10 Using Common API Framework
3GPP TS 29.558: Enabling Edge Applications; Application Programming Interface (API) specification; Stage 3 (Release 18)
10.1 General
The EES may expose its services to the EAS with support of CAPIF. The EES may also re-expose the network capabilities of the 3GPP core network to the EAS(s) with support of the CAPIF architecture, as specified in 3GPP TS 23.558 [2]. When CAPIF is used with EES services, the EES shall support the following as defined in 3GPP TS 29.222 [17]:
– the API exposing function and related APIs over CAPIF-2/2e and CAPIF-3/3e reference points;
– the API publishing function and related APIs over CAPIF-4/4e reference point;
– the API management function and related APIs over CAPIF-5/5e reference point; and
– at least one of the security methods for authentication and authorization, and related security mechanisms.
The EAS supports the role of API Invoker as specified in 3GPP TS 29.222 [17]. In a centralized deployment as defined in 3GPP TS 23.222 [17], where the CAPIF core function and API provider domain functions are co-located, the interactions between the CAPIF core function and API provider domain functions may be independent of CAPIF-3/3e, CAPIF-4/4e and CAPIF-5/5e reference points.
When CAPIF is used with an EES service, the EES shall register all the features for northbound APIs in the CAPIF Core Function.
10.2 Security
When CAPIF is used for external exposure of EES services to the EAS, before invoking the API exposed by the EES, the EAS as API invoker shall negotiate the security method (PKI, TLS-PSK or OAUTH2) with the CAPIF core function and ensure that the EAS has sufficient credentials to be authenticated (see 3GPP TS 29.222 [17], clause 5.6.2.2 and clause 6.2.2.2).
If PKI or TLS-PSK is used as the selected security method between the EAS and the EES, upon API invocation, the EES shall retrieve the authorization information from the CAPIF core function as described in 3GPP TS 29.222 [17], clause 5.6.2.4.
As indicated in 3GPP TS 33.122 [18], the access to the EES APIs may be authorized by means of the OAuth2 protocol (see IETF RFC 6749 [19]), where the CAPIF core function (see 3GPP TS 29.222 [17]) plays the role of the authorization server.
If OAuth2 is used as the selected security method between the EAS and the EES, then the EAS, prior to consuming services offered by the EES APIs, shall obtain a "token" from the authorization server, by invoking the Obtain_Authorization service, as described in 3GPP TS 29.222 [17], clause 5.6.2.3.2.
The EES APIs do not define any scopes for OAuth2 authorization. It is the EES's responsibility to check whether the EAS is authorized to use an API based on the "token". Once the EES verifies the "token", it shall check whether the EES identifier in the "token" matches its own published identifier, and whether the API name in the "token" matches its own published API name. If those checks pass, the EAS has full authority to access any resource or operation for the invoked API.
NOTE: For the aforementioned security methods, the EES needs to apply admission control according to access control policies after performing the authorization checks.
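As an added illustration (not text from this specification), the following Python sketches the EES-side check that clause 10.2 describes: verify the "token", then match the EES identifier and the API name carried in it against the EES's own published values, with no finer-grained scopes. It assumes an HS256-signed JWT with a constructed stand-in for the CAPIF core function's key and a "3gpp#eesId:apiName1,apiName2;..." scope layout; both the key and the claim layout are assumptions made for the example, not something this clause defines.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the key material shared with the CAPIF core function
# (the OAuth2 authorization server). A real EES verifies with the CCF's key.
CCF_KEY = b"constructed-demo-key"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes = CCF_KEY) -> str:
    """Mint an HS256 JWT as a constructed test CCF would (example only)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def parse_scope(scope: str) -> dict:
    """Parse the assumed '3gpp#eesId1:api1,api2;eesId2:api3' layout into {eesId: {apis}}."""
    if not scope.startswith("3gpp#"):
        return {}
    out = {}
    for entry in scope[len("3gpp#"):].split(";"):
        if ":" in entry:
            ees_id, apis = entry.split(":", 1)
            out[ees_id] = {a for a in apis.split(",") if a}
    return out

def ees_authorize(token: str, published_ees_id: str, invoked_api: str,
                  key: bytes = CCF_KEY, now=None) -> bool:
    """EES-side check: verify the token, then match EES identifier and API name."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False  # only the expected algorithm is accepted (no alg confusion)
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False  # signature invalid: not issued by the CCF
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return False  # malformed token (bad split, base64 or JSON)
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False  # expired token
    granted = parse_scope(claims.get("scope", ""))
    # No per-operation scopes: a match on EES id and API name grants the whole API.
    return invoked_api in granted.get(published_ees_id, set())
```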