From 078021669b293aa82cda4e447b846dce3c2a3b08 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 31 Mar 2019 18:56:47 +0300 Subject: Add: paragraph about why a separate IDP is good architecture --- yuck.mdwn | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/yuck.mdwn b/yuck.mdwn index 6e4f65f..e4f89b5 100644 --- a/yuck.mdwn +++ b/yuck.mdwn @@ -16,6 +16,18 @@ Yuck supports the **OAuth2** and **OpenID Connect** protocols, and has an API to allow storing and managing data about end users, applications, and other entities related to authentication. +Yuck is intended to be used by web applications. It is not meant for +authentication Unix or ssh logins or such. Status quo is that web +applications often implement authentication themselves, but it is the +opinion of Yuck's authors that this is a bad architectural design. +Having a dedicated identity provider keeps the security sensitive +parts of authentication in one place, without mixing them with +application logic, results in a more cohesive, less coupled +architecture and implementation that is more easily reviewed and +modified. A separate identity provider also makes it easier to provide +single sign-on for groups of applications, without complicating each +application. + Yuck does not provide any services unrelated to authentication. Other services can work with Yuck to control access to them. -- cgit v1.2.1
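Review bot: two grammar slips in the added paragraph of the yuck.mdwn hunk. The second sentence, "It is not meant for authentication Unix or ssh logins or such.", should read "It is not meant for authenticating Unix or ssh logins or such." The fourth sentence loses its main verb structure: "Having a dedicated identity provider keeps the security sensitive parts of authentication in one place, without mixing them with application logic, results in a more cohesive, less coupled architecture" needs either "and results in" after "application logic," or a rewrite such as "Keeping the security-sensitive parts of authentication in one place, without mixing them with application logic, results in a more cohesive, less coupled architecture and implementation that is more easily reviewed and modified." While editing, "security sensitive" should be hyphenated as "security-sensitive". The substance of the argument (keeping the sensitive authentication logic in one reviewable component and getting single sign-on without adding complexity to each application) is sound and worth keeping as written.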