11 Using Common API Framework
3GPP TS 29.538: Application Programming Interfaces (API) specification; Enabling MSGin5G Service; Release 18; Stage 3
11.1 General
When CAPIF is used with a MSGin5G service, the MSGin5G Server shall support the following as defined in 3GPP TS 29.222 [8]:
– the API exposing function and related APIs over CAPIF-2/2e and CAPIF-3/3e reference points;
– the API publishing function and related APIs over CAPIF-4/4e reference point;
– the API management function and related APIs over CAPIF-5/5e reference point; and
– at least one of the security methods for authentication and authorization, and related security mechanisms.
In a centralized deployment as defined in 3GPP TS 23.222 [7], where the CAPIF core function and API provider domain functions are co-located, the interactions between the CAPIF core function and API provider domain functions may be independent of CAPIF-3/3e, CAPIF-4/4e and CAPIF-5/5e reference points.
When CAPIF is used with a MSGin5G service, the MSGin5G Server shall register all the features for northbound APIs in the CAPIF Core Function.
11.2 Security
When CAPIF is used for external exposure, before invoking the API exposed by the MSGin5G Server, the NF service consumer (e.g. the Application Server) as API invoker shall negotiate the security method (PKI, TLS-PSK or OAUTH2) with the CAPIF core function and ensure the MSGin5G Server has sufficient credentials to authenticate the NF service consumer (e.g. the Application Server), see 3GPP TS 29.222 [8], clause 5.6.2.2 and clause 6.2.2.2.
If PKI or TLS-PSK is used as the selected security method between the NF service consumer (e.g. the Application Server) and the MSGin5G Server, upon API invocation, the MSGin5G Server shall retrieve the authorization information from the CAPIF core function as described in 3GPP TS 29.222 [8], clause 5.6.2.4.
As indicated in 3GPP TS 33.122 [22], the access to the MSGin5G APIs may be authorized by means of the OAuth2 protocol (see IETF RFC 6749 [21]), using the "Client Credentials" authorization grant, where the CAPIF core function (see 3GPP TS 29.222 [8]) plays the role of the authorization server.
NOTE 1: In this release, only "Client Credentials" authorization grant is supported.
If OAuth2 is used as the selected security method between the NF service consumer (e.g. the Application Server) and the MSGin5G Server, the NF service consumer (e.g. the Application Server), prior to consuming services offered by the MSGin5G APIs, shall obtain a "token" from the authorization server, by invoking the Obtain_Authorization service, as described in 3GPP TS 29.222 [8], clause 5.6.2.3.2.
The MSGin5G APIs do not define any scopes for OAuth2 authorization. It is the MSGin5G Server's responsibility to check whether the NF service consumer (e.g. the Application Server) is authorized to use an API based on the "token". Once the MSGin5G Server verifies the "token", it shall check whether the MSGin5G Server identifier in the "token" matches its own published identifier, and whether the API name in the "token" matches its own published API name. If those checks pass, the NF service consumer (e.g. the Application Server) has full authority to access any resource or operation for the invoked API.
NOTE 2: For the aforementioned security methods, the MSGin5G Server needs to apply admission control according to access control policies after performing the authorization checks.
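The two token checks described above (own published identifier, own published API name) as an added Python example; this is not code from the 3GPP specification. It assumes the token signature has already been verified and its claims decoded, that the "scope" claim carries the CAPIF format "3gpp#aefId1:apiName1,apiName2;aefId2:apiName3" (assumed from 3GPP TS 29.222), and all identifiers in it are constructed sample values.

```python
"""Authorization check a MSGin5G Server applies to a CAPIF-issued OAuth2 token.
Assumption: signature already verified, claims available as a dict, and the
'scope' claim uses the CAPIF format assumed from 3GPP TS 29.222."""
import time


def parse_capif_scope(scope: str) -> dict:
    """Parse '3gpp#aef1:apiA,apiB;aef2:apiC' into {aefId: {apiNames}}.
    Raises ValueError on a malformed scope so the caller fails closed."""
    prefix = "3gpp#"
    if not scope.startswith(prefix):
        raise ValueError("scope does not carry the 3gpp# prefix")
    grants = {}
    for entry in scope[len(prefix):].split(";"):
        if not entry:
            continue
        aef_id, sep, api_list = entry.partition(":")
        if not sep or not aef_id or not api_list:
            raise ValueError(f"malformed scope entry: {entry!r}")
        grants.setdefault(aef_id, set()).update(a for a in api_list.split(",") if a)
    return grants


def authorize_invocation(claims: dict, own_aef_id: str, invoked_api: str, now=None):
    """Return (allowed, reason). Allowed only when the token is unexpired,
    names this server's published identifier and names the invoked API.
    Admission control (NOTE 2) is a separate step that follows a True result."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    try:
        grants = parse_capif_scope(claims.get("scope", ""))
    except ValueError as err:
        return False, str(err)
    if own_aef_id not in grants:
        return False, "token not issued for this MSGin5G Server"
    if invoked_api not in grants[own_aef_id]:
        return False, "token does not cover the invoked API"
    # No finer-grained scopes exist: the invoker now has full access to this API.
    return True, "authorized for any resource or operation of " + invoked_api


# Constructed sample claims (not real CAPIF output); identifiers are placeholders.
SAMPLE_CLAIMS = {
    "iss": "capif-core-example",
    "scope": "3gpp#aef-msgin5g-01:msgin5g-api-x,msgin5g-api-y;aef-other:some-api",
    "exp": 2_000_000_000,
}
```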