
Content for  TR 23.700-22  Word version:  19.0.0


0  Introduction

CAPIF, as specified in TS 23.222, is a common API framework for controlled exposure of service APIs. CAPIF is now considered by different 3GPP groups (e.g. SA2, SA5) and external bodies such as GSMA, ETSI and ORAN Alliance to enable exposure of APIs. In Rel.18, CAPIF was enhanced considering some RNAA requirements. Further CAPIF enhancements are envisioned to enable use of CAPIF as the API framework for API exposure considered by different groups and external bodies.
This TR provides a thorough study of potential enhancements to CAPIF under the scope provided in clause 1.

1  Scope

The present document studies the potential enhancements to CAPIF (as specified in TS 23.222) to support:
  a) authentication and authorization interactions between Resource Owner and Authorization Functionality;
  b) UE-deployed API invoker accessing resources not owned by that UE;
  c) more granular access control (e.g., at the level of service operations or resources);
  d) CAPIF with further enhancements to service API status and AEF status;
  e) CAPIF enhancements identified or originated from other WGs or SDOs/industry forums; and
  f) more CAPIF interconnection services.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1] TR 21.905: "Vocabulary for 3GPP Specifications".
[2] TS 23.222: "Common API Framework for 3GPP Northbound APIs".
[3] TS 33.122: "Security aspects of Common API Framework (CAPIF) for 3GPP northbound APIs".
[4] TS 22.261: "Service requirements for the 5G system".
[5] draft-ietf-oauth-browser-based-apps-17: "OAuth 2.0 for Browser-Based Apps".
[6] RFC 6749: "The OAuth 2.0 Authorization Framework".
[7] TR 28.849: "Study on charging aspects of Common API Framework for Northbound APIs (CAPIF) phase 2".
    → to date, still a draft
[8] TS 29.122: "T8 reference point for northbound Application Programming Interfaces (APIs)".
[9] TS 23.434: "Service Enabler Architecture Layer for Verticals (SEAL); Functional architecture and information flows".

3  Definitions of terms, symbols and abbreviations

3.1  Terms

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
API invoker frontend: An API invoker incapable of maintaining the confidentiality of its credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure invoker authentication via any other means.
Group Resource Owner: A group member who is a UE user or an MNO subscriber, capable of granting access on behalf of group members to protected resources associated with the group members via the resource owner function.

3.2  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
ASP     Application Service Provider
BFF     Backend For Frontend
GMS     Group Management Server
GRO     Group Resource Owner
MSISDN  Mobile Station Integrated Services Digital Network
OAM     Operations, Administration and Management
RO      Resource Owner
ROF     Resource Owner Function
SSO     Single Sign-On

4  Gap analysis and requirements

4.1  CAPIF impacts due to charging considerations

The gaps and impacts on CAPIF architecture due to charging considerations are studied by SA5 in 3GPP TR 28.849 [7].

4.2  Requirements for RNAA

[AR-4.2-a] The CAPIF shall provide mechanisms to manage (provide, obtain, revoke) user consents for API invoker(s) to access the resources owned by resource owners.
[AR-4.2-b] The CAPIF shall provide mechanisms to enable API invoker on a UE to access resources owned by the resource owner(s) of another UE or group of UE(s).

4.3  Requirements for CAPIF interconnection

[AR-4.3-a] The CAPIF shall provide mechanisms for authentication and authorization for access to the service API(s) exposed by a 3rd party CAPIF provider.
