In the 5G system, the Network Functions securely expose capabilities and events to 3rd party Application Functions (AF) via the NEF. The NEF also enables secure provision of information into the 3GPP network by authenticated and authorized AFs.
Requirements on security aspects of the NEF are captured in clause 5.9.2.3.
For authentication between NEF and an AF that resides outside the 3GPP operator domain, mutual authentication based on client and server certificates shall be performed between the NEF and AF using TLS.
Certificate based authentication shall follow the profiles given in clause 6.1.3a of TS 33.310. The identities in the end entity certificates shall be used for authentication and policy checks. The structure of the PKI used for the certificate is out of scope of the present document.
TLS shall be used to provide integrity protection, replay protection and confidentiality protection for the interface between the NEF and the AF. The support of TLS is mandatory.
Security profiles for TLS implementation and usage shall follow the provisions given in clause 6.2 of TS 33.210.
After the authentication, the NEF determines whether the AF is authorized to send requests to the 3GPP Network Entity. The NEF shall authorize the requests from the AF using an OAuth-based authorization mechanism; the specific authorization mechanism shall follow the provisions given in RFC 6749.
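The two steps above (mutual TLS with the AF's certificate identity feeding the policy check, then an OAuth 2.0 access-token check on each request) can be sketched on the NEF side as follows. This is an added illustration, not code from the 3GPP specification: the AF names, OAuth client ids, tokens and scope strings are constructed, the token store stands in for RFC 6749 token introspection or JWT validation, and the TLS 1.2 minimum is an assumption, not a value quoted from TS 33.210.

```python
import ssl
from dataclasses import dataclass
from typing import Optional

# Constructed: AFs onboarded by the operator, keyed by the identity carried in the
# AF's end-entity certificate (dNSName SAN or CN), mapped to its OAuth client id.
AUTHORIZED_AFS = {
    "af1.example-partner.com": {"oauth_client_id": "af1-client"},
    "af2.example-partner.com": {"oauth_client_id": "af2-client"},
}

# Constructed: access tokens as the NEF's authorization server would report them.
# A real NEF would call token introspection or validate a signed JWT instead.
ISSUED_TOKENS = {
    "tok-af1-monitoring": {"client_id": "af1-client", "scope": {"nnef-eventexposure"}, "active": True},
    "tok-af1-expired":    {"client_id": "af1-client", "scope": {"nnef-eventexposure"}, "active": False},
    "tok-af2-provision":  {"client_id": "af2-client", "scope": {"nnef-pfdmanagement"}, "active": True},
}


def build_nef_server_context(ca_file: Optional[str] = None,
                             cert_file: Optional[str] = None,
                             key_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS server context for the NEF end of the NEF-AF interface.

    CERT_REQUIRED turns the handshake into mutual authentication: an AF that
    presents no certificate, or one not chaining to ca_file, is rejected before
    any request is read. Files are optional only so the policy can be inspected
    without a PKI at hand; a deployment always loads them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: floor at TLS 1.2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def tls_policy_ok(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces client certificates and the TLS floor."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def af_identity_from_cert(peer_cert: dict) -> Optional[str]:
    """Extract the AF identity from the dict shape returned by SSLSocket.getpeercert().

    The dNSName SAN is preferred; the subject commonName is the fallback.
    """
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            return value.lower()
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize_af_request(peer_cert: dict, bearer_token: str, required_scope: str) -> Decision:
    """Policy check run per request, after the mutual TLS handshake succeeded."""
    identity = af_identity_from_cert(peer_cert)
    if identity is None or identity not in AUTHORIZED_AFS:
        return Decision(False, "unknown AF identity in client certificate")
    token = ISSUED_TOKENS.get(bearer_token)
    if token is None or not token["active"]:
        return Decision(False, "invalid or inactive access token")
    # Bind the token to the certificate identity: a valid token issued to a
    # different AF must not authorize this TLS session.
    if token["client_id"] != AUTHORIZED_AFS[identity]["oauth_client_id"]:
        return Decision(False, "token not issued to the authenticated AF")
    if required_scope not in token["scope"]:
        return Decision(False, "insufficient scope")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed peer certificate in getpeercert() layout.
    af1_cert = {"subject": ((("commonName", "af1.example-partner.com"),),),
                "subjectAltName": (("DNS", "af1.example-partner.com"),)}
    print(authorize_af_request(af1_cert, "tok-af1-monitoring", "nnef-eventexposure"))
    print(authorize_af_request(af1_cert, "tok-af2-provision", "nnef-pfdmanagement"))
```

The point of the last check is that TLS authentication and OAuth authorization are separate steps and must be tied together: the NEF should refuse a request where the certificate identity and the token's client do not correspond, even though each would pass on its own.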
When the NEF supports CAPIF for external exposure as specified in clause 6.2.5.1 of TS 23.501, the CAPIF core function shall choose the appropriate CAPIF-2e security method as defined in subclause 6.5.2 of TS 33.122 for mutual authentication and protection of the NEF - AF interface.