Add extension for auth context #1218
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| # Auth Context | ||
|
|
||
| This extension embeds information about the principal which triggered an occurence. This allows consumers of the | ||
| CloudEvent to perform user-dependent actions without requiring the user ID to | ||
| be embedded in the `data` or `source` field. | ||
|
|
||
| This extension is purely informational and is not intended to secure CloudEvents. | ||
|
|
||
| ## Notational Conventions | ||
|
|
||
| As with the main [CloudEvents specification](../spec.md), the key words "MUST", | ||
| "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", | ||
| "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as | ||
| described in [RFC 2119](https://tools.ietf.org/html/rfc2119). | ||
|
|
||
| However, the scope of these key words is limited to when this extension is | ||
| used. For example, an attribute being marked as "REQUIRED" does not mean | ||
| it needs to be in all CloudEvents, rather it needs to be included only when | ||
| this extension is being used. | ||
|
|
||
| ## Attributes | ||
|
|
||
| ### authtype | ||
|
|
||
|
There was a problem hiding this comment. for consistency , let's remove this blank line |
||
| - Type: `String` | ||
| - Description: An enum representing the type of principal that triggered the occurence. | ||
| Valid values are: | ||
| - `app_user`: An end user of an application. Examples include an AWS cognito, | ||
| Google Cloud Identity Platform, or Azure Active Directory user. | ||
| - `user`: A user account registered in the infrastructure. Examples include | ||
| developer accounts secured by IAM in AWS, Google Cloud Platform, or Azure. | ||
| - `service_account`: A non-user principal used to identify a service. | ||
| - `api_key`: A non-user API key | ||
| - `system`: An obscured identity used when a cloud platform or other system | ||
| service triggers an event. Examples include a database record which | ||
| was deleted based on a TTL. | ||
| - Constriants | ||
|
There was a problem hiding this comment. Nit: Contraints (sorry for not spotting this before) There was a problem hiding this comment. "before"? do we have this typo in other docs? I couldn't find it There was a problem hiding this comment. I had early access to this PR ;) |
||
| - REQUIRED | ||
| - SHOULD be one of the above enum values | ||
| - If the enum values are not sufficient for a Producer, they SHOULD amend this spec to include the new enum value. | ||
|
There was a problem hiding this comment. For folks who want to extend this w/o submitting a PR (e.g. they want to keep their values proprietary/secret/inhouse), we normally will say stuff like: This specification defines the following values, and it is RECOMMENDED that they be used. However, implementations MAY define additional values. |
||
|
|
||
| ### authid | ||
| - Type: `String` | ||
| - Description: A unique identifier of the principal that triggered the occurence. This might, for example, be a unique ID in an identity database (userID), an email of a platform user or service account, or the label for an API key. | ||
| - Constraints | ||
| - OPTIONAL | ||
|
There was a problem hiding this comment. Should this be REQUIRED? Seems like w/o this info the extension doesn't provide too much value to the consumer. Unless there are cases in just knowing "some" app_user caused it??? There was a problem hiding this comment. I think many clouds will not have an ID for api keys and most clouds will not want to have an ID for system changes. There was a problem hiding this comment. Also I just added "unauthenticated" to the enum for "authtype" so that a provider can indicate that this extension is supported but the request had no authentication. That would obviously not come with an authid either. There was a problem hiding this comment. ok can you sign your commits? |
||
|
|
||
| ### authclaims | ||
| - Type: `String` | ||
| - Description: A JSON string representing claims of the principal that triggered | ||
| the event. This field MAY be omitted. | ||
|
There was a problem hiding this comment. You can remove the "This field MAY be omitted" since you tagged it as optional already |
||
| - Constraints | ||
| - OPTIONAL | ||
| - MUST NOT contain actual credentials sufficient for the Consumer to impersonate the principal directly. | ||
| - MAY contain enough information that a Consumer can authenticate against an identity service to mint a credential impersonating the original principal. | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| # Auth Context | ||
| מסמך זה טרם תורגם. בבקשה תשתמשו [בגרסה האנגלית של המסמך](../../../extensions/authcontext.md) לבינתיים. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # Auth Context | ||
|
|
||
| 本文档尚未被翻译,请先阅读英文[原版文档](../../../extensions/authcontext.md) 。 | ||
|
|
||
| 如果您迫切地需要此文档的中文翻译,请[提交一个issue](https://github.com/cloudevents/spec/issues) , | ||
| 我们会尽快安排专人进行翻译。 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you wrap all line at 80?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done