Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 26.501  Word version:  18.6.0

Top   Top   Up   Prev   Next
1…   4…   4.0.6…   4.1…   4.2…   4.2.2…   4.3…   4.4   4.5…   4.6…   4.7…   4.7.4…   4.8   4.9…   4.10…   5…   5.2…   5.2.4   5.2.5…   5.3…   5.3.2…   5.4…   5.5…   5.6…   5.7…   5.7.4…   5.7.8   5.8…   5.10…   5.10.5…   5.10.6…   5.11…   5.12…   5.12.4…   5.12.5…   6…   6.2…   6.2.2.2…   6.2.3…   6.3…   6.4…   6.8…   6.9…   6.9.5…   6.9.7   7…   8…   9…   A…   A.4…   A.8   A.9   A.10   A.11   A.12   A.13   A.14   A.15…   A.15.3…   B…   B.3   C…   C.3   C.4   C.5   D…   E…
5.2.5 Procedures for downlink media streaming with per-application authorisation of media session handling operations5.2.5.1 Overview5.2.5.2 Authorisation of media session handling at M5d based on access token5.2.5.3 Authorisation of media session handling at M5d based on redirection
...

 

5.2.5  Procedures for downlink media streaming with per-application authorisation of media session handling operations |R18|p. 83

5.2.5.1  Overviewp. 83

This clause defines procedures by which a 5GMSd Application Provider authorises a 5GMSd-Aware Application to invoke media session handling operations on the 5GMSd AF at reference point M5d.

5.2.5.2  Authorisation of media session handling at M5d based on access tokenp. 83

The 5GMSd Application Provider provides a different access token (e.g. a random string) via M8 to each 5GMSd-Aware Application, so that each application instance can identify itself uniquely to the 5GMSd AF. The access token is provided, for example, during the login procedure or is requested at a later stage. The validity of access tokens is often limited in time. The 5GMSd-Aware Application may need to refresh the access token depending on the token validity.
The 5GMSd-Aware Application passes the access token (via an M6 API call) to the Media Session Handler. When the Media Session Handler invokes a media session handling operation at reference point M5, it presents the access token to the 5GMSd AF. Upon receipt of such an access token, the 5GMSd AF verifies whether the access token is valid. If the token is valid, the 5GMSd-Aware Application is authorised to invoke the operation.
When the OAuth 2.0 architecture RFC 6749 is used, the 5GMSd Application Provider acts as authorization server, the 5GMSd-Aware Application acts as client and the 5GMSd AF acts as resource server.
The call flow is depicted below.
Copy of original 3GPP image for 3GPP TS 26.501, Fig. 5.2.5.2-1: Call flow for authorisation based on access token
Figure 5.2.5.2-1: Call flow for authorisation based on access token
(⇒ copy of original 3GPP image)
Up
The steps are as follows:
Step 1.
When the user wants to use the 5GMSd-Aware Application to consume e.g. video content, the user needs to authenticate with the application and the 5GMSd Application Provider at reference point M8. (In some cases, this authorisation may be cached/stored by the application, so that the user is not always challenged to provide the login credentials.)
Step 2.
Based on the login credentials supplied in the previous step, the 5GMSd Application Provider determines the policy rights to which this application service subscription is entitled (e.g. the user may have subscribed to an SD quality video service or a 4K quality video service). According to the subscription entitlement level, the 5GMSd Application Provider creates an access token and passes this token back to the application with the login response.
Step 3.
When the 5GMSd-Aware Application (immediately or later) invokes the Media Session Handler to activate media session handling for a media delivery session, the application passes the access token to the Media Session Handler. The access token may embed a user identifier, or the user identifier may be passed as separate (anonymised) parameter.
Step 4.
When the Media Session Handler invokes a media session handling operation on the 5GMSd AF at reference point M5, it provides the the access token, e.g. as an HTTP request header.
Step 5.
The 5GMSd AF verifies the access token with the 5GMSd Application Provider.
Step 6.
If the 5GMSd AF has verified that the 5GMSd-Aware Application is authorised to invoke the media session handling operation (based on the token), the 5GMSd AF carries out the requested operation. (This may involve further interaction with the PCF or NEF.)
Up

5.2.5.3  Authorisation of media session handling at M5d based on redirectionp. 85

When the OAuth 2.0 RFC 6749 Authorization Code grant type is used, either the 5GMSd Application Provider or the 5GMSd AF acts as authorization server, as shown in Figure 5.2.5.3-1. The Media Session Handler acts as client and the 5GMSd AF acts as resource server.
Copy of original 3GPP image for 3GPP TS 26.501, Fig. 5.2.5.3-1: Alternative deployments of authorization server
Figure 5.2.5.3-1: Alternative deployments of authorization server
(⇒ copy of original 3GPP image)
Up
The call flow is depicted below.
Copy of original 3GPP image for 3GPP TS 26.501, Fig. 5.2.5.3-2: Call flow for authorisation based on access token
Figure 5.2.5.3-2: Call flow for authorisation based on access token
(⇒ copy of original 3GPP image)
Up
Step 1.
When the 5GMSd-Aware Application (immediately or later) invokes the Media Session Handler to activate media session handling for a media delivery session, the application passes only the session access information.
Step 2.
When the Media Session Handler invokes a media session handling operation on the 5GMSd AF (M5 Service) at reference point M5...
Step 3.
...the 5GMSd AF identifies that authorisation is required for accessing the requested service. The 5GMSd AF sends a redirect to the Media Session Handler, which is forwarded to the 5GMSd-Aware Application.
Step 4.
The 5GMSd-Aware Application requests an access token from the authorization server, which is realised either by the 5GMSd Application Provider (at reference point M8u) or by the 5GMSd AF (at reference point M5u).
Step 5.
After determining the policy rights of the requesting 5GMSd-Aware Application, the Authorization Service creates an access token and provides it to the 5GMSd-Aware Application.
Step 6.
The 5GMSd-Aware Application attempts to activate the media session handling operation again, this time providing the access token obtained in the previous step as an additional input paramrter.
Step 7.
The Media Session Handler invokes the media session handling operation again, this time providing the obtained access token.
Step 8.
The 5GMSd AF verifies the access token with the 5GMSd Application Provider.
Step 9.
If the 5GMSd AF is satisfied that the 5GMSd-Aware Application is authorised to invoke the media session handling operation (based on the presented access token), the 5GMSd AF carries out the requested operation. (This may involve further interaction with the PCF or NEF.)
Up

Up   Top   ToC