Using CloudEvents extension Authcontext for certain event types

camaraproject / Commonalities

Repository to describe, develop, document and test the common guidelines and assets for CAMARA APIs

Apache License 2.0

12 stars 25 forks source link

Using CloudEvents extension Authcontext for certain event types #150

Open shilpa-padgaonkar opened 7 months ago

shilpa-padgaonkar commented 7 months ago

Problem description Does it make sense to add the authcontext cloudevents extension for certain implicit subscriptions so that device id need not be added to data?

Possible evolution Include the authcontext extension where applicable

Alternative solution

Additional context

bigludo7 commented 7 months ago

@shilpa-padgaonkar I will probably need more to understand how to leverage the 3 attributes: authtype, authid and authclaims. Suppose here for implicit subscription that the Application XXX for a carrier billing payment on line 0601 request to get notified. My understanding will to use Auth Context as such:

"authContext": {
   "authtype": "service_account"
   "authid" : "XXX"
}

Reading the document I got the feeling that this more to identify the application triggering the notification than identifying the device id which is notified. WDYT ?

PedroDiez commented 5 months ago

My two cents:

Prefer to no manage this so far. It is not related to Events securization. As per CloudEvents: This extension embeds information about the principal which triggered an occurrence. This allows consumers of the CloudEvent to perform user-dependent actions without requiring the user ID to be embedded in the data or source field
Currently, in CAMARA APIs (AFAIK) we do not manage explicitly “user ID” concept, this could also have considerations within I&CM. We are also in opening discussion about how to manage different device identifiers in implementation (Issue#127) as well as an issue to propose Device model simplification (Issue#171). So my feeling is that will can generate more discussion around this

shilpa-padgaonkar commented 5 months ago

@PedroDiez @bigludo7 IMHO we can leave this issue out of meta-release scope. As @PedroDiez has mentioned, the user-id concept will need some conclusion in ICM wg probably under https://github.com/camaraproject/IdentityAndConsentManagement/issues/136 . Hence, this issue was also not added to the consolidated issue for subscriptions, as this can be dealt with later.

shilpa-padgaonkar commented 5 months ago

Setting label backlog as discussed here https://github.com/camaraproject/Commonalities/issues/185

This issue will be taken up after we have some more progress here https://github.com/camaraproject/IdentityAndConsentManagement/issues/136