Authenticating a user
Given the right information, authenticating a user is easy. In AuthFW, though, this information is separated: the Backend knows a secret, and the AuthenticationService must use this secret.
This definition has serious implications for the security of the infrastructure. Because the AuthenticationService must know everything needed to authenticate a user, it must also work with the secret. Since the Backend has its clearly defined function, it is the AuthenticationService that adds the intelligence to the authentication procedure.
Given these conditions, the AuthenticationService must be put in a trusted environment. The communication between the Backend and the AuthenticationService must also be scrambled. And the framework has another service with a very easily defined function: to authenticate a user.
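The split described above, sketched as an added example that is not AuthFW's own code: the Backend only stores and returns the secret, while the AuthenticationService handles it in the clear to reach a decision, which is why it needs the trusted environment and the protected link. The class and method names and the HMAC challenge-response scheme are assumptions made for illustration; the article does not specify how the secret is used.

```python
import hashlib
import hmac
import secrets


class Backend:
    """Storage only (hypothetical interface): maps a user name to a secret."""

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)

    def get_secret(self, username):
        # Returns None for unknown users; makes no authentication decision.
        return self._secrets.get(username)


class AuthenticationService:
    """Holds the logic (hypothetical interface): fetches the secret and decides."""

    def __init__(self, backend):
        self._backend = backend
        self._pending = {}  # username -> outstanding challenge

    def issue_challenge(self, username):
        challenge = secrets.token_bytes(16)
        self._pending[username] = challenge
        return challenge

    def authenticate(self, username, response):
        # Each challenge is single use, so a captured response cannot be replayed.
        challenge = self._pending.pop(username, None)
        # In a deployment this call crosses the Backend link that must be protected.
        secret = self._backend.get_secret(username)
        if challenge is None or secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def client_response(secret, challenge):
    """What a client holding the secret would send back (assumed scheme)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


# Constructed sample data, not taken from the article.
backend = Backend({"alice": b"constructed-sample-secret"})
service = AuthenticationService(backend)
```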