Content for  TS 33.122  Word version:  18.3.0

The API invoker and the API exposing function shall follow the procedure in this sub-clause to establish dedicated secure session using TLS connection based on Pre-Shared Key (PSK). CAPIF-1e authentication shall be used to bootstrap a Pre-Shared key for authenticating a TLS connection for CAPIF-2e. It is assumed that both the API invoker and the CAPIF core function are pre-provisioned with certificates. The TLS profile as specified in Annex E of TS 33.310 shall be used. Figure 6.5.2.1-1 details the message flow between the API invoker, the CAPIF core function and the API exposing function, to establish secure CAPIF-2e interface using a pre-shared key for authentication.

After successful establishment of TLS on CAPIF-2e reference point, the API exposing function shall authorize the API invoker's service API invocation request based on authorization information obtained from CAPIF core function as specified in subclause 8.16 of TS 23.222.

The API invoker and the API exposing function shall follow the procedure in this subclause to establish dedicated secure session over CAPIF-2e using TLS based on certificate based mutual authentication. It is assumed that both API invoker and API exposing function are pre-provisioned with certificates. Figure 6.5.2.2-1 details the message flow between the API invoker, the CAPIF core function and the API exposing function related to this security method.

After successful establishment of TLS on CAPIF-2e reference point, the API exposing function shall authorize the API invoker's service API invocation request based on authorization information obtained from CAPIF core function as specified in subclause 8.16 of TS 23.222.

This method details establishment of secure channel over CAPIF-1e, CAPIF-2e reference points, and uses the OAuth 2.0 [4] token based mechanism to authorize and honour API invoker's northbound API invocations to the API exposing function. Figure 6.5.2.3-1 details security information flows between the API invoker, the CAPIF core function and the API exposing function. It is assumed that the API invoker, the CAPIF core function and the AEF are pre-provisioned with the appropriate credentials and related information to establish a secure session. As per OAuth 2.0 [4], the CAPIF core function shall perform the functionality of the authorization server and provide the token endpoint, the API invoker shall perform the function of the client functionality, while the API exposing function shall perform the resource server functions. The API invoker client (client endpoint) shall be registered as a confidential client type with an authorization grant type of 'client credentials'. The authorization shall be previously arranged in the CAPIF core function. The access token shall follow the profile described in Annex C.

The authorization function shall obtain the necessary permission from the resource owner for allowing the API invoker to access a northbound API. RNAA shall use token-based authorization using OAuth 2.0 framework with the following roles:

• The API invoker has the role of the OAuth 2.0 client.
• The CCF has the role of the OAuth 2.0 authorization server, i.e., providing the access token used for RNAA.
• The AEF has the role of the resource server.

The access tokens used for RNAA shall contain the resource owner ID. The resource owner may be the user of the UE or the owner of the subscription depending on the use case and regulations.The resource owner ID is specified as the GPSI of the corresponding UE if the resource is related to a UE. The access token shall include the resource owner ID and the API invoker ID. The resource owner ID is the GPSI. The API invoker ID binds the token to the API invoker. To avoid privacy issues, GPSI should be different from MSISDN, SUPI etc. AEF shall do the authorization check of the API invocation request for accessing the resources of the resource owner. AEF checks the request against the token, including

1. checking the token integrity and
2. checking whether the GSPI (if present) in the API invocation request is compliant with the resource owner ID in the access token. As the token includes resource owner ID, there is no need for additional UE authentication in API invocation. Moreover, the token should be able to restrict the API invoker to a specific resource (e.g., location, QoS, PDN connectivity status) of the resource owner.

For OAuth 2.0 flows involving redirection, authentication between CCF/AUF and UE should be performed after API Invoker redirects the UE to CCF/AUF. In case of an external AF (i.e., not the application on the UE) being the API invoker, for mutual authentication of API invoker AF and API exposing function, the authentication methods of clause 6.4 and clause 6.5.2 are reused. For authorization, the following OAuth 2.0 flows may be used:

• Client credential flow (according to RFC 6749),
• Authorization code flow (according to RFC 6749), or
• Authorization code flow with PKCE (according to RFC 7636).

CCF shall indicate the selected flows to the API invoker. CCF shall give service authorization which subscribers or users can use RNAA. For selecting the authorization method, the procedure as specified in clause 6.3.1.2 is used with the following RNAA specific additions. The API invoker shall include in the Security Method Request the supported RNAA authorization flows. The CCF shall determine the RNAA authorization flow based on the RNAA capabilities of the CCF, AEF, and API invoker. The API invoker shall use the determined RNAA authorization flow in the subsequent communication with the CCF and AEF.

If client credential flow is used for authorization of the API invoker by the AEF, the procedures in RFC 6749 shall be followed with the following profile:

• The access token request message may include the resource owner ID.
• The CCF shall check whether the API invoker is entitled to consume the API and allowed to access the resources of the resource owner, by using authorization information available in the CCF.
• If the API invoker is on a UE, the CCF shall check that the UE is accessing its own resources. If the API invoker is an AF not on a UE, the check is omitted.

If authorization code flow, optionally with PKCE, is used by the AEF for authorization of the API invoker, the procedures in RFC 6749 and optionally RFC 7636 shall be followed, with the following profile:

• The authorization token and/or authorization request may include the resource owner ID.
• The resource owner dynamically authorizes the API invoker to access the resource owner's resources as described in RFC 6749 and optionally RFC 7636.
• If the API invoker is on a UE, the CCF shall check that the UE is accessing its own resources. The access token shall contain the resource owner ID (i.e. GPSI) and the API invoker ID. If the API invoker is an AF not on a UE, the check is omitted.

The CCF can initiate the Authorization Revocation Request message as defined in clause 8.23.4 of TS 23.222 with additional information to identify the RNAA-related revoked token. AEF, storing the information about the RNAA-related revoked token, shall check whether the token presented by an API invoker is revoked or not, before responding to the API invoker's invocation request. The CCF provided notification message to the API invoker shall include the information to identify the RNAA-related revoked token.