f83d03978f6c9d37d5ea6f5 (diff)
download: ick.liw.fi-078021669b293aa82cda4e447b846dce3c2a3b08.tar.gz
Add: paragraph about why a separate IDP is good architecture
-rw-r--r-- yuck.mdwn 12
1 file changed, 12 insertions, 0 deletions
diff --git a/yuck.mdwn b/yuck.mdwn
index 6e4f65f..e4f89b5 100644
--- a/yuck.mdwn
+++ b/yuck.mdwn
@@ -16,6 +16,18 @@ Yuck supports the **OAuth2** and **OpenID Connect** protocols, and has
an API to allow storing and managing data about end users,
applications, and other entities related to authentication.
+Yuck is intended to be used by web applications. It is not meant for
+authentication Unix or ssh logins or such. Status quo is that web
+applications often implement authentication themselves, but it is the
+opinion of Yuck's authors that this is a bad architectural design.
+Having a dedicated identity provider keeps the security sensitive
+parts of authentication in one place, without mixing them with
+application logic, results in a more cohesive, less coupled
+architecture and implementation that is more easily reviewed and
+modified. A separate identity provider also makes it easier to provide
+single sign-on for groups of applications, without complicating each
+application.
+
Yuck does not provide any services unrelated to authentication. Other
services can work with Yuck to control access to them.
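Review bot: the second and fourth sentences of the added paragraph need grammatical fixes before this lands. "It is not meant for authentication Unix or ssh logins or such" should read "It is not meant for authenticating Unix or ssh logins or such." The sentence beginning "Having a dedicated identity provider keeps ..." runs two predicates ("keeps" and "results in") off one subject; split it, e.g. "Having a dedicated identity provider keeps the security-sensitive parts of authentication in one place, without mixing them with application logic. This results in a more cohesive, less coupled architecture and implementation that is more easily reviewed and modified." While here, "security sensitive" should be hyphenated as "security-sensitive". The architectural argument itself (one reviewable place for credentials and session handling, single sign-on without per-application complexity) is sound and matches the scope statement in the unchanged context lines that follow.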