8.23 CAPIF revoking API invoker authorization
3GPP TS 23.222, Common API Framework for 3GPP Northbound APIs, Release 18
8.23.1 General
The CAPIF controls the access of service API by the API invoker based on policy or usage limits. If the usage limits have been exceeded, the authorization of the API invoker for accessing the service APIs is revoked. The decision to revoke the API invoker authorization may be triggered by the AEF or the CAPIF core function. The AEF can be within the PLMN trust domain or within a 3rd party trust domain.
8.23.2 Information flows
8.23.2.1 Revoke API invoker authorization request
Table 8.23.2.1-1 describes the information flow revoke API invoker authorization request from the API exposing function to the CAPIF core function or from the CAPIF core function to the API exposing function.
Table 8.23.2.1-1: Revoke API invoker authorization request
| Information element | Status | Description |
|---|---|---|
| API invoker identity information | M | The information that determines the identity of the API invoker |
| Service API identification | M | The identification information of the service API for which the authorization is revoked. |
| Cause | M | The cause for revoking the API invoker authorization |
8.23.2.2 Revoke API invoker authorization response
Table 8.23.2.2-1 describes the information flow revoke API invoker authorization response from the CAPIF core function to the API exposing function or from the API exposing function to the CAPIF core function.
Table 8.23.2.2-1: Revoke API invoker authorization response
| Information element | Status | Description |
|---|---|---|
| Result | M | Indicates the success or failure of revoke API invoker authorization. |
8.23.2.3 Revoke API invoker authorization notify
Table 8.23.2.3-1 describes the information flow revoke API invoker authorization notify from the CAPIF core function to the API invoker.
Table 8.23.2.3-1: Revoke API invoker authorization notify
| Information element | Status | Description |
|---|---|---|
| API invoker identity information | M | The information that determines the identity of the API invoker whose authorization has been revoked |
| Service API identification | M | The identification information of the service API for which the authorization is revoked. |
| Cause | M | The cause for revoking the API invoker authorization |
8.23.3 Procedure for CAPIF revoking API invoker authorization initiated by AEF
Figure 8.23.3-1 illustrates the procedure for revoking API invoker authorization to access service API initiated by the AEF.
Pre-conditions:
1. The API invoker is authenticated and authorized to use the service API.
2. The AEF in the CAPIF is configured with the access policy to be applied to the service API invocation corresponding to the API invoker and the service API.
3. Authorization details of the AEF are available with the CAPIF core function.
Figure 8.23.3-1: Procedure for revoking API invoker authorization initiated by AEF
1. The AEF triggers the revocation of the API invoker authorization.
2. The AEF sends revoke API invoker authorization request to the CAPIF core function with the details of the API invoker and the service API.
3. Upon receiving the information to revoke the API invoker’s authorization for service API invocation, the CAPIF core function invalidates the API invoker authorization corresponding to the service API.
4. The CAPIF core function sends a revoke API invoker authorization response to the AEF.
5. Upon successful revocation of API invoker authorization corresponding to the service API at the CAPIF core function, the AEF invalidates the API invoker authorization corresponding to the service API.
6. The CAPIF core function sends a revoke API invoker authorization notify to the API invoker whose authorization to access the service API has been revoked.
8.23.4 Procedure for CAPIF revoking API invoker authorization initiated by CAPIF core function
Figure 8.23.4-1 illustrates the procedure for revoking API invoker authorization to access service API initiated by the CAPIF core function.
Pre-conditions:
1. The API invoker is authenticated and authorized to use the service API.
2. The AEF in the CAPIF is configured with the access policy to be applied to the service API invocation corresponding to the API invoker and the service API.
Figure 8.23.4-1: Procedure for revoking API invoker authorization initiated by CAPIF core function
1. The CAPIF core function triggers the revocation of the API invoker authorization.
2. The CAPIF core function sends revoke API invoker authorization request to the AEF with the details of the API invoker and the service API.
3. Upon receiving the information to revoke the API invoker’s authorization for service API invocation, the AEF invalidates the API invoker authorization corresponding to the service API.
4. The AEF sends a revoke API invoker authorization response to the CAPIF core function.
5. The CAPIF core function invalidates the API invoker authorization corresponding to the service API.
6. The CAPIF core function sends a revoke API invoker authorization notify to the API invoker whose authorization to access the service API has been revoked.
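The two procedures in 8.23.3 and 8.23.4 mirror each other, so the following added example (not part of the specification) models both with one function and checks that the AEF and the CAPIF core function end up with consistent state. The class and function names, the `SUCCESS`/`FAILURE` values and the sample identifiers are constructed for illustration; treating a missing mandatory element or an unknown authorization as a failure, and making the initiator's own invalidation in 8.23.4 step 5 conditional on a successful response, are assumptions.

```python
from dataclasses import dataclass, field

SUCCESS, FAILURE = "SUCCESS", "FAILURE"  # constructed values for the Result element

@dataclass(frozen=True)
class Revoke:
    """Elements of Tables 8.23.2.1-1 and 8.23.2.3-1 (all mandatory)."""
    invoker_id: str
    service_api_id: str
    cause: str

@dataclass
class Entity:
    """AEF or CAPIF core function holding its own (invoker, service API) authorizations."""
    name: str
    authorized: set = field(default_factory=set)

    def handle_request(self, req: Revoke) -> str:
        """Steps 3-4: invalidate the authorization and return the Result."""
        key = (req.invoker_id, req.service_api_id)
        if not all((req.invoker_id, req.service_api_id, req.cause)):
            return FAILURE  # assumption: a missing mandatory element is rejected
        if key not in self.authorized:
            return FAILURE  # assumption: nothing to revoke is reported as failure
        self.authorized.remove(key)
        return SUCCESS

def revoke(initiator: Entity, peer: Entity, notify_log: list, req: Revoke) -> str:
    """Steps 2-6 of 8.23.3 (initiator=AEF) or 8.23.4 (initiator=CAPIF core function)."""
    result = peer.handle_request(req)  # steps 2-4: request, invalidate, response
    if result != SUCCESS:
        return result  # initiator keeps its state and no notify is sent
    initiator.authorized.discard((req.invoker_id, req.service_api_id))  # step 5
    notify_log.append(req)  # step 6: CAPIF core function notifies the API invoker
    return result

def run_demo():
    """Constructed sample: one invoker authorized for two service APIs."""
    grants = {("invoker-1", "api-A"), ("invoker-1", "api-B")}
    ccf, aef, notes = Entity("CCF", set(grants)), Entity("AEF", set(grants)), []
    r1 = revoke(aef, ccf, notes, Revoke("invoker-1", "api-A", "usage limit exceeded"))
    r2 = revoke(aef, ccf, notes, Revoke("invoker-1", "api-B", ""))  # missing Cause
    r3 = revoke(ccf, aef, notes, Revoke("invoker-1", "api-B", "policy"))
    return r1, r2, r3, ccf.authorized, aef.authorized, notes

if __name__ == "__main__":
    print(run_demo())
```

Revocation is scoped to one (API invoker, service API) pair, so the first call leaves the `api-B` authorization intact on both sides until it is revoked separately.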