10 Using Common API Framework
3GPP TS 29.116 Release 18: Representational state transfer over xMB reference point between content provider and BM-SC
10.1 General
When CAPIF is used with BM-SC, BM-SC shall support the following as defined in 3GPP TS 29.222 [40]:
– the API exposing function and related APIs over CAPIF-2/2e and CAPIF-3/3e reference points;
– the API publishing function and related APIs over CAPIF-4/4e reference point;
– the API management function and related APIs over CAPIF-5/5e reference point; and
– at least one of the security methods for authentication and authorization, and the related security mechanisms.
In a centralized deployment as defined in 3GPP TS 23.222 [39], where the CAPIF core function and API provider domain functions are co-located, the interactions between the CAPIF core function and API provider domain functions may be independent of CAPIF-3/3e, CAPIF-4/4e and CAPIF-5/5e reference points.
10.2 Security
When CAPIF is used for external exposure, before invoking the API exposed by the BM-SC, the Content Provider as API invoker shall negotiate the security method (PKI, TLS-PSK or OAuth 2.0) with the CAPIF core function and ensure the BM-SC has sufficient credentials to authenticate the Content Provider (see 3GPP TS 29.222 [40], clause 5.6.2.2 and clause 6.2.2.2).
If PKI or TLS-PSK is used as the selected security method between the Content Provider and the BM-SC, upon API invocation, the BM-SC shall retrieve the authorization information from the CAPIF core function as described in 3GPP TS 29.222 [40], clause 5.6.2.4.
As indicated in 3GPP TS 33.122 [41], the access to the xMB API may be authorized by means of the OAuth 2.0 protocol (see IETF RFC 6749 [42]), using the "Client Credentials" authorization grant, where the CAPIF core function (see 3GPP TS 29.222 [40]) plays the role of the authorization server.
NOTE 1: In this release, only "Client Credentials" authorization grant is supported.
If OAuth 2.0 is used as the selected security method between the Content Provider and the BM-SC, the Content Provider, prior to consuming services offered by the xMB API, shall obtain an "access token" from the authorization server by invoking the Obtain_Authorization service, as described in 3GPP TS 29.222 [40], clause 5.6.2.3.2.
The xMB API does not define any scopes for OAuth 2.0 authorization. It is the BM-SC's responsibility to check whether the Content Provider is authorized to use an API based on the "token". Once the BM-SC verifies the "token", it shall check whether the BM-SC identifier in the "token" matches its own published identifier, and whether the API name in the "token" matches its own published API name. If both checks pass, the Content Provider has full authority to access any resource or operation of the invoked API.
NOTE 2: For aforementioned security methods, the BM-SC needs to apply admission control according to access control policies after performing the authorization checks.
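The post-verification checks of clause 10.2 and the admission control step of NOTE 2, written out as an added illustration (not code from this specification or from any CAPIF implementation). The token is assumed to have already been integrity-verified and decoded into a claims dictionary; the claim names `aef_id`, `api_name` and `exp`, and all identifier values, are constructed for this example since the clause does not fix a token format.

```python
import time
from typing import Dict, Optional, Set, Tuple

# Constructed identifiers: what this BM-SC published towards the CAPIF core function.
PUBLISHED_AEF_ID = "bmsc-example-1"
PUBLISHED_API_NAME = "xMB"

# Constructed decoded token claims (hypothetical claim names; integrity of the
# token is assumed to have been verified before these checks run).
CONSTRUCTED_CLAIMS: Dict[str, object] = {
    "iss": "capif-core-example",
    "aef_id": "bmsc-example-1",
    "api_name": "xMB",
    "exp": 1_700_000_600,
}


def authorize_invocation(claims: Dict[str, object], published_aef_id: str,
                         published_api_name: str,
                         now: Optional[float] = None) -> Tuple[bool, str]:
    """Clause 10.2 checks after token verification: the token must name this
    BM-SC and the invoked API. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    # A token outside its validity window is rejected before any identity check.
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing expiry"
    if claims.get("aef_id") != published_aef_id:
        return False, "BM-SC identifier in token does not match published identifier"
    if claims.get("api_name") != published_api_name:
        return False, "API name in token does not match published API name"
    # No xMB-specific scopes exist: a matching token grants full access to the API.
    return True, "authorized"


def admit_request(claims: Dict[str, object], invoker_id: str,
                  admitted_invokers: Set[str],
                  now: Optional[float] = None) -> str:
    """Authorization (clause 10.2) followed by admission control (NOTE 2);
    the admission policy here is a constructed allow-list of invoker ids."""
    allowed, reason = authorize_invocation(
        claims, PUBLISHED_AEF_ID, PUBLISHED_API_NAME, now)
    if not allowed:
        return "401 " + reason
    if invoker_id not in admitted_invokers:
        return "403 invoker not admitted by access control policy"
    return "200 accepted"


if __name__ == "__main__":
    print(admit_request(CONSTRUCTED_CLAIMS, "cp-1", {"cp-1"}, now=1_700_000_000))
```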
Annex A (informative):
Call Flows