From 3e1655f659f54ffaf1f4f2fd68eb6dd066ee1bc3 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 7 Oct 2024 11:08:26 -0700 Subject: [PATCH 01/26] Add authentication to enduser namespace --- ...d_authentication_enduser_subnamespace.yaml | 25 +++++++++++++++++ model/authentication/registry.yaml | 27 +++++++++++++++++++ model/enduser/common.yaml | 10 +++++++ model/enduser/deprecated/common.yaml | 12 --------- .../deprecated/registry-deprecated.yaml | 24 ----------------- model/enduser/registry.yaml | 21 +++++++++++++++ 6 files changed, 83 insertions(+), 36 deletions(-) create mode 100644 .chloggen/add_authentication_enduser_subnamespace.yaml create mode 100644 model/authentication/registry.yaml create mode 100644 model/enduser/common.yaml delete mode 100644 model/enduser/deprecated/common.yaml delete mode 100644 model/enduser/deprecated/registry-deprecated.yaml create mode 100644 model/enduser/registry.yaml diff --git a/.chloggen/add_authentication_enduser_subnamespace.yaml b/.chloggen/add_authentication_enduser_subnamespace.yaml new file mode 100644 index 0000000000..e412caaf37 --- /dev/null +++ b/.chloggen/add_authentication_enduser_subnamespace.yaml 
@@ -0,0 +1,25 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: new_component
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: enduser
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: introduce subnamespace `enduser.authentication` with new attributes `enduser.authentication.id`, `enduser.authentication.role`, and `enduser.authentication.scope`.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [1104]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+ The `enduser.authentication` subnamespace is intended to describe the authentication information of the end user.
+ The new attributes are intended to provide information about the authenticated user in the system,
+ the role the client is making the request under, and the scopes or granted authorities the client currently possesses.
diff --git a/model/authentication/registry.yaml b/model/authentication/registry.yaml
new file mode 100644
index 0000000000..9cf00ce9ad
--- /dev/null
+++ b/model/authentication/registry.yaml
@@ -0,0 +1,27 @@
+groups:
+ - id: registry.authentication
+ type: attribute_group
+ display_name: Authentication Attributes
+ stability: experimental
+ brief: >
+ "Describes the authentication information of an authenticated user."
+ attributes:
+ - id: authentication.id
+ type: string
+ brief: "Unique identifier of an authenticated user in the system."
+ examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ]
+ stability: experimental
+ - id: authentication.role
+ type: string
+ stability: experimental
+ brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.'
+ examples: 'admin'
+ - id: authentication.scope
+ type: string
+ stability: experimental
+ brief: >
+ Scopes or granted authorities the client currently possesses extracted from token
+ or application security context. The value would come from the scope associated
+ with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3)
+ or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
+ examples: 'read:message, write:files'
diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml
new file mode 100644
index 0000000000..89118d3124
--- /dev/null
+++ b/model/enduser/common.yaml
@@ -0,0 +1,10 @@
+groups:
+ - id: enduser
+ type: attribute_group
+ brief: >
+ This document defines attributes for Events represented using Log Records.
+ attributes:
+ - ref: enduser.id
+ requirement_level: required
+ - ref: enduser.authentication
+ requirement_level: required
diff --git a/model/enduser/deprecated/common.yaml b/model/enduser/deprecated/common.yaml
deleted file mode 100644
index e17dde1bec..0000000000
--- a/model/enduser/deprecated/common.yaml
+++ /dev/null
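Review bot: In model/authentication/registry.yaml, `authentication.id` carries a stable per-user identifier (the example looks like a Windows SID), yet neither the brief nor a `note:` tells instrumentation authors and backends that the value can be personal data and may need pseudonymisation or access control. The same applies to `enduser.authentication.id` added in PATCH 07. Separately, the group-level `brief: >` puts literal double quotes inside a folded scalar, so the quotes become part of the rendered text; drop the quotes under `>` or write `brief: "Describes the authentication information of an authenticated user."` on one line.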
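Review bot: In model/enduser/common.yaml both refs use `requirement_level: required`, which would ask every instrumentation applying this group to emit a user identifier and authentication data even for anonymous traffic. That contradicts the `enduser.id` brief in model/enduser/registry.yaml, which says the id does not imply the user is authenticated. Consider `requirement_level: recommended` for `enduser.id` and a `conditionally_required` level for the authentication attributes. The brief `This document defines attributes for Events represented using Log Records.` also does not describe this group and looks copied from elsewhere.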
@@ -1,12 +0,0 @@
-groups:
- - id: identity
- type: attribute_group
- brief: >
- These attributes may be used for any operation with an authenticated and/or authorized enduser.
- attributes:
- - ref: enduser.id
- requirement_level: recommended
- - ref: enduser.role
- requirement_level: recommended
- - ref: enduser.scope
- requirement_level: recommended
diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml
deleted file mode 100644
index 0f5723e19a..0000000000
--- a/model/enduser/deprecated/registry-deprecated.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-groups:
- - id: registry.enduser.deprecated
- type: attribute_group
- display_name: Deprecated End User Attributes
- brief: Describes deprecated enduser attributes. Complete enduser namespace has been deprecated
- attributes:
- - id: enduser.id
- type: string
- stability: experimental
- deprecated: Replaced by `user.id` attribute.
- brief: "Deprecated, use `user.id` instead."
- examples: 'username'
- - id: enduser.role
- type: string
- stability: experimental
- deprecated: Replaced by `user.roles` attribute.
- brief: "Deprecated, use `user.roles` instead."
- examples: 'admin'
- - id: enduser.scope
- type: string
- stability: experimental
- deprecated: Removed.
- brief: "Deprecated, no replacement at this time."
- examples: 'read:message, write:files'
diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml
new file mode 100644
index 0000000000..dd349be4f1
--- /dev/null
+++ b/model/enduser/registry.yaml
@@ -0,0 +1,21 @@ + +groups: + - id: registry.enduser + type: attribute_group + display_name: End User Attributes + brief: > + Describes information about the end user, which can be used as a sub-namespace of browser, client, or user domains. + attributes: + - id: enduser.id + type: string + stability: experimental + brief: > + Identifier of an end user who interacts with a system. + This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. + examples: ['QdH5CAWJgqVT4rOr0qtumf'] + - id: enduser.authentication + type: attribute_group + stability: experimental + brief: > + Describes the authentication information of an authenticated end user. + ref: registry.authentication From 6f858a23775382a9dca6756409f96b0fb9e14299 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 7 Oct 2024 11:19:59 -0700 Subject: [PATCH 02/26] Fix yamllint --- .chloggen/add_authentication_enduser_subnamespace.yaml | 2 +- model/enduser/registry.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.chloggen/add_authentication_enduser_subnamespace.yaml b/.chloggen/add_authentication_enduser_subnamespace.yaml index e412caaf37..131b6c653b 100644 --- a/.chloggen/add_authentication_enduser_subnamespace.yaml +++ b/.chloggen/add_authentication_enduser_subnamespace.yaml @@ -4,7 +4,7 @@ # your pull request title with [chore] or use the "Skip Changelog" label. # One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' -change_type: new_component +change_type: enhancement # The name of the area of concern in the attributes-registry, (e.g. http, cloud, db) component: enduser diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index dd349be4f1..aabc8d09fb 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -1,4 +1,3 @@ - groups: - id: registry.enduser type: attribute_group From 07cb1eb91b8c141d277a092d36bf30e3173b7f80 Mon Sep 17 00:00:00 2001 
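Review bot: The new-file hunk for model/enduser/registry.yaml in PATCH 01 lists `enduser.authentication` under `attributes:` with `type: attribute_group` and `ref: registry.authentication`; `attribute_group` is a group type rather than an attribute type, so no `enduser.authentication.*` attribute is actually defined. The changelog entry in the same patch announces `enduser.authentication.id`, `.role` and `.scope`, but the only ids defined are `authentication.id`, `authentication.role` and `authentication.scope`. Defining them directly, for example `- id: enduser.authentication.id` with `type: string`, would make the registry match the changelog. The `- ref: authentication.id` that PATCH 03 puts in its place still yields the un-prefixed name, as the generated enduser.md table in PATCH 04 shows.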
From: heyams Date: Mon, 7 Oct 2024 11:51:22 -0700 Subject: [PATCH 03/26] Fix weaver --- model/enduser/common.yaml | 10 ---------- model/enduser/registry.yaml | 10 ++++------ 2 files changed, 4 insertions(+), 16 deletions(-) delete mode 100644 model/enduser/common.yaml diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml deleted file mode 100644 index 89118d3124..0000000000 --- a/model/enduser/common.yaml +++ /dev/null @@ -1,10 +0,0 @@ -groups: - - id: enduser - type: attribute_group - brief: > - This document defines attributes for Events represented using Log Records. - attributes: - - ref: enduser.id - requirement_level: required - - ref: enduser.authentication - requirement_level: required diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index aabc8d09fb..995269d363 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -3,7 +3,7 @@ groups: type: attribute_group display_name: End User Attributes brief: > - Describes information about the end user, which can be used as a sub-namespace of browser, client, or user domains. + Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. attributes: - id: enduser.id type: string @@ -12,9 +12,7 @@ groups: Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. examples: ['QdH5CAWJgqVT4rOr0qtumf'] - - id: enduser.authentication - type: attribute_group + - ref: authentication.id stability: experimental - brief: > - Describes the authentication information of an authenticated end user. - ref: registry.authentication + requirement_level: + conditionally_required: if and only if the end user is authenticated. From ee0970fde3f889737dcece1079cedd21ed11cd35 Mon Sep 17 00:00:00 2001 
From: heyams Date: Mon, 7 Oct 2024 12:05:05 -0700 Subject: [PATCH 04/26] Update markdowns --- docs/attributes-registry/README.md | 1 + docs/attributes-registry/authentication.md | 17 +++++++++++++++++ docs/attributes-registry/enduser.md | 13 ++++++------- 3 files changed, 24 insertions(+), 7 deletions(-) create mode 100644 docs/attributes-registry/authentication.md diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md index 35356a67cb..4e21e23c16 100644 --- a/docs/attributes-registry/README.md +++ b/docs/attributes-registry/README.md @@ -34,6 +34,7 @@ Currently, the following namespaces exist: - [Android](android.md) - [Artifact](artifact.md) - [Aspnetcore](aspnetcore.md) +- [Authentication](authentication.md) - [AWS](aws.md) - [Azure](azure.md) - [Browser](browser.md) diff --git a/docs/attributes-registry/authentication.md b/docs/attributes-registry/authentication.md new file mode 100644 index 0000000000..7fc50f4539 --- /dev/null +++ b/docs/attributes-registry/authentication.md 
@@ -0,0 +1,17 @@ + + + + + +# Authentication + +## Authentication Attributes + +"Describes the authentication information of an authenticated user." + +| Attribute | Type | Description | Examples | Stability | +| ---------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | +| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `authentication.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `authentication.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index db2d7a5835..3a674523e0 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -6,12 +6,11 @@ # Enduser -## Deprecated End User Attributes +## End User Attributes -Describes deprecated enduser attributes. Complete enduser namespace has been deprecated +Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. -| Attribute | Type | Description | Examples | Stability | -| --------------- | ------ | ---------------------------------------- | --------------------------- | -------------------------------------------------------------------------------------------------- | -| `enduser.id` | string | Deprecated, use `user.id` instead. | `username` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.id` attribute. | -| `enduser.role` | string | Deprecated, use `user.roles` instead. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.roles` attribute. | -| `enduser.scope` | string | Deprecated, no replacement at this time. | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | +| Attribute | Type | Description | Examples | Stability | +| ------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------------------- | +| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | From 38d8687ca80a063faa46ccdd38ed92901087d573 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 7 Oct 2024 12:08:25 -0700 Subject: [PATCH 05/26] Generate gh issue --- .github/ISSUE_TEMPLATE/bug_report.yaml | 2 ++ .github/ISSUE_TEMPLATE/change_proposal.yaml | 2 ++ .github/ISSUE_TEMPLATE/new-conventions.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml index e4e6d6b430..283d18b28d 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yaml +++ b/.github/ISSUE_TEMPLATE/bug_report.yaml @@ -23,6 +23,7 @@ body: - area:android - area:artifact - area:aspnetcore + - area:authentication - area:aws - area:azure - area:browser @@ -41,6 +42,7 @@ body: - area:disk - area:dns - area:dotnet + - area:enduser - area:error - area:event - area:exception diff --git a/.github/ISSUE_TEMPLATE/change_proposal.yaml b/.github/ISSUE_TEMPLATE/change_proposal.yaml index 4c9316ddf1..2ba99a1d9f 100644 --- a/.github/ISSUE_TEMPLATE/change_proposal.yaml +++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml 
@@ -15,6 +15,7 @@ body: - area:android - area:artifact - area:aspnetcore + - area:authentication - area:aws - area:azure - area:browser @@ -33,6 +34,7 @@ body: - area:disk - area:dns - area:dotnet + - area:enduser - area:error - area:event - area:exception diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml index e6e543158e..4f23678b18 100644 --- a/.github/ISSUE_TEMPLATE/new-conventions.yaml +++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml @@ -24,6 +24,7 @@ body: - area:android - area:artifact - area:aspnetcore + - area:authentication - area:aws - area:azure - area:browser @@ -42,6 +43,7 @@ body: - area:disk - area:dns - area:dotnet + - area:enduser - area:error - area:event - area:exception From b1cdc13118220a0bbab8ae11fbb55f8d709903b6 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 7 Oct 2024 12:13:46 -0700 Subject: [PATCH 06/26] Fix policies-check and compatibility --- docs/attributes-registry/authentication.md | 8 +++----- docs/attributes-registry/enduser.md | 10 ++++++---- model/authentication/registry.yaml | 14 -------------- model/enduser/registry.yaml | 14 ++++++++++++++ 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/attributes-registry/authentication.md b/docs/attributes-registry/authentication.md index 7fc50f4539..90422ed9ee 100644 --- a/docs/attributes-registry/authentication.md +++ b/docs/attributes-registry/authentication.md 
@@ -10,8 +10,6 @@ "Describes the authentication information of an authenticated user." -| Attribute | Type | Description | Examples | Stability | -| ---------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | -| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `authentication.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `authentication.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| Attribute | Type | Description | Examples | Stability | +| ------------------- | ------ | --------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | +| `authentication.id` | string | Unique identifier of an authenticated user in the system. 
| `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index 3a674523e0..c166808ed0 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -10,7 +10,9 @@ Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. -| Attribute | Type | Description | Examples | Stability | -| ------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------------------- | -| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| Attribute | Type | Description | Examples | Stability | +| ------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | +| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.id` | string | Identifier of an end user who interacts with a system. 
This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | diff --git a/model/authentication/registry.yaml b/model/authentication/registry.yaml index 9cf00ce9ad..f475e97e72 100644 --- a/model/authentication/registry.yaml +++ b/model/authentication/registry.yaml 
@@ -11,17 +11,3 @@ groups: brief: "Unique identifier of an authenticated user in the system." examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ] stability: experimental - - id: authentication.role - type: string - stability: experimental - brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' - examples: 'admin' - - id: authentication.scope - type: string - stability: experimental - brief: > - Scopes or granted authorities the client currently possesses extracted from token - or application security context. The value would come from the scope associated - with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) - or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). - examples: 'read:message, write:files' diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 995269d363..e26f37eb37 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml 
@@ -12,6 +12,20 @@ groups: Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. examples: ['QdH5CAWJgqVT4rOr0qtumf'] + - id: enduser.role + type: string + stability: experimental + brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' + examples: 'admin' + - id: enduser.scope + type: string + stability: experimental + brief: > + Scopes or granted authorities the client currently possesses extracted from token + or application security context. The value would come from the scope associated + with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) + or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). + examples: 'read:message, write:files' - ref: authentication.id stability: experimental requirement_level: From 068a822e91418a858e832930245177e053116a8f Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 22 Oct 2024 16:02:12 -0700 Subject: [PATCH 07/26] Update --- model/authentication/registry.yaml | 13 ------------- model/enduser/registry.yaml | 9 ++++++--- 2 files changed, 6 insertions(+), 16 deletions(-) delete mode 100644 model/authentication/registry.yaml diff --git a/model/authentication/registry.yaml b/model/authentication/registry.yaml deleted file mode 100644 index f475e97e72..0000000000 --- a/model/authentication/registry.yaml +++ /dev/null 
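Review bot: The `enduser.role` and `enduser.scope` briefs added in this hunk say the values are "extracted from token" but do not say that only the role name and scope names are recorded. A sentence such as `The token or assertion itself MUST NOT be recorded.` in each brief would keep instrumentations from copying bearer material into telemetry. The `enduser.scope` example `'read:message, write:files'` is comma-separated, while the linked RFC 6749 section 3.3 defines scope as a space-delimited list, so the brief should state which delimiter this attribute uses. `examples` is a bare scalar on both new entries while `enduser.id` just above uses a list. The `registry.enduser` group starts outside this hunk.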
@@ -1,13 +0,0 @@ -groups: - - id: registry.authentication - type: attribute_group - display_name: Authentication Attributes - stability: experimental - brief: > - "Describes the authentication information of an authenticated user." - attributes: - - id: authentication.id - type: string - brief: "Unique identifier of an authenticated user in the system." - examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ] - stability: experimental diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index e26f37eb37..2a6568dd5e 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -14,11 +14,13 @@ groups: examples: ['QdH5CAWJgqVT4rOr0qtumf'] - id: enduser.role type: string + deprecated: "Removed." stability: experimental brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' examples: 'admin' - id: enduser.scope type: string + deprecated: "Removed." stability: experimental brief: > Scopes or granted authorities the client currently possesses extracted from token @@ -26,7 +28,8 @@ groups: with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). examples: 'read:message, write:files' - - ref: authentication.id + - id: enduser.authentication.id + type: string + brief: "Unique identifier of an authenticated user in the system." + examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ] stability: experimental - requirement_level: - conditionally_required: if and only if the end user is authenticated. From c17bec632b080331ebddd65ce202be5421618e6e Mon Sep 17 00:00:00 2001 
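Review bot: In the model/enduser/registry.yaml hunks of PATCH 07, `deprecated: "Removed."` on `enduser.role` drops the migration pointer that the registry deleted in PATCH 01 carried ("Replaced by user.roles attribute."), while the brief still reads like a live attribute. If `user.roles` is still the intended replacement, keep that text in `deprecated:` so consumers of role data know where to look. In the second hunk, `enduser.authentication.id` now sits next to `enduser.id` with nothing saying which one backends should use for audit or correlation; one sentence in the brief stating that it is set only after authentication has succeeded, and how it relates to `enduser.id`, would close that gap. Both hunks begin and end inside the `registry.enduser` group.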
From: heyams Date: Tue, 22 Oct 2024 16:09:27 -0700 Subject: [PATCH 08/26] Update changelog --- ...ubnamespace.yaml => add_enduser_authentication_id.yaml} | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) rename .chloggen/{add_authentication_enduser_subnamespace.yaml => add_enduser_authentication_id.yaml} (64%) diff --git a/.chloggen/add_authentication_enduser_subnamespace.yaml b/.chloggen/add_enduser_authentication_id.yaml similarity index 64% rename from .chloggen/add_authentication_enduser_subnamespace.yaml rename to .chloggen/add_enduser_authentication_id.yaml index 131b6c653b..906b73a217 100644 --- a/.chloggen/add_authentication_enduser_subnamespace.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml @@ -10,7 +10,7 @@ change_type: enhancement component: enduser # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: introduce subnamespace `enduser.authentication` with new attributes `enduser.authentication.id`, `enduser.authentication.role`, and `enduser.authentication.scope`. +note: introduce new attribute `enduser.authentication.id` and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. 
@@ -20,6 +20,5 @@ issues: [1104] # These lines will be padded with 2 spaces and then inserted directly into the document. # Use pipe (|) for multiline entries. subtext: | - The `enduser.authentication` subnamespace is intended to describe the authentication information of the end user. - The new attributes are intended to provide information about the authenticated user in the system, - the role the client is making the request under, and the scopes or granted authorities the client currently possesses. + The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. + The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry., From d0e26d5cc84dcdb70ff061084d357edbae4abbdd Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 22 Oct 2024 16:11:26 -0700 Subject: [PATCH 09/26] Update --- docs/attributes-registry/README.md | 1 - docs/attributes-registry/enduser.md | 12 ++++++------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md index 4e21e23c16..35356a67cb 100644 --- a/docs/attributes-registry/README.md +++ b/docs/attributes-registry/README.md @@ -34,7 +34,6 @@ Currently, the following namespaces exist: - [Android](android.md) - [Artifact](artifact.md) - [Aspnetcore](aspnetcore.md) -- [Authentication](authentication.md) - [AWS](aws.md) - [Azure](azure.md) - [Browser](browser.md) diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index c166808ed0..cc193e8107 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -10,9 +10,9 @@ Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. -| Attribute | Type | Description | Examples | Stability | -| ------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | -| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). 
| `read:message, write:files` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| Attribute | Type | Description | Examples | Stability | +|---|---|---|---|---| +| `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | +| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | From 614a52eb9c94813ae2bfa01add651d2ad766d6c4 Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 22 Oct 2024 16:14:35 -0700 Subject: [PATCH 10/26] Fix yamllint --- .chloggen/add_enduser_authentication_id.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index 906b73a217..d449bac875 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml @@ -20,5 +20,5 @@ issues: [1104] # These lines will be padded with 2 spaces and then inserted directly into the document. # Use pipe (|) for multiline entries. subtext: | - The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. - The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry., + The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. + The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. \ No newline at end of file From a499237bde1bfa73bae3bc2235217b5ae61091a5 Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 22 Oct 2024 16:15:44 -0700 Subject: [PATCH 11/26] Fix --- .chloggen/add_enduser_authentication_id.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index d449bac875..300e4f9703 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml 
@@ -21,4 +21,5 @@ issues: [1104] # Use pipe (|) for multiline entries. subtext: | The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. - The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. \ No newline at end of file + The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. + \ No newline at end of file From 5bfbfe233c65d5249afc97cf5c5e94e049920efe Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 22 Oct 2024 16:18:24 -0700 Subject: [PATCH 12/26] Fix trailing spaces --- .chloggen/add_enduser_authentication_id.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index 300e4f9703..89248bba51 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml @@ -22,4 +22,3 @@ issues: [1104] subtext: | The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser. The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. - \ No newline at end of file From 5f883d080b6645273dd2679f39dd2cb2458e0608 Mon Sep 17 00:00:00 2001 From: heyams Date: Wed, 23 Oct 2024 11:13:34 -0700 Subject: [PATCH 13/26] Use 'make generate-gh-issue-tempaltes --- .github/ISSUE_TEMPLATE/bug_report.yaml | 1 - .github/ISSUE_TEMPLATE/change_proposal.yaml | 1 - .github/ISSUE_TEMPLATE/new-conventions.yaml | 1 - 3 files changed, 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml index 283d18b28d..fb9ee37d0d 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yaml +++ b/.github/ISSUE_TEMPLATE/bug_report.yaml 
@@ -23,7 +23,6 @@ body: - area:android - area:artifact - area:aspnetcore - - area:authentication - area:aws - area:azure - area:browser diff --git a/.github/ISSUE_TEMPLATE/change_proposal.yaml b/.github/ISSUE_TEMPLATE/change_proposal.yaml index 2ba99a1d9f..fe5acc9841 100644 --- a/.github/ISSUE_TEMPLATE/change_proposal.yaml +++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml @@ -15,7 +15,6 @@ body: - area:android - area:artifact - area:aspnetcore - - area:authentication - area:aws - area:azure - area:browser diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml index 4f23678b18..3affbce455 100644 --- a/.github/ISSUE_TEMPLATE/new-conventions.yaml +++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml @@ -24,7 +24,6 @@ body: - area:android - area:artifact - area:aspnetcore - - area:authentication - area:aws - area:azure - area:browser From 13919ed94ebb6e91c58b71f585313ffdb3cb2fa6 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:11:11 -0800 Subject: [PATCH 14/26] Update --- docs/attributes-registry/authentication.md | 15 --------------- model/enduser/registry.yaml | 4 ++-- 2 files changed, 2 insertions(+), 17 deletions(-) delete mode 100644 docs/attributes-registry/authentication.md diff --git a/docs/attributes-registry/authentication.md b/docs/attributes-registry/authentication.md deleted file mode 100644 index 90422ed9ee..0000000000 --- a/docs/attributes-registry/authentication.md +++ /dev/null 
@@ -1,15 +0,0 @@ - - - - - -# Authentication - -## Authentication Attributes - -"Describes the authentication information of an authenticated user." - -| Attribute | Type | Description | Examples | Stability | -| ------------------- | ------ | --------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- | -| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 2a6568dd5e..a440334a66 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -5,11 +5,11 @@ groups: brief: > Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. attributes: - - id: enduser.id + - id: enduser.anonymous.id type: string stability: experimental brief: > - Identifier of an end user who interacts with a system. + Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. examples: ['QdH5CAWJgqVT4rOr0qtumf'] - id: enduser.role From 5c0d6d3c5518459015d17a1b1004dcad724833b2 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:29:42 -0800 Subject: [PATCH 15/26] Update --- docs/attributes-registry/enduser.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index cc193e8107..2b4e00bb19 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -12,7 +12,7 @@ Describes information about the end user, which can be used as a subdomain of br | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| +| `enduser.anonymous.id` | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | From ff8599917af79e6310919778a4f704420ffed9f6 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:37:00 -0800 Subject: [PATCH 16/26] Fix identity not found --- docs/general/attributes.md | 9 ++++++--- model/enduser/common.yaml | 19 +++++++++++++++++++ 2 files changed, 25 insertions(+), 3 deletions(-) create mode 100644 model/enduser/common.yaml diff --git a/docs/general/attributes.md b/docs/general/attributes.md index 601b43101d..edfa59837f 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md @@ -396,9 +396,12 @@ These attributes may be used for any operation with an authenticated and/or auth | Attribute | Type | Description | Examples | [Requirement Level](https://opentelemetry.io/docs/specs/semconv/general/attribute-requirement-level/) | Stability | |---|---|---|---|---|---| -| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `user.id` instead. | `username` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.id` attribute. | -| [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `user.roles` instead. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.roles` attribute. | -| [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Deprecated, no replacement at this time. | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | +| [`enduser.authentication.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. [1] | `S-1-5-21-202424912787-2692429404-2351956786-1000` | `Required` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| [`enduser.anonymous.id`](/docs/attributes-registry/enduser.md) | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | +| [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | + +**[1] `enduser.authentication.id`:** The `enduser.authentication.id` attribute is intended to provide an unique identifier of an authenticated enduser. The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml new file mode 100644 index 0000000000..3188f0c54e --- /dev/null +++ b/model/enduser/common.yaml @@ -0,0 +1,19 @@ +groups: + - id: identity + type: attribute_group + brief: > + These attributes may be used for any operation with an authenticated and/or authorized enduser. + attributes: + - ref: enduser.anonymous.id + requirement_level: recommended + - ref: enduser.role + deprecated: "Removed." + requirement_level: recommended + - ref: enduser.scope + deprecated: "Removed." + requirement_level: recommended + - ref: enduser.authentication.id + requirement_level: required + note: > + The `enduser.authentication.id` attribute is intended to provide an unique identifier of an authenticated enduser. + The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. \ No newline at end of file From d626e6c3461164abdbf232525cada01c8ca34fa4 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:40:24 -0800 Subject: [PATCH 17/26] Update --- .chloggen/add_enduser_authentication_id.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index 89248bba51..e68167ebfd 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml 
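Review bot: `requirement_level: required` on `enduser.authentication.id` in the new `identity` group does not fit the group's own brief, which covers operations with an "authenticated and/or authorized" end user and also references `enduser.anonymous.id`, an identifier that does not imply authentication. Instrumentation has no authenticated id to emit for an unauthenticated request, and a hard requirement pushes a directly identifying value (the documented example is a Windows SID) into all telemetry that uses this group. Consider `requirement_level:` with `conditionally_required: If the end user is authenticated.`, or `opt_in` if the project treats user identifiers as sensitive. The `note` also names `enduser.authentication.role` and `enduser.authentication.scope`, while the refs deprecated in this group are `enduser.role` and `enduser.scope`; the note should describe the attribute rather than repeat the changelog text.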
@@ -10,7 +10,7 @@ change_type: enhancement component: enduser # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: introduce new attribute `enduser.authentication.id` and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. +note: introduce new attribute `enduser.authentication.id`, rename `enduser.id` to `enduser.anonymous.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. From cb32498c8dd308fcc3d20247ca491535b24f7dd6 Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:44:16 -0800 Subject: [PATCH 18/26] Fix yamllint --- model/enduser/common.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml index 3188f0c54e..7a2d0cee5d 100644 --- a/model/enduser/common.yaml +++ b/model/enduser/common.yaml @@ -16,4 +16,4 @@ groups: requirement_level: required note: > The `enduser.authentication.id` attribute is intended to provide an unique identifier of an authenticated enduser. - The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. \ No newline at end of file + The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry. From 1c53711e1d6a8a64f9d2a336c648c491f9f8bbac Mon Sep 17 00:00:00 2001 From: heyams Date: Fri, 22 Nov 2024 15:54:01 -0800 Subject: [PATCH 19/26] Fix backward compat --- .chloggen/add_enduser_authentication_id.yaml | 2 +- docs/attributes-registry/enduser.md | 1 + docs/general/attributes.md | 1 + model/enduser/common.yaml | 3 +++ model/enduser/registry.yaml | 7 +++++++ 5 files changed, 13 insertions(+), 1 deletion(-) 
diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index e68167ebfd..0105a996a2 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml @@ -10,7 +10,7 @@ change_type: enhancement component: enduser # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: introduce new attribute `enduser.authentication.id`, rename `enduser.id` to `enduser.anonymous.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. +note: introduce new attribute `enduser.authentication.id`, replace `enduser.id` with `enduser.anonymous.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index 2b4e00bb19..5c6bc64c03 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md @@ -14,5 +14,6 @@ Describes information about the end user, which can be used as a subdomain of br |---|---|---|---|---| | `enduser.anonymous.id` | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `enduser.id` | string | Deprecated, use `enduser.anonymous.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.anonymous.id` attribute. | | `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/docs/general/attributes.md b/docs/general/attributes.md index edfa59837f..6604d341ac 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md @@ -398,6 +398,7 @@ These attributes may be used for any operation with an authenticated and/or auth |---|---|---|---|---|---| | [`enduser.authentication.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. [1] | `S-1-5-21-202424912787-2692429404-2351956786-1000` | `Required` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | [`enduser.anonymous.id`](/docs/attributes-registry/enduser.md) | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `enduser.anonymous.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.anonymous.id` attribute. | | [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml index 7a2d0cee5d..54ae23fcad 100644 --- a/model/enduser/common.yaml +++ b/model/enduser/common.yaml @@ -4,6 +4,9 @@ groups: brief: > These attributes may be used for any operation with an authenticated and/or authorized enduser. attributes: + - ref: enduser.id + deprecated: Replaced by `enduser.anonymous.id` attribute. + requirement_level: recommended - ref: enduser.anonymous.id requirement_level: recommended - ref: enduser.role diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index a440334a66..88a36a66b9 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -5,6 +5,13 @@ groups: brief: > Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. attributes: + - id: enduser.id + type: string + deprecated: Replaced by `enduser.anonymous.id` attribute. + stability: experimental + examples: ['QdH5CAWJgqVT4rOr0qtumf'] + brief: > + Deprecated, use `enduser.anonymous.id` instead. - id: enduser.anonymous.id type: string stability: experimental From 51d0c99bf41da6942c379968ee0b0a5763176afc Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 10 Dec 2024 12:15:29 -0800 Subject: [PATCH 20/26] Rename enduser.id to enduser.pseudo.id --- .chloggen/add_enduser_authentication_id.yaml | 2 +- model/enduser/common.yaml | 4 ++-- model/enduser/registry.yaml | 11 ++++++++--- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml index 0105a996a2..ea4c170f88 100644 --- a/.chloggen/add_enduser_authentication_id.yaml +++ b/.chloggen/add_enduser_authentication_id.yaml 
@@ -10,7 +10,7 @@ change_type: enhancement component: enduser # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: introduce new attribute `enduser.authentication.id`, replace `enduser.id` with `enduser.anonymous.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. +note: introduce new attribute `enduser.authentication.id`, replace `enduser.id` with `enduser.pseudo.id`, and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`. # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. diff --git a/model/enduser/common.yaml b/model/enduser/common.yaml index 54ae23fcad..e58fce73f0 100644 --- a/model/enduser/common.yaml +++ b/model/enduser/common.yaml @@ -5,9 +5,9 @@ groups: These attributes may be used for any operation with an authenticated and/or authorized enduser. attributes: - ref: enduser.id - deprecated: Replaced by `enduser.anonymous.id` attribute. + deprecated: Replaced by `enduser.pseudo.id` attribute. requirement_level: recommended - - ref: enduser.anonymous.id + - ref: enduser.pseudo.id requirement_level: recommended - ref: enduser.role deprecated: "Removed." diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 88a36a66b9..526dd8d707 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml 
@@ -7,12 +7,17 @@ groups: attributes: - id: enduser.id type: string - deprecated: Replaced by `enduser.anonymous.id` attribute. + deprecated: Replaced by `enduser.pseudo.id` attribute. stability: experimental examples: ['QdH5CAWJgqVT4rOr0qtumf'] brief: > - Deprecated, use `enduser.anonymous.id` instead. - - id: enduser.anonymous.id + Deprecated, use `enduser.pseudo.id` instead. + - id: enduser.pseudo.id + type: string + stability: experimental + brief: > + Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. + examples: ['QdH5CAWJgqVT4rOr0qtumf'] type: string stability: experimental brief: > From 949bae80082564fd156f1f7e6970f8bd80eb47a3 Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 10 Dec 2024 12:24:58 -0800 Subject: [PATCH 21/26] Update md --- docs/attributes-registry/enduser.md | 4 ++-- docs/general/attributes.md | 4 ++-- model/enduser/registry.yaml | 6 ------ 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index 5c6bc64c03..be963ea32b 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
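Review bot: The new `enduser.pseudo.id` entry in `model/enduser/registry.yaml` ends up with duplicate keys. The added `type`, `stability`, `brief` and `examples` lines are followed by the unchanged `type: string`, `stability: experimental` and `brief: >` lines of the old `enduser.anonymous.id` entry (the header counts 12 old and 17 new lines, so those three are context). Most YAML loaders silently keep the last value, so the effective brief would be the old "anonymous, best-effort" text rather than the pseudonymous definition, which changes the privacy meaning that consumers read. The leftover block appears to continue below the hunk and should be deleted in this same commit. The next patch in the series removes it, so squashing the two would keep every commit loadable and lint-clean.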
@@ -12,8 +12,8 @@ Describes information about the end user, which can be used as a subdomain of br | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| -| `enduser.anonymous.id` | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.id` | string | Deprecated, use `enduser.anonymous.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.anonymous.id` attribute. | +| `enduser.id` | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id` attribute. | +| `enduser.pseudo.id` | string | Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/docs/general/attributes.md b/docs/general/attributes.md index 6604d341ac..7c76dfbf10 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md @@ -397,8 +397,8 @@ These attributes may be used for any operation with an authenticated and/or auth | Attribute | Type | Description | Examples | [Requirement Level](https://opentelemetry.io/docs/specs/semconv/general/attribute-requirement-level/) | Stability | |---|---|---|---|---|---| | [`enduser.authentication.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. [1] | `S-1-5-21-202424912787-2692429404-2351956786-1000` | `Required` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| [`enduser.anonymous.id`](/docs/attributes-registry/enduser.md) | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `enduser.anonymous.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.anonymous.id` attribute. | +| [`enduser.pseudo.id`](/docs/attributes-registry/enduser.md) | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id` attribute. | | [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml index 526dd8d707..a1f6263782 100644 --- a/model/enduser/registry.yaml +++ b/model/enduser/registry.yaml @@ -18,12 +18,6 @@ groups: brief: > Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. examples: ['QdH5CAWJgqVT4rOr0qtumf'] - type: string - stability: experimental - brief: > - Identifier of an anonymous end user who interacts with a system. - This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. - examples: ['QdH5CAWJgqVT4rOr0qtumf'] - id: enduser.role type: string deprecated: "Removed." From 97788900857570c4eff602bc7e29e4ded1b6a912 Mon Sep 17 00:00:00 2001 From: heyams Date: Tue, 10 Dec 2024 12:26:23 -0800 Subject: [PATCH 22/26] Update --- docs/general/attributes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/general/attributes.md b/docs/general/attributes.md index 7c76dfbf10..92fe1d9659 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md 
@@ -397,8 +397,8 @@ These attributes may be used for any operation with an authenticated and/or auth | Attribute | Type | Description | Examples | [Requirement Level](https://opentelemetry.io/docs/specs/semconv/general/attribute-requirement-level/) | Stability | |---|---|---|---|---|---| | [`enduser.authentication.id`](/docs/attributes-registry/enduser.md) | string | Unique identifier of an authenticated user in the system. [1] | `S-1-5-21-202424912787-2692429404-2351956786-1000` | `Required` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| [`enduser.pseudo.id`](/docs/attributes-registry/enduser.md) | string | Identifier of an anonymous end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | [`enduser.id`](/docs/attributes-registry/enduser.md) | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id` attribute. | +| [`enduser.pseudo.id`](/docs/attributes-registry/enduser.md) | string | Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. | `QdH5CAWJgqVT4rOr0qtumf` | `Recommended` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | [`enduser.role`](/docs/attributes-registry/enduser.md) | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | [`enduser.scope`](/docs/attributes-registry/enduser.md) | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | `Recommended` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | From 23bb6fed4d8e868bf7124ffa80bb820374ee8875 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 13 Jan 2025 13:52:28 -0800 Subject: [PATCH 23/26] Update attributes.md --- docs/general/attributes.md | 29 +---------------------------- 1 file changed, 1 insertion(+), 28 deletions(-) diff --git a/docs/general/attributes.md b/docs/general/attributes.md index 92fe1d9659..e0c91a0e13 100644 --- a/docs/general/attributes.md +++ b/docs/general/attributes.md 
@@ -414,34 +414,7 @@ system. It is expected this information would be propagated unchanged from node- using the Baggage mechanism. These attributes should not be used to record system-to-system authentication attributes. -Examples of where the `enduser.id` value is extracted from: - -| Authentication protocol | Field or description | -| :---------------------- | :------------------------------ | -| [HTTP Basic/Digest Authentication] | `username` | -| [OAuth 2.0 Bearer Token] | [OAuth 2.0 Client Identifier] value from `client_id` for the [OAuth 2.0 Client Credentials Grant] flow and `subject` or `username` from get token info response for other flows using opaque tokens. | -| [OpenID Connect 1.0 IDToken] | `sub` | -| [SAML 2.0 Assertion] | `urn:oasis:names:tc:SAML:2.0:assertion:Subject` | -| [Kerberos] | `PrincipalName` | - -| Framework | Field or description | -| :---------------------- | :------------------------------ | -| [JavaEE/JakartaEE Servlet] | `javax.servlet.http.HttpServletRequest.getUserPrincipal()` | -| [Windows Communication Foundation] | `ServiceSecurityContext.Current.PrimaryIdentity` | - -[SAML 2.0 Assertion]: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html -[HTTP Basic/Digest Authentication]: https://tools.ietf.org/html/rfc2617 -[OAuth 2.0 Bearer Token]: https://tools.ietf.org/html/rfc6750 -[OAuth 2.0 Client Identifier]: https://tools.ietf.org/html/rfc6749#section-2.2 -[OAuth 2.0 Client Credentials Grant]: https://tools.ietf.org/html/rfc6749#section-4.4 -[OpenID Connect 1.0 IDToken]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken -[Kerberos]: https://tools.ietf.org/html/rfc4120 -[JavaEE/JakartaEE Servlet]: https://jakarta.ee/specifications/platform/8/apidocs/javax/servlet/http/HttpServletRequest.html -[Windows Communication Foundation]: https://docs.microsoft.com/dotnet/api/system.servicemodel.servicesecuritycontext?view=netframework-4.8 - -Given the sensitive nature of this information, SDKs and 
exporters SHOULD drop these attributes by -default and then provide a configuration parameter to turn on retention for use cases where the -information is required and would not violate any policies or regulations. +`enduser.pseudo.id` attribute can be set by a specific client component, e.g. through a cookie out of the Span's HTTP request headers. Client side application should be able to stamp this attribute on any telemetry item emitted by the application whenever this cookie is available. ## General thread attributes From f0623df2cd500c4dd4bb46d1f6d13ea44354dd2f Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 13 Jan 2025 14:11:55 -0800 Subject: [PATCH 24/26] Address comments --- .../deprecated/registry-deprecated.yaml | 28 +++++++++++++++++++ model/enduser/registry.yaml | 23 --------------- 2 files changed, 28 insertions(+), 23 deletions(-) create mode 100644 model/enduser/deprecated/registry-deprecated.yaml diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml new file mode 100644 index 0000000000..c2ab742064 --- /dev/null +++ b/model/enduser/deprecated/registry-deprecated.yaml 
@@ -0,0 +1,28 @@
+groups:
+ - id: registry.enduser.deprecated
+ type: attribute_group
+ display_name: Deprecated End User Attributes
+ brief: "Describes deprecated end user attributes."
+ attributes:
+ - id: enduser.id
+ type: string
+ brief: 'Deprecated, use `enduser.pseudo.id` instead.'
+ stability: experimental
+ deprecated: "Replaced by `enduser.pseudo.id`."
+ examples: ['QdH5CAWJgqVT4rOr0qtumf']
+ - id: enduser.role
+ type: string
+ deprecated: "Removed."
+ stability: experimental
+ brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.'
+ examples: 'admin'
+ - id: enduser.scope
+ type: string
+ deprecated: "Removed."
+ stability: experimental
+ brief: >
+ Scopes or granted authorities the client currently possesses extracted from token
+ or application security context. The value would come from the scope associated
+ with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3)
+ or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
+ examples: 'read:message, write:files'
\ No newline at end of file
diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml
index a1f6263782..06e3013b71 100644
--- a/model/enduser/registry.yaml
+++ b/model/enduser/registry.yaml
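Review bot: None of the three entries added in this new file (`enduser.id`, `enduser.role`, `enduser.scope`) carries a `note:` about sensitivity, and PATCH 23 of this series deletes the paragraph in docs/general/attributes.md stating that SDKs and exporters SHOULD drop these attributes by default. With that paragraph gone, nothing visible in the model or the registry tables tells implementers that user identifiers, roles and granted scopes are sensitive telemetry that should be recorded only when explicitly enabled. I would add a short note to each entry, for example `note: "Sensitive: identifies the end user or their privileges; do not record unless explicitly enabled."`, or restore the dropped paragraph in the general attributes page. Separately, `examples` is a list for `enduser.id` but a bare string for `enduser.role` and `enduser.scope`; writing `examples: ['admin']` and `examples: ['read:message, write:files']` keeps the entries consistent.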
@@ -5,35 +5,12 @@ groups: brief: > Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. attributes: - - id: enduser.id - type: string - deprecated: Replaced by `enduser.pseudo.id` attribute. - stability: experimental - examples: ['QdH5CAWJgqVT4rOr0qtumf'] - brief: > - Deprecated, use `enduser.pseudo.id` instead. - id: enduser.pseudo.id type: string stability: experimental brief: > Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. examples: ['QdH5CAWJgqVT4rOr0qtumf'] - - id: enduser.role - type: string - deprecated: "Removed." - stability: experimental - brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.' - examples: 'admin' - - id: enduser.scope - type: string - deprecated: "Removed." - stability: experimental - brief: > - Scopes or granted authorities the client currently possesses extracted from token - or application security context. The value would come from the scope associated - with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) - or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). - examples: 'read:message, write:files' - id: enduser.authentication.id type: string brief: "Unique identifier of an authenticated user in the system." From 435fc1ba4091ec11cd15cd2a896c32fb009a4488 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 13 Jan 2025 14:14:50 -0800 Subject: [PATCH 25/26] Make update --- docs/attributes-registry/enduser.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md index be963ea32b..c4d746ff3c 100644 --- a/docs/attributes-registry/enduser.md +++ b/docs/attributes-registry/enduser.md 
@@ -6,6 +6,9 @@ # Enduser +- [End User Attributes](#end-user-attributes) +- [Deprecated End User Attributes](#deprecated-end-user-attributes) + ## End User Attributes Describes information about the end user, which can be used as a subdomain of browser, client, or user domains. @@ -13,7 +16,14 @@ Describes information about the end user, which can be used as a subdomain of br | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| | `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `enduser.id` | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id` attribute. | | `enduser.pseudo.id` | string | Pseudonymous identifier of an end user. This identifier is unique to the user but does not reveal their actual identity. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | + +## Deprecated End User Attributes + +Describes deprecated end user attributes. + +| Attribute | Type | Description | Examples | Stability | +|---|---|---|---|---| +| `enduser.id` | string | Deprecated, use `enduser.pseudo.id` instead. | `QdH5CAWJgqVT4rOr0qtumf` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `enduser.pseudo.id`. | | `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | | `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. | From ca87ccccf47730f7f8f8b9d053f1e338f53b6c25 Mon Sep 17 00:00:00 2001 From: heyams Date: Mon, 13 Jan 2025 14:18:23 -0800 Subject: [PATCH 26/26] Fix yamllint --- model/enduser/deprecated/registry-deprecated.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml index c2ab742064..f90a3a3a87 100644 --- a/model/enduser/deprecated/registry-deprecated.yaml +++ b/model/enduser/deprecated/registry-deprecated.yaml @@ -25,4 +25,4 @@ groups: or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). - examples: 'read:message, write:files' \ No newline at end of file + examples: 'read:message, write:files'