
Client Authentication #21

@djfurman


Note that this epic relates only to practices identifying that the end client (user/system) is who it claims to be, not whether it may or may not take an action. This is the difference between authentication (the former) and authorization (the latter).

As a business-critical function, the system must be able to reliably determine that a calling client is who they claim to be. The authentication method must:

  • appeal to a source of authority, which no FACET-Acq system is regarding individual or system identity
  • provide revocability for compromised or access-terminated identities
  • be stateless
  • be secure
  • be non-intrusive
