8.16 API invoker authorization to access service APIs

3GPP TS 23.222, Common API Framework for 3GPP Northbound APIs, Release 18

8.16.1 General

The procedure in this subclause corresponds to the architectural requirements for API invoker authorization to access service APIs.

A secure communication channel is mandatory in CAPIF.

To reduce latency during API invocation, the API invoker associated authorization information can be made available at the AEF after authentication between the API invoker and the CAPIF core function.

NOTE: The security-related aspects of this procedure are out of scope of the present document.

8.16.2 Information flows

8.16.2.1 Service API invocation request

The information flow service API invocation request from the API invoker to the AEF is service API specific and the complete detail of the service API invocation request is out of scope of the present document. Table 8.16.2.1-1 describes only the CAPIF related information elements which are included in the service API invocation request.

Table 8.16.2.1-1: Service API invocation request

| Information element | Status | Description |
|---|---|---|
| API invoker identity information | M | The information that determines the identity of the API invoker |
| Authorization information | O (see NOTE) | The authorization information obtained before initiating the service API invocation request |
| Service API identification | M | The identification information of the service API for which invocation is requested. The service API identification is part of the specific service API invocation request. |

NOTE: The inclusion of this information element depends on the chosen solution for authorization.

8.16.2.2 Service API invocation response

The information flow service API invocation response from the AEF to the API invoker is service API specific and the complete detail of the service API invocation response is out of scope of the present document. Table 8.16.2.2-1 describes only the CAPIF related information elements which are included in the service API invocation response.

Table 8.16.2.2-1: Service API invocation response

| Information element | Status | Description |
|---|---|---|
| Result | M | Indicates the success or failure of service API invocation. |

8.16.3 Procedure

Figure 8.16.3-1 illustrates the procedure for API invoker authorization to access service APIs.

Pre-conditions:

1. The API invoker has been authenticated.

2. The API invoker associated authorization information is available at AEF.

Figure 8.16.3-1: Procedure for API invoker authorization to access service APIs

1. The API invoker triggers a service API invocation request to the AEF, including the service API to be invoked.

NOTE 1: Authentication can also be performed if not authenticated previously.

NOTE 2: The API invoker can trigger several service API invocations asynchronously.

2. Upon receiving the service API invocation request, the AEF checks whether the API invoker is authorized to invoke that service API, based on the authorization information.

2a. If the AEF does not have information required to authorize service API invocation, the AEF obtains the authorization information from the CAPIF core function.

3. The AEF executes the service logic for the invoked service API.

4. The API invoker receives the service API invocation response as a result of the service API invocation.
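The following sketch of steps 2, 2a, 3 and 4 as seen from the AEF is an added example, not part of the specification. Assumptions: authorization information is modeled as a set of permitted service API identifiers per API invoker, the optional authorization information element is not modeled, and all class, method and field names and the "success"/"failure" strings are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InvocationRequest:
    # Mandatory CAPIF elements of Table 8.16.2.1-1; field names are assumptions.
    api_invoker_id: str
    service_api_id: str

class CapifCoreFunction:
    """Stand-in for the CAPIF core function (hypothetical interface)."""
    def __init__(self, grants):
        self._grants = grants      # invoker id -> set of permitted service API ids
        self.lookups = 0           # counts step 2a round trips

    def get_authorization_info(self, invoker_id):
        self.lookups += 1
        return self._grants.get(invoker_id)  # None when nothing is known

class Aef:
    def __init__(self, ccf, service_logic):
        self._ccf = ccf
        self._service_logic = service_logic  # service API id -> callable
        self._authz = {}                     # authorization info held at the AEF

    def invoke(self, req):
        allowed = self._authz.get(req.api_invoker_id)
        if allowed is None:
            # Step 2a: information not available locally, obtain it from the core function.
            allowed = self._ccf.get_authorization_info(req.api_invoker_id)
            if allowed is not None:
                self._authz[req.api_invoker_id] = frozenset(allowed)
        # Step 2: fail closed when information is missing or the API is not permitted.
        if not allowed or req.service_api_id not in allowed:
            return {"result": "failure"}
        handler = self._service_logic.get(req.service_api_id)
        if handler is None:
            return {"result": "failure"}
        handler(req)                      # Step 3: service logic runs only after the check
        return {"result": "success"}      # Step 4: Result element of Table 8.16.2.2-1

def run_demo():
    calls = []                            # constructed sample data
    ccf = CapifCoreFunction({"invoker-1": {"api-a"}})
    aef = Aef(ccf, {"api-a": calls.append, "api-b": calls.append})
    results = [aef.invoke(InvocationRequest(i, s))["result"] for i, s in
               [("invoker-1", "api-a"), ("invoker-1", "api-a"),
                ("invoker-1", "api-b"), ("invoker-2", "api-a")]]
    return results, ccf.lookups, len(calls)
```

The second request from the same invoker is served from the information already held at the AEF, which is the latency benefit described in 8.16.1.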