7 Using Common API Framework

3GPP TS 29.522: 5G System; Network Exposure Function Northbound APIs; Stage 3 (Release 18)

7.1 General

When CAPIF is used with an NEF that is used for external exposure, the NEF shall support the following as defined in 3GPP TS 29.222 [12]:

– the API exposing function and related APIs over CAPIF-2/2e and CAPIF-3/3e reference points;

– the API publishing function and related APIs over CAPIF-4/4e reference point;

– the API management function and related APIs over CAPIF-5/5e reference point; and

– at least one of the security methods for authentication and authorization, and related security mechanisms.

In a centralized deployment as defined in 3GPP TS 23.222 [11], where the CAPIF core function and API provider domain functions are co-located, the interactions between the CAPIF core function and API provider domain functions may be independent of CAPIF-3/3e, CAPIF-4/4e and CAPIF-5/5e reference points.

7.2 Security

When CAPIF is used for external exposure, before invoking the API exposed by the NEF, the AF as API invoker shall negotiate the security method (PKI, TLS-PSK or OAuth2) with the CAPIF core function and ensure that the NEF has sufficient credentials to authenticate the AF (see 3GPP TS 29.222 [12], clause 5.6.2.2 and clause 6.2.2.2).

If PKI or TLS-PSK is used as the selected security method between the AF and the NEF, upon API invocation, the NEF shall retrieve the authorization information from the CAPIF core function as described in 3GPP TS 29.222 [12], clause 5.6.2.4.

As indicated in 3GPP TS 33.122 [14], the access to the NEF northbound APIs may be authorized by means of the OAuth2 protocol (see IETF RFC 6749 [13]), using the "Client Credentials" authorization grant, where the CAPIF core function (see 3GPP TS 29.222 [12]) plays the role of the authorization server.

NOTE 1: In this release, only the "Client Credentials" authorization grant is supported.

If OAuth2 is used as the selected security method between the AF and the NEF, the AF, prior to consuming services offered by the NEF northbound APIs, shall obtain a "token" from the authorization server, by invoking the Obtain_Authorization service, as described in 3GPP TS 29.222 [12], clause 5.6.2.3.2.

The NEF northbound APIs do not define any scopes for OAuth2 authorization. It is the NEF's responsibility to check whether the AF is authorized to use an API based on the "token". Once the NEF has verified the "token" (signature and validity period), it shall check whether the NEF identifier in the "token" matches its own published identifier, and whether the API name in the "token" matches its own published API name. If those checks pass, the AF has full authority to access any resource or operation of the invoked API; the token therefore authorizes at the granularity of an API, not of individual resources or operations.

NOTE 2: For the aforementioned security methods, the NEF needs to apply admission control according to its access control policies after the authorization checks have passed.

NOTE 3: The security requirements in the present clause do not apply to the NiddConfigurationTrigger and MsisdnLessMoSms APIs, since these are NEF-initiated interactions with the AF. How the security scheme works for the NiddConfigurationTrigger and MsisdnLessMoSms APIs is left to configuration.
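The following is an added illustration of the OAuth2 path in clause 7.2, not text or code from 3GPP TS 29.522 or TS 29.222: one function plays the CAPIF core function (authorization server) minting a client-credentials token for an AF, and a second plays the NEF performing the checks the clause requires (verify the token, match its own AEF identifier, match the published API name) before granting API-wide access. The token layout (an HS256-signed JWT whose "scope" claim carries the AEF identifier and API names, signed with a key shared between CAPIF core function and NEF) and all identifiers, keys and timestamps are constructed assumptions for the example; the authoritative claim definitions are those of TS 29.222 and TS 33.122. A failed check yields a reason so the negative cases (wrong NEF, API not covered, expired, forged) are visible.

```python
"""Added example: NEF-side OAuth2 token checks per TS 29.522 clause 7.2.
Not 3GPP code. Token layout and all identifiers are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between CAPIF core function and NEF (assumption).
CCF_SIGNING_KEY = b"example-ccf-nef-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(af_id, aef_id, api_names, key=CCF_SIGNING_KEY, ttl=3600, now=None):
    """CAPIF core function role: mint a "Client Credentials" access token for the AF.

    The scope claim names the AEF (the NEF) and the API names the AF may invoke;
    this encoding is a simplified assumption, not the normative AccessTokenClaims.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "capif-core-function.example",  # constructed issuer name
        "client_id": af_id,
        "scope": "3gpp#" + aef_id + ":" + ",".join(api_names),
        "exp": now + ttl,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def nef_verify_token(token, own_aef_id, invoked_api, key=CCF_SIGNING_KEY, now=None):
    """NEF role: checks required before serving an OAuth2-secured API request.

    Returns (ok, reason). On success the AF may use any resource or operation of
    the invoked API; finer restrictions are admission control (NOTE 2), not scope.
    """
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    # 1. Verify the token: constant-time signature check, then decode and check expiry.
    expected = hmac.new(key, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return False, "bad signature"
    try:
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    # 2. NEF identifier in the token must match the NEF's own published identifier.
    scope = claims.get("scope", "")
    if not scope.startswith("3gpp#"):
        return False, "scope not in expected format"
    granted = {}
    for entry in scope[len("3gpp#"):].split(";"):
        aef, _, apis = entry.partition(":")
        granted[aef] = set(filter(None, apis.split(",")))
    if own_aef_id not in granted:
        return False, "token not issued for this NEF"
    # 3. API name in the token must match the NEF's own published API name.
    if invoked_api not in granted[own_aef_id]:
        return False, "token does not cover API " + invoked_api
    return True, "AF %s authorized for %s" % (claims.get("client_id"), invoked_api)


if __name__ == "__main__":
    # Constructed identifiers; real AEF/API names come from the NEF's CAPIF publication.
    tok = issue_token("af-1", "nef-1", ["3gpp-monitoring-event"], now=1_700_000_000)
    print(nef_verify_token(tok, "nef-1", "3gpp-monitoring-event", now=1_700_000_010))
    print(nef_verify_token(tok, "nef-2", "3gpp-monitoring-event", now=1_700_000_010))
    print(nef_verify_token(tok, "nef-1", "3gpp-as-session-with-qos", now=1_700_000_010))
    print(nef_verify_token(tok, "nef-1", "3gpp-monitoring-event", now=1_700_003_700))
    print(nef_verify_token(tok, "nef-1", "3gpp-monitoring-event", key=b"forged", now=1_700_000_010))
```

Because the NEF APIs define no OAuth2 scopes, a token that passes these checks grants the AF the whole API; per-resource or per-subscriber restrictions have to be enforced by the NEF's admission control after this point, which is why the example deliberately stops at the API-level decision.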

Annex A (normative):
OpenAPI representation for NEF Northbound APIs