TR 33.884
Study on Security of Application enablement aspects for
Subscriber-aware Northbound API access
V18.0.1 (Wzip)
2023/06 49 p.
- Rapporteur:
- Dr. Zugenmaier, Alf
NTT DOCOMO INC.
full Table of Contents for TR 33.884 Word version: 18.0.1
1 Scope
2 References
3 Definitions of terms, symbols and abbreviations
5 Key issues
6 Proposed solutions
7 Conclusions
$ Change history
1 Scope p. 7
The scope of present document is based on the requirements for SNA (clause 6.10.2 of TS 22.261) and on the Study on application enablement aspects for subscriber-aware northbound API access (TR 23.700-95).
The objective of this study is to:
-
Identify potential new security requirements related to API invocation (such as user authorization) and define potential solutions to fulfil these requirements. This encompasses:
- Whether and how CAPIF functions can determine the resource owner upon CAPIF invocation.
- Whether and how CAPIF can support obtaining authorization from the resource owner.
- Whether and how CAPIF can support revocation of authorization by the resource owner.
- Whether and how CAPIF can support security procedures with the aim to reduce authorization inquiries for a nested API invocation.
- Identify potential security requirements for APIs used in SNAAPP and define potential solutions to fulfil these requirements.
2 References p. 7
3 Definitions of terms, symbols and abbreviations p. 8
5 Key issues p. 8
5.1 Key issue #1: Checking authentication and authorization of invoker p. 8
5.2 Key Issue #2: Checking authorization before allowing access p. 9
6 Proposed solutions p. 9
6.1 Solution #1: Resource Owner Authorization in API Invocation using OAuth Token p. 9
6.1.1 Introduction p. 9
6.1.2 Solution details p. 10
6.1.2.1 Architecture p. 10
6.1.2.2 Procedure p. 11
6.1.2.3 OAuth 2.0 role mapping p. 12
6.1.2.4 TokenCAPIF Profile p. 13
6.1.3 Evaluation p. 13
6.2 Solution #2: Authentication using OpenID Connect p. 13
6.3 Solution #3: UE Originated API invocation using OAuth Client Credential Grant p. 15
6.4 Solution #4: Authenticate and authorize UE in UE originated API invocation p. 18
6.5 Solution #5: Resource Owner based authorization for resource access p. 21
6.6 Solution #6: Authorization before allowing access to resources p. 23
6.7 Solution #7: Authorizing UE originated API invocation with PKCE flow p. 27
6.8 Solution #8: Validation of OAuth Token p. 28
6.9 Solution #9: OAuth 2.0 based API invocation procedure p. 30
6.10 Solution #10: UE credential based API invocation procedure p. 32
6.11 Solution #11: Providing and Revoking Resource Owner Authorization using OAuth 2.0 Authorization Code Grant p. 35
6.11.1 Introduction p. 35
6.11.2 Solution details p. 35
6.11.2.1 Architecture p. 35
6.11.2.2 Procedure p. 35
6.11.2.3 S-KID p. 37
6.11.2.4 KSNAAPPY derivation function p. 38
6.11.3 Evaluation p. 38
6.12 Solution #12: Providing and Revoking Resource Owner Authorization p. 38
6.12.1 Introduction p. 38
6.12.2 Solution details p. 39
6.12.2.1 Architecture p. 39
6.12.2.2 Procedure p. 39
6.12.2.3 S-KID p. 41
6.12.2.4 KAuz derivation function p. 42
6.12.2.5 Verification information derivation p. 42
6.12.3 Evaluation p. 42
6.13 Solution #13: Resource owner policies based authorization mechanism p. 42
6.14 Solution #14: Reusing CAPIF core function initiated revocation procedure to enable user authorization revocation p. 43
6.15 Solution #15: Authorization revocation to undo API invocation p. 44
6.16 Solution #16: Token Revocation using Short-lived Token p. 45
7 Conclusions p. 47
$ Change history p. 49
