ue-authentications

(Collection)

/ue-authentications

POST

Initiate the authentication process by providing inputs related to the UE

/ue-authentications/deregister

deregister

(POST)

Clear the security context of the UE

Individual UE authentication (Document)

/ue-authentications/{authCtxId}

See NOTE 1

5g-aka-confirmation

(Document)

/ue-authentications/{authCtxId}/5g-aka-confirmation

PUT

Put the UE response from the 5G-AKA process.

DELETE

DELETE the authentication result.

eap-session

(Document)

/ue-authentications/{authCtxId}/eap-session

POST

Post the EAP response from the UE.

See NOTE.

DELETE

DELETE the authentication result.

rg-authentications

(Collection)

/rg-authentications

POST

Initiate the authentication process by providing inputs related to the FN-RG

Individual RG authentication (Document)

/rg-authentications/{authCtxId}

See NOTE 3

prose-authentications

(Collection)

/prose-authentications

POST

Initiate the authentication process by providing inputs related to the 5G ProSe Remote UE.

prose-auth

(Document)

/prose-authentications/{authCtxId}/prose-auth

POST

Post the EAP response from the 5G ProSe Remote UE.

See NOTE.

DELETE

DELETE the authentication result.

NOTE 1: This resource represents the created individual UE authentication, the URI of the created resource is contained in the "Location" header of the "201 Created" response (See step 2a of Figure 5.2.2.2.2-1 and Figure 5.2.2.2.3.2-1). There are no service operations defined on this resource.

NOTE 2: This POST is used to provide EAP response to the AUSF in a sub-resource (Document) generated by the first POST operation. As this operation is not idempotent (it triggers subsequent EAP operations), a PUT was not adequate.

NOTE 3: This resource represents the created individual RG authentication, the URI of the created resource is contained in the "Location" header of the "201 Created" response (See step 2a of Figure 5.2.2.2.4-1). There are no service operations defined on this resource.

apiRoot

string

See clause 6.1.1

n/a

AuthenticationInfo

M

1

Contains the UE id (i.e. SUCI or SUPI as specified in 3GPP TS 33.501 [8]) and the serving network name.

It may also contain Trace Data as specified in 3GPP TS 23.501 [2].

UEAuthenticationCtx

M

1

201 Created

Upon success, if 5G AKA is selected, the response body will contain one AV and "link" for the AMF to PUT the confirmation.

If an EAP-based method is selected, the response body will contain the EAP method selected, the corresponding EAP packet request and a "link" for the AMF to POST the EAP response.

The HTTP response shall include a "Location" header that contains the resource URI of the created resource.

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

ProblemDetails

O

0..1

400 Bad Request

This case represents the failure to start authentication service because of input parameter error.

ProblemDetails

O

0..1

403 Forbidden

This case represents when the UE is not allowed to be authenticated.

The "cause" attribute may be used to indicate one of the following application errors:

– AUTHENTICATION_REJECTED

– SERVING_NETWORK_NOT_AUTHORIZED

– INVALID_HN_PUBLIC_KEY_IDENTIFIER

– INVALID_SCHEME_OUTPUT

ProblemDetails

O

0..1

404 Not Found

The "cause" attribute may be used to indicate one of the following application errors:

– USER_NOT_FOUND

ProblemDetails

O

0..1

500 Internal Server Error

This case represents the failure in starting the authentication service because of a server internal error.

If the error is due to a problem with UDM not able to generate the requested AV, the AUSF shall indicate the following application error: "AV_GENERATION_PROBLEM"

ProblemDetails

O

0..1

501 Not Implemented

The "cause" attribute may be used to indicate one of the following application errors:

– UNSUPPORTED_PROTECTION_SCHEME

This response shall not be cached.

NOTE 1: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4].

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4].

Location

string

M

1

Contains the URI of the newly created resource according to the structure: {apiRoot}/nausf-auth/v1/ue-authentications/{authCtxId}

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

{apiRoot}/nausf-auth/v1/ue-authentications/deregister

POST

Clear the Security Context of the UE

DeregistrationInfo

M

1

See 6.1.6.2.11.

n/a

204 No Content

This case represents the handover is cancelled successfully.

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

ProblemDetails

O

1

404 Not Found

The "cause" attribute may be used to indicate one of the following application errors:

– CONTEXT_NOT_FOUND

See table 6.1.7.3-1 for the description of this error.

NOTE 1: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4]).

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4].

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

apiRoot

string

See clause 6.1.1

authCtxId

string

Represents a specific ue-authentication per UE per serving network

n/a

ConfirmationData

M

1

Contains the "RES*" generated by the UE and provided to the AMF.

ConfirmationDataResponse

M

1

200 OK

This case indicates that the AUSF has performed the verification of the 5G AKA confirmation. The response body shall contain the result of the authentication and the Kseaf if the authentication is successful.

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

ProblemDetails

O

0..1

400 Bad Request

This case represents a 5G AKA confirmation failure because of input parameter error. This indicates that the AUSF was not able to confirm the authentication.

ProblemDetails

O

0..1

500 Internal Server Error

This case represents a 5G AKA confirmation failure because of a server internal error.

NOTE 1: The mandatory HTTP error status codes for the PUT method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4].

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4].

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

n/a

n/a

n/a

204 No Content

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

NOTE 1: The mandatory HTTP error status codes for the DELETE method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4].

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4].

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

apiRoot

string

See clause 6.1.1

authCtxId

string

Represents a specifc ue-authentication per UE per serving network

n/a

EapSession

M

1

Contains the EAP packet response (see IETF RFC 3748 [18]) from the UE and transferred by the AMF

EapSession

M

1

200 OK

During an EAP session, the body response shall contain the EAP packet Response and a hypermedia link.

At the end of the EAP session, the body response shall contain the EAP packet Success or Failure (see IETF RFC 3748 [18]) and the Kseaf if the authentication is successful

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

ProblemDetails

O

0..1

400 Bad Request

This case represents an EAP session failure because of input parameter error. This indicates that the AUSF was not able to continue the EAP session.

ProblemDetails

O

0..1

500 Internal Server Error

This case represents an EAP session failure because of a server internal error.

NOTE: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4].

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4]

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

n/a

n/a

n/a

204 No Content

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

NOTE 1: The mandatory HTTP error status codes for the DELETE method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4].

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4].

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

apiRoot

string

See clause 6.1.1

n/a

RgAuthenticationInfo

M

1

Contains the UE id (i.e. SUCI as specified in 3GPP TS 23.316 [23] or 3GPP TS 33.501 [8]) and the authenticated indication.

RgAuthCtx

M

1

201 Created

Upon success, the response body will contain the SUPI of the UE and the authentication indication.

The HTTP response shall include a "Location" header that contains the resource URI of the created resource.

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

ProblemDetails

O

0..1

400 Bad Request

This case represents the failure to start authentication service because of input parameter error.

ProblemDetails

O

0..1

403 Forbidden

This case represents when the UE is not allowed to be authenticated.

The "cause" attribute may be used to indicate one of the following application errors:

– AUTHENTICATION_REJECTED

– INVALID_SCHEME_OUTPUT

ProblemDetails

O

0..1

404 Not Found

The "cause" attribute may be used to indicate the following application error:

– USER_NOT_FOUND

NOTE 1: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4].

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4].

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

apiRoot

string

See clause 6.1.1

n/a

ProSeAuthenticationInfo

M

1

Contains the UE Id (i.e. SUCI as specified in 3GPP TS 33.503 [26]) or the CP-PRUK ID, the Relay Service Code and Nonce_1.

ProSeAuthenticationCtx

M

1

201 Created

Upon success, when UE Id (i.e. SUCI) was received in the request,the response body will contain the EAP method selected, the corresponding EAP packet request and a "link" for the AMF to POST the EAP response.

The HTTP response shall include a "Location" header that contains the resource URI of the created resource.

ProSeAuthenticationResult

M

1

200 OK

Upon success, when CP-PRUK ID was received in the request, the response body will contain the K_{NR_ProSe} and Nonce_2.

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

ProblemDetails

O

0..1

400 Bad Request

This case represents the failure to start authentication service because of input parameter error.

ProblemDetails

O

0..1

403 Forbidden

This case represents when the 5G ProSe Remote UE is not allowed to be authenticated.

The "cause" attribute may be used to indicate one of the following application errors:

– AUTHENTICATION_REJECTED

– INVALID_HN_PUBLIC_KEY_IDENTIFIER

– INVALID_SCHEME_OUTPUT

ProblemDetails

O

0..1

404 Not Found

The "cause" attribute may be used to indicate one of the following application errors:

– USER_NOT_FOUND

ProblemDetails

O

0..1

500 Internal Server Error

This case represents the failure in starting the authentication service because of a server internal error.

If the error is due to a problem with UDM not able to generate the requested AV, the AUSF shall indicate the following application error: "AV_GENERATION_PROBLEM"

NOTE 1: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4].

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4].

Location

string

M

1

Contains the URI of the newly created resource according to the structure: {apiRoot}/nausf-auth/v1/prose-authentications/{authCtxId}

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

apiRoot

string

See clause 6.1.1

authCtxId

string

Represents a specific prose-authentication per UE

n/a

ProSeEapSession

M

1

Contains the EAP packet response (see IETF RFC 3748 [18]) from the 5G ProSe Remote UE and transferred by the AMF

ProSeEapSession

M

1

200 OK

During an EAP session, the body response shall contain the EAP packet Response and an hypermedia link.

At the end of the EAP session, the body response shall contain the EAP packet Success or Failure (see IETF RFC 3748 [18]) and the K_{NR_ProSe} if the authentication is successful

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

ProblemDetails

O

0..1

400 Bad Request

This case represents an EAP session failure because of input parameter error. This indicates that the AUSF was not able to continue the EAP session.

ProblemDetails

O

0..1

500 Internal Server Error

This case represents an EAP session failure because of a server internal error.

NOTE: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4].

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4]

Location

String

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

String

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

n/a

n/a

n/a

204 No Content

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

NOTE 1: The mandatory HTTP error status codes for the DELETE method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4].

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4].

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

AuthenticationInfo

6.1.6.2.2

Contains the UE id (i.e. SUCI or SUPI) and the Serving Network Name.

UEAuthenticationCtx

6.1.6.2.3

Contains the information related to the resource generated to handle the UE authentication. It contains at least the UE id, Serving Network, the Authentication Method and related EAP information or related 5G-AKA information.

5gAuthData

6.1.6.2.4

Contains 5G authentication related information.

Av5gAka

6.1.6.2.5

Contains Authentication Vector for method 5G AKA.

ConfirmationData

6.1.6.2.6

Contains the "RES*" generated by the UE.

EapSession

6.1.6.2.7

Contains information related to the EAP session.

ConfirmationDataResponse

6.1.6.2.8

Contains the result of the authentication.

RgAuthenticationInfo

6.1.6.2.9

Contains the UE id (i.e. SUCI) and the authenticated indication.

RgAuthCtx

6.1.6.2.10

Contains the UE id (i.e. SUPI) and the authentication indication.

DeregistrationInfo

6.1.6.2.11

Contains the UE id (i.e. SUPI).

ProSeAuthenticationInfo

6.1.6.2.12

Contains the information related to the Prose authentication received from the 5G ProSe Remote UE.

ProSeAuthenticationCtx

6.1.6.2.13

Contains the information related to the resource generated to handle the ProSe authentication.

ProSeEapSession

6.1.6.2.14

Contains information related to the EAP session for the 5G ProSe Remote UE.

ProSeAuthData

6.1.6.2.15

Contains ProSe authentication related information.

ProSeAuthenticationResult

6.1.6.2.16

ProSe Authentication Result

EapPayload

6.1.6.3.2

Contains the EAP packets.

ResStar

6.1.6.3.2

Contains the RES*.

Kseaf

6.1.6.3.2

Contains the Kseaf.

HxresStar

6.1.6.3.2

Contains the HXRES*.

Suci

6.1.6.3.2

Contains the SUCI.

KnrProSe

6.1.6.3.2

Contains the K_{NR_ProSe}.

Nonce1

6.1.6.3.2

Contains the Nonce1.

Nonce2

6.1.6.3.2

Contains the Nonce2.

Msk

6.1.6.3.2

Contains the Master Session Key.

AuthType

6.1.6.3.3

Indicates the authentication method used.

AuthResult

6.1.6.3.4

Indicates the result of the authentication.

ResynchronizationInfo

3GPP TS 29.503 [12]

ServingNetworkName

3GPP TS 29.503 [12]

Autn

3GPP TS 29.503 [12]

Rand

3GPP TS 29.503 [12]

LinksValueSchema

3GPP TS 29.571 [10]

3GPP Hypermedia link

ProblemDetails

3GPP TS 29.571 [10]

Common Data Type used in response bodies

Supi

3GPP TS 29.571 [10]

Uri

3GPP TS 29.571 [10]

SupiOrSuci

3GPP TS 29.571 [10]

Pei

3GPP TS 29.571 [10]

TraceData

3GPP TS 29.571 [10]

NfGroupId

3GPP TS 29.571 [10]

CagId

3GPP TS 29.571 [10]

SupportedFeatures

3GPP TS 29.571 [10]

Supported Features

ServerAddressingInfo

3GPP TS 29.571 [10]

RelayServiceCode

3GPP TS 29.571 [10]

5GPrukId

3GPP TS 29.571 [10]

supiOrSuci

SupiOrSuci

M

1

Contains the SUPI or SUCI of the UE.

servingNetworkName

ServingNetworkName

M

1

Contains the Serving Network Name.

resynchronizationInfo

ResynchronizationInfo

O

0..1

Contains RAND and AUTS; see 3GPP 33.501 [8] clause 9.4.

pei

Pei

O

0..1

Permanent Equipment Identifier

traceData

TraceData

O

0..1

Contains TraceData provided by the UDM to the AMF

udmGroupId

NfGroupId

O

0..1

Identity of the UDM group serving the SUPI

routingIndicator

String

O

0..1

When present, it shall indicate the Routing Indicator of the UE.

Pattern: ‘^[0-9]{1,4}$’

cellCagInfo

array(CagId)

O

1..N

CAGList of the CAG cell.

n5gcInd

boolean

O

0..1

N5GC device indicator (see 3GPP TS 33.501 [8]) When present, this IE shall be set as follows:

– true: authentication is for a N5GC device;

– false (default): authentication is not for a N5GC device.

See NOTE

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.9 is supported.

pvsInfo

array(ServerAddressingInfo)

O

1..N

FQDN(s) and/or IP address(es) of the SNPN UE onboarding Provisioning Servers (PVS).

nswoInd

boolean

O

0..1

NSWO Indicator (see 3GPP TS 33.501 [8])

When present, this IE shall be set as follows:

– true: Non-Seamless WLAN Offload is applied;

– false (default): Non-Seamless WLAN Offload is not applied.

disasterRoamingInd

boolean

O

0..1

Disaster Roaming Indicator (see 3GPP TS 23.502 [3]).

When present, this IE shall be set as follows:

– true: Disaster Roaming service is applied;

– false (default): Disaster Roaming service is not applied.

onboardingInd

boolean

O

0..1

UE Onboarding Indicator for the authentication

When present, this IE shall be set as follows:

– true: authentication is for UE onboarding;

– false (default): authentication is not for UE onboarding.

NOTE: The attribute n5gcInd is used for EAP-TLS, which is described in the informative annex O of 3GPP TS 33.501 [8] and is not mandatory to support.

authType

AuthType

M

1

Indicates the authentication method used for this UE i.e. "5G-AKA-Confirmation", "EAP-AKA’"; "EAP-TLS" or "EAP-TTLS". See clause 6.1.6.3.3

_links

map(LinksValueSchema)

M

1..N

If 5G-AKA has been selected, this IE shall contain a member whose name is set to "5g-aka" and the URI to perform the confirmation.

If an EAP-based method has been selected, this IE shall contain a member whose name is set to "eap-session" and the URI to perform the EAP session.

See NOTE

5gAuthData

5gAuthData

M

1

Contains either 5G-AKA or EAP related information.

servingNetworkName

ServingNetworkName

O

0..1

Contains the Serving Network Name.

NOTE: In the current version of this API, only one hypermedia link is provided

Av5gAka

1

Contains the 5G AV if 5G-AKA has been selected.

EapPayload

1

Contains the EAP packet request.

rand

Rand

M

1

autn

Autn

M

1

hxresStar

HxresStar

M

1

resStar

ResStar

M

1

Contains the "RES*" provided by the UE to the AMF.

If no RES* has been provided by the UE the null value is conveyed to the AUSF.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.9 is supported.

eapPayload

EapPayload

M

1

Contains the EAP packet (see IETF RFC 3748 [18]).

If no EAP packet has been provided by the UE the null value is conveyed to the AUSF.

kSeaf

Kseaf

C

0..1

Shall be absent for N5GC device authentication; otherwise:

If the authentication is successful and the consumer is an AMF, the Kseaf shall be included

_links

map(LinksValueSchema)

C

1..N

If the EAP session requires another exchange e.g. for EAP-AKA’ notification, this IE shall contain a member whose name is "eap-session" and the URI to continue the EAP session.

See NOTE.

authResult

AuthResult

C

0..1

Indicates the result of the authentication.

supi

Supi

C

0..1

If the authentication is successful and if the AMF had provided a SUCI, this IE shall contain the SUPI of the UE.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.9 is supported.

pvsInfo

array(ServerAddressingInfo)

O

1..N

FQDN(s) and/or IP address(es) of the SNPN UE onboarding Provisioning Servers (PVS).

msk

Msk

C

0..1

If the authentication is successful and the consumer is an NSWOF as indicated by the NSWO indicator received within the AuthenticationInfo, the MSK shall be included (see 3GPP TS 33.501 [8] annex S)

NOTE: In the current version of this API, only 0 or 1 hypermedia link is provided.

authResult

AuthResult

M

1

Indicates the result of the authentication

supi

Supi

C

0..1

If the authentication is successful and if the AMF had provided a SUCI, this IE shall contain the SUPI of the UE

kseaf

Kseaf

C

0..1

Contains the Kseaf if authentication is successful.

pvsInfo

array(ServerAddressingInfo)

O

1..N

FQDN(s) and/or IP address(es) of the SNPN UE onboarding Provisioning Servers (PVS).

suci

Suci

M

1

Contains the SUCI of the FN-RG.

authenticatedInd

boolean

M

1

This IE shall be set as follows:

– true: authenticated by the W-AGF;

– false (default): unauthenticated by the W-AGF.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.9 is supported.

authResult

AuthResult

M

1

Indicates the result of the authentication

supi

Supi

C

0..1

If the authentication is successful and if the AMF had provided a SUCI, this IE shall contain the SUPI of the UE.

authInd

boolean

C

0..1

When present, this IE shall be set as follows:

– true: authentication is not required;

– false (default): authentication is required.

supi

Supi

M

1

Contains the SUPI of the UE.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.9 is supported.

supiOrSuci

SupiOrSuci

C

0..1

This IE shall be present if received from 5G ProSe Remote UE.

When received, this IE shall contain the SUCI of the 5G ProSe Remote UE.

5gPrukId

5GPrukId

C

0..1

This IE shall be present if the CP-PRUK is received from 5G ProSe Remote UE.

When present, this IE shall Indicate the CP-PRUK ID received from the 5G ProSe Remote UE.

relayServiceCode

RelayServiceCode

M

1

Indicates Relay Service Code. See 3GPP TS 29.571 [7] clause 5.4.2

nonce1

Nonce1

M

1

Indicates Nonce_1.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.9 is supported.

authType

AuthType

M

1

Indicates the authentication method used for this UE i.e. "EAP-AKA".

_links

map(LinksValueSchema)

M

1..N

This IE shall contain a member whose name is set to "prose-auth" and the URI to perform the EAP session.

See NOTE

proSeAuthData

ProSeAuthData

M

1

Contains ProSe Authentication related information

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.9 is supported.

NOTE: In the current version of this API, only one hypermedia link is provided

eapPayload

EapPayload

M

1

Contains the EAP packet (see IETF RFC 3748 [18]).

If no EAP packet has been provided by the 5G ProSe Remote UE the null value is conveyed to the AUSF.

knrProSe

KnrProSe

C

0..1

If the authentication is successful and no EAP packet has been provided by the 5G ProSe Remote UE, the K_{NR_ProSe} shall be included

_links

map(LinksValueSchema)

C

1..N

If the EAP session requires another exchange e.g. for EAP-AKA’ notification, this IE shall contain a member whose name is "prose-auth" and the URI to continue the EAP session.

See NOTE.

authResult

AuthResult

C

0..1

This IE shall be present if no EAP packet has been provided by the 5G ProSe Remote UE.

When present, this IE shall indicate the result of the authentication.

nonce2

Nonce2

C

0..1

If the authentication is successful and no EAP packet has been provided by the 5G ProSe Remote UE, the Nonce_2 shall be included.

5gPrukId

5GPrukId

C

0..1

This IE shall be present if authentication is successful and no EAP packet has been provided by the 5G ProSe Remote UE.

When present, this IE shall contain the CP-PRUK ID to the 5G ProSe Remote UE.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.9 is supported.

NOTE: In the current version of this API, only 0 or 1 hypermedia link is provided.

EapPayload

1

Contains the EAP packet request.

knrProSe

KnrProSe

C

0..1

If the authentication is successful, the K_{NR_ProSe} shall be included

nonce2

Nonce2

C

0..1

If the authentication is successful, the Nonce_2 shall be included.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.1.9 is supported.

EapPayload

string

The EAP packet is encoded using base64 (see IETF RFC 4648 [19]) and represented as a String.

Format: byte

ResStar

string

pattern: "^[A-Fa-f0-9]{32}$"; nullable

Kseaf

string

pattern: "^[A-Fa-f0-9]{64}$"

HxresStar

string

pattern: "^[A-Fa-f0-9]{32}$"

Suci

string

String containing a SUCI.

Pattern: "^(suci-(0-[0-9]{3}-[0-9]{2,3}|[1-7]-.+)-[0-9]{1,4}-(0-0-.+|[a-fA-F1-9]-([1-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])-[a-fA-F0-9]+)|.+)$"

KnrProSe

string

String contain the K_{NR_ProSe}

pattern: "^[A-Fa-f0-9]{64}$"

Nonce1

string

The Nonce1 is encoded using base64 (see IETF RFC 4648 [19]) and represented as a String.

Format: byte

Nonce2

string

The Nonce2 is encoded using base64 (see IETF RFC 4648 [19]) and represented as a String.

Format: byte

Msk

string

pattern: "^[A-Fa-f0-9]{128}$"

5G_AKA

5G AKA

EAP_AKA_PRIME

EAP-AKA’

EAP_TLS

EAP-TLS is only used in the case where the Annex B is supported.

EAP_TTLS

EAP-TTLS is used in the case where the Annex U of 3GPP TS 33.501 [8] is supported.

AUTHENTICATION_SUCCESS

This value is used to indicate that the AUSF successfully authenticate the UE

AUTHENTICATION_FAILURE

This value is used to indicate that the AUSF fails to authenticate the UE.

AUTHENTICATION_ONGOING

This value is used during an EAP Session to indicate that the EAP session is still ongoing.

5g-aka

eap-session

SERVING_NETWORK_NOT_AUTHORIZED

403 Forbidden

The serving network is not authorized, e.g. serving PLMN.

AUTHENTICATION_REJECTED

403 Forbidden

The user cannot be authenticated with this authentication method e.g. only SIM data available

INVALID_HN_PUBLIC_KEY_IDENTIFIER

403 Forbidden

Invalid HN public key identifier received

INVALID_SCHEME_OUTPUT

403 Forbidden

SUCI cannot be decrypted with received data

CONTEXT_NOT_FOUND

404 Not Found

The AUSF cannot found the resource corresponding to the URI provided by the NF Service Consumer.

USER_NOT_FOUND

404 Not Found

The user does not exist in the HPLMN

UPSTREAM_SERVER_ERROR

504 Gateway Timeout

No response is received from a remote peer, e.g. from the UDM

NETWORK_FAILURE

504 Gateway Timeout

The request is rejected due to a network problem.

AV_GENERATION_PROBLEM

500 Internal Server Error

The UDM has indicated that it was not able to generate AV.

UNSUPPORTED_PROTECTION_SCHEME

501 Not implemented

The received protection scheme is not supported by HPLMN

1

ES3XX

M

Extended Support of HTTP 307/308 redirection

An NF Service Consumer (e.g. AMF) that supports this feature shall support handling of HTTP 307/308 redirection for any service operation of the UEAuthentication service. An NF Service Consumer that does not support this feature does only support HTTP redirection as specified for 3GPP Release 15.

supi

(Custom operation)

/{supi}/ue-sor/

ue-sor(POST)

Resource for SoR security material computation

apiRoot

string

See clause 6.2.1

supi

Supi

Represents the Subscription Permanent Identifier (see 3GPP TS 23.501 [2] clause 5.9.2)
pattern: See pattern of type Supi in 3GPP TS 29.571 [10]

ue-sor

/ue-sor

POST

The AUSF calculates the SoR-MAC-IAUSF and the CounterSoR to protect the Steering Information List provided. It may also calculate the SoR-XMAC-IUE to verify that the UE received the Steering Information List if the indication that an acknowledgement is requested from the UE.

SorInfo

M

1

Contains the Steering Information List and shall contain the indication of whether an acknowledgement is requested from the UE or not (as specified in 3GPP TS 33.501 [8]).

SorSecurityInfo

M

1

200 OK

Upon success, the response body will contain SoR-MAC-IAUSF and CounterSoR and may contain the SoR-XMAC-IUE_.

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

ProblemDetails

O

0..1

503 Service Unavailable

The "cause" attribute may be used to indicate one of the following application errors:

– COUNTER_WRAP

See table 6.2.7.3-1 for the description of these errors.

NOTE 1: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4].

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4].

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

SorInfo

6.2.6.2.2

Contains the Steering Information

SorSecurityInfo

6.2.6.2.3

Contains the material generated for securing of SoR. It contains at least the SoR-MAC-IAUSF and CounterSoR.

SteeringInfo

6.2.6.2.4

Contains a combination of one PLMN identity and zero or more access technologies.

SteeringContainer

6.2.6.2.5

Contains the information sent to UE.

SorMac

6.2.6.3.2

MAC value for protecting SOR procedure (SoR-MAC-IAUSF and SoR-XMAC-IUE)

CounterSor

6.2.6.3.2

CounterSoR

AckInd

6.2.6.3.2

Contains indication whether the acknowledgement from UE is needed

SecuredPacket

6.2.6.3.2

Contains a secure packet.

AccessTech

6.2.6.3.3

Access Technology

SorHeader

6.2.6.3.2

Contains the SoR Header.

SorTransparentInfo

6.2.6.3.2

Contains steering information encoded as transparent containers.

PlmnId

3GPP TS 29.571 [10]

PLMN ID

SupportedFeatures

3GPP TS 29.571 [10]

Supported Features

ackInd

AckInd

M

1

Contains the indication whether the acknowledgement from UE is needed.

steeringContainer

SteeringContainer

C

0..1

When present, this information contains the information needed to update the "Operator Controlled PLMN Selector with Access Technology" list stored in the USIM.

It may contain an array of preferred PLMN/AccessTechnologies combinations in priority order. The first entry in the array indicates the highest priority and the last entry indicates the lowest.

Or it may contain a secured packet.

If no change of the "Operator Controlled PLMN Selector with Access Technology" list stored in the USIM is needed then this attribute shall be absent.

sorHeader

SorHeader

O

0..1

This attribute contains SoR Header encoded as defined in clause 6.2.6.3.2 and shall be present if AUSF supports receiving SoR Information encoded as transparent containers.

sorTransparentInfo

SorTransparentInfo

O

0..1

This attribute contains steering information encoded as defined in clause 6.2.6.3.2, and may be present if AUSF supports receiving SoR Information encoded as transparent containers.

It may be absent if no change of the "Operator Controlled PLMN Selector with Access Technology" list stored in the USIM is needed.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.2.9 is supported.

sorMacIausf

SorMac

M

1

Contains the SoR-MAC-IAUSF.

counterSor

CounterSor

M

1

Contains the Counter_SoR.

sorXmacIue

SorMac

O

0..1

When present, contains the SoR-XMAC-I_UE. It shall be included, if the UDM requests the acknowledgement from the UE.

plmnId

PlmnId

M

1

Contains a preferred PLMN identity.

accessTechList

array(AccessTech)

C

1..N

When present it contains the referred access technologies as listed in clause 4.2.5 of 3GPP TS 31.102 [15]. If absent it means that all access technologies are equivalently preferred in this PLMN.

array(SteeringInfo)

1..N

List of PLMN/AccessTechnologies combinations.

SecuredPacket

1

A secured packet containing one or more APDUs commands dedicated to Remote File Management.

SorMac

string

pattern: "^[A-Fa-f0-9]{32}$"

CounterSor

string

pattern: "^[A-Fa-f0-9]{4}$"

AckInd

boolean

true indicates that the SoR-XMAC-I_UE shall be computed and returned in the response

SecuredPacket

string

Contains a secure packet as specified in 3GPP TS 24.501 [20]. It is encoded using base64 and represented as a String.

Format: byte

SorHeader

Bytes

String with format "byte" as defined in OpenAPI Specification [25], i.e. base64-encoded characters, encoding the "SOR Header" IE as specified in clause 9.11.3.51 of 3GPP TS 24.501 [20] (octet 4).

SorTransparentInfo

Bytes

String with format "byte" as defined in OpenAPI Specification [25], i.e. base64-encoded characters, encoding the "SOR transparent container" IE as specified in clause 9.11.3.51 of 3GPP TS 24.501 [20] (starting from octet 23).

"NR"

"EUTRAN_IN_WBS1_MODE_AND_NBS1_MODE"

"EUTRAN_IN_NBS1_MODE_ONLY"

"EUTRAN_IN_WBS1_MODE_ONLY"

"UTRAN"

"GSM_AND_ECGSM_IoT"

"GSM_WITHOUT_ECGSM_IoT"

"ECGSM_IoT_ONLY"

"CDMA_1xRTT"

"CDMA_HRPD"

"GSM_COMPACT"

COUNTER_WRAP

503 Service Unavailable

The Counter_SoR associated with the KAUSF of the UE is about to wrap around. The AUSF suspends the SoR protection service for the UE until a new KAUSF is generated.

1

ES3XX

M

Extended Support of HTTP 307/308 redirection

An NF Service Consumer (e.g. UDM) that supports this feature shall support handling of HTTP 307/308 redirection for any service operation of the SoRProtection service. An NF Service Consumer that does not support this feature does only support HTTP redirection as specified for 3GPP Release 15.

2

sorTransparentSupport

O

This flag is used by AUSF to register (in NRF) its support of receiving SoR Transparent Information instead of individual IEs from UDM.

supi

(Custom operation)

/{supi}/ue-upu/

ue-upu (POST)

Resource for UPU security material computation

apiRoot

string

See clause 6.3.1

supi

Supi

Represents the Subscription Permanent Identifier (see 3GPP TS 23.501 [2] clause 5.9.2)
pattern: See pattern of type Supi in 3GPP TS 29.571 [10]

ue-upu

/ue-upu

POST

The AUSF calculates the UPU-MAC-I_AUSF and the Counter_UPU to protect the UE Parameters Update Data provided. It may also calculate the UPU-XMAC-I_UE to verify that the UE received the UE Parameters Update Data if the indication that an acknowledgement is requested from the UE is provided.

UpuInfo

M

1

Contains the UE Parameters Update Data and shall contain the indication of whether an acknowledgement is requested from the UE or not (as specified in 3GPP TS 33.501 [8]).

UpuSecurityInfo

M

1

200 OK

Upon success, the response body will contain UPU-MAC-I_AUSF and Counter_UPU and may contain the UPU-XMAC-I_UE.

RedirectResponse

O

0..1

307 Temporary Redirect

Temporary redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

RedirectResponse

O

0..1

308 Permanent Redirect

Permanent redirection. The response shall include a Location header field containing a different URI, or the same URI if a request is redirected to the same target resource via a different SCP. In the former case, the URI shall be an alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

(NOTE 2)

ProblemDetails

O

0..1

503 Service Unavailable

The "cause" attribute may be used to indicate one of the following application errors:

– COUNTER_WRAP

See table 6.3.7.3-1 for the description of these errors.

NOTE 1: The mandatory HTTP error status codes for the POST method listed in Table 5.2.7.1-1 of 3GPP TS 29.500 [4] other than those specified in the table above also apply, with a ProblemDetails data type (see clause 5.2.7 of 3GPP TS 29.500 [4]).

NOTE 2: RedirectResponse may be inserted by an SCP, see clause 6.10.9.1 of 3GPP TS 29.500 [4].

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

Location

string

M

1

An alternative URI of the resource located on an alternative service instance within the same AUSF or AUSF (service) set.

Or the same URI, if a request is redirected to the same target resource via a different SCP.

3gpp-Sbi-Target-Nf-Id

string

O

0..1

Identifier of the target NF (service) instance ID towards which the request is redirected

UpuInfo

6.3.6.2.2

Contains the UE parameters update Information

UpuSecurityInfo

6.3.6.2.3

Contains the material generated for securing of UPU. It contains at least the UPU-MAC-I_AUSF and Counter_UPU.

UpuData

6.3.6.2.4

Contains UE parameters update data set (e.g., the updated Routing ID Data or the Default configured NSSAI).

UpuMac

6.3.6.3.2

MAC value for protecting UPU procedure (UPU-MAC-I_AUSF and UPU-MAC-I_UE)

CounterUpu

6.3.6.3.2

Counter_UPU

UpuAckInd

6.3.6.3.2

Contains the indication of whether the acknowledgement from UE is needed

UpuHeader

6.3.6.3.2

Contains the "UPU Header" IE as specified in clause 9.11.3.53A of 3GPP TS 24.501 [20] (octet 4),

UpuTransparentInfo

6.3.6.3.2

Contains UPU information encoded as transparent container.

Snssai

3GPP TS 29.571 [10]

Default configured NSSAI

SecuredPacket

6.2.6.3.2

Secured Packet

RoutingId

3GPP TS 29.544 [22]

Routing ID

SupportedFeatures

3GPP TS 29.571 [10]

Supported Features

upuDataList

array(UpuData)

M

1..N

This information defines the UE Parameters Update (UPU). A secured packed with the Routing indicator update data and/or the Default configured NSSAI update data are included. See clause 6.3.6.2.4.

This attribute shall be ignored by AUSF when upuTransparentInfo is present.

upuHeader

UpuHeader

O

0..1

This attribute contains UPU Header encoded as defined in clause 6.3.6.3.2.

upuAckInd

UpuAckInd

M

1

Contains the indication of whether the acknowledgement from UE is needed.

supportedFeatures

SupportedFeatures

C

0..1

This IE shall be present if at least one optional feature defined in clause 6.3.9 is supported.

upuTransparentInfo

UpuTransparentInfo

O

0..1

This attribute contains UPU information encoded as defined in clause 6.3.6.3.2, and may be present if AUSF supports receiving UPU Information encoded as transparent container.

upuTransparentSupport

upuMacIausf

UpuMac

M

1

Contains the UPU-MAC-I_AUSF.

counterUpu

CounterUpu

M

1

Contains the Counter_UPU.

upuXmacIue

UpuMac

O

0..1

When present, contains the UPU-XMAC-I_UE. It shall be included, if the UDM requests the acknowledgement from the UE.

secPacket

SecuredPacket

C

0..1

Presents if the Routing indicator update data is required to be updated, and contains a secured packet with the Routing indicator to be updated.

defaultConfNssai

array(Snssai)

C

1..N

Presents if the Default configured NSSAI is required to be updated, and contains the Default configured NSSAI to be updated.

RoutingId

RoutingId

C

0..1

May be present when sent from UDR to UDM. The UDM shall make use of Nspaf services (see 3GPP TS 29.544 [22] to encapsulate the routing id in a secured packet which is then conveyed to the AUSF and AMF.

UpuMac

string

pattern: "^[A-Fa-f0-9]{32}$"

CounterUpu

string

pattern: "^[A-Fa-f0-9]{4}$"

UpuAckInd

boolean

true indicates that the UPU-XMAC-I_UE shall be computed and returned in the response

UpuHeader

string

It contains the "UPU Header" IE as specified in clause 9.11.3.53A of 3GPP TS 24.501 [20] (octet 4), encoded as 2 hexadecimal characters.

Pattern: "^[A-Fa-f0-9]{2}$"

UpuTransparentInfo

Bytes

String with format "byte" as defined in OpenAPI Specification [25], i.e. base64-encoded characters, encoding the "UPU transparent container" IE as specified in clause 9.11.3.53A of 3GPP TS 24.501 [20] (starting from octet 23).

COUNTER_WRAP

503 Service Unavailable

The Counter_UPU associated with the K_AUSF of the UE is about to wrap around. The AUSF suspends the UPU protection service for the UE until a new K_AUSF is generated.

1

ES3XX

M

Extended Support of HTTP 307/308 redirection

An NF Service Consumer (e.g. UDM) that supports this feature shall support handling of HTTP 307/308 redirection for any service operation of the UPUProtection service. An NF Service Consumer that does not support this feature does only support HTTP redirection as specified for 3GPP Release 15.

2

upuTransparentSupport

O

This flag is used by AUSF to register (in NRF) its support of receiving UPU Transparent Information instead of individual Ies from UDM