Add extension for auth context (#1218)

* Add extension for auth context

Signed-off-by: Thomas Bouldin <inlined@google.com>

* PR feedback

Signed-off-by: Thomas Bouldin <inlined@google.com>

* Fix typo

Signed-off-by: Thomas Bouldin <inlined@google.com>

* Add 'unauthenticated' enum to authtype

Signed-off-by: Thomas Bouldin <inlined@google.com>

---------

Signed-off-by: Thomas Bouldin <inlined@google.com>

cloudevents/documented-extensions.md

@@ -40,6 +40,7 @@ for more information.
 
 ## Known Extensions
 
+- [Auth Context](extensions/authcontext.md)
 - [Dataref (Claim Check Pattern)](extensions/dataref.md)
 - [Distributed Tracing](extensions/distributed-tracing.md)
 - [Expiry Time](extensions/expirytime.md)

cloudevents/extensions/authcontext.md

@@ -0,0 +1,63 @@
+# Auth Context
+
+This extension embeds information about the principal which triggered an
+occurence. This allows consumers of the
+CloudEvent to perform user-dependent actions without requiring the user ID to
+be embedded in the `data` or `source` field.
+
+This extension is purely informational and is not intended to secure
+CloudEvents.
+
+## Notational Conventions
+
+As with the main [CloudEvents specification](../spec.md), the key words "MUST",
+"MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
+"RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as
+described in [RFC 2119](https://tools.ietf.org/html/rfc2119).
+
+However, the scope of these key words is limited to when this extension is
+used. For example, an attribute being marked as "REQUIRED" does not mean
+it needs to be in all CloudEvents, rather it needs to be included only when 
+this extension is being used.
+
+## Attributes
+
+### authtype
+- Type: `String`
+- Description: An enum representing the type of principal that triggered the
+  occurence. Valid values are:
+  - `app_user`: An end user of an application. Examples include an AWS cognito,
+    Google Cloud Identity Platform, or Azure Active Directory user.
+  - `user`: A user account registered in the infrastructure. Examples include
+    developer accounts secured by IAM in AWS, Google Cloud Platform, or Azure.
+  - `service_account`: A non-user principal used to identify a service.
+  - `api_key`: A non-user API key
+  - `system`: An obscured identity used when a cloud platform or other system
+    service triggers an event. Examples include a database record which
+    was deleted based on a TTL.
+  - `unauthenticated`: No credentials were used to authenticate the change that
+    triggered the occurence.
+- Constraints
+  - REQUIRED
+  - This specification defines the following values, and it is RECOMMENDED that
+    they be used. However, implementations MAY define additional values.
+
+### authid
+- Type: `String`
+- Description: A unique identifier of the principal that triggered the
+  occurence. This might, for example, be a unique ID in an identity database
+  (userID), an email of a platform user or service account, or the label for an
+  API key.
+- Constraints
+  - OPTIONAL
+
+### authclaims
+- Type: `String`
+- Description: A JSON string representing claims of the principal that triggered
+  the event.
+- Constraints
+  - OPTIONAL
+  - MUST NOT contain actual credentials sufficient for the Consumer to
+    impersonate the principal directly.
+  - MAY contain enough information that a Consumer can authenticate against an
+    identity service to mint a credential impersonating the original principal.

cloudevents/languages/he/extensions/authcontext.md

@@ -0,0 +1,2 @@
+# Auth Context
+מסמך זה טרם תורגם. בבקשה תשתמשו [בגרסה האנגלית של המסמך](../../../extensions/authcontext.md) לבינתיים.

cloudevents/languages/zh-CN/extensions/authcontext.md

@@ -0,0 +1,6 @@
+# Auth Context
+
+本文档尚未被翻译，请先阅读英文[原版文档](../../../extensions/authcontext.md) 。
+
+如果您迫切地需要此文档的中文翻译，请[提交一个issue](https://github.com/cloudevents/spec/issues) ，
+我们会尽快安排专人进行翻译。