-
Notifications
You must be signed in to change notification settings - Fork 582
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add extension for auth context #1218
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
# Auth Context | ||
|
||
This extension embeds information about the principal which triggered an occurence. This allows consumers of the | ||
CloudEvent to perform user-dependent actions without requiring the user ID to | ||
be embedded in the `data` or `source` field. | ||
|
||
This extension is purely informational and is not intended to secure CloudEvents. | ||
|
||
## Notational Conventions | ||
|
||
As with the main [CloudEvents specification](../spec.md), the key words "MUST", | ||
"MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", | ||
"RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as | ||
described in [RFC 2119](https://tools.ietf.org/html/rfc2119). | ||
|
||
However, the scope of these key words is limited to when this extension is | ||
used. For example, an attribute being marked as "REQUIRED" does not mean | ||
it needs to be in all CloudEvents, rather it needs to be included only when | ||
this extension is being used. | ||
|
||
## Attributes | ||
|
||
### authtype | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. for consistency , let's remove this blank line There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done |
||
- Type: `String` | ||
- Description: An enum representing the type of principal that triggered the occurence. | ||
Valid values are: | ||
- `app_user`: An end user of an application. Examples include an AWS cognito, | ||
Google Cloud Identity Platform, or Azure Active Directory user. | ||
- `user`: A user account registered in the infrastructure. Examples include | ||
developer accounts secured by IAM in AWS, Google Cloud Platform, or Azure. | ||
- `service_account`: A non-user principal used to identify a service. | ||
- `api_key`: A non-user API key | ||
- `system`: An obscured identity used when a cloud platform or other system | ||
service triggers an event. Examples include a database record which | ||
was deleted based on a TTL. | ||
- Constriants | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Nit: Contraints (sorry for not spotting this before) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. "before"? do we have this typo in other docs? I couldn't find it There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I had early access to this PR ;) |
||
- REQUIRED | ||
- SHOULD be one of the above enum values | ||
- If the enum values are not sufficient for a Producer, they SHOULD amend this spec to include the new enum value. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For folks who want to extend this w/o submitting a PR (e.g. they want to keep their values proprietary/secret/inhouse), we normally will say stuff like: This specification defines the following values, and it is RECOMMENDED that they be used. However, implementations MAY define additional values. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sure. |
||
|
||
### authid | ||
- Type: `String` | ||
- Description: A unique identifier of the principal that triggered the occurence. This might, for example, be a unique ID in an identity database (userID), an email of a platform user or service account, or the label for an API key. | ||
- Constraints | ||
- OPTIONAL | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should this be REQUIRED? Seems like w/o this info the extension doesn't provide too much value to the consumer. Unless there are cases in just knowing "some" app_user caused it??? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think many clouds will not have an ID for api keys and most clouds will not want to have an ID for system changes. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ah ok - thanks! There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Also I just added "unauthenticated" to the enum for "authtype" so that a provider can indicate that this extension is supported but the request had no authentication. That would obviously not come with an authid either. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ok can you sign your commits? |
||
|
||
### authclaims | ||
- Type: `String` | ||
- Description: A JSON string representing claims of the principal that triggered | ||
the event. This field MAY be omitted. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You can remove the "This field MAY be omitted" since you tagged it as optional already There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done |
||
- Constraints | ||
- OPTIONAL | ||
- MUST NOT contain actual credentials sufficient for the Consumer to impersonate the principal directly. | ||
- MAY contain enough information that a Consumer can authenticate against an identity service to mint a credential impersonating the original principal. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
# Auth Context | ||
מסמך זה טרם תורגם. בבקשה תשתמשו [בגרסה האנגלית של המסמך](../../../extensions/authcontext.md) לבינתיים. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
# Auth Context | ||
|
||
本文档尚未被翻译,请先阅读英文[原版文档](../../../extensions/authcontext.md) 。 | ||
|
||
如果您迫切地需要此文档的中文翻译,请[提交一个issue](https://github.com/cloudevents/spec/issues) , | ||
我们会尽快安排专人进行翻译。 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you wrap all line at 80?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done