6.1.8 Security

3GPP TS 29.510, Release 18: 5G System; Network function repository services; Stage 3

As indicated in clause 13.3 of 3GPP TS 33.501 [15], when static authorization is not used, the access to the Nnrf_NFManagement API may be authorized by means of the OAuth2 protocol (see IETF RFC 6749 [16]), using the "Client Credentials" authorization grant, where the NRF plays the role of the authorization server.

If OAuth2 authorization is used on the Nnrf_NFManagement API, an NF Service Consumer, prior to consuming services offered by the Nnrf_NFManagement API, shall obtain a "token" from the authorization server, by invoking the Access Token Request service, as described in clause 5.4.2.2.

NOTE: When multiple NRFs are deployed in a network, the NRF used as authorization server is the same NRF where the Nnrf_NFManagement service is invoked by the NF Service Producer.

The Nnrf_NFManagement API defines the following scopes for OAuth2 authorization:

Table 6.1.8-1: OAuth2 scopes defined in Nnrf_NFManagement API

| Scope | Description |
|---|---|
| "nnrf-nfm" | Access to the Nnrf_NFManagement API |
| "nnrf-nfm:nf-instances:read" | Access to read the nf-instances resource, or an individual NF Instance ID resource |
| "nnrf-nfm:subscriptions:subs-complete-profile" | Access to subscribe to the complete profile of NF instances |
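
The following is an added example, not part of the specification text: a sketch of how a resource server could check the scope claim of an access token against the three scopes in Table 6.1.8-1, using exact, case-sensitive matching of space-delimited scope tokens as defined in IETF RFC 6749. The operation names and the POLICY mapping (API-level scope plus resource-level scope) are assumptions made for illustration; the sample scope strings are constructed.

```python
# Added example: exact-match scope enforcement for the Nnrf_NFManagement scopes.
# Operation names and POLICY are hypothetical; a real deployment defines its own.

# operation -> list of alternative scope sets; a request is allowed when the
# token holds every scope of at least one alternative (assumed policy).
POLICY = {
    "read-nf-instances": [{"nnrf-nfm", "nnrf-nfm:nf-instances:read"}],
    "subscribe-complete-profile": [
        {"nnrf-nfm", "nnrf-nfm:subscriptions:subs-complete-profile"}
    ],
    "register-nf-instance": [{"nnrf-nfm"}],
}


def parse_scope(scope_claim):
    """Split an RFC 6749 scope string into its scope tokens.

    Tokens are separated by single spaces and compared case-sensitively.
    An empty token (leading, trailing or doubled space) is rejected.
    """
    if not scope_claim:
        return set()
    tokens = scope_claim.split(" ")
    if any(t == "" for t in tokens):
        raise ValueError("empty scope token in scope claim")
    return set(tokens)


def is_authorized(scope_claim, operation):
    """Return True only if the token's scopes satisfy the operation's policy."""
    alternatives = POLICY.get(operation)
    if alternatives is None:
        return False  # fail closed: no policy entry means no access
    try:
        granted = parse_scope(scope_claim)
    except ValueError:
        return False  # malformed scope claim is rejected
    # Set inclusion gives exact matching: "nnrf-nfm:nf-instances:read" does
    # not imply "nnrf-nfm", and a scope split by a stray space matches nothing.
    return any(required <= granted for required in alternatives)
```

A scope string containing a space inside a scope name, such as "nnrf-nfm: subscriptions:subs-complete-profile", is parsed as two unrelated tokens and therefore grants nothing.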