6.3 Nnrf_AccessToken Service API
29.5103GPP5G SystemNetwork function repository servicesRelease 18Stage 3TS
6.3.1 General
This API reuses the API endpoints and input / output parameters specified in IETF RFC 6749 [16] as a custom operation without resources. Hence this clause does not follow the 3GPP API specification guidelines described in 3GPP TS 29.501 [5].
6.3.2 API URI
URIs of this API shall have the following root:
{nrfApiRoot}/oauth2
where {nrfApiRoot} represents the concatenation of the "scheme" and "authority" components of the NRF, as defined in IETF RFC 3986 [17].
6.3.3 Usage of HTTP
6.3.3.1 General
HTTP/2, as defined in IETF RFC 7540 [9], shall be used as specified in clause 5 of 3GPP TS 29.500 [4].
HTTP/2 shall be transported as specified in clause 5.3 of 3GPP TS 29.500 [4].
HTTP messages and bodies this API shall comply with the OpenAPI [10] specification contained in Annex A.
6.3.3.2 HTTP standard headers
6.3.3.2.1 General
The HTTP headers as specified in clause 4.4 of IETF RFC 6749 [16] shall be supported, with the exception that there shall not be "Authorization" HTTP request header in the access token request.
6.3.3.2.2 Content type
The following content types shall be supported:
– The x-www-form-urlencoded format (see clause 17.13.4 of W3C HTML 4.01 Specification [26]). The use of the x-www-form-urlencoded format shall be signalled by the content type "application/x-www-form-urlencoded".
– The JSON format (IETF RFC 8259 [22]). The use of the JSON format shall be signalled by the content type "application/json". See also clause 5.4 of 3GPP TS 29.500 [4].
6.3.3.3 HTTP custom headers
6.3.3.3.1 General
In this release of this specification, no custom headers specific to the OAuth2.0 Authorization Service API are defined. For 3GPP specific HTTP custom headers used across all service-based interfaces, see clause 5.2.3 of 3GPP TS 29.500 [4].
6.3.4 Custom Operations without associated resources
6.3.4.1 Overview
The /token endpoint as specified in IETF RFC 6749 [16] shall be supported. The "token endpoint" URI shall be:
{nrfApiRoot}/oauth2/token
where {nrfApiRoot} is defined in clause 6.3.2.
Table 6.3.4.1-1 provides an overview of the endpoints and applicable HTTP methods.
Table 6.3.4.1-1: Custom operations without associated resources
|
Operation Name |
Custom operation URI |
Mapped HTTP method |
Description |
|
Get (Access Token Request) |
/oauth2/token |
POST |
Access token request for obtaining OAuth2.0 access token. This operation maps to Nnrf_AccessToken_Get service operation. |
6.3.4.2 Operation: Get (Access Token Request)
6.3.4.2.1 Description
This custom operation represents the process for issuing the OAuth2.0 access token.
6.3.4.2.2 Operation Definition
This operation returns an OAuth 2.0 access token based on the input parameters provided. This custom operation shall use the HTTP POST method.
This method shall support the request data structures specified in table 6.3.4.2.2-1 and the response data structures and response codes specified in table 6.3.4.2.2-2. The data structure used for the POST request body shall be using x-www-form-urlencoded format as specified in clause 17.13.4 of W3C HTML 4.01 Specification [26].
Table 6.3.4.2.2-1: Data structures supported by the POST Request Body on this endpoint
|
Data type |
P |
Cardinality |
Description |
|
AccessTokenReq |
M |
1 |
This IE shall contain the request information for the access token request. Content-Type: "application/x-www-form-urlencoded" |
Table 6.3.4.2.2-2: Data structures supported by the POST Response Body on this endpoint
|
Data type |
P |
Cardinality |
Response codes |
Description |
|
AccessTokenRsp |
M |
1 |
200 OK |
This IE shall contain the access token response information. |
|
RedirectResponse |
O |
0..1 |
307 Temporary Redirect |
The NRF shall generate a Location header field containing a URI pointing to the endpoint of another NRF service instance to which the request should be sent. If an SCP redirects the message to another SCP then the location header field shall contain the same URI or a different URI pointing to the endpoint of the NF service producer to which the request should be sent. |
|
RedirectResponse |
O |
0..1 |
308 Permanent Redirect |
The NRF shall generate a Location header field containing a URI pointing to the endpoint of another NRF service instance to which the request should be sent. If an SCP redirects the message to another SCP then the location header field shall contain the same URI or a different URI pointing to the endpoint of the NF service producer to which the request should be sent. |
|
AccessTokenErr |
M |
1 |
400 Bad Request, 401 Unauthorized |
See IETF RFC 6749 [16] clause 5.2. The specific error shall be indicated in the "error" attribute of the AccessTokenErr data type, containing any of the values: – invalid_request – invalid_client – invalid_grant – unauthorized_client – unsupported_grant_type – invalid_scope |
|
ProblemDetails |
O |
0..1 |
400 Bad Request |
This error shall only be returned by an SCP or SEPP for errors they originate. |
Table 6.3.4.2.2-3: Headers supported by the 200 Response Code on this endpoint
|
Name |
Data type |
P |
Cardinality |
Description |
|
Cache-Control |
string |
M |
1 |
Enum: "no-store" |
|
Pragma |
string |
M |
1 |
Enum: "no-cache" |
Table 6.3.4.2.2-4: Headers supported by the 400 Response Code on this endpoint
|
Name |
Data type |
P |
Cardinality |
Description |
|
Cache-Control |
string |
M |
1 |
Enum: "no-store" |
|
Pragma |
string |
M |
1 |
Enum: "no-cache" |
Table 6.3.4.2.2-5: Headers supported by the 307 Response Code on this endpoint
|
Name |
Data type |
P |
Cardinality |
Description |
|
Location |
string |
M |
1 |
A URI pointing to the endpoint of the NRF service instance to which the request should be sent |
Table 6.3.4.2.2-6: Headers supported by the 308 Response Code on this endpoint
|
Name |
Data type |
P |
Cardinality |
Description |
|
Location |
string |
M |
1 |
A URI pointing to the endpoint of the NRF service instance to which the request should be sent |
6.3.5 Data Model
6.3.5.1 General
This clause specifies the application data model supported by the API.
Table 6.3.5.1-1 specifies the data types defined for the OAuth 2.0 Authorization Service API. The AccessTokenReq data structure shall be converted to the content type "application/x-www-form-urlencoded" when the OAuth 2.0 Access Token Request is invoked.
Table 6.3.5.1-1: OAuth 2.0 Authorization service specific Data Types
|
Data type |
Clause defined |
Description |
|
AccessTokenReq |
6.3.5.2.2 |
Contains information related to the access token request. |
|
AccessTokenRsp |
6.3.5.2.3 |
Contains information related to the access token response. |
|
AccessTokenClaims |
6.3.5.2.4 |
The claims data structure for the access token. |
|
AccessTokenErr |
6.3.5.2.5 |
Contains error information returned in the access token response. |
|
Audience |
6.3.5.4.1 |
Contains the audience claim of the access token. |
Table 6.3.5.1-2 specifies data types re-used by the OAuth 2.0 Authorization service from other specifications, including a reference to their respective specifications and when needed, a short description of their use.
Table 6.3.5.1-2: OAuth 2.0 Authorization service re-used Data Types
|
Data type |
Reference |
Comments |
|
NfInstanceId |
3GPP TS 29.571 [7] |
|
|
PlmnId |
3GPP TS 29.571 [7] |
PLMN ID |
|
NFType |
3GPP TS 29.510 |
See clause 6.1.6.3.3 |
|
Snssai |
3GPP TS 29.571 [7] |
|
|
NfSetId |
3GPP TS 29.571 [7] |
NF Set ID (see clause 28.12 of 3GPP TS 23.003 [12]) |
|
Uri |
3GPP TS 29.571 [7] |
|
|
RedirectResponse |
3GPP TS 29.571 [7] |
Response body of the redirect response message. |
|
Fqdn |
3GPP TS 29.571 [7] |
Fully Qualified Domain Name |
6.3.5.2 Structured data types
6.3.5.2.1 Introduction
This clause defines the structures to be used in the APIs.
6.3.5.2.2 Type: AccessTokenReq
Table 6.3.5.2.2-1: Definition of type AccessTokenReq
|
Attribute name |
Data type |
P |
Cardinality |
Description |
|
grant_type |
string |
M |
1 |
This IE shall contain the grant type as "client_credentials". Enum: "client_credentials" |
|
nfInstanceId |
NfInstanceId |
M |
1 |
This IE shall contain the NF instance id of the NF service consumer. |
|
nfType |
NFType |
C |
0..1 |
This IE shall be included when the access token request is for an NF type and not for a specific NF / NF service instance. When present, this IE shall contain the NF type of the NF service consumer. (NOTE 3) |
|
targetNfType |
NFType |
C |
0..1 |
This IE shall be included when the access token request is for an NF type and not for a specific NF / NF service instance. When present, this IE shall contain the NF type of the NF service producer. |
|
scope |
string |
M |
1 |
This IE shall contain the scopes requested by the NF service consumer. The scopes shall consist of a list of NF service name(s) of the NF service producer(s) or resource/operation-level scopes defined by each service API, separated by whitespaces, as described in IETF RFC 6749 [16], clause 3.3. The service name(s) included in this attribute shall be any of the services defined in the ServiceName enumerated type (see clause 6.1.6.3.11). The resource/operation-level scopes shall be any of those defined in the "securitySchemes" clause of each service API. pattern: ‘^([a-zA-Z0-9_:-]+)( [a-zA-Z0-9_:-]+)*$’ See NOTE 2. |
|
targetNfInstanceId |
NfInstanceId |
C |
0..1 |
This IE shall be included, if available and if it is an access token request for a specific NF Service Producer. When present this IE shall contain the NF Instance ID of the specific NF Service Producer for which the access token is requested. |
|
requesterPlmn |
PlmnId |
C |
0..1 |
This IE shall be included when the NF service consumer in one PLMN requests a service access authorization for an NF service producer from a different PLMN. When present, this IE shall contain the PLMN ID of the requester NF service consumer. (NOTE 3) (NOTE 4) |
|
requesterPlmnList |
array(PlmnId) |
C |
2..N |
This IE shall be included when the NF service consumer serving a PLMN, with more than one PLMN ID, requests a service access authorization for an NF service producer from a different PLMN. When present, this IE shall contain the PLMN IDs of the requester NF service consumer. (NOTE 4) |
|
requesterSnssaiList |
array(Snssai) |
O |
1..N |
When present, this IE shall contain the list of S-NSSAIs of the requester NF service consumer. This may be used by the NRF to validate that the requester NF service consumer is allowed to access the target NF Service Producer. (NOTE 3) |
|
requesterFqdn |
Fqdn |
O |
0..1 |
When present, this IE shall contain the FQDN of the requester NF Service Consumer. This may be used by the NRF to validate that the requester NF service consumer is allowed to access the target NF Service Producer. (NOTE 3) |
|
requesterSnpnList |
array(PlmnIdNid) |
O |
1..N |
When present, this IE shall contain the list of SNPNs the requester NF service consumer belongs to. This may be used by the NRF to validate that the requester NF service consumer is allowed to access the target NF Service Producer. (NOTE 3) |
|
targetPlmn |
PlmnId |
C |
0..1 |
This IE shall be included when the NF service consumer in one PLMN or SNPN requests a service access authorization for an NF service producer from a different PLMN. When present, this IE shall contain the PLMN ID of the target PLMN (i.e., PLMN ID of the NF service producer). |
|
targetSnpn |
PlmnIdNid |
C |
0..1 |
This IE shall be included when the NF service consumer in one PLMN or SNPN requests a service access authorization for an NF service producer from a different SNPN. When present, this IE shall contain the SNPN ID of the target SNPN (i.e., SNPN ID of the NF service producer). |
|
targetSnssaiList |
array(Snssai) |
O |
1..N |
This IE may be included during an access token request for an NF type and not for a specific NF / NF service instance. When present, this IE shall contain the list of S-NSSAIs of the NF Service Producer. |
|
targetNsiList |
array(string) |
O |
1..N |
This IE may be included during an access token request for an NF type and not for a specific NF / NF service instance. When present, this IE shall contain the list of NSIs of the NF Service Producer. |
|
targetNfSetId |
NfSetId |
O |
0..1 |
This IE may be included during an access token request for an NF type and not for a specific NF / NF service instance. When present, this IE shall contain the NF Set ID of the NF Service Producer. |
|
targetNfServiceSetId |
NfServiceSetId |
O |
0..1 |
This IE may be included during an access token request for a specific NF / NF service instance. When present, this IE shall contain the NF Service Set ID of the NF Service Producer. This may be used by the NRF to validate that the requester NF service consumer is allowed to access the target NF service instance. (NOTE 3) |
|
hnrfAccessTokenUri |
Uri |
C |
0..1 |
If included, this IE shall contain the API URI of the Access Token Service (see clause 6.3.2) of the NRF in home PLMN. It shall be included during an access token request for an hSMF in the home routed roaming scenario, if it is returned from the NSSF in the home PLMN (see clause 6.1.6.2.11 of 3GPP TS 29.531 [42]). |
|
sourceNfInstanceId |
NfInstanceId |
C |
0..1 |
This IE shall be included, if available and if it is an access token request from the DCCF as NF Service Consumer request data from NF Service Producers on behalf of the source NF. When present this IE shall contain the NF Instance ID of the source NF which intend to collects data from NF Service Producer. |
|
NOTE 1: This data structure shall not be treated as a JSON object. It shall be treated as a key, value pair data structure to be encoded using x-www-form-urlencoded format as specified in clause 17.13.4 of W3C HTML 4.01 Specification [26]. NOTE 2: Though scope attribute is optional as per IETF RFC 6749 [16], it is mandatory for 3GPP as per 3GPP TS 33.501 [15]. NOTE 3: An access token request should be rejected if the requester NF is not allowed to access the target NF based on the authorization parameters in the NF profile of the target NF. The authorization parameters in NF Profile are those used by NRF to determine whether a given NF Instance / NF Service Instance can be discovered by an NF Service Consumer in order to consume its offered services (e.g. "allowedNfTypes", "allowedNfDomains", etc.). Based on operator’s policies, an access token request not including the requester’s information necessary to validate the authorization parameters in the target NF Profile may be rejected. NOTE 4: When the NF service consumer is serving a PLMN consisting of one PLMN ID, the attribute "requesterPlmn" shall be used; otherwise, if the NF service consumer is serving a PLMN consisting of more than one PLMN ID, the attribute "requesterPlmnList" shall be used. |
||||
EXAMPLE:
The following is an example of an Access Token Request message, with a request body encoded as x-www-form-urlencoded, with following input parameters:
– NF Instance Id of the NF Service Consumer: 4e0b2760-0356-42c4-b739-8d6aaa491b63
– NF Type of the NF Service Consumer: AMF
– NF Type of the NF Service Producer: UDM
– Requested scopes: "nudm-sdm", "nudm-uecm" and "nudm-ueau"
– PLMN ID of the NF Service Consumer: MCC=123, MNC=456
– PLMN ID of the NF Service Producer: MCC=321, MNC=654
– S-NSSAIs of the NF Service Producer: (SST=1, SD=A08923) and (SST=2)
– NSIs of the NF Service Producer: "Slice A, instance 1" and "Slice B, instance 2"
Note that the URL-encoding of the request body requires to percent-encode the reserved characters ([ ] { } " : ,) that appear in JSON-encoded structured input parameters (such as "requesterPlmn"), and in string input parameters (such as "scope", or "targetNsiList" array elements). Spaces are percent-encoded as ‘+’.
The request body, before URL-encoding, and displayed in multiples lines only for illustration purposes, would be:
grant_type=client_credentials
&nfInstanceId=4e0b2760-0356-42c4-b739-8d6aaa491b63
&nfType=AMF
&targetNfType=UDM
&scope=nudm-sdm nudm-uecm nudm-ueau
&requesterPlmn={"mcc":"123","mnc":"456"}
&targetPlmn={"mcc":"321","mnc":"654"}
&targetSnssaiList=[{"sst":1,"sd":"A08923"},{"sst":2}]
&targetNsiList=Slice A, instance 1
&targetNsiList=Slice B, instance 2
The actual request message, after URL-encoding, and where all input parameters are contained into one single line in the request body, would be:
POST /oauth2/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json
grant_type=client_credentials&nfInstanceId=4e0b2760‑0356‑42c4‑b739‑8d6aaa491b63&nfType=AMF&targetNfType=UDM&scope=nudm‑sdm+nudm‑uecm+nudm‑ueau&requesterPlmn=%7B%22mcc%22%3A%22123%22%2C%22mnc%22%3A%22456%22%7D&targetPlmn=%7B%22mcc%22%3A%22321%22%2C%22mnc%22%3A%22654%22%7D&targetSnssaiList=%5B%7B%22sst%22%3A1%2C%22sd%22%3A%22A08923%22%7D%2C%7B%22sst%22%3A2%7D%5D&targetNsiList=Slice+A%2C+instance+1&targetNsiList=Slice+B%2C+instance+2
6.3.5.2.3 Type: AccessTokenRsp
Table 6.3.5.2.3-1: Definition of type AccessTokenRsp
|
Attribute name |
Data type |
P |
Cardinality |
Description |
|
access_token |
string |
M |
1 |
This IE shall contain JWS Compact Serialized representation of the JWS signed JSON object containing AccessTokenClaims (see clause 6.3.5.2.4). |
|
token_type |
string |
M |
1 |
This IE shall contain the token type, set to value "Bearer". Enum: "Bearer" |
|
expires_in |
integer |
C |
0..1 |
This IE when present shall contain the number of seconds after which the access token is considered to be expired. As indicated in IETF RFC 6749 [16], this attribute should be included, unless the expiration time of the token is made available by other means (e.g. deployment-specific documentation). |
|
scope |
string |
C |
0..1 |
This IE when present shall contain the scopes granted to the NF service consumer. The scopes shall consist of a list of NF service name(s) of the NF service producer(s) or resource/operation-level scopes defined by each service API, separated by whitespaces, as described in IETF RFC 6749 [16], clause 3.3. The service name(s) included in this attribute shall be any of the services defined in the ServiceName enumerated type (see clause 6.1.6.3.11). The resource/operation-level scopes shall be any of those defined in the "securitySchemes" clause of each service API. As indicated in IETF RFC 6749 [16], this attribute shall be present if it is different than the scope included in the access token request; if it is the same as the requested scope, this attribute may be absent. pattern: ‘^([a-zA-Z0-9_:-]+)( [a-zA-Z0-9_:-]+)*$’ |
6.3.5.2.4 Type: AccessTokenClaims
Table 6.3.5.2.4-1: Definition of type AccessTokenClaims
|
Attribute name |
Data type |
P |
Cardinality |
Description |
|
iss |
NfInstanceId |
M |
1 |
This IE shall contain NF instance id of the NRF. , corresponding to the standard "Issuer" claim described in IETF RFC 7519 [25], clause 4.1.1 |
|
sub |
NfInstanceId |
M |
1 |
This IE shall contain the NF instance ID of the NF service consumer, corresponding to the standard "Subject" claim described in IETF RFC 7519 [25], clause 4.1.2. |
|
aud |
Audience |
M |
1 |
This IE shall contain the NF service producer’s NF instance ID(s) (if the exact NF instance(s) of the NF service producer is known) or the NF type of NF service producers for which the claim is applicable, corresponding to the standard "Audience" claim described in IETF RFC 7519 [25], clause 4.1.3. |
|
scope |
string |
M |
1 |
This IE shall contain the name of the NF services and the resource/operation-level scopes for which the access_token is authorized for use; this claim corresponds to a private claim, as described in IETF RFC 7519 [25], clause 4.3. pattern: ‘^([a-zA-Z0-9_:-]+)( [a-zA-Z0-9_:-]+)*$’ |
|
exp |
integer |
M |
1 |
This IE shall contain the expiration time after which the access_token is considered to be expired, corresponding to the standard "Expiration Time" claim described in IETF RFC 7519 [25], clause 4.1.4. |
|
consumerPlmnId |
PlmnId |
C |
0..1 |
This IE shall be included if the NRF supports providing PLMN ID of the NF service consumer in the access token claims, to be interpreted for subject (sub IE), as specified in clause 13.4.1.2 of 3GPP TS 33.501 [15]. If an NF service producer that receives this IE in the token included in the authorization header does not understand this IE, it shall be ignored. |
|
consumerSnpnId |
PlmnIdNid |
C |
0..1 |
This IE shall be included if the NRF supports providing SNPN ID of the NF service consumer in the access token claims, to be interpreted for subject (sub IE), as specified in clause 13.4.1.2 of 3GPP TS 33.501[15]. If an NF service producer that receives this IE in the token included in the authorization header does not understand this IE, it shall be ignored. |
|
producerPlmnId |
PlmnId |
C |
0..1 |
This IE shall be included if the access token is granted for an NF service producer belonging to an PLMN and the NRF supports providing PLMN ID of the NF service producer in the access token claims, to be interpretted for audience (aud IE), as specified in clause 13.4.1.2 of 3GPP TS 33.501 [15]. If an NF service producer that receives this IE in the token included in the authorization header does not understand this IE, it shall be ignored. |
|
producerSnpnId |
PlmnIdNid |
C |
0..1 |
This IE shall be included if the access token is granted for an NF service producer belonging to an SNPN and the NRF supports providing SNPN ID of the NF service producer in the access token claims, to be interpreted for audience (aud IE), as specified in clause 13.4.1.2 of 3GPP TS 33.501 [15]. When present, it shall contain the SNPN ID of the SNPN the target NF service producer belongs to. If an NF service producer that receives this IE in the token included in the authorization header does not understand this IE, it shall be ignored. |
|
producerSnssaiList |
array(Snssai) |
O |
1..N |
This IE may be included if the NRF supports providing list of S-NSSAIs of the NF service producer in the access token claims. If an NF service producer that receives this IE in the token included in the authorization header does not understand this IE, it shall be ignored. |
|
producerNsiList |
array(string) |
O |
1..N |
This IE may be included if the NRF supports providing list of NSIs of the NF service producer in the access token claims. If an NF service producer that receives this IE in the token included in the authorization header does not understand this IE, it shall be ignored. |
|
producerNfSetId |
NfSetId |
O |
0..1 |
This IE may be included if the NRF supports providing NF Set ID of the NF service producer in the access token claims and if the audience contains an NF type. When present, it shall indicate the NF Set ID of the NF service producer instances for which the claim is applicable. If an NF service producer that receives this IE in the token included in the authorization header does not understand this IE, it shall be ignored. |
|
producerNfServiceSetId |
NfServiceSetId |
O |
0..1 |
This IE may be included during an access token request for a specific NF / NF service instance, if the targetNfServiceSetId IE is present in the Access Token Request. When present, this IE shall contain the NF Service Set ID of the NF Service Producer for which the access token is applicable. If an NF service producer that receives this IE in the token included in the authorization header does not understand this IE, it shall be ignored. |
|
sourceNfInstanceId |
NfInstanceId |
C |
0..1 |
This IE shall be included if the NRF supports providing NF Instance ID of the source NF in the access token claims (if it is an access token request from the DCCF as NF Service Consumer request data from NF Service Producers on behalf of the source NF), to be interpreted for subject (sub IE), as specified in Annex X of 3GPP TS 33.501 [15]. |
6.3.5.2.5 Type: AccessTokenErr
Table 6.3.5.2.5-1: Definition of type AccessTokenErr
|
Attribute name |
Data type |
P |
Cardinality |
Description |
|
error |
string |
M |
1 |
This IE shall contain the error described in IETF RFC 6749 [16], clause 5.2. Enum: "invalid_request" "invalid_client" "invalid_grant" "unauthorized_client" "unsupported_grant_type" "invalid_scope" |
|
error_description |
string |
O |
0..1 |
When present, this IE shall contain the human-readable additional information to indicate the error that occurred, as described in IETF RFC 6749 [16], clause 5.2. |
|
error_uri |
string |
O |
0..1 |
When present, this IE shall contain the URI identifying a human-readable additional information about the error, as described in IETF RFC 6749 [16], clause 5.2. |
6.3.5.3 Simple data types and enumerations
6.3.5.3.1 Introduction
This clause defines simple data types and enumerations that can be referenced from data structures defined in the previous clauses.
6.3.5.3.2 Simple data types
There are no specific simple data types defined in this version of this API. For the re-used data types from other specifications see clause 6.3.5.1
6.3.5.3.3 Void
6.3.5.4 Data types describing alternative data types or combinations of data types
6.3.5.4.1 Type: Audience
Table 6.3.5.4.1-1: Definition of type Audience as a list of "non-exclusive alternatives"
|
Data type |
Cardinality |
Description |
Applicability |
|
NFType |
1 |
NF type |
|
|
array(NfInstanceId) |
1..N |
Array of NF Instance Ids |
6.3.6 Error Handling
6.3.6.1 General
HTTP error handling shall be supported as specified in IETF RFC 6749 [16] for errors returned by NRF as Oauth 2.0 authorization server, and also as specified in clause 5.2.7.4 of 3GPP TS 29.500 [4] for errors returned by SCP or SEPP.
6.3.6.2 Protocol Errors
Protocol errors handling shall be supported as specified in clause 5.2.7 of 3GPP TS 29.500 [4].
6.3.6.3 Application Errors
The application errors defined for the Nnrf_AccessToken service are listed in Table 6.3.X.3-1, and correspond to the values of the "error" attribute (see clause 6.3.5.2.5).
Table 6.3.6.3-1: Application errors
|
Application Error |
HTTP status code |
Description |
|
invalid_request |
400 Bad Request |
See IETF RFC 6749 [16] |
|
invalid_client |
400 Bad Request, 401 Unauthorized |
See IETF RFC 6749 [16] |
|
invalid_grant |
400 Bad Request |
See IETF RFC 6749 [16] |
|
unauthorized_client |
400 Bad Request |
See IETF RFC 6749 [16] |
|
unsupported_grant_type |
400 Bad Request |
See IETF RFC 6749 [16] |
|
invalid_scope |
400 Bad Request |
See IETF RFC 6749 [16] |