6 API Definitions
3GPP TS 29.309: Bootstrapping Server Function (GBA BSF) Services (Release 17)
6.1 Nbsp_GBA Service API
6.1.1 Introduction
The Nbsp_GBA service shall use the Nbsp_GBA API.
The API URI of the Nbsp_GBA API shall be:
{apiRoot}/<apiName>/<apiVersion>
The request URIs used in HTTP requests from the NF service consumer towards the NF service producer shall have the Resource URI structure defined in clause 4.4.1 of 3GPP TS 29.501 [5], i.e.:
{apiRoot}/<apiName>/<apiVersion>/<apiSpecificResourceUriPart>
with the following components:
– The {apiRoot} shall be set as described in 3GPP TS 29.501 [5].
– The <apiName> shall be "nbsp-gba".
– The <apiVersion> shall be "v1".
– The <apiSpecificResourceUriPart> shall be set as described in clause 6.1.3.
6.1.2 Usage of HTTP
6.1.2.1 General
HTTP/2, IETF RFC 7540 [11], shall be used as specified in clause 5 of 3GPP TS 29.500 [4].
HTTP/2 shall be transported as specified in clause 5.3 of 3GPP TS 29.500 [4].
The OpenAPI [6] specification of HTTP messages and content bodies for the Nbsp_GBA API is contained in Annex A.
6.1.2.2 HTTP standard headers
6.1.2.2.1 General
See clause 5.2.2 of 3GPP TS 29.500 [4] for the usage of HTTP standard headers.
6.1.2.2.2 Content type
JSON, IETF RFC 8259 [12], shall be used as content type of the HTTP bodies specified in the present specification as specified in clause 5.4 of 3GPP TS 29.500 [4]. The use of the JSON format shall be signalled by the content type "application/json".
The "Problem Details" JSON object shall be used to indicate additional details of the error in an HTTP response body and shall be signalled by the content type "application/problem+json", as defined in IETF RFC 7807 [13].
6.1.2.3 HTTP custom headers
The mandatory HTTP custom header fields specified in clause 5.2.3.2 of 3GPP TS 29.500 [4] shall be supported, and the optional HTTP custom header fields specified in clause 5.2.3.3 of 3GPP TS 29.500 [4] may be supported.
6.1.3 Resources
In this release of this specification, no resources are defined for the Nbsp_GBA service.
6.1.3.1 Overview
The structure of the Resource URIs of the Nbsp_GBA service is shown in figure 6.1.3.1-1.
Figure 6.1.3.1-1: Resource URI structure of the Nbsp_GBA API
6.1.4 Custom Operations without associated resources
6.1.4.1 Overview
Table 6.1.4.1-1: Custom operations without associated resources
| Operation Name | Custom operation URI | Mapped HTTP method | Description |
| Bootstrapping Info Retrieval | /bootstrapping-info-retrieval | POST | |
| Push Info Retrieval | /push-info-retrieval | POST | |
6.1.4.2 Operation: Bootstrapping Info Retrieval
6.1.4.2.1 Description
6.1.4.2.2 Operation Definition
This operation shall support the request and response data structures and the response codes specified in tables 6.1.4.2.2-1 and 6.1.4.2.2-2.
Table 6.1.4.2.2-1: Data structures supported by the POST Request Body
| Data type | P | Cardinality | Description |
| BootstrappingInfoRequest | M | 1 | Request body of the Bootstrapping Info Request |
Table 6.1.4.2.2-2: Data structures supported by the POST Response Body
| Data type | P | Cardinality | Response codes | Description |
| BootstrappingInfoResponse | M | 1 | 200 OK | A response body containing the BootstrappingInfoResponse shall be returned. |
| RedirectResponse | O | 0..1 | 307 Temporary Redirect | Temporary redirection. The response shall include a Location header field containing a different URI. The URI shall be an alternative URI of the resource located on an alternative service instance within the same GBA BSF (service) set. |
| RedirectResponse | O | 0..1 | 308 Permanent Redirect | Permanent redirection. The response shall include a Location header field containing a different URI. The URI shall be an alternative URI of the resource located on an alternative service instance within the same GBA BSF (service) set. |
| ProblemDetails | O | 0..1 | 403 Forbidden | The NAF is not authorized to request Bootstrapping Information from the GBA BSF. |
NOTE: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] also apply.
Table 6.1.4.2.2-3: Headers supported by the 307 Response Code
| Name | Data type | P | Cardinality | Description |
| Location | string | M | 1 | An alternative URI of the resource located on an alternative service instance within the same GBA BSF (service) set. |
| 3gpp-Sbi-Target-Nf-Id | string | O | 0..1 | Identifier of the target NF (service) instance ID towards which the request is redirected. |
Table 6.1.4.2.2-4: Headers supported by the 308 Response Code
| Name | Data type | P | Cardinality | Description |
| Location | string | M | 1 | An alternative URI of the resource located on an alternative service instance within the same GBA BSF (service) set. |
| 3gpp-Sbi-Target-Nf-Id | string | O | 0..1 | Identifier of the target NF (service) instance ID towards which the request is redirected. |
6.1.4.3 Operation: Push Info Retrieval
6.1.4.3.1 Description
6.1.4.3.2 Operation Definition
This operation shall support the request and response data structures and the response codes specified in tables 6.1.4.3.2-1 and 6.1.4.3.2-2.
Table 6.1.4.3.2-1: Data structures supported by the POST Request Body
| Data type | P | Cardinality | Description |
| PushInfoRequest | M | 1 | Request body of the Push Info Request |
Table 6.1.4.3.2-2: Data structures supported by the POST Response Body
| Data type | P | Cardinality | Response codes | Description |
| PushInfoResponse | M | 1 | 200 OK | A response body containing the PushInfoResponse shall be returned. |
| RedirectResponse | O | 0..1 | 307 Temporary Redirect | Temporary redirection. The response shall include a Location header field containing a different URI. The URI shall be an alternative URI of the resource located on an alternative service instance within the same GBA BSF (service) set. |
| RedirectResponse | O | 0..1 | 308 Permanent Redirect | Permanent redirection. The response shall include a Location header field containing a different URI. The URI shall be an alternative URI of the resource located on an alternative service instance within the same GBA BSF (service) set. |
| ProblemDetails | O | 0..1 | 403 Forbidden | The Push-NAF is not authorized to request GBA Push Information (GPI) from the GBA BSF. |
NOTE: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] also apply.
Table 6.1.4.3.2-3: Headers supported by the 307 Response Code
| Name | Data type | P | Cardinality | Description |
| Location | string | M | 1 | An alternative URI of the resource located on an alternative service instance within the same GBA BSF (service) set. |
| 3gpp-Sbi-Target-Nf-Id | string | O | 0..1 | Identifier of the target NF (service) instance ID towards which the request is redirected. |
Table 6.1.4.3.2-4: Headers supported by the 308 Response Code
| Name | Data type | P | Cardinality | Description |
| Location | string | M | 1 | An alternative URI of the resource located on an alternative service instance within the same GBA BSF (service) set. |
| 3gpp-Sbi-Target-Nf-Id | string | O | 0..1 | Identifier of the target NF (service) instance ID towards which the request is redirected. |
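The following is an added example (not code from TS 29.309 or from any 3GPP implementation) of how an NF service consumer invokes the two custom operations above and interprets the 200, 307/308 and 403 outcomes. It assumes an HTTP/2 client abstracted as a callable `transport(method, uri, headers, body)` so that it runs offline, a locally configured set of hostnames that make up the same GBA BSF (service) set, and a limit of one followed redirect; the sample request and response bodies are constructed values. The point it shows is that a redirect answer is only followed when the Location URI stays inside the configured BSF set, since the repeated POST returns NAF key material to whoever answers it.

```python
"""Consumer-side invocation of the Nbsp_GBA custom operations.

Added illustrative code; not part of TS 29.309 or any 3GPP implementation.
Assumptions: transport(method, uri, headers, body) -> (status, headers, body_text)
stands in for an HTTP/2 client; bsf_set_hosts is the locally configured set of
hosts forming one GBA BSF (service) set; a redirect is followed at most once.
"""
import json
from urllib.parse import urlparse

API_NAME, API_VERSION = "nbsp-gba", "v1"            # clause 6.1.1
OPERATIONS = {                                        # table 6.1.4.1-1
    "BootstrappingInfoRetrieval": "/bootstrapping-info-retrieval",
    "PushInfoRetrieval": "/push-info-retrieval",
}


class NbspGbaError(Exception):
    """Any outcome other than a 200 OK carrying a response body."""


def operation_uri(api_root, operation):
    """{apiRoot}/nbsp-gba/v1/<custom operation URI>"""
    return f"{api_root.rstrip('/')}/{API_NAME}/{API_VERSION}{OPERATIONS[operation]}"


def invoke(uri, body, transport, bsf_set_hosts, redirects_left=1):
    """POST body to uri and interpret the codes of tables 6.1.4.2.2-2 / 6.1.4.3.2-2."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json, application/problem+json"}
    status, resp_headers, resp_body = transport("POST", uri, headers, json.dumps(body))

    if status == 200:
        return json.loads(resp_body)

    if status in (307, 308):
        location = resp_headers.get("Location")         # mandatory for 307 and 308
        if location is None:
            raise NbspGbaError(f"{status} without Location header")
        if redirects_left == 0:
            raise NbspGbaError("redirect loop suspected; not following further")
        target = urlparse(location).hostname
        # The spec constrains the Location URI to the same GBA BSF (service) set;
        # the consumer enforces that against its configured set before repeating
        # a request whose answer carries NAF key material.
        if target not in bsf_set_hosts:
            raise NbspGbaError(f"redirect to {target!r}, outside the configured BSF set")
        # 307 and 308 preserve method and body: repeat the POST unchanged.
        return invoke(location, body, transport, bsf_set_hosts, redirects_left - 1)

    if status == 403:                                    # ProblemDetails body
        problem = json.loads(resp_body) if resp_body else {}
        raise NbspGbaError(f"403 Forbidden: {problem.get('detail', 'not authorized')}")

    raise NbspGbaError(f"unexpected status {status}")


def make_fake_transport(responses):
    """Constructed stand-in transport keyed by request URI; records the calls made."""
    calls = []

    def transport(method, uri, headers, body):
        calls.append((method, uri, body))
        return responses[uri]

    transport.calls = calls
    return transport


# Constructed sample bodies (clauses 6.1.6.2.2 and 6.1.6.2.3); values are illustrative.
SAMPLE_REQUEST = {
    "btId": "8f3a2b1c@bsf.example.org",
    "nafId": {"nafFqdn": "naf.example.org", "uaSecProtId": "0100000002"},
    "gbaUAware": True,
}
SAMPLE_RESPONSE = {"meKeyMaterial": "ab" * 32,
                   "keyExpiryTime": "2030-01-01T00:00:00Z", "gbaType": "3G_GBA"}


def demo_redirect_inside_set():
    """307 from bsf1 to bsf2, both in the configured set: the POST is repeated at bsf2."""
    first = operation_uri("https://bsf1.example.org", "BootstrappingInfoRetrieval")
    second = operation_uri("https://bsf2.example.org", "BootstrappingInfoRetrieval")
    transport = make_fake_transport({
        first: (307, {"Location": second, "3gpp-Sbi-Target-Nf-Id": "bsf2-instance"}, ""),
        second: (200, {"Content-Type": "application/json"}, json.dumps(SAMPLE_RESPONSE)),
    })
    result = invoke(first, SAMPLE_REQUEST, transport, {"bsf1.example.org", "bsf2.example.org"})
    return result, transport.calls


def demo_redirect_outside_set():
    """308 pointing at a host outside the set: refused, and the body is never re-sent."""
    first = operation_uri("https://bsf1.example.org", "BootstrappingInfoRetrieval")
    elsewhere = operation_uri("https://other.example.net", "BootstrappingInfoRetrieval")
    transport = make_fake_transport({first: (308, {"Location": elsewhere}, "")})
    try:
        invoke(first, SAMPLE_REQUEST, transport, {"bsf1.example.org"})
    except NbspGbaError as exc:
        return str(exc), len(transport.calls)
    return None, len(transport.calls)


if __name__ == "__main__":
    print(demo_redirect_inside_set())
    print(demo_redirect_outside_set())
```

In a real deployment the set membership would come from the NF profile data obtained through NRF discovery rather than a static set, and the optional 3gpp-Sbi-Target-Nf-Id header gives the consumer the instance ID to cross-check against that data.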
6.1.5 Notifications
In this release of this specification, no notifications are defined for the Nbsp_GBA service.
6.1.6 Data Model
6.1.6.1 General
This clause specifies the application data model supported by the API.
Table 6.1.6.1-1 specifies the data types defined for the Nbsp_GBA service-based interface protocol.
Table 6.1.6.1-1: Nbsp_GBA specific Data Types
| Data type | Clause defined | Description |
| BootstrappingInfoRequest | 6.1.6.2.2 | Request body of the HTTP POST operation for resource "/bootstrapping-info-request". |
| BootstrappingInfoResponse | 6.1.6.2.3 | Response body of the HTTP POST operation for resource "/bootstrapping-info-request". |
| PushInfoRequest | 6.1.6.2.4 | Request body of the HTTP POST operation for resource "/push-info-request". |
| PushInfoResponse | 6.1.6.2.5 | Response body of the HTTP POST operation for resource "/push-info-request". |
| NafId | 6.1.6.2.6 | NAF ID, containing the NAF FQDN and the Ua Security Protocol Identifier. |
| UssListItem | 6.1.6.2.7 | Data item in a User Security Settings array list. |
| Uss | 6.1.6.2.8 | User Security Settings for a given GAA Service. |
| UeIdsItem | 6.1.6.2.9 | Data item in a UE ID array list. |
| FlagsItem | 6.1.6.2.10 | Data item in a Flags array list. |
| GsId | 6.1.6.3.2 | GAA Service Identifier. |
| GsType | 6.1.6.3.2 | GAA Service Type. |
| BtId | 6.1.6.3.2 | Bootstrapping Transaction Identifier. |
| MeKeyMaterial | 6.1.6.3.2 | ME Key Material (hex-encoded string). |
| UiccKeyMaterial | 6.1.6.3.2 | UICC key material (hex-encoded string). |
| UeId | 6.1.6.3.2 | Public Identity of the UE. |
| Impi | 6.1.6.3.2 | IMS Private Identity of the UE. |
| Flag | 6.1.6.3.2 | GAA authorization flags, as defined in 3GPP TS 29.109 [17], Annex C. |
| GbaPushInfo | 6.1.6.3.2 | GBA Push Info (hex-encoded string). |
| NafGroup | 6.1.6.3.2 | NAF Group (string). |
| PtId | 6.1.6.3.2 | P-TID. |
| UiccAppLabel | 6.1.6.3.2 | UICC Application Label (string). |
| Auts | 6.1.6.3.2 | AUTS in UMTS AKA. |
| Rand | 6.1.6.3.2 | RAND in UMTS AKA. |
| KeyChoice | 6.1.6.3.3 | Type of key (ME-based or UICC-based) that the NAF shall use. |
| UiccOrMe | 6.1.6.3.4 | Indicates whether GBA_ME or GBA_U is to be used for GBA push. |
| SecFeature | 6.1.6.3.5 | Security features supported by the BSF or the NAF. |
| GbaType | 6.1.6.3.6 | Authentication type used by the UE for GBA. |
| UeIdType | 6.1.6.3.7 | Type of UE Identity (public or private). |
Table 6.1.6.1-2 specifies data types re-used by the Nbsp_GBA service-based interface protocol from other specifications, including a reference to their respective specifications and when needed, a short description of their use within the Nbsp_GBA service-based interface.
Table 6.1.6.1-2: Nbsp_GBA re-used Data Types
| Data type | Reference | Comments |
| Uint32 | 3GPP TS 29.571 [18] | Unsigned 32-bit integer. |
| DateTime | 3GPP TS 29.571 [18] | String with a "date-time" format, as defined by OpenAPI [6]. |
| ProblemDetails | 3GPP TS 29.571 [18] | Response body of error response messages. |
| RedirectResponse | 3GPP TS 29.571 [18] | Response body of a redirect response message. |
| Fqdn | 3GPP TS 29.571 [18] | Fully Qualified Domain Name. |
6.1.6.2 Structured data types
6.1.6.2.1 Introduction
This clause defines the structures to be used in resource representations.
6.1.6.2.2 Type: BootstrappingInfoRequest
Table 6.1.6.2.2-1: Definition of type BootstrappingInfoRequest
| Attribute name | Data type | P | Cardinality | Description |
| btId | BtId | M | 1 | Bootstrapping Transaction Identifier |
| nafId | NafId | M | 1 | NAF Identifier |
| gbaUAware | boolean | O | 0..1 | GBA-U Awareness Indicator. true: the sending node is GBA_U aware. false (default) or absent: the sending node is not GBA_U aware. |
| gsIds | array(GsId) | O | 1..N | GBA Service Identifiers |
6.1.6.2.3 Type: BootstrappingInfoResponse
Table 6.1.6.2.3-1: Definition of type BootstrappingInfoResponse
| Attribute name | Data type | P | Cardinality | Description |
| meKeyMaterial | MeKeyMaterial | M | 1 | ME key material (Ks_NAF or Ks_Ext_NAF) |
| uiccKeyMaterial | UiccKeyMaterial | O | 0..1 | UICC key material (Ks_Int_NAF) |
| keyExpiryTime | DateTime | O | 0..1 | Key expiry time |
| bootstrappingInfoCreationTime | DateTime | O | 0..1 | Bootstrapping Info Creation Time |
| ussList | array(UssListItem) | O | 1..N | GBA User Security Settings per GBA Service Identifier |
| gbaType | GbaType | O | 0..1 | Authentication type that was used by the UE during the bootstrapping procedure. |
| impi | Impi | O | 0..1 | UE Private Identity |
6.1.6.2.4 Type: PushInfoRequest
Table 6.1.6.2.4-1: Definition of type PushInfoRequest
| Attribute name | Data type | P | Cardinality | Description |
| ueId | UeId | M | 1 | User Identity. |
| ueIdType | UeIdType | M | 1 | Type of UE identity (public or private). |
| uiccAppLabel | UiccAppLabel | M | 1 | UICC Application Label. |
| nafId | NafId | M | 1 | NAF Identifier. |
| ptId | PtId | M | 1 | P-TID (NAF SA Identifier). |
| uiccOrMe | UiccOrMe | M | 1 | Indicates whether GBA_ME or GBA_U is to be used for GBA push. |
| requestedLifeTime | DateTime | M | 1 | Requested key lifetime for the NAF keys. |
| privateIdRequest | boolean | O | 0..1 | Indicates to the BSF whether the UE private identity shall be returned to the NAF in the response message. true: the private identity is requested by the NAF, and it shall be returned by the BSF. false (default) or absent: the private identity is not requested by the NAF. |
| gbaUAware | boolean | O | 0..1 | GBA-U Awareness Indicator. |
| gsIds | array(GsId) | O | 1..N | GBA Service Identifiers. |
| auts | Auts | O | 0..1 | AUTS in UMTS AKA. |
| rand | Rand | O | 0..1 | RAND in UMTS AKA. |
| securityFeaturesRequest | array(SecFeature) | O | 1..N | Security Features supported by the NAF. |
6.1.6.2.5 Type: PushInfoResponse
Table 6.1.6.2.5-1: Definition of type PushInfoResponse
| Attribute name | Data type | P | Cardinality | Description |
| meKeyMaterial | MeKeyMaterial | M | 1 | ME key material (Ks_NAF or Ks_Ext_NAF). |
| gbaPushInfo | GbaPushInfo | M | 1 | GBA Push Info |
| uiccKeyMaterial | UiccKeyMaterial | O | 0..1 | UICC key material (Ks_Int_NAF). |
| keyExpiryTime | DateTime | O | 0..1 | Key expiry time. |
| bootstrappingInfoCreationTime | DateTime | O | 0..1 | Bootstrapping Info Creation Time. |
| ussList | array(UssListItem) | O | 1..N | GBA User Security Settings per GBA Service Identifier |
| gbaType | GbaType | O | 0..1 | GBA Type. |
| impi | Impi | O | 0..1 | UE Private Identity. |
| securityFeaturesResponse | array(SecFeature) | O | 0..N | If the BSF does not support the usage of securityFeatures or the NAF did not include any securityFeaturesRequest attribute in the PushInfoRequest message, this IE shall be absent. If the securityFeatures element is not defined in the GUSS of the UE, or there is no common securityFeature between NAF and BSF, the BSF shall include an empty array in the securityFeaturesResponse attribute. |
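The securityFeaturesResponse rule above distinguishes three outcomes (attribute absent, empty array, populated array), and the absent/empty distinction is easy to lose when a body is serialised. The following added example (not code from TS 29.309 or any 3GPP implementation) derives the attribute on the BSF side and assembles a PushInfoResponse that keeps the distinction on the wire. It assumes the GUSS has already been decoded into a list of SecFeature strings (or None when the element is not defined), that the BSF's own supported features are known as a set, and that values outside the SecFeature enumeration are dropped from the request before matching (a choice made here, not stated by the spec).

```python
"""Deriving securityFeaturesResponse for a PushInfoResponse (table 6.1.6.2.5-1).

Added illustrative code, not from TS 29.309 or any 3GPP implementation.
Inputs: whether the BSF supports the securityFeatures mechanism at all, the
SecFeature values the BSF supports, the securityFeaturesRequest array from the
PushInfoRequest (None when the attribute was absent) and the securityFeatures
element of the UE's GUSS (None when not defined). GUSS decoding is assumed done.
"""
import json

SEC_FEATURE_VALUES = {"GPL_U"}   # the only value defined in table 6.1.6.3.5-1


def security_features_response(bsf_supports_mechanism, bsf_features,
                               request_features, guss_features):
    """Return None when the attribute shall be absent, otherwise the array to send."""
    if not bsf_supports_mechanism or request_features is None:
        return None                      # IE shall be absent
    if guss_features is None:
        return []                        # GUSS defines no securityFeatures: empty array
    # Drop values outside the enumeration (choice made here), then keep only
    # what NAF, BSF and GUSS have in common; [] when there is nothing in common.
    requested = [f for f in request_features if f in SEC_FEATURE_VALUES]
    return [f for f in requested if f in bsf_features and f in guss_features]


def build_push_info_response(me_key_material, gba_push_info, sec_features):
    """Mandatory attributes plus securityFeaturesResponse only when it is not None,
    so 'absent' and 'empty array' remain distinguishable after serialisation."""
    body = {"meKeyMaterial": me_key_material, "gbaPushInfo": gba_push_info}
    if sec_features is not None:
        body["securityFeaturesResponse"] = sec_features
    return body


def encode(body):
    """Compact JSON as sent in the HTTP body (content type application/json)."""
    return json.dumps(body, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed values: the key material and push info are placeholders, not real keys.
    for req, guss in ((None, ["GPL_U"]), (["GPL_U"], None), (["GPL_U"], ["GPL_U"])):
        feats = security_features_response(True, {"GPL_U"}, req, guss)
        print(encode(build_push_info_response("ab" * 32, "0102", feats)))
```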
6.1.6.2.6 Type: NafId
Table 6.1.6.2.6-1: Definition of type NafId
| Attribute name | Data type | P | Cardinality | Description |
| nafFqdn | Fqdn | M | 1 | FQDN of the NAF. |
| uaSecProtId | string | M | 1 | Ua Security Protocol Identifier. It shall contain 5 octets, as described in 3GPP TS 33.220 [14], encoded as a sequence of 10 hexadecimal characters. pattern: "^[A-Fa-f0-9]{10}$" |
6.1.6.2.7 Type: UssListItem
Table 6.1.6.2.7-1: Definition of type UssListItem
| Attribute name | Data type | P | Cardinality | Description |
| uss | Uss | M | 1 | User Security Settings. |
6.1.6.2.8 Type: Uss
Table 6.1.6.2.8-1: Definition of type Uss
| Attribute name | Data type | P | Cardinality | Description |
| gsId | GsId | M | 1 | GAA Service ID. |
| gsType | GsType | M | 1 | GAA Service Type. |
| ueIds | array(UeIdsItem) | M | 1..N | List of UE Identities |
| nafGroup | NafGroup | O | 0..1 | NAF Group. |
| flags | array(FlagsItem) | O | 1..N | List of security flags supported for the current GAA service. |
| keyChoice | KeyChoice | O | 0..1 | Type of key that the NAF shall use. |
6.1.6.2.9 Type: UeIdsItem
Table 6.1.6.2.9-1: Definition of type UeIdsItem
| Attribute name | Data type | P | Cardinality | Description |
| ueId | UeId | M | 1 | Identity of the UE |
6.1.6.2.10 Type: FlagsItem
Table 6.1.6.2.10-1: Definition of type FlagsItem
| Attribute name | Data type | P | Cardinality | Description |
| flag | Flag | M | 1 | Security flag supported for the corresponding GAA Service. |
6.1.6.3 Simple data types and enumerations
6.1.6.3.1 Introduction
This clause defines simple data types and enumerations that can be referenced from data structures defined in the previous clauses.
6.1.6.3.2 Simple data types
The simple data types defined in table 6.1.6.3.2-1 shall be supported.
Table 6.1.6.3.2-1: Simple data types
| Type Name | Type Definition | Description |
| GsId | Uint32 | GAA Service Identifier. For 3GPP standardized values, see 3GPP TS 29.109 [17], Annex B. |
| GsType | Uint32 | GAA Service Type. For 3GPP standardized values, see 3GPP TS 29.109 [17], Annex B. |
| BtId | string | Bootstrapping Transaction Identifier. It shall take the form of a NAI, where the realm part identifies the FQDN of the BSF. See 3GPP TS 33.220 [14]. |
| MeKeyMaterial | string | ME key material, containing a 256-bit key, encoded as a sequence of 64 hexadecimal characters. pattern: "^[A-Fa-f0-9]{64}$" |
| UiccKeyMaterial | string | UICC key material, containing a 256-bit key, encoded as a sequence of 64 hexadecimal characters. pattern: "^[A-Fa-f0-9]{64}$" |
| UeId | string | Identity of the UE. |
| Impi | string | IMS Private Identity of the UE. |
| Flag | Uint32 | GAA authorization flags, associated to the specific GAA Service Type, as defined in 3GPP TS 29.109 [17], Annex C. |
| GbaPushInfo | string | GBA Push Info binary data, as defined in 3GPP TS 33.223 [15], clause 5.3.5, encoded as a sequence of hexadecimal characters. pattern: "^([A-Fa-f0-9]{2})+$" |
| NafGroup | string | NAF Group. |
| PtId | string | P-TID. |
| UiccAppLabel | string | UICC Application Label. |
| Auts | string | AUTS in UMTS AKA, containing a 112-bit value, encoded as a sequence of 28 hexadecimal characters. pattern: "^[A-Fa-f0-9]{28}$" |
| Rand | string | RAND in UMTS AKA, containing a 128-bit value, encoded as a sequence of 32 hexadecimal characters. pattern: "^[A-Fa-f0-9]{32}$" |
6.1.6.3.3 Enumeration: KeyChoice
The enumeration KeyChoice represents the type of key that the NAF shall use. It shall comply with the provisions defined in table 6.1.6.3.3-1.
Table 6.1.6.3.3-1: Enumeration KeyChoice
| Enumeration value | Description |
| "ME_BASED_KEY" | Ks_NAF or Ks_ext_NAF shall be used by the NAF. |
| "UICC_BASED_KEY" | Ks_int_NAF shall be used by the NAF. |
| "ME_UICC_BASED_KEYS" | Ks_ext_NAF or Ks_int_NAF can be used by the NAF. |
6.1.6.3.4 Enumeration: UiccOrMe
The enumeration UiccOrMe represents whether GBA_ME or GBA_U is to be used for GBA push. It shall comply with the provisions defined in table 6.1.6.3.4-1.
Table 6.1.6.3.4-1: Enumeration UiccOrMe
| Enumeration value | Description |
| "GBA_ME" | GBA_ME shall be used. |
| "GBA_U" | GBA_U shall be used. |
6.1.6.3.5 Enumeration: SecFeature
The enumeration SecFeature represents security features supported by the BSF or the NAF. It shall comply with the provisions defined in table 6.1.6.3.5-1.
Table 6.1.6.3.5-1: Enumeration SecFeature
| Enumeration value | Description |
| "GPL_U" | The UICC supports Generic Push Layer, as specified in 3GPP TS 33.224 [16]. |
6.1.6.3.6 Enumeration: GbaType
The enumeration GbaType represents the authentication type that was used during bootstrapping procedure. It shall comply with the provisions defined in table 6.1.6.3.6-1.
Table 6.1.6.3.6-1: Enumeration GbaType
| Enumeration value | Description |
| "3G_GBA" | The 3G GBA has been performed as defined in 3GPP TS 33.220 [14]. |
| "2G_GBA" | The 2G GBA has been performed as defined in 3GPP TS 33.220 [14], Annex I. |
| "GBA_DIGEST" | The GBA Digest has been performed as defined in 3GPP TS 33.220 [14], Annex M. |
6.1.6.3.7 Enumeration: UeIdType
The enumeration UeIdType represents the type of the identity of the user. It shall comply with the provisions defined in table 6.1.6.3.7-1.
Table 6.1.6.3.7-1: Enumeration UeIdType
| Enumeration value | Description |
| "PUBLIC" | Public user identity. |
| "PRIVATE" | Private user identity. |
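The structured types of clause 6.1.6.2, the patterned simple types of clause 6.1.6.3.2 and the enumerations of clauses 6.1.6.3.3 to 6.1.6.3.7 together define what a conforming request body looks like. The following added example (not code from TS 29.309 or any 3GPP implementation) turns that into a validator for BootstrappingInfoRequest, PushInfoRequest and NafId, checking mandatory presence, the 1..N versus 0..1 cardinalities, the hex patterns and the enumeration values. Fqdn and DateTime are only checked to be strings (their formats are in TS 29.571 and OpenAPI, not reproduced here), the name UaSecProtId is chosen here for the inline-defined uaSecProtId string, and the sample bodies are constructed values.

```python
"""Validator for Nbsp_GBA request bodies against the clause 6.1.6 data model.

Added illustrative code, not from TS 29.309 or any 3GPP implementation.
Fqdn and DateTime are checked only as strings; UaSecProtId is a name chosen
here for the uaSecProtId string of table 6.1.6.2.6-1.
"""
import re

PATTERNS = {                       # patterns quoted in tables 6.1.6.3.2-1 and 6.1.6.2.6-1
    "MeKeyMaterial": r"^[A-Fa-f0-9]{64}$", "UiccKeyMaterial": r"^[A-Fa-f0-9]{64}$",
    "GbaPushInfo": r"^([A-Fa-f0-9]{2})+$", "Auts": r"^[A-Fa-f0-9]{28}$",
    "Rand": r"^[A-Fa-f0-9]{32}$", "UaSecProtId": r"^[A-Fa-f0-9]{10}$",
}
ENUMS = {                          # clauses 6.1.6.3.3 to 6.1.6.3.7
    "KeyChoice": {"ME_BASED_KEY", "UICC_BASED_KEY", "ME_UICC_BASED_KEYS"},
    "UiccOrMe": {"GBA_ME", "GBA_U"}, "SecFeature": {"GPL_U"},
    "GbaType": {"3G_GBA", "2G_GBA", "GBA_DIGEST"}, "UeIdType": {"PUBLIC", "PRIVATE"},
}
UINT32 = {"GsId", "GsType", "Flag", "Uint32"}

# Structured types: attribute -> (data type, mandatory, cardinality as written in the tables).
STRUCTS = {
    "NafId": {"nafFqdn": ("Fqdn", True, "1"), "uaSecProtId": ("UaSecProtId", True, "1")},
    "BootstrappingInfoRequest": {
        "btId": ("BtId", True, "1"), "nafId": ("NafId", True, "1"),
        "gbaUAware": ("boolean", False, "0..1"), "gsIds": ("GsId", False, "1..N"),
    },
    "PushInfoRequest": {
        "ueId": ("UeId", True, "1"), "ueIdType": ("UeIdType", True, "1"),
        "uiccAppLabel": ("UiccAppLabel", True, "1"), "nafId": ("NafId", True, "1"),
        "ptId": ("PtId", True, "1"), "uiccOrMe": ("UiccOrMe", True, "1"),
        "requestedLifeTime": ("DateTime", True, "1"),
        "privateIdRequest": ("boolean", False, "0..1"), "gbaUAware": ("boolean", False, "0..1"),
        "gsIds": ("GsId", False, "1..N"), "auts": ("Auts", False, "0..1"),
        "rand": ("Rand", False, "0..1"), "securityFeaturesRequest": ("SecFeature", False, "1..N"),
    },
}


def _check_value(value, dtype, path):
    """Check one non-array value; return a list of violation strings."""
    if dtype in STRUCTS:
        return validate(value, dtype, path)
    if dtype == "boolean":
        return [] if isinstance(value, bool) else [f"{path}: expected boolean"]
    if dtype in UINT32:
        ok = isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 0xFFFFFFFF
        return [] if ok else [f"{path}: expected Uint32"]
    if not isinstance(value, str):
        return [f"{path}: expected string"]
    if dtype in PATTERNS and not re.match(PATTERNS[dtype], value):
        return [f"{path}: does not match the pattern for {dtype}"]
    if dtype in ENUMS and value not in ENUMS[dtype]:
        return [f"{path}: {value!r} is not a defined {dtype} value"]
    if dtype == "BtId" and ("@" not in value or not value.rsplit("@", 1)[1]):
        return [f"{path}: BtId shall be a NAI whose realm part is the BSF FQDN"]
    return []


def validate(body, type_name, path=""):
    """Return every violation of the STRUCTS entry for type_name found in body."""
    if not isinstance(body, dict):
        return [f"{path or type_name}: expected a JSON object"]
    errors = []
    for attr, (dtype, mandatory, card) in STRUCTS[type_name].items():
        here = f"{path}.{attr}" if path else attr
        if attr not in body:
            if mandatory:
                errors.append(f"{here}: mandatory attribute missing")
            continue
        value = body[attr]
        if card.endswith("N"):                       # array-valued attribute
            if not isinstance(value, list):
                errors.append(f"{here}: expected array")
                continue
            if card == "1..N" and not value:
                errors.append(f"{here}: array shall not be empty (cardinality 1..N)")
            for i, item in enumerate(value):
                errors += _check_value(item, dtype, f"{here}[{i}]")
        else:
            errors += _check_value(value, dtype, here)
    return errors   # attributes not listed in the table are left alone, not rejected


# Constructed sample bodies; the values are illustrative, not real subscriber data.
GOOD_BOOTSTRAPPING = {
    "btId": "8f3a2b1c@bsf.example.org",
    "nafId": {"nafFqdn": "naf.example.org", "uaSecProtId": "0100000002"},
    "gbaUAware": True, "gsIds": [1, 2],
}
BAD_BOOTSTRAPPING = {
    "btId": "8f3a2b1c",                                                  # no realm part
    "nafId": {"nafFqdn": "naf.example.org", "uaSecProtId": "01000000"},  # 8 hex digits, not 10
    "gsIds": [],                                                         # violates 1..N
}
GOOD_PUSH = {
    "ueId": "user@example.org", "ueIdType": "PUBLIC", "uiccAppLabel": "USIM",
    "nafId": {"nafFqdn": "naf.example.org", "uaSecProtId": "0100000002"},
    "ptId": "p-tid-1", "uiccOrMe": "GBA_U", "requestedLifeTime": "2030-01-01T00:00:00Z",
    "rand": "0f" * 16, "securityFeaturesRequest": ["GPL_U"],
}

if __name__ == "__main__":
    print(validate(GOOD_BOOTSTRAPPING, "BootstrappingInfoRequest"))
    print(validate(BAD_BOOTSTRAPPING, "BootstrappingInfoRequest"))
```

Rejecting a malformed body with a ProblemDetails response (content type application/problem+json, as clause 6.1.2.2.2 requires) before any key material is looked up keeps the patterned fields, which are later handed to hex decoders and key derivation, from reaching that code unchecked. Unknown attributes are deliberately not rejected here, which keeps the validator compatible with later extensions of the data model.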
6.1.7 Error Handling
6.1.7.1 General
For the Nbsp_GBA API, HTTP error responses shall be supported as specified in clause 4.8 of 3GPP TS 29.501 [5]. Protocol errors and application errors specified in table 5.2.7.2-1 of 3GPP TS 29.500 [4] shall be supported for an HTTP method if the corresponding HTTP status codes are specified as mandatory for that HTTP method in table 5.2.7.1-1 of 3GPP TS 29.500 [4].
In addition, the requirements in the following clauses are applicable for the Nbsp_GBA API.
6.1.7.2 Protocol Errors
No specific procedures for the Nbsp_GBA service are specified.
6.1.7.3 Application Errors
The application errors defined for the Nbsp_GBA service are listed in Table 6.1.7.3-1.
Table 6.1.7.3-1: Application errors
| Application Error | HTTP status code | Description |
6.1.8 Feature negotiation
The optional features in table 6.1.8-1 are defined for the Nbsp_GBA API. They shall be negotiated using the extensibility mechanism defined in clause 6.6 of 3GPP TS 29.500 [4].
Table 6.1.8-1: Supported Features
| Feature number | Feature Name | Description |
6.1.9 Security
As indicated in 3GPP TS 33.501 [8] and 3GPP TS 29.500 [4], the access to the Nbsp_GBA API may be authorized by means of the OAuth2 protocol (see IETF RFC 6749 [9]), based on local configuration, using the "Client Credentials" authorization grant, where the NRF (see 3GPP TS 29.510 [10]) plays the role of the authorization server.
If OAuth2 is used, an NF Service Consumer, prior to consuming services offered by the Nbsp_GBA API, shall obtain a "token" from the authorization server, by invoking the Access Token Request service, as described in 3GPP TS 29.510 [10], clause 5.4.2.2.
NOTE: When multiple NRFs are deployed in a network, the NRF used as authorization server is the same NRF that the NF Service Consumer used for discovering the Nbsp_GBA service.
The Nbsp_GBA API defines a single scope "nbsp-gba" for the entire service, and it does not define any additional scopes at resource or operation level.
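The following is an added example (not code from TS 29.309, TS 29.510 or any 3GPP implementation) of the check the NF service producer performs on the NRF-issued access token before serving either custom operation: signature, expiry, audience and the single "nbsp-gba" scope defined above. It assumes the token is a JWS compact serialisation signed with HS256 under a secret shared between NRF and BSF; that signing arrangement, the audience value and the claim names used for the audience check are assumptions for this example (deployments may use asymmetric keys, and the exact claim set is specified in TS 29.510), and `issue_token` is a constructed stand-in for the NRF so that the example runs offline.

```python
"""Producer-side authorization check of an OAuth2 access token for Nbsp_GBA.

Added illustrative code, not from TS 29.309/29.510 or any 3GPP implementation.
Assumptions: JWS compact serialisation, HS256 over a secret shared by NRF and
BSF; "aud" carries a producer instance identifier (constructed placeholder here).
"""
import base64
import hashlib
import hmac
import json
import time

REQUIRED_SCOPE = "nbsp-gba"               # the single scope defined in clause 6.1.9
PRODUCER_ID = "bsf-instance-id-placeholder"  # constructed; the real value is the BSF's own identity


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, consumer_nf_id, scope, lifetime_s, audience=PRODUCER_ID, now=None):
    """Constructed stand-in for the NRF's Access Token Request response (TS 29.510)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": consumer_nf_id, "aud": audience,
                                 "scope": scope, "exp": now + lifetime_s}).encode())
    signature = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(signature)}"


def authorize_request(token, secret, now=None):
    """Return (allowed, reason). Every check runs before any bootstrapping data is touched."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    # Pin the algorithm before verifying, so "alg": "none" or a swapped
    # algorithm can never make the signature check pass.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("aud") != PRODUCER_ID:
        return False, "token issued for a different producer"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "token expired"
    if REQUIRED_SCOPE not in str(claims.get("scope", "")).split():
        return False, f"scope {REQUIRED_SCOPE!r} not granted"
    return True, "ok"


if __name__ == "__main__":
    shared = b"constructed-shared-secret"
    good = issue_token(shared, "naf-instance-1", "nbsp-gba", 300)
    print(authorize_request(good, shared))
    print(authorize_request(issue_token(shared, "naf-instance-1", "some-other-scope", 300), shared))
```

Because the API defines no finer-grained scopes, the scope check is all-or-nothing for the service; the audience check is what stops a token minted for another producer in the same PLMN from being replayed against the BSF.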
Annex A (normative): OpenAPI specification