8.32 Reducing authorization information inquiry in a nested API invocation
3GPP TS 23.222, Common API Framework for 3GPP Northbound APIs, Release 18
8.32.1 General
The nested API invocation scenario is a scenario where the first API invocation towards the API exposing function 1 triggers this API exposing function to request another API invocation towards the API exposing function 2, which is in the same API provider domain as the API exposing function 1. Some service APIs may require invoking other service APIs. For example, if the API invoker invokes the SEAL locationInfoRetrieval API, the location management server (acting as an API exposing function for the API invoker and as an API invoker for the NEF) may invoke the NEF API to retrieve UE location information from the 5GC. The CAPIF may reduce the authorization information inquiries for a nested API invocation scenario using the procedure described in clause 8.32.3.
8.32.2 Information flows
NOTE: The security aspects of this procedure will be specified by SA3.
Editor’s note: Reference to the appropriate SA3 specification is needed.
8.32.3 Procedure
Figure 8.32.3-1 illustrates the procedure to obtain authorization information in a nested API invocation, in which an API exposing function receiving the service API invocation request interacts with another API exposing function to provide the service.
Pre-conditions:
1. The resource owner can communicate with the API invoker.
2. The API exposing functions 1 and 2 are in the same trust domain.
Figure 8.32.3-1: Procedure for obtaining authorization information in a nested API invocation
1. The API invoker requests authorization information to invoke the service API exposed by the API exposing function 1.
NOTE: This step may use either the existing procedure to obtain authorization to access service API specified in clause 8.16 or the procedure that involves the resource owner client to get authorization information. For the latter case, the detailed procedure will be specified in SA3.
2. The API invoker sends service API invocation request to the API exposing function 1 with the authorization information received in step 1.
3. Based on the service API invocation request, the API exposing function 1 decides to invoke another service API exposed by the API exposing function 2.
4. The API exposing function 1, acting as an API invoker, obtains the authorization information to access the service API exposed by the API exposing function 2.
5. The API invoker sends service API invocation request to the API exposing function with the authorization information received in step 4.
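The five steps above can be traced in a short simulation. This is an added example, not part of the 3GPP specification: the security mechanism is left to SA3, so the HMAC-signed authorization information, the shared key, the audience binding, the identifiers `AEF1`, `AEF2` and `invoker-1`, and the API name `nef-location` are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: one HMAC key shared inside the trust domain stands in for the
# SA3-defined mechanism, which this clause does not specify.
DOMAIN_KEY = b"constructed-demo-key"


def issue_authorization(invoker_id, aef_id, api_name):
    """Steps 1 and 4: return authorization information bound to one AEF and API."""
    claims = json.dumps({"sub": invoker_id, "aud": aef_id, "api": api_name},
                        sort_keys=True)
    tag = hmac.new(DOMAIN_KEY, claims.encode(), hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def verify_authorization(auth, aef_id, api_name):
    """Check integrity, then check the information names this AEF and API."""
    expected = hmac.new(DOMAIN_KEY, auth["claims"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth["tag"]):
        return False
    claims = json.loads(auth["claims"])
    return claims["aud"] == aef_id and claims["api"] == api_name


def aef2_invoke(auth):
    """AEF 2 serves the nested request only with authorization issued for it."""
    if not verify_authorization(auth, "AEF2", "nef-location"):
        return {"status": 403}
    return {"status": 200, "location": "constructed-cell-id"}


def aef1_invoke(auth, forward_inbound=False):
    """Steps 2 to 5 as seen by AEF 1."""
    if not verify_authorization(auth, "AEF1", "locationInfoRetrieval"):
        return {"status": 403}
    # Step 3: AEF 1 decides the request needs the API exposed by AEF 2.
    if forward_inbound:
        nested_auth = auth  # mistake: reuses the invoker's step 1 information
    else:
        # Step 4: AEF 1, acting as an API invoker, obtains its own.
        nested_auth = issue_authorization("AEF1", "AEF2", "nef-location")
    return aef2_invoke(nested_auth)  # step 5
```

Under these assumptions, forwarding the invoker's step 1 authorization information to AEF 2 is rejected, while the information AEF 1 obtains in step 4 is accepted.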