diff --git a/.chloggen/add_enduser_authentication_id.yaml b/.chloggen/add_enduser_authentication_id.yaml
new file mode 100644
index 0000000000..89248bba51
--- /dev/null
+++ b/.chloggen/add_enduser_authentication_id.yaml
@@ -0,0 +1,24 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: enduser
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: introduce new attribute `enduser.authentication.id` and deprecate `enduser.authentication.role`, and `enduser.authentication.scope`.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [1104]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+ The new attribute `enduser.authentication.id` is intended to provide an unique identifier of an authenticated enduser.
+ The deprecated attributes `enduser.authentication.role` and `enduser.authentication.scope` are removed from the enduser registry.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml
index e4e6d6b430..fb9ee37d0d 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -41,6 +41,7 @@ body:
- area:disk
- area:dns
- area:dotnet
+ - area:enduser
- area:error
- area:event
- area:exception
diff --git a/.github/ISSUE_TEMPLATE/change_proposal.yaml b/.github/ISSUE_TEMPLATE/change_proposal.yaml
index 4c9316ddf1..fe5acc9841 100644
--- a/.github/ISSUE_TEMPLATE/change_proposal.yaml
+++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml
@@ -33,6 +33,7 @@ body:
- area:disk
- area:dns
- area:dotnet
+ - area:enduser
- area:error
- area:event
- area:exception
diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml
index e6e543158e..3affbce455 100644
--- a/.github/ISSUE_TEMPLATE/new-conventions.yaml
+++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml
@@ -42,6 +42,7 @@ body:
- area:disk
- area:dns
- area:dotnet
+ - area:enduser
- area:error
- area:event
- area:exception
diff --git a/docs/attributes-registry/authentication.md b/docs/attributes-registry/authentication.md
new file mode 100644
index 0000000000..90422ed9ee
--- /dev/null
+++ b/docs/attributes-registry/authentication.md
@@ -0,0 +1,15 @@
+
+
+
+
+
+# Authentication
+
+## Authentication Attributes
+
+"Describes the authentication information of an authenticated user."
+
+| Attribute | Type | Description | Examples | Stability |
+| ------------------- | ------ | --------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------------- |
+| `authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
diff --git a/docs/attributes-registry/enduser.md b/docs/attributes-registry/enduser.md
index a8df586a66..cc193e8107 100644
--- a/docs/attributes-registry/enduser.md
+++ b/docs/attributes-registry/enduser.md
@@ -6,12 +6,13 @@
# Enduser
-## Deprecated End User Attributes
+## End User Attributes
-Describes deprecated enduser attributes. Complete enduser namespace has been deprecated
+Describes information about the end user, which can be used as a subdomain of browser, client, or user domains.
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
-| `enduser.id` | string | Deprecated, use `user.id` instead. | `username` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.id` attribute. |
-| `enduser.role` | string | Deprecated, use `user.roles` instead. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Replaced by `user.roles` attribute. |
-| `enduser.scope` | string | Deprecated, no replacement at this time. | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. |
+| `enduser.authentication.id` | string | Unique identifier of an authenticated user in the system. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `enduser.id` | string | Identifier of an end user who interacts with a system. This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system. | `QdH5CAWJgqVT4rOr0qtumf` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `enduser.role` | string | Actual/assumed role the client is making the request under extracted from token or application security context. | `admin` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. |
+| `enduser.scope` | string | Scopes or granted authorities the client currently possesses extracted from token or application security context. The value would come from the scope associated with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3) or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). | `read:message, write:files` | ![Deprecated](https://img.shields.io/badge/-deprecated-red)
Removed. |
diff --git a/model/enduser/deprecated/common.yaml b/model/enduser/deprecated/common.yaml
deleted file mode 100644
index e17dde1bec..0000000000
--- a/model/enduser/deprecated/common.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-groups:
- - id: identity
- type: attribute_group
- brief: >
- These attributes may be used for any operation with an authenticated and/or authorized enduser.
- attributes:
- - ref: enduser.id
- requirement_level: recommended
- - ref: enduser.role
- requirement_level: recommended
- - ref: enduser.scope
- requirement_level: recommended
diff --git a/model/enduser/deprecated/registry-deprecated.yaml b/model/enduser/deprecated/registry-deprecated.yaml
deleted file mode 100644
index 0f5723e19a..0000000000
--- a/model/enduser/deprecated/registry-deprecated.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-groups:
- - id: registry.enduser.deprecated
- type: attribute_group
- display_name: Deprecated End User Attributes
- brief: Describes deprecated enduser attributes. Complete enduser namespace has been deprecated
- attributes:
- - id: enduser.id
- type: string
- stability: experimental
- deprecated: Replaced by `user.id` attribute.
- brief: "Deprecated, use `user.id` instead."
- examples: 'username'
- - id: enduser.role
- type: string
- stability: experimental
- deprecated: Replaced by `user.roles` attribute.
- brief: "Deprecated, use `user.roles` instead."
- examples: 'admin'
- - id: enduser.scope
- type: string
- stability: experimental
- deprecated: Removed.
- brief: "Deprecated, no replacement at this time."
- examples: 'read:message, write:files'
diff --git a/model/enduser/registry.yaml b/model/enduser/registry.yaml
new file mode 100644
index 0000000000..2a6568dd5e
--- /dev/null
+++ b/model/enduser/registry.yaml
@@ -0,0 +1,35 @@
+groups:
+ - id: registry.enduser
+ type: attribute_group
+ display_name: End User Attributes
+ brief: >
+ Describes information about the end user, which can be used as a subdomain of browser, client, or user domains.
+ attributes:
+ - id: enduser.id
+ type: string
+ stability: experimental
+ brief: >
+ Identifier of an end user who interacts with a system.
+ This identifier may be unique only through best-effort means and does not imply that the user is authenticated to the system.
+ examples: ['QdH5CAWJgqVT4rOr0qtumf']
+ - id: enduser.role
+ type: string
+ deprecated: "Removed."
+ stability: experimental
+ brief: 'Actual/assumed role the client is making the request under extracted from token or application security context.'
+ examples: 'admin'
+ - id: enduser.scope
+ type: string
+ deprecated: "Removed."
+ stability: experimental
+ brief: >
+ Scopes or granted authorities the client currently possesses extracted from token
+ or application security context. The value would come from the scope associated
+ with an [OAuth 2.0 Access Token](https://tools.ietf.org/html/rfc6749#section-3.3)
+ or an attribute value in a [SAML 2.0 Assertion](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
+ examples: 'read:message, write:files'
+ - id: enduser.authentication.id
+ type: string
+ brief: "Unique identifier of an authenticated user in the system."
+ examples: [ 'S-1-5-21-202424912787-2692429404-2351956786-1000' ]
+ stability: experimental
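Review bot: The new `enduser.authentication.id` entry, like `enduser.id` above it, defines a per-user identifier without saying anything about its sensitivity, and its example is a Windows-style SID that maps directly to a directory account. I would add a `note:` to both attributes, for example `note: This value can identify an individual; capture should be opt-in, and it may need to be hashed or redacted before export.` Because the `enduser.id` brief says the value does not imply authentication, that note could also state that only `enduser.authentication.id` is meant for audit or access-control correlation. Separately, `enduser.role` now carries `deprecated: "Removed."`, whereas the deleted registry-deprecated.yaml pointed readers to `user.roles`; keeping `deprecated: "Replaced by `user.roles` attribute."` would preserve the migration path. The changelog entry in this commit names `enduser.authentication.role` and `enduser.authentication.scope`, which are not defined in this file, so one of the two probably needs correcting.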