Add authentication to enduser namespace

heyams · heyams · commit 3e1655f659f5 · 2024-10-07T11:08:26.000-07:00
diff --git a/.chloggen/add_authentication_enduser_subnamespace.yaml b/.chloggen/add_authentication_enduser_subnamespace.yaml
@@ -0,0 +1,25 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: new_component
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: enduser
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: introduce subnamespace `enduser.authentication` with new attributes `enduser.authentication.id`, `enduser.authentication.role`, and `enduser.authentication.scope`.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [1104]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  The `enduser.authentication` subnamespace is intended to describe the authentication information of the end user.
+  The new attributes are intended to provide information about the authenticated user in the system,
+  the role the client is making the request under, and the scopes or granted authorities the client currently possesses.
diff --git a/model/authentication/registry.yaml b/model/authentication/registry.yaml
@@ -0,0 +1,27 @@
+groups:
+  - id: registry.authentication
+    type: attribute_group
+    display_name: Authentication Attributes
+    stability: experimental
+    brief: >
+      "Describes the authentication information of an authenticated user."
+    attributes:
+      - id: authentication.id
+        type: string
+        brief: "Unique identifier of an authenticated user in the system."
+        examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ]
+        stability: experimental
+      - id: authentication.role
+        type: string
+        stability: experimental
+        brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.'
+        examples: 'admin'
+      - id: authentication.scope
+        type: string
+        stability: experimental
+        brief: >
+          Scopes or granted authorities the client currently possesses extracted from token
+          or application security context. The value would come from the scope associated
+          with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3)
+          or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
+        examples: 'read:message, write:files'
diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml
@@ -0,0 +1,10 @@
+groups:
+  - id: enduser
+    type: attribute_group
+    brief: >
+      This document defines attributes for Events represented using Log Records.
+    attributes:
+      - ref: enduser.id
+        requirement_level: required
+      - ref: enduser.authentication
+        requirement_level: required
diff --git a/model/enduser/deprecated/common.yaml b/model/enduser/deprecated/common.yaml
diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml
diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml
@@ -0,0 +1,21 @@
+
+groups:
+  - id: registry.enduser
+    type: attribute_group
+    display_name: End User Attributes
+    brief: >
+      Describes information about the end user, which can be used as a sub-namespace of browser, client, or user domains.
+    attributes:
+      - id: enduser.id
+        type: string
+        stability: experimental
+        brief: >
+          Identifier of an end user who interacts with a system.
+          This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system.
+        examples: ['QdH5CAWJgqVT4rOr0qtumf']
+      - id: enduser.authentication
+        type: attribute_group
+        stability: experimental
+        brief: >
+          Describes the authentication information of an authenticated end user.
+        ref: registry.authentication
