6.3 Nudm_UEAuthentication Service API
3GPP TS 29.503: 5G System; Unified Data Management Services; Stage 3 (Release 18)
6.3.1 API URI
URIs of this API shall have the following root:
{apiRoot}/<apiName>/<apiVersion>
The request URI used in HTTP request from the NF service consumer towards the NF service producer shall have the structure defined in clause 4.4.1 of 3GPP TS 29.501 [5], i.e.:
{apiRoot}/<apiName>/<apiVersion>/<apiSpecificResourceUriPart>
with the following components:
– The {apiRoot} shall be set as described in 3GPP TS 29.501 [5].
– The <apiName> shall be "nudm-ueau".
– The <apiVersion> shall be "v1".
– The <apiSpecificResourceUriPart> shall be set as described in clause 6.3.3.
6.3.2 Usage of HTTP
6.3.2.1 General
HTTP/2, as defined in IETF RFC 7540 [13], shall be used as specified in clause 5 of 3GPP TS 29.500 [4].
HTTP/2 shall be transported as specified in clause 5.3 of 3GPP TS 29.500 [4].
HTTP messages and bodies for the Nudm_UEAU service shall comply with the OpenAPI [14] specification contained in Annex A4.
6.3.2.2 HTTP standard headers
6.3.2.2.1 General
The usage of HTTP standard headers shall be supported as specified in clause 5.2.2 of 3GPP TS 29.500 [4].
6.3.2.2.2 Content type
The following content types shall be supported:
– JSON, as defined in IETF RFC 8259 [15], signalled by the content type "application/json";
– the Problem Details JSON Object (IETF RFC 7807 [16]), signalled by the content type "application/problem+json".
6.3.2.3 HTTP custom headers
6.3.2.3.1 General
The usage of HTTP custom headers shall be supported as specified in clause 5.2.3 of 3GPP TS 29.500 [4].
6.3.3 Resources
6.3.3.1 Overview
This clause describes the structure for the Resource URIs and the resources and methods used for the service.
Figure 6.3.3.1-1 depicts the resource URIs structure for the Nudm_UEAU API.
Figure 6.3.3.1-1: Resource URI structure of the Nudm_UEAU API
Table 6.3.3.1-1 provides an overview of the resources and applicable HTTP methods.
Table 6.3.3.1-1: Resources and methods overview
Resource name | Resource URI | HTTP method or custom operation | Description
SecurityInformation | /{supiOrSuci}/security-information/generate-auth-data | generate-auth-data (POST) | If the variable {supiOrSuci} takes the value of a SUCI, the UDM calculates the corresponding SUPI. If the variable {supiOrSuci} takes the value of an anonymous SUCI, the UDM calculates the corresponding anonymous SUPI. The UDM calculates a fresh authentication vector based on the received information and the stored security information for the SUPI if 5G-AKA or EAP-AKA’ is selected. Otherwise, the UDM provides the corresponding authentication information.
SecurityInformationForRg | /{supiOrSuci}/security-information-rg | GET | If the variable {supiOrSuci} takes the value of a SUCI, the UDM calculates the corresponding SUPI. The UDM decides, based on the received information and the stored authentication profile of the SUPI, that authentication by the home network is not required for the FN-RG.
AuthEvents | /{supi}/auth-events | POST | Create an Authentication Event
Individual AuthEvent | /{supi}/auth-events/{authEventId} | PUT | Update an Authentication Event
HssSecurityInformation (Custom operation) | /{supi}/hss-security-information/{hssAuthType}/generate-av | generate-av (POST) | The UDM generates the authentication vector(s) of the requested type based on stored security information for the SUPI.
GbaSecurityInformation (Custom operation) | /{supi}/gba-security-information/generate-av | generate-av (POST) | The UDM generates the authentication vector(s) of the requested type based on stored security information for the SUPI.
ProSeSecurityInformation (Custom operation) | /{supiOrSuci}/prose-security-information/generate-av | generate-av (POST) | If the variable {supiOrSuci} takes the value of a SUCI, the UDM calculates the corresponding SUPI. The UDM decides, based on the received information and the stored authentication profile of the SUPI.
6.3.3.2 Resource: SecurityInformation (Custom operation)
6.3.3.2.1 Description
This resource represents the information that is needed together with the serving network name and the access type to calculate a fresh authentication vector. See 3GPP TS 33.501 [6].
6.3.3.2.2 Resource Definition
Resource URI: {apiRoot}/nudm-ueau/v1/{supiOrSuci}/security-information
This resource shall support the resource URI variables defined in table 6.3.3.2.2-1.
Table 6.3.3.2.2-1: Resource URI variables for this resource
Name | Data type | Definition
apiRoot | string | See clause 6.3.1
supiOrSuci | string | Represents the Subscription Permanent Identifier (see 3GPP TS 23.501 [2] clause 5.9.2), or Subscription Concealed Identifier (see 3GPP TS 23.003 [8]). Pattern: see pattern of type SupiOrSuci in 3GPP TS 29.571 [7] (see NOTE 1, NOTE 2, NOTE 3).
NOTE 1: The format for SUCI, when the corresponding SUPI is NAI-based, contains a realm that may include a "minus" character ("-"), which is also used as field separator. Given that the NAI and its realm shall conform to IETF RFC 7542 [29], the regular expression defined here allows for non-ambiguous matching of the different fields of the SUCI, even when the realm contains the "minus" character.
NOTE 2: When the SUCI corresponds to a SUPI of type IMSI, and the Null protection scheme is used, the MSIN of the IMSI (which is formatted by the UE and sent over the NAS protocol as Binary Coded Decimal, BCD) shall be formatted in the SUCI as a UTF-8 string containing all decimal digits of the MSIN; see Annex C for SUCI encoding examples.
NOTE 3: If the anonymous SUCI contains the realm part, the UDM calculates the corresponding anonymous SUPI.
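The following is an added example (not code from TS 29.503 or any 3GPP implementation) of how a producer can classify the {supiOrSuci} path variable and, for the null protection scheme described in NOTE 2, derive the SUPI the UDM goes on to use. It assumes the IMSI-based SUCI layout suci-<type>-<MCC>-<MNC>-<RoutingIndicator>-<SchemeId>-<HnKeyId>-<SchemeOutput> of 3GPP TS 23.003 clause 2.2B and the scheme ids 0 (null), 1 and 2 (ECIES Profile A/B) of TS 33.501; all identifiers in it are constructed.

```python
"""Added example, not part of TS 29.503: handling of the {supiOrSuci} path
variable the way the resource tables describe it (a SUCI is mapped to the SUPI
the UDM then uses). Assumed, not taken from this page: the IMSI-based SUCI
layout of TS 23.003 clause 2.2B and the scheme ids of TS 33.501 Annex C.
All identifiers below are constructed sample values."""
import re
from dataclasses import dataclass
from typing import Optional

NULL_SCHEME = 0
ECIES_SCHEMES = {1, 2}  # Profile A / Profile B: de-concealment needs the HN private key (SIDF)


@dataclass(frozen=True)
class ImsiSuci:
    mcc: str
    mnc: str
    routing_indicator: str
    scheme_id: int
    hn_key_id: int
    scheme_output: str


# suci-<type 0>-<MCC>-<MNC>-<RID>-<SchemeId>-<HnKeyId>-<SchemeOutput> (assumed layout)
_IMSI_SUCI = re.compile(
    r"^suci-0-(?P<mcc>[0-9]{3})-(?P<mnc>[0-9]{2,3})-(?P<rid>[0-9]{1,4})"
    r"-(?P<scheme>[0-9]+)-(?P<hnkey>[0-9]+)-(?P<out>[0-9A-Fa-f]+)$"
)


def parse_imsi_suci(value: str) -> Optional[ImsiSuci]:
    """Split an IMSI-based (type 0) SUCI into its fields; None if it does not match."""
    m = _IMSI_SUCI.match(value)
    if m is None:
        return None
    return ImsiSuci(m["mcc"], m["mnc"], m["rid"], int(m["scheme"]),
                    int(m["hnkey"]), m["out"])


def resolve_supi_or_suci(value: str) -> dict:
    """Classify the path variable and derive the SUPI where the null scheme allows it.

    Result keys: kind ("supi" | "suci" | "invalid"), supi (str or None),
    cause (an application error name from table 6.3.3.2.4.2.2-2, or None) and
    needs_sidf (True when an ECIES-protected SUCI must first be de-concealed).
    """
    out = {"kind": "suci", "supi": None, "cause": None, "needs_sidf": False}
    if value.startswith(("imsi-", "nai-")):          # already a SUPI: nothing to derive
        return dict(out, kind="supi", supi=value)
    if not value.startswith("suci-"):
        return dict(out, kind="invalid")
    suci = parse_imsi_suci(value)
    if suci is None:
        # NAI-based (type 1) SUCIs carry a realm and are matched by the fuller
        # SupiOrSuci pattern of TS 29.571; this example does not derive them.
        return out
    if suci.scheme_id == NULL_SCHEME:
        # NOTE 2: with the null scheme the scheme output is the MSIN as a UTF-8
        # string of decimal digits, so the SUPI is imsi-<MCC><MNC><MSIN>.
        msin = suci.scheme_output
        imsi = suci.mcc + suci.mnc + msin
        if not msin.isdigit() or not 5 <= len(imsi) <= 15:
            return dict(out, cause="INVALID_SCHEME_OUTPUT")
        return dict(out, supi=f"imsi-{imsi}")
    if suci.scheme_id in ECIES_SCHEMES:
        # the SIDF would decrypt the scheme output here; not implemented in this example
        return dict(out, needs_sidf=True)
    return dict(out, cause="UNSUPPORTED_PROTECTION_SCHEME")   # 501 in table 6.3.3.2.4.2.2-2
```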
6.3.3.2.3 Resource Standard Methods
No Standard Methods are supported for this resource.
6.3.3.2.4 Resource Custom Operations
6.3.3.2.4.1 Overview
Table 6.3.3.2.4.1-1: Custom operations
Operation Name | Custom operation URI | Mapped HTTP method | Description
generate-auth-data | /generate-auth-data | POST | Select the authentication method and calculate a fresh AV if 5G-AKA or EAP-AKA’ is selected, or provide the corresponding authentication information.
6.3.3.2.4.2 Operation: generate-auth-data
6.3.3.2.4.2.1 Description
This custom operation is used by the NF service consumer (AUSF) to request authentication information data for the SUPI/SUCI from the UDM. If SUCI is provided, the UDM calculates the SUPI from the SUCI (see 3GPP TS 33.501 [6]). The UDM calculates an authentication vector taking into account the information received from the NF service consumer (AUSF) and the current representation of this resource if 5G AKA or EAP-AKA’ is selected. For details see 3GPP TS 33.501 [6].
6.3.3.2.4.2.2 Operation Definition
This operation shall support the request data structures specified in table 6.3.3.2.4.2.2-1 and the response data structure and response codes specified in table 6.3.3.2.4.2.2-2.
Table 6.3.3.2.4.2.2-1: Data structures supported by the POST Request Body on this resource
Data type | P | Cardinality | Description
AuthenticationInfoRequest | M | 1 | Contains the serving network name and Resynchronization Information
Table 6.3.3.2.4.2.2-2: Data structures supported by the POST Response Body on this resource
Data type | P | Cardinality | Response codes | Description
AuthenticationInfoResult | M | 1 | 200 OK | Upon success, a response body containing the selected authentication method and, if 5G AKA or EAP-AKA’ has been selected, an authentication vector shall be returned.
ProblemDetails | O | 0..1 | 404 Not Found | The "cause" attribute may be used to indicate one of the following application errors: – USER_NOT_FOUND
ProblemDetails | O | 0..1 | 403 Forbidden | The "cause" attribute may be used to indicate one of the following application errors: – AUTHENTICATION_REJECTED – INVALID_HN_PUBLIC_KEY_IDENTIFIER – INVALID_SCHEME_OUTPUT
ProblemDetails | O | 0..1 | 501 Not Implemented | The "cause" attribute may be used to indicate one of the following application errors: – UNSUPPORTED_PROTECTION_SCHEME. This response shall not be cached.
NOTE: In addition, common data structures as listed in table 5.2.7.1-1 of 3GPP TS 29.500 [4] are supported.
6.3.3.3 Resource: AuthEvents (Collection)
6.3.3.3.1 Description
This resource represents the collection of UE authentication events.
6.3.3.3.2 Resource Definition
Resource URI: {apiRoot}/nudm-ueau/v1/{supi}/auth-events
This resource shall support the resource URI variables defined in table 6.3.3.3.2-1.
Table 6.3.3.3.2-1: Resource URI variables for this resource
Name | Data type | Definition
apiRoot | string | See clause 6.3.1
supi | Supi | Represents the Subscription Permanent Identifier (see 3GPP TS 23.501 [2] clause 5.9.2)
6.3.3.3.3 Resource Standard Methods
6.3.3.3.3.1 POST
This method shall support the URI query parameters specified in table 6.3.3.3.3.1-1.
Table 6.3.3.3.3.1-1: URI query parameters supported by the POST method on this resource
Name | Data type | P | Cardinality | Description
n/a | | | |
This method shall support the request data structures specified in table 6.3.3.3.3.1-2 and the response data structures and response codes specified in table 6.3.3.3.3.1-3.
Table 6.3.3.3.3.1-2: Data structures supported by the POST Request Body on this resource
Data type | P | Cardinality | Description
AuthEvent | M | 1 | The UE Authentication Event
Table 6.3.3.3.3.1-3: Data structures supported by the POST Response Body on this resource
Data type | P | Cardinality | Response codes | Description
AuthEvent | O | 0..1 | 201 Created | Upon success, a response body containing a representation of the created Authentication Event may be returned. The HTTP response shall include a "Location" HTTP header that contains the resource URI of the created resource.
ProblemDetails | O | 0..1 | 404 Not Found | The "cause" attribute may be used to indicate one of the following application errors: – USER_NOT_FOUND
NOTE: In addition, common data structures as listed in table 5.2.7.1-1 of 3GPP TS 29.500 [4] are supported.
Table 6.3.3.3.3.1-4: Headers supported by the 201 Response Code on this resource
Name | Data type | P | Cardinality | Description
Location | string | M | 1 | Contains the URI of the newly created resource, according to the structure: {apiRoot}/nudm-ueau/v1/{supi}/auth-events/{authEventId}
6.3.3.4 Resource: SecurityInformationForRg
6.3.3.4.1 Description
This resource represents the security information of FN-RG, see 3GPP TS 33.501 [6].
6.3.3.4.2 Resource Definition
Resource URI: {apiRoot}/nudm-ueau/v1/{supiOrSuci}/security-information-rg
This resource shall support the resource URI variables defined in table 6.3.3.4.2-1.
Table 6.3.3.4.2-1: Resource URI variables for this resource
Name | Data type | Definition
apiRoot | string | See clause 6.3.1
supiOrSuci | string | Represents the Subscription Permanent Identifier (see 3GPP TS 23.501 [2] clause 5.9.2), or Subscription Concealed Identifier (see 3GPP TS 23.003 [8]). Pattern: see pattern of type SupiOrSuci in 3GPP TS 29.571 [7] (see NOTE 1, NOTE 2).
NOTE 1: The format for SUCI, when the corresponding SUPI is NAI-based, contains a realm that may include a "minus" character ("-"), which is also used as field separator. Given that the NAI and its realm shall conform to IETF RFC 7542 [29], the regular expression defined here allows for non-ambiguous matching of the different fields of the SUCI, even when the realm contains the "minus" character.
NOTE 2: When the SUCI corresponds to a SUPI of type IMSI, and the Null protection scheme is used, the MSIN of the IMSI (which is formatted by the UE and sent over the NAS protocol as Binary Coded Decimal, BCD) shall be formatted in the SUCI as a UTF-8 string containing all decimal digits of the MSIN; see Annex C for SUCI encoding examples.
6.3.3.4.3 Resource Standard Methods
6.3.3.4.3.1 GET
This method shall support the URI query parameters specified in table 6.3.3.4.3.1-1.
Table 6.3.3.4.3.1-1: URI query parameters supported by the GET method on this resource
Name | Data type | P | Cardinality | Description
authenticated-ind | AuthenticatedInd | M | 1 | Indicates whether authenticated by the W-AGF or not.
supported-features | SupportedFeatures | O | 0..1 | See 3GPP TS 29.500 [4] clause 6.6
plmn-id | PlmnId | O | 0..1 | PLMN identity of the PLMN serving the UE
If "plmn-id" is included, UDM shall return the authentication data of FN-RG in the PLMN identified by "plmn-id".
If "plmn-id" is not included, UDM shall return the authentication data of FN-RG for HPLMN.
This method shall support the request data structures specified in table 6.3.3.4.3.1-2 and the response data structures and response codes specified in table 6.3.3.4.3.1-3.
Table 6.3.3.4.3.1-2: Data structures supported by the GET Request Body on this resource
Data type | P | Cardinality | Description
n/a | | |
Table 6.3.3.4.3.1-3: Data structures supported by the GET Response Body on this resource
Data type | P | Cardinality | Response codes | Description
RgAuthCtx | M | 1 | 200 OK | Upon success, a response body containing the authentication indication shall be returned.
ProblemDetails | O | 0..1 | 404 Not Found | The "cause" attribute may be used to indicate the following application error: – USER_NOT_FOUND
ProblemDetails | O | 0..1 | 403 Forbidden | The "cause" attribute may be used to indicate one of the following application errors: – AUTHENTICATION_REJECTED – INVALID_SCHEME_OUTPUT
NOTE: In addition, common data structures as listed in table 5.2.7.1-1 of 3GPP TS 29.500 [4] are supported.
6.3.3.5 Resource: HssSecurityInformation (Custom operation)
6.3.3.5.1 Description
This resource represents the information that is needed together with the serving network id and requested authentication method to calculate authentication vector(s) for PS/EPS or IMS domain. See 3GPP TS 23.632 [32].
6.3.3.5.2 Resource Definition
Resource URI: {apiRoot}/nudm-ueau/v1/{supi}/hss-security-information/{hssAuthType}
This resource shall support the resource URI variables defined in table 6.3.3.5.2-1.
Table 6.3.3.5.2-1: Resource URI variables for this resource
Name | Data type | Definition
apiRoot | string | See clause 6.3.1
supi | Supi | Represents the mobile subscription identity (see 3GPP TS 23.003 [8]).
hssAuthType | HssAuthTypeInUri | Represents the type of AVs requested by the HSS. It is defined as an enumeration of type "HssAuthTypeInUri".
6.3.3.5.3 Resource Standard Methods
No Standard Methods are supported for this resource.
6.3.3.5.4 Resource Custom Operations
6.3.3.5.4.1 Overview
Table 6.3.3.5.4.1-1: Custom operations
Operation Name | Custom operation URI | Mapped HTTP method | Description
generate-av | /generate-av | POST | Calculate the authentication vector(s) according to the requested information (authentication method, serving network id, resync info)
6.3.3.5.4.2 Operation: generate-av
6.3.3.5.4.2.1 Description
This custom operation is used by the NF service consumer (HSS) to request calculation of authentication vector(s) for the provided SUPI and the requested authentication method.
6.3.3.5.4.2.2 Operation Definition
This operation shall support the request data structures specified in table 6.3.3.5.4.2.2-1 and the response data structure and response codes specified in table 6.3.3.5.4.2.2-2.
Table 6.3.3.5.4.2.2-1: Data structures supported by the POST Request Body on this resource
Data type | P | Cardinality | Description
HssAuthenticationInfoRequest | M | 1 | Contains the authentication method, number of requested vectors, serving network id and resynchronization information
Table 6.3.3.5.4.2.2-2: Data structures supported by the POST Response Body on this resource
Data type | P | Cardinality | Response codes | Description
HssAuthenticationInfoResult | M | 1 | 200 OK | Upon success, a response body containing authentication vector(s) shall be returned.
ProblemDetails | O | 0..1 | 404 Not Found | The "cause" attribute may be used to indicate the following application error: – USER_NOT_FOUND
ProblemDetails | O | 0..1 | 403 Forbidden | The "cause" attribute may be used to indicate one of the following application errors: – AUTHENTICATION_REJECTED
ProblemDetails | O | 0..1 | 501 Not Implemented | The "cause" attribute may be used to indicate the following application error: – UNSUPPORTED_AUTHENTICATION_METHOD. This response shall not be cached.
NOTE: In addition, common data structures as listed in table 5.2.7.1-1 of 3GPP TS 29.500 [4] are supported.
6.3.3.6 Resource: Individual AuthEvent
6.3.3.6.1 Resource Definition
Resource URI: {apiRoot}/nudm-ueau/v1/{supi}/auth-events/{authEventId}
This resource shall support the resource URI variables defined in table 6.3.3.6.1-1.
Table 6.3.3.6.1-1: Resource URI variables for this resource
Name | Data type | Definition
apiRoot | string | See clause 6.3.1
supi | Supi | Represents the Subscription Permanent Identifier (see 3GPP TS 23.501 [2] clause 5.9.2)
authEventId | string | Represents the authEvent Id per UE per serving network assigned by the UDM during the ResultConfirmation service operation.
6.3.3.6.2 Resource Standard Methods
6.3.3.6.2.1 PUT
This method shall support the URI query parameters specified in table 6.3.3.6.2.1-1.
Table 6.3.3.6.2.1-1: URI query parameters supported by the PUT method on this resource
Name | Data type | P | Cardinality | Description
n/a | | | |
This method shall support the request data structures specified in table 6.3.3.6.2.1-2 and the response data structures and response codes specified in table 6.3.3.6.2.1-3.
Table 6.3.3.6.2.1-2: Data structures supported by the PUT Request Body on this resource
Data type | P | Cardinality | Description
AuthEvent | M | 1 | The UE Authentication Event
Table 6.3.3.6.2.1-3: Data structures supported by the PUT Response Body on this resource
Data type | P | Cardinality | Response codes | Description
n/a | | | 204 No Content | Upon success, an empty response body shall be returned.
ProblemDetails | O | 0..1 | 404 Not Found | If the resource corresponding to the authEventId does not exist, a response code of 404 Not Found shall be returned. The "cause" attribute may be set to: – DATA_NOT_FOUND
NOTE: In addition, common data structures as listed in table 5.2.7.1-1 of 3GPP TS 29.500 [4] are supported.
6.3.3.7 Resource: GbaSecurityInformation (Custom operation)
6.3.3.7.1 Description
This resource represents the information that is needed to calculate authentication vector(s) for GBA’s BSF. See 3GPP TS 33.220 [61].
6.3.3.7.2 Resource Definition
Resource URI: {apiRoot}/nudm-ueau/v1/{supi}/gba-security-information
This resource shall support the resource URI variables defined in table 6.3.3.7.2-1.
Table 6.3.3.7.2-1: Resource URI variables for this resource
Name | Data type | Definition
apiRoot | string | See clause 6.3.1
supi | Supi | Represents the mobile subscription identity (see 3GPP TS 23.003 [8]).
6.3.3.7.3 Resource Standard Methods
No Standard Methods are supported for this resource.
6.3.3.7.4 Resource Custom Operations
6.3.3.7.4.1 Overview
Table 6.3.3.7.4.1-1: Custom operations
Operation Name | Custom operation URI | Mapped HTTP method | Description
generate-av | /generate-av | POST | Calculate the authentication vector(s)
6.3.3.7.4.2 Operation: generate-av
6.3.3.7.4.2.1 Description
This custom operation is used by the NF service consumer (GBA’s BSF) to request calculation of authentication vector(s) for the provided SUPI.
6.3.3.7.4.2.2 Operation Definition
This operation shall support the request data structures specified in table 6.3.3.7.4.2.2-1 and the response data structure and response codes specified in table 6.3.3.7.4.2.2-2.
Table 6.3.3.7.4.2.2-1: Data structures supported by the POST Request Body on this resource
Data type | P | Cardinality | Description
GbaAuthenticationInfoRequest | M | 1 | Contains the requested authentication type and, optionally, resynchronization info.
Table 6.3.3.7.4.2.2-2: Data structures supported by the POST Response Body on this resource
Data type | P | Cardinality | Response codes | Description
GbaAuthenticationInfoResult | M | 1 | 200 OK | Upon success, a response body containing an authentication vector of the requested type shall be returned.
ProblemDetails | O | 0..1 | 404 Not Found | The "cause" attribute may be used to indicate the following application error: – USER_NOT_FOUND
ProblemDetails | O | 0..1 | 403 Forbidden | The "cause" attribute may be used to indicate one of the following application errors: – AUTHENTICATION_REJECTED
ProblemDetails | O | 0..1 | 501 Not Implemented | The "cause" attribute may be used to indicate the following application error: – UNSUPPORTED_AUTHENTICATION_METHOD. This response shall not be cached.
NOTE: In addition, common data structures as listed in table 5.2.7.1-1 of 3GPP TS 29.500 [4] are supported.
6.3.3.8 Resource: ProSeSecurityInformation (Custom operation)
6.3.3.8.1 Description
This resource represents the 5G ProSe security information, see 3GPP TS 33.503 [64].
6.3.3.8.2 Resource Definition
Resource URI: {apiRoot}/nudm-ueau/v1/{supiOrSuci}/prose-security-information
This resource shall support the resource URI variables defined in table 6.3.3.8.2-1.
Table 6.3.3.8.2-1: Resource URI variables for this resource
Name | Data type | Definition
apiRoot | string | See clause 6.3.1
supiOrSuci | string | Represents the Subscription Permanent Identifier (see 3GPP TS 23.501 [2] clause 5.9.2), or Subscription Concealed Identifier (see 3GPP TS 23.003 [8]). Pattern: see pattern of type SupiOrSuci in 3GPP TS 29.571 [7] (see NOTE 1, NOTE 2).
NOTE 1: The format for SUCI, when the corresponding SUPI is NAI-based, contains a realm that may include a "minus" character ("-"), which is also used as field separator. Given that the NAI and its realm shall conform to IETF RFC 7542 [29], the regular expression defined here allows for non-ambiguous matching of the different fields of the SUCI, even when the realm contains the "minus" character.
NOTE 2: When the SUCI corresponds to a SUPI of type IMSI, and the Null protection scheme is used, the MSIN of the IMSI (which is formatted by the UE and sent over the NAS protocol as Binary Coded Decimal, BCD) shall be formatted in the SUCI as a UTF-8 string containing all decimal digits of the MSIN; see Annex C for SUCI encoding examples.
6.3.3.8.3 Resource Standard Methods
No Standard Methods are supported for this resource.
6.3.3.8.4 Resource Custom Operations
6.3.3.8.4.1 Overview
Table 6.3.3.8.4.1-1: Custom operations
Operation Name | Custom operation URI | Mapped HTTP method | Description
generate-av | /generate-av | POST | Generates the 5G ProSe authentication data.
6.3.3.8.4.2 Operation: generate-av
6.3.3.8.4.2.1 Description
This custom operation is used by the NF service consumer (AUSF) to request ProSe authentication vector(s) for the 5G ProSe Remote UE from the UDM. If SUCI is provided, the UDM calculates the SUPI from the SUCI (see 3GPP TS 33.501 [6]). The UDM calculates an authentication vector taking into account the information received from the NF service consumer (AUSF) and the current representation of this resource if EAP-AKA’ is selected. For details see 3GPP TS 33.501 [6].
6.3.3.8.4.2.2 Operation Definition
This operation shall support the request data structures specified in table 6.3.3.8.4.2.2-1 and the response data structure and response codes specified in table 6.3.3.8.4.2.2-2.
Table 6.3.3.8.4.2.2-1: Data structures supported by the POST Request Body on this resource
Data type | P | Cardinality | Description
ProSeAuthenticationInfoRequest | M | 1 | Contains the relay service code and, optionally, resynchronization info.
Table 6.3.3.8.4.2.2-2: Data structures supported by the POST Response Body on this resource
Data type | P | Cardinality | Response codes | Description
ProSeAuthenticationInfoResult | M | 1 | 200 OK | Upon success, a response body containing authentication vector(s) shall be returned.
ProblemDetails | O | 0..1 | 404 Not Found | The "cause" attribute may be used to indicate the following application error: – USER_NOT_FOUND
ProblemDetails | O | 0..1 | 403 Forbidden | The "cause" attribute may be used to indicate one of the following application errors: – AUTHENTICATION_REJECTED
ProblemDetails | O | 0..1 | 501 Not Implemented | The "cause" attribute may be used to indicate the following application error: – UNSUPPORTED_AUTHENTICATION_METHOD. This response shall not be cached.
NOTE: In addition, common data structures as listed in table 5.2.7.1-1 of 3GPP TS 29.500 [4] are supported.
6.3.4 Custom Operations without associated resources
In this release of this specification, no custom operations without associated resources are defined for the Nudm_UEAuthentication Service.
6.3.5 Notifications
In this release of this specification, no notifications are defined for the Nudm_UEAuthentication Service.
6.3.6 Data Model
6.3.6.1 General
This clause specifies the application data model supported by the API.
Table 6.3.6.1-1 specifies the data types defined for the Nudm_UEAU service API.
Table 6.3.6.1-1: Nudm_UEAU specific Data Types
Data type | Clause defined | Description
AuthenticationInfoRequest | 6.3.6.2.2 | Contains Serving Network Name and Resynchronization Information
AuthenticationInfoResult | 6.3.6.2.3 | Contains an Authentication Vector (AV)
AvEapAkaPrime | 6.3.6.2.4 | Contains RAND, XRES, AUTN, CK’, and IK’
Av5GHeAka | 6.3.6.2.5 | Contains RAND, XRES*, AUTN, KAUSF
ResynchronizationInfo | 6.3.6.2.6 | Contains RAND and AUTS
AuthEvent | 6.3.6.2.7 | Authentication Event
AuthenticationVector | 6.3.6.2.8 |
RgAuthCtx | 6.3.6.2.9 | Contains the UE id (i.e. SUPI) and the authentication indication.
HssAuthenticationInfoRequest | 6.3.6.2.10 | Contains authentication method, serving network id, number of requested vectors and resynchronization information
HssAuthenticationInfoResult | 6.3.6.2.11 | Contains the authentication vectors for EPS/IMS domain
HssAuthenticationVectors | 6.3.6.2.12 |
AvEpsAka | 6.3.6.2.13 | Contains RAND, XRES, AUTN, KASME
AvImsGbaEapAka | 6.3.6.2.14 | Contains RAND, XRES, AUTN, CK, and IK
GbaAuthenticationInfoRequest | 6.3.6.2.15 | Contains authentication method and resynchronization information
GbaAuthenticationInfoResult | 6.3.6.2.16 | Contains the authentication vectors for GBA’s BSF domain
ProSeAuthenticationInfoRequest | 6.3.6.2.17 | Contains RSC and resynchronization information
ProSeAuthenticationInfoResult | 6.3.6.2.18 | Contains the authentication vectors for ProSe
ProSeAuthenticationVectors | 6.3.6.2.19 | Contains the authentication vectors for ProSe
Autn | 6.3.6.3.2 |
Auts | 6.3.6.3.2 |
CkPrime | 6.3.6.3.2 |
IkPrime | 6.3.6.3.2 |
Kausf | 6.3.6.3.2 |
Rand | 6.3.6.3.2 |
ServingNetworkName | 6.3.6.3.2 |
Success | 6.3.6.3.2 |
Xres | 6.3.6.3.2 |
XresStar | 6.3.6.3.2 |
AuthenticatedInd | 6.3.6.3.2 |
ConfidentialityKey | 6.3.6.3.2 |
IntegrityKey | 6.3.6.3.2 |
Kasme | 6.3.6.3.2 |
NumOfRequestedVectors | 6.3.6.3.2 |
AuthType | 6.3.6.3.3 |
AvType | 6.3.6.3.4 |
HssAuthType | 6.3.6.3.5 |
HssAvType | 6.3.6.3.6 |
HssAuthTypeInUri | 6.3.6.3.7 |
AccessNetworkId | 6.3.6.3.8 |
GbaAuthType | 6.3.6.3.10 |
Table 6.3.6.1-2 specifies data types re-used by the Nudm_UEAU service API from other specifications, including a reference to their respective specifications and when needed, a short description of their use within the Nudm_UEAU service API.
Table 6.3.6.1-2: Nudm_UEAU re-used Data Types
Data type | Reference | Comments
ProblemDetails | 3GPP TS 29.571 [7] | Common data type used in response bodies
NfInstanceId | 3GPP TS 29.571 [7] | Network Function Instance Identifier
NfSetId | 3GPP TS 29.571 [7] | Network Function Set Identifier
DateTime | 3GPP TS 29.571 [7] |
SupportedFeatures | 3GPP TS 29.571 [7] | See 3GPP TS 29.500 [4] clause 6.6
Supi | 3GPP TS 29.571 [7] |
CagId | 3GPP TS 29.571 [7] |
ServerAddressingInfo | 3GPP TS 29.571 [7] | Server address info, which in this specification contains information of a Provisioning Server (PVS)
3GAkaAv | 3GPP TS 29.562 [65] | See clause 6.3.6.2.5 of 3GPP TS 29.562
ResynchronizationInfo | 3GPP TS 29.562 [65] | See clause 6.3.6.2.4 of 3GPP TS 29.562
RelayServiceCode | 3GPP TS 29.571 [7] |
6.3.6.2 Structured data types
6.3.6.2.1 Introduction
This clause defines the structures to be used in POST request / response bodies.
6.3.6.2.2 Type: AuthenticationInfoRequest
Table 6.3.6.2.2-1: Definition of type AuthenticationInfoRequest
Attribute name | Data type | P | Cardinality | Description
servingNetworkName | ServingNetworkName | M | 1 | See 3GPP TS 33.501 [6] clause 6.1.1.4
resynchronizationInfo | ResynchronizationInfo | O | 0..1 | Contains RAND and AUTS; see 3GPP TS 33.501 [6] clause 6.1.3.3.2
supportedFeatures | SupportedFeatures | O | 0..1 | See clause 6.3.8
ausfInstanceId | NfInstanceId | M | 1 | NF Instance Id of the AUSF
cellCagInfo | array(CagId) | O | 1..N | CAG List of the CAG cell. If the cellCagInfo is absent, the UDM shall not assume the UE is accessing from the PLMN.
n5gcInd | boolean | O | 0..1 | N5GC device indicator; indicates whether the user uses an N5GC device (see 3GPP TS 33.501 [6]): – true: N5GC device; – false (default): the device used is 5G capable. See NOTE.
nswoInd | boolean | O | 0..1 | NSWO Indicator (see 3GPP TS 33.501 [6]). When present, this IE shall be set as follows: – true: Non-Seamless WLAN Offload is applied; – false (default): Non-Seamless WLAN Offload is not applied.
disasterRoamingInd | boolean | O | 0..1 | Disaster Roaming Indicator (see 3GPP TS 23.502 [3]). When present, this IE shall be set as follows: – true: Disaster Roaming service is applied; – false (default): Disaster Roaming service is not applied.
NOTE: The attribute n5gcInd is used for EAP-TLS, which is described in the informative annex O of 3GPP TS 33.501 [6] and is not mandatory to support.
6.3.6.2.3 Type: AuthenticationInfoResult
Table 6.3.6.2.3-1: Definition of type AuthenticationInfoResult
Attribute name | Data type | P | Cardinality | Description
authType | AuthType | M | 1 | Indicates the authentication method
authenticationVector | AuthenticationVector | C | 0..1 | Contains an authentication vector if 5G AKA or EAP-AKA’ is selected
supi | Supi | C | 0..1 | SUPI shall be present if the request contained the SUCI within the request URI; SUPI or anonymous SUPI shall be present if the request contained the anonymous SUCI within the request URI.
akmaInd | boolean | C | 0..1 | When present, this IE shall be set as follows: – true: AKMA keys need to be generated for the UE; – false (default): AKMA keys are not needed.
authAaa | boolean | C | 0..1 | When present, this IE shall be set as follows: – true: Primary authentication with an AAA Server that acts as the EAP server is required, i.e. the AUSF is required to act as EAP proxy towards the AAA Server, or, if the UDM receives an anonymous SUCI, the AUSF is indicated to run primary authentication with an external Credentials Holder; – false (default): Primary authentication with an AAA Server that acts as the EAP server is not required, i.e. the AUSF is required to act as EAP server according to the EAP method defined in the authType attribute. See clause 6.3.6.3.3.
routingId | string | C | 0..1 | This IE shall be present if the akmaInd is set to "true". When present, this IE shall include the Routing Indicator contained in the SUCI (see 3GPP TS 23.003 [8], clause 2.2B).
pvsInfo | array(ServerAddressingInfo) | C | 1..N | When present, this IE shall contain the remote Provisioning Server(s) information (PVS FQDN(s) and/or IP address(es)). This is used for the case of SNPN onboarding with a DCS hosting AUSF and UDM.
supportedFeatures | SupportedFeatures | O | 0..1 | See clause 6.3.8
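The following is an added example (not code from TS 29.503 or any 3GPP implementation) of consumer-side checks an AUSF can apply to one generate-auth-data exchange (clause 6.3.3.2.4.2) against the request and result tables above: mandatory attributes, the conditional presence rules (authenticationVector per authType, supi after a SUCI in the URI, routingId with akmaInd), and the cause-to-status mapping of table 6.3.3.2.4.2.2-2. It assumes the AuthType values "5G_AKA"/"EAP_AKA_PRIME" and AvType values "5G_HE_AKA"/"EAP_AKA_PRIME" from clauses 6.3.6.3.3/6.3.6.3.4 and the hex lengths of the simple types in clause 6.3.6.3.2, none of which are reproduced on this page; every sample value is constructed.

```python
"""Added example, not part of TS 29.503: AUSF-side conformance checks of a
generate-auth-data request/result pair against tables 6.3.6.2.2-1 and
6.3.6.2.3-1. Assumed (not on this page): AuthType/AvType enum values from
clauses 6.3.6.3.3/6.3.6.3.4 and hex lengths from clause 6.3.6.3.2.
All sample values are constructed."""
import re
from typing import Dict, List, Tuple


def _is_hex(value, length: int) -> bool:
    return isinstance(value, str) and re.fullmatch(rf"[0-9A-Fa-f]{{{length}}}", value) is not None


# expected hex length per attribute of each AuthenticationVector alternative
# (tables 6.3.6.2.4-1 and 6.3.6.2.5-1; lengths assumed from clause 6.3.6.3.2)
AV_FIELDS = {
    "5G_HE_AKA": {"rand": 32, "xresStar": 32, "autn": 32, "kausf": 64},
    "EAP_AKA_PRIME": {"rand": 32, "autn": 32, "ckPrime": 32, "ikPrime": 32},  # plus xres: 8..32
}
AV_TYPE_FOR_AUTH_TYPE = {"5G_AKA": "5G_HE_AKA", "EAP_AKA_PRIME": "EAP_AKA_PRIME"}

# application errors of table 6.3.3.2.4.2.2-2 and the HTTP status they belong to
CAUSE_STATUS = {"USER_NOT_FOUND": 404, "AUTHENTICATION_REJECTED": 403,
                "INVALID_HN_PUBLIC_KEY_IDENTIFIER": 403, "INVALID_SCHEME_OUTPUT": 403,
                "UNSUPPORTED_PROTECTION_SCHEME": 501}


def problem_details(cause: str) -> Tuple[int, Dict]:
    """HTTP status and ProblemDetails body (TS 29.571) the UDM returns for a listed cause."""
    status = CAUSE_STATUS[cause]
    return status, {"status": status, "cause": cause}


def validate_request(body: Dict) -> List[str]:
    """Violations of table 6.3.6.2.2-1 in an AuthenticationInfoRequest; [] means conformant."""
    errs = []
    for name in ("servingNetworkName", "ausfInstanceId"):            # P = M
        if not isinstance(body.get(name), str) or not body[name]:
            errs.append(f"missing mandatory attribute {name}")
    resync = body.get("resynchronizationInfo")
    if resync is not None:                       # rand and auts are both M inside it (6.3.6.2.6)
        if not _is_hex(resync.get("rand"), 32):
            errs.append("resynchronizationInfo.rand must be 32 hex digits")
        if not _is_hex(resync.get("auts"), 28):
            errs.append("resynchronizationInfo.auts must be 28 hex digits")
    cag = body.get("cellCagInfo")
    if cag is not None and (not isinstance(cag, list) or not cag):   # cardinality 1..N
        errs.append("cellCagInfo, when present, must contain at least one CagId")
    for flag in ("n5gcInd", "nswoInd", "disasterRoamingInd"):
        if flag in body and not isinstance(body[flag], bool):
            errs.append(f"{flag} must be a JSON boolean")
    return errs


def validate_result(body: Dict, uri_had_suci: bool) -> List[str]:
    """Violations of table 6.3.6.2.3-1 in an AuthenticationInfoResult; [] means conformant."""
    errs = []
    auth_type = body.get("authType")
    if not auth_type:
        return ["missing mandatory attribute authType"]
    av = body.get("authenticationVector")
    want = AV_TYPE_FOR_AUTH_TYPE.get(auth_type)
    if want is not None:                         # AV is conditional on the selected method
        if av is None:
            errs.append(f"authenticationVector is required when authType is {auth_type}")
        else:
            if av.get("avType") != want:
                errs.append(f"avType {av.get('avType')!r} does not match authType {auth_type}")
            for name, length in AV_FIELDS[want].items():
                if not _is_hex(av.get(name), length):
                    errs.append(f"authenticationVector.{name} must be {length} hex digits")
            xres = av.get("xres")
            if want == "EAP_AKA_PRIME" and not (isinstance(xres, str)
                                                and re.fullmatch(r"[0-9A-Fa-f]{8,32}", xres)):
                errs.append("authenticationVector.xres must be 8..32 hex digits")
    if uri_had_suci and not body.get("supi"):    # supi is C: present when the URI held a SUCI
        errs.append("supi is required when the request URI carried a SUCI")
    if body.get("akmaInd") is True and not body.get("routingId"):
        errs.append("routingId is required when akmaInd is true")
    pvs = body.get("pvsInfo")
    if pvs is not None and (not isinstance(pvs, list) or not pvs):   # cardinality 1..N
        errs.append("pvsInfo, when present, must contain at least one entry")
    return errs


# constructed sample exchange for POST .../{supiOrSuci}/security-information/generate-auth-data
SAMPLE_REQUEST = {
    "servingNetworkName": "5G:mnc015.mcc234.3gppnetwork.org",   # format of TS 33.501 clause 6.1.1.4
    "ausfInstanceId": "1c2d3e4f-0000-4000-8000-000000000001",
    "supportedFeatures": "0",
}
SAMPLE_RESULT = {
    "authType": "5G_AKA",
    "supi": "imsi-234150999999999",            # present because the URI carried a SUCI
    "authenticationVector": {
        "avType": "5G_HE_AKA",
        "rand": "0123456789abcdef0123456789abcdef",
        "xresStar": "fedcba9876543210fedcba9876543210",
        "autn": "00112233445566778899aabbccddeeff",
        "kausf": "ab" * 32,
    },
}

if __name__ == "__main__":
    print("request:", validate_request(SAMPLE_REQUEST) or "conformant")
    print("result:", validate_result(SAMPLE_RESULT, uri_had_suci=True) or "conformant")
```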
6.3.6.2.4 Type: AvEapAkaPrime
Table 6.3.6.2.4-1: Definition of type AvEapAkaPrime
Attribute name | Data type | P | Cardinality | Description
avType | AvType | M | 1 | Type of authentication vector
rand | Rand | M | 1 |
xres | Xres | M | 1 |
autn | Autn | M | 1 |
ckPrime | CkPrime | M | 1 |
ikPrime | IkPrime | M | 1 |
6.3.6.2.5 Type: Av5GHeAka
Table 6.3.6.2.5-1: Definition of type Av5GHeAka
Attribute name |
Data type |
P |
Cardinality |
Description |
avType |
AvType |
M |
1 |
Type of authentication vector |
rand |
Rand |
M |
1 |
|
xresStar |
XresStar |
M |
1 |
|
autn |
Autn |
M |
1 |
|
kausf |
Kausf |
M |
1 |
6.3.6.2.6 Type: ResynchronizationInfo
Table 6.3.6.2.6-1: Definition of type ResynchronizationInfo
Attribute name |
Data type |
P |
Cardinality |
Description |
rand |
Rand |
M |
1 |
|
auts |
Auts |
M |
1 |
6.3.6.2.7 Type: AuthEvent
Table 6.3.6.2.7-1: Definition of type AuthEvent
Attribute name |
Data type |
P |
Cardinality |
Description |
nfInstanceId |
NfInstanceId |
M |
1 |
Identifier of the NF instance where the authentication occurred (e.g. AUSF) |
success |
Success |
M |
1 |
true indicates success; false indicates no success. Set to false in case of authentication result removal. |
timeStamp |
DateTime |
M |
1 |
time stamp of the authentication |
authType |
AuthType |
M |
1 |
Indicates the authentication method. See clause 6.3.6.3.3. |
servingNetworkName |
ServingNetworkName |
M |
1 |
See 3GPP TS 33.501 [6] clause 6.1.1.4 |
authRemovalInd |
Boolean |
O |
0..1 |
When present, it shall indicate the authentication result in the UDM shall be removed. This IE shall be set as follows: – true: authentication result in the UDM shall be removed; – false (default): authentication result in the UDM shall not be removed. |
nfSetId |
NfSetId |
O |
0..1 |
If present, it indicates the NF Set ID where the authentication occurred (e.g. AUSF Set) |
resetIds |
array(string) |
O |
1..N |
May be present in Authentication Confirmation response messages. |
6.3.6.2.8 Type: AuthenticationVector
Table 6.3.6.2.8-1: Definition of type AuthenticationVector as a list of alternatives
Data type |
Cardinality |
Description |
AvEapAkaPrime |
1 |
|
Av5GHeAka |
1 |
6.3.6.2.9 Type: RgAuthCtx
Table 6.3.6.2.9-1: Definition of type RgAuthCtx
Attribute name |
Data type |
P |
Cardinality |
Description |
authInd |
boolean |
M |
1 |
This IE shall be set as follows: – true: authentication is not required; – false (default): authentication is required. |
supi |
Supi |
C |
0..1 |
SUPI shall be present if the request contained the SUCI within the request URI |
supportedFeatures |
SupportedFeatures |
O |
0..1 |
See clause 6.3.8 |
6.3.6.2.10 Type: HssAuthenticationInfoRequest
Table 6.3.6.2.10-1: Definition of type HssAuthenticationInfoRequest
Attribute name |
Data type |
P |
Cardinality |
Description |
hssAuthType |
HssAuthType |
M |
1 |
Indicates the authentication method. |
numOfRequestedVectors |
NumOfRequestedVectors |
M |
1 |
Maximum 5 vectors are allowed per service request. |
requestingNodeType |
NodeType |
C |
0..1 |
Indicates the requesting node type. Should be included when known by the HSS. |
servingNetworkId |
PlmnId |
C |
0..1 |
Shall be present if the authentication method is EPS_AKA. |
resynchronizationInfo |
ResynchronizationInfo |
O |
0..1 |
Contains RAND and AUTS. |
anId |
AccessNetworkId |
O |
0..1 |
Contains the Access Network ID used in the derivation of authentication vectors in EAP-AKA’. |
supportedFeatures |
SupportedFeatures |
O |
0..1 |
See clause 6.3.8 |
NOTE: For the GBA authentication type, the number of requested vectors shall be set to 1; for other authentication types, the number of vectors generated by the UDM may be less than the number of requested vectors. |
6.3.6.2.11 Type: HssAuthenticationInfoResult
Table 6.3.6.2.11-1: Definition of type HssAuthenticationInfoResult
Attribute name |
Data type |
P |
Cardinality |
Description |
hssAuthenticationVectors |
HssAuthenticationVectors |
M |
1 |
|
supportedFeatures |
SupportedFeatures |
O |
0..1 |
See clause 6.3.8 |
6.3.6.2.12 Type: HssAuthenticationVectors
Table 6.3.6.2.12-1: Definition of type HssAuthenticationVectors as a list of alternatives
Data type |
Cardinality |
Description |
array(AvEpsAka) |
1..5 |
|
array(AvImsGbaEapAka) |
1..5 |
This data type is also used for UMTS AKA. |
array(AvEapAkaPrime) |
1..5 |
6.3.6.2.13 Type: AvEpsAka
Table 6.3.6.2.13-1: Definition of type AvEpsAka
Attribute name |
Data type |
P |
Cardinality |
Description |
avType |
HssAvType |
M |
1 |
|
rand |
Rand |
M |
1 |
|
xres |
Xres |
M |
1 |
|
autn |
Autn |
M |
1 |
|
kasme |
Kasme |
M |
1 |
6.3.6.2.14 Type: AvImsGbaEapAka
Table 6.3.6.2.14-1: Definition of type AvImsGbaEapAka
Attribute name |
Data type |
P |
Cardinality |
Description |
avType |
HssAvType |
M |
1 |
|
rand |
Rand |
M |
1 |
|
xres |
Xres |
M |
1 |
|
autn |
Autn |
M |
1 |
|
ck |
ConfidentialityKey |
M |
1 |
|
ik |
IntegrityKey |
M |
1 |
6.3.6.2.15 Type: GbaAuthenticationInfoRequest
Table 6.3.6.2.15-1: Definition of type GbaAuthenticationInfoRequest
Attribute name |
Data type |
P |
Cardinality |
Description |
authType |
GbaAuthType |
M |
1 |
Indicates the authentication method. |
resynchronizationInfo |
ResynchronizationInfo |
O |
0..1 |
Contains RAND and AUTS. |
supportedFeatures |
SupportedFeatures |
O |
0..1 |
See clause 6.3.8 |
6.3.6.2.16 Type: GbaAuthenticationInfoResult
Table 6.3.6.2.16-1: Definition of type GbaAuthenticationInfoResult
Attribute name |
Data type |
P |
Cardinality |
Description |
3gAkaAv |
3GAkaAv |
O |
0..1 |
Contains an AV when the requested authentication type is "DIGEST_AKAV1_MD5" |
supportedFeatures |
SupportedFeatures |
O |
0..1 |
See clause 6.3.8 |
6.3.6.2.17 Type: ProSeAuthenticationInfoRequest
Table 6.3.6.2.17-1: Definition of type ProSeAuthenticationInfoRequest
Attribute name |
Data type |
P |
Cardinality |
Description |
servingNetworkName |
ServingNetworkName |
M |
1 |
See 3GPP TS 33.501 [6] clause 6.1.1.4 |
relayServiceCode |
RelayServiceCode |
M |
1 |
Indicates Relay Service Code. See 3GPP TS 29.571 [7] clause 5.4.2 |
resynchronizationInfo |
ResynchronizationInfo |
O |
0..1 |
Contains RAND and AUTS. |
supportedFeatures |
SupportedFeatures |
O |
0..1 |
See clause 6.3.8 |
6.3.6.2.18 Type: ProSeAuthenticationInfoResult
Table 6.3.6.2.18-1: Definition of type ProSeAuthenticationInfoResult
Attribute name |
Data type |
P |
Cardinality |
Description |
authType |
AuthType |
M |
1 |
Indicates the authentication method. |
proseAuthenticationVectors |
ProSeAuthenticationVectors |
O |
0..1 |
This IE shall be present if the AUSF of the 5G ProSe Remote UE retrieves the Authentication Vectors from the UDM. When present, this IE shall contain Authentication Vector for Prose. See 3GPP TS 33.503 [64] clause 7.4.2.1 |
supi |
Supi |
C |
0..1 |
SUPI shall be present if the request contained the SUCI within the request URI |
supportedFeatures |
SupportedFeatures |
O |
0..1 |
See clause 6.3.8 |
6.3.6.2.19 Type: ProSeAuthenticationVectors
Table 6.3.6.2.19-1: Definition of type ProSeAuthenticationVectors as a list of alternatives
Data type |
Cardinality |
Description |
array(AvEapAkaPrime) |
1..5 |
NOTE |
NOTE: Although a cardinality of 1..5 is specified, the UDM should send exactly one Authentication Vector within the array. |
6.3.6.3 Simple data types and enumerations
6.3.6.3.1 Introduction
This clause defines simple data types and enumerations that can be referenced from data structures defined in the previous clauses.
6.3.6.3.2 Simple data types
The simple data types defined in table 6.3.6.3.2-1 shall be supported.
Table 6.3.6.3.2-1: Simple data types
Type Name |
Type Definition |
Description |
Autn |
string |
pattern: "^[A-Fa-f0-9]{32}$" |
Auts |
string |
pattern: "^[A-Fa-f0-9]{28}$" |
CkPrime |
string |
pattern: "^[A-Fa-f0-9]{32}$" |
IkPrime |
string |
pattern: "^[A-Fa-f0-9]{32}$" |
Kausf |
string |
pattern: "^[A-Fa-f0-9]{64}$" |
Rand |
string |
pattern: "^[A-Fa-f0-9]{32}$" |
ServingNetworkName |
string |
See 3GPP TS 33.501 [6] clause 6.1.1.4 |
Success |
boolean |
true indicates success, false indicates no success |
Xres |
string |
pattern: "^[A-Fa-f0-9]{8,32}$" |
XresStar |
string |
pattern: "^[A-Fa-f0-9]{32}$" |
AuthenticatedInd |
boolean |
Indicates whether authenticated by the W-AGF or not: – true: authenticated by the W-AGF; – false: unauthenticated by the W-AGF. |
ConfidentialityKey |
string |
pattern: "^[A-Fa-f0-9]{32}$" |
IntegrityKey |
string |
pattern: "^[A-Fa-f0-9]{32}$" |
Kasme |
string |
pattern: "^[A-Fa-f0-9]{64}$" |
NumOfRequestedVectors |
integer |
minimum: 1 maximum: 5 |
6.3.6.3.3 Enumeration: AuthType
Table 6.3.6.3.3-1: Enumeration AuthType
Enumeration value |
Description |
"EAP_AKA_PRIME" |
EAP-AKA’ |
"5G_AKA" |
5G AKA |
"EAP_TLS" |
EAP-TLS. See NOTE 1. |
"NONE" |
No specific EAP method type is signalled. See NOTE 2 |
"EAP_TTLS" |
EAP-TTLS. See NOTE 3. |
NOTE 1: EAP-TLS is described in the Informative Annex B and Annex O of 3GPP TS 33.501 [6] and is not mandatory to support.
NOTE 2: NONE indicates that the EAP method type is not signalled, because of the following scenario. Primary authentication with an AAA Server that acts as the EAP server is required for UEs that use credentials from an AAA Server in a Credentials Holder, as described in clause 5.30.2.9.2 of 3GPP TS 23.501 [2]. This value is necessary when the authAaa attribute is included in the AuthenticationInfoResult type, because authType is a mandatory attribute.
NOTE 3: EAP-TTLS is described in the Informative Annex U of 3GPP TS 33.501 [6] and is optional to support. |
6.3.6.3.4 Enumeration: AvType
Table 6.3.6.3.4-1: Enumeration AvType
Enumeration value |
Description |
"5G_HE_AKA" |
|
"EAP_AKA_PRIME" |
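The tables above define the AuthenticationInfoResult (Table 6.3.6.2.3-1), the two AuthenticationVector alternatives (Tables 6.3.6.2.4-1 and 6.3.6.2.5-1), the hex-string patterns of the simple data types (Table 6.3.6.3.2-1) and the AuthType/AvType enumerations, but they leave the consistency rules between them (mandatory supi after a SUCI request, routingId with akmaInd, avType agreeing with authType, authType NONE with authAaa) spread across several description cells. The following Python check gathers those rules into one validator an NF service consumer (e.g. an AUSF) could run on a received body before using the vector. It is an added example, not code from the specification or from any implementation; the sample bodies are constructed, and the rule "authAaa true implies authType NONE" is derived from NOTE 2 of Table 6.3.6.3.3-1 rather than stated as a normative check there.

```python
import json
import re

# Hex-string patterns copied from Table 6.3.6.3.2-1 (Simple data types).
PATTERNS = {
    "Rand": r"^[A-Fa-f0-9]{32}$",
    "Autn": r"^[A-Fa-f0-9]{32}$",
    "Xres": r"^[A-Fa-f0-9]{8,32}$",
    "XresStar": r"^[A-Fa-f0-9]{32}$",
    "CkPrime": r"^[A-Fa-f0-9]{32}$",
    "IkPrime": r"^[A-Fa-f0-9]{32}$",
    "Kausf": r"^[A-Fa-f0-9]{64}$",
}

# Mandatory attributes of each AuthenticationVector alternative, keyed by the
# AvType discriminator (Tables 6.3.6.2.4-1, 6.3.6.2.5-1 and 6.3.6.3.4-1).
AV_FIELDS = {
    "5G_HE_AKA": {"rand": "Rand", "xresStar": "XresStar", "autn": "Autn", "kausf": "Kausf"},
    "EAP_AKA_PRIME": {"rand": "Rand", "xres": "Xres", "autn": "Autn",
                      "ckPrime": "CkPrime", "ikPrime": "IkPrime"},
}

# AuthType values (Table 6.3.6.3.3-1) and, for the two AKA variants, the AvType
# that the UDM's authenticationVector is expected to carry.
AUTH_TYPES = {"EAP_AKA_PRIME", "5G_AKA", "EAP_TLS", "NONE", "EAP_TTLS"}
AUTH_TYPE_TO_AV = {"5G_AKA": "5G_HE_AKA", "EAP_AKA_PRIME": "EAP_AKA_PRIME"}


def validate_av(av):
    """Return the list of violations for one AvEapAkaPrime / Av5GHeAka object."""
    av_type = av.get("avType")
    fields = AV_FIELDS.get(av_type)
    if fields is None:
        return ["avType: missing or unknown value %r" % (av_type,)]
    errors = []
    for name, simple_type in fields.items():
        value = av.get(name)
        if not isinstance(value, str):
            errors.append("%s: mandatory attribute missing" % name)
        elif not re.fullmatch(PATTERNS[simple_type], value):
            errors.append("%s: does not match the %s pattern" % (name, simple_type))
    return errors


def validate_auth_info_result(body, request_used_suci):
    """Check an AuthenticationInfoResult (Table 6.3.6.2.3-1) as the consumer would
    before using it. request_used_suci says whether the request URI carried a SUCI,
    which makes 'supi' mandatory in the result. Returns a list of violations."""
    errors = []
    auth_type = body.get("authType")
    if auth_type not in AUTH_TYPES:
        errors.append("authType: missing or unknown value %r" % (auth_type,))
    av = body.get("authenticationVector")
    expected_av = AUTH_TYPE_TO_AV.get(auth_type)
    if expected_av is not None:
        if not isinstance(av, dict):
            errors.append("authenticationVector: required object for authType %s" % auth_type)
        else:
            errors.extend(validate_av(av))
            if av.get("avType") in AV_FIELDS and av["avType"] != expected_av:
                errors.append("avType %s does not match authType %s" % (av["avType"], auth_type))
    elif av is not None:
        errors.append("authenticationVector: not expected for authType %r" % (auth_type,))
    if request_used_suci and not isinstance(body.get("supi"), str):
        errors.append("supi: required because the request URI carried a SUCI")
    if body.get("akmaInd") is True and not isinstance(body.get("routingId"), str):
        errors.append("routingId: required when akmaInd is true")
    if body.get("authAaa") is True and auth_type != "NONE":
        # Derived from NOTE 2 of Table 6.3.6.3.3-1 (assumption of this example).
        errors.append("authType: expected NONE when authAaa is true")
    pvs = body.get("pvsInfo")
    if pvs is not None and (not isinstance(pvs, list) or not pvs):
        errors.append("pvsInfo: cardinality is 1..N, so it must be a non-empty array")
    return errors


def validate_json(text, request_used_suci):
    """Parse an application/json body and validate it."""
    return validate_auth_info_result(json.loads(text), request_used_suci)


# Constructed samples (not taken from the specification).
SAMPLE_5G_AKA = {
    "authType": "5G_AKA",
    "supi": "imsi-001010123456789",
    "authenticationVector": {
        "avType": "5G_HE_AKA",
        "rand": "0123456789abcdef0123456789abcdef",
        "xresStar": "00112233445566778899aabbccddeeff",
        "autn": "ffeeddccbbaa99887766554433221100",
        "kausf": "a5" * 32,
    },
}
SAMPLE_BAD_EAP = {
    "authType": "EAP_AKA_PRIME",
    "akmaInd": True,                      # routingId is missing
    "authenticationVector": {
        "avType": "EAP_AKA_PRIME",
        "rand": "0123456789abcdef0123456789abcdef",
        "xres": "abc",                    # too short for the Xres pattern
        "autn": "ffeeddccbbaa99887766554433221100",
        "ckPrime": "11" * 16,             # ikPrime is missing
    },
}

if __name__ == "__main__":
    print(validate_auth_info_result(SAMPLE_5G_AKA, True))
    print(validate_auth_info_result(SAMPLE_BAD_EAP, True))
```

The checker rejects a vector before any of its fields reach key derivation, which is the point of validating against the patterns: an oversized or non-hex kausf or xresStar coming from a compromised or misbehaving peer should fail here rather than inside a crypto routine.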
6.3.6.3.5 Enumeration: HssAuthType
Table 6.3.6.3.5-1: Enumeration HssAuthType
Enumeration value |
Description |
"EPS_AKA" |
|
"EAP_AKA" |
|
"EAP_AKA_PRIME" |
EAP-AKA’ |
"IMS_AKA" |
|
"GBA_AKA" |
|
"UMTS_AKA" |
6.3.6.3.6 Enumeration: HssAvType
Table 6.3.6.3.6-1: Enumeration HssAvType
Enumeration value |
Description |
"EPS_AKA" |
|
"EAP_AKA" |
|
"IMS_AKA" |
|
"GBA_AKA" |
|
"UMTS_AKA" |
6.3.6.3.7 Enumeration: HssAuthTypeInUri
Table 6.3.6.3.7-1: Enumeration HssAuthTypeInUri
Enumeration value |
Description |
"eps-aka" |
EPS-AKA authentication method |
"eap-aka" |
EAP-AKA authentication method |
"eap-aka-prime" |
EAP-AKA’ authentication method |
"ims-aka" |
IMS-AKA authentication method |
"gba-aka" |
GBA-AKA authentication method |
NOTE: This enumeration is used as a variable part of resource URIs, and therefore it follows the naming convention used in URIs (lower case with hyphens); see 3GPP TS 29.501 [5], clause 5.1.
6.3.6.3.8 Enumeration: AccessNetworkId
This data type contains the values for the Access Network Identities defined by 3GPP in the context of non-3GPP access to EPC, used in the generation of EAP-AKA’ authentication vectors. The possible values are originally defined in 3GPP TS 24.302 [49].
Table 6.3.6.3.8-1: Enumeration AccessNetworkId
Enumeration value |
Description |
"HRPD" |
Access Network: HRPD |
"WIMAX" |
Access Network: WiMAX |
"WLAN" |
Access Network: Wireless LAN |
"ETHERNET" |
Access Network: Ethernet |
6.3.6.3.9 Enumeration: NodeType
Table 6.3.6.3.9-1: Enumeration NodeType
Enumeration value |
Description |
"AUSF" |
This value is not applicable to the HSS. |
"VLR" |
|
"SGSN" |
|
"S_CSCF" |
|
"BSF" |
|
"GAN_AAA_SERVER" |
|
"WLAN_AAA_SERVER" |
|
"MME" |
6.3.6.3.10 Enumeration: GbaAuthType
Table 6.3.6.3.10-1: Enumeration GbaAuthType
Enumeration value |
Description |
"DIGEST_AKAV1_MD5" |
IMS-AKA authentication scheme |
6.3.7 Error Handling
6.3.7.1 General
HTTP error handling shall be supported as specified in clause 5.2.4 of 3GPP TS 29.500 [4].
6.3.7.2 Protocol Errors
Protocol errors handling shall be supported as specified in clause 5.2.7 of 3GPP TS 29.500 [4].
6.3.7.3 Application Errors
The common application errors defined in the Table 5.2.7.2-1 in 3GPP TS 29.500 [4] may also be used for the Nudm_UEAuthentication service. The following application errors listed in Table 6.3.7.3-1 are specific for the Nudm_UEAuthentication service.
Table 6.3.7.3-1: Application errors
Application Error |
HTTP status code |
Description |
AUTHENTICATION_REJECTED |
403 Forbidden |
The user cannot be authenticated with this authentication method, e.g. only SIM data available |
USER_NOT_FOUND |
404 Not Found |
The user does not exist in the HPLMN |
UNSUPPORTED_PROTECTION_SCHEME |
501 Not implemented |
The received protection scheme is not supported by HPLMN |
UNSUPPORTED_AUTHENTICATION_METHOD |
501 Not implemented |
The requested authentication method is not supported |
INVALID_HN_PUBLIC_KEY_IDENTIFIER |
403 Forbidden |
Invalid HN public key identifier received |
INVALID_SCHEME_OUTPUT |
403 Forbidden |
SUCI cannot be decrypted with received data |
DATA_NOT_FOUND |
404 Not Found |
Resource corresponding to the authEventId does not exist |
6.3.8 Feature Negotiation
The optional features in table 6.3.8-1 are defined for the Nudm_UEAU API. They shall be negotiated using the extensibility mechanism defined in clause 6.6 of 3GPP TS 29.500 [4].
Table 6.3.8-1: Supported Features
Feature number |
Feature Name |
Description |
6.3.9 Security
As indicated in 3GPP TS 33.501 [6] and 3GPP TS 29.500 [4], the access to the Nudm_UEAU API may be authorized by means of the OAuth2 protocol (see IETF RFC 6749 [18]), based on local configuration, using the "Client Credentials" authorization grant, where the NRF (see 3GPP TS 29.510 [19]) plays the role of the authorization server.
If OAuth2 is used, an NF Service Consumer, prior to consuming services offered by the Nudm_UEAU API, shall obtain a "token" from the authorization server, by invoking the Access Token Request service, as described in 3GPP TS 29.510 [19], clause 5.4.2.2.
NOTE: When multiple NRFs are deployed in a network, the NRF used as authorization server is the same NRF that the NF Service Consumer used for discovering the Nudm_UEAU service.
The Nudm_UEAU API defines the following scopes for OAuth2 authorization:
Table 6.3.9-1: Oauth2 scopes defined in Nudm_UEAU API
Scope |
Description |
"nudm-ueau" |
Access to the Nudm_UEAU API |
"nudm-ueau:security-information:generate-auth-data:invoke" |
Access to invoke the "generate-auth-data" custom operation on the "security-information" resource |
"nudm-ueau:security-information-rg:read" |
Access to read the "security-information-rg" resource |
"nudm-ueau:auth-events:create" |
Access to create a new child resource on the "auth-events" collection resource |
"nudm-ueau:auth-event-id:modify" |
Access to modify (delete) an "auth-event-id" individual resource |
"nudm-ueau:hss-security-information:generate-av:invoke" |
Access to invoke the "generate-av" custom operation on the "hss-security-information" resource |
"nudm-ueau:gba-security-information:generate-av:invoke" |
Access to invoke the "generate-av" custom operation on the "gba-security-information" resource |
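Table 6.3.9-1 lists an API-level scope and one fine-grained scope per resource operation, which only achieves least privilege if the NF service producer actually maps each incoming (method, URI) to the scope it needs and refuses anything else. The following Python routine shows that enforcement step on the UDM side, as an added example that is not part of the specification or of any implementation. It assumes the token's JWS signature has already been verified against the NRF's key (that step is described in 3GPP TS 29.510 and is not reproduced here), that the claims use the names exp, aud and a space-separated scope string as in the AccessTokenClaims of 3GPP TS 29.510, and that the resource URI templates follow the resource names used by the scopes (the exact templates are defined in clause 6.3.3, which is not reproduced on this page); the sample claims and identifiers are constructed.

```python
import re
import time

# Scope names from Table 6.3.9-1. The API-level scope grants every operation.
API_SCOPE = "nudm-ueau"

# (HTTP method, resource URI pattern, fine-grained scope). The URI patterns are an
# assumption of this example; {supi}, {supiOrSuci} and {authEventId} path
# segments are matched by [^/]+.
ROUTES = [
    ("POST", r"/nudm-ueau/v1/[^/]+/security-information/generate-auth-data",
     "nudm-ueau:security-information:generate-auth-data:invoke"),
    ("GET", r"/nudm-ueau/v1/[^/]+/security-information-rg",
     "nudm-ueau:security-information-rg:read"),
    ("POST", r"/nudm-ueau/v1/[^/]+/auth-events",
     "nudm-ueau:auth-events:create"),
    ("PUT", r"/nudm-ueau/v1/[^/]+/auth-events/[^/]+",
     "nudm-ueau:auth-event-id:modify"),
    ("POST", r"/nudm-ueau/v1/[^/]+/hss-security-information/generate-av",
     "nudm-ueau:hss-security-information:generate-av:invoke"),
    ("POST", r"/nudm-ueau/v1/[^/]+/gba-security-information/generate-av",
     "nudm-ueau:gba-security-information:generate-av:invoke"),
]


def required_scope(method, path):
    """Scope that authorizes (method, path), or None if no known resource matches."""
    for route_method, pattern, scope in ROUTES:
        if route_method == method and re.fullmatch(pattern, path):
            return scope
    return None


def authorize(claims, method, path, producer_nf_type="UDM",
              producer_instance_id=None, now=None):
    """Authorization decision for one request from the claims of an access token
    whose signature the caller has ALREADY verified. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token missing exp or expired"
    # aud may be the producer NF type or a list of NF instance IDs (assumption
    # based on 3GPP TS 29.510); accept either form for this producer.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if producer_nf_type not in audiences and (
            producer_instance_id is None or producer_instance_id not in audiences):
        return False, "token audience does not include this producer"
    scope = required_scope(method, path)
    if scope is None:
        return False, "unknown resource or method; deny by default"
    granted = set(str(claims.get("scope", "")).split())
    if scope in granted:
        return True, "granted by %s" % scope
    if API_SCOPE in granted:
        return True, "granted by the API-level scope %s" % API_SCOPE
    return False, "insufficient scope; need %s" % scope


# Constructed claims (not from the specification): a token that lets an AUSF
# request authentication data and create auth-events, but nothing else.
SAMPLE_CLAIMS = {
    "iss": "nrf-example-instance",
    "sub": "ausf-example-instance",
    "aud": "UDM",
    "scope": "nudm-ueau:security-information:generate-auth-data:invoke "
             "nudm-ueau:auth-events:create",
    "exp": 4102444800,   # far-future expiry, constructed
}
NOW = 1700000000         # fixed 'current time' so the example is reproducible

if __name__ == "__main__":
    suci_path = "/nudm-ueau/v1/suci-0-001-01-0000-0-0-0123456789/security-information/generate-auth-data"
    print(authorize(SAMPLE_CLAIMS, "POST", suci_path, now=NOW))
    print(authorize(SAMPLE_CLAIMS, "GET", "/nudm-ueau/v1/imsi-001010123456789/security-information-rg", now=NOW))
```

A consumer that only needs to confirm authentication results (auth-events:create) should not be issued the broad "nudm-ueau" scope, since that scope also unlocks generate-auth-data and with it the authentication vectors; the fine-grained scopes exist precisely so the NRF can scope tokens to what each NF type does.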