B.2 Authentication and authorization

33.1223GPPRelease 17Security aspects of Common API Framework (CAPIF) for 3GPP northbound APIsTS

Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM

CAPIF authentication and authorization consists of CAPIF-1e authentication and CAPIF-2e authentication and authorization. Figure B.2-1 shows the functional security flow for CAPIF-1e authentication while Figure B.2-2 shows the functional security flow for CAPIF-2e authentication and authorization.

Prior to starting the security flow for either CAPIF-1e or CAPIF-2e authentication and authorization, successful onboarding of the API Invoker has taken place.

In figure B.2-1, the security flow starts with the API Invoker establishing a TLS connection to the CAPIF core over the CAPIF-1e interface per clause 6.3. Successful TLS establishment results in the opportunity for the CAPIF core to transfer CAPIF-2e AEF authentication and authorization information to the API invoker. After transfer of the CAPIF-2e AEF authentication and authorization information to the API invoker, the TLS session is released and the CAPIF-1e security flow ends.

In the case that either the CAPIF-1e TLS session or API invoker authentication procedure fails, the API Invoker authentication is rejected, AEF authentication and authorization information is not transferred to the API Invoker, and the TLS session with the API Invoker is closed.

Figure B.2-1: CAPIF-1e authentication

Figure B.2-2 shows the security flow for the CAPIF-2e interface. Successful CAPIF-1e authentication and AEF authentication information (as a minimum) is needed for the API invoker to communicate with the AEF.

The security flow begins when the API Invoker makes an authentication request to the AEF. The AEF receives the request and attempts to authenticate the API Invoker. If the AEF does not possess the authentication information to authenticate the API invoker, the AEF can query the CAPIF core for it. If authentication of the API invoker is successful, then a TLS session is established. If authentication of the API invoker fails, the security flow ends.

If authentication of the API invoker is successful, then based on the interested service API, the API Invoker makes a northbound API request.

The AEF attempts to validate the northbound API request. If the AEF does not possess the authorization information for the requested service API, the AEF can query the CAPIF core for it. If validation of the northbound API request is successful, the northbound API is serviced.

Upon completion of the northbound API action(s), the secure session is torn down and the security flow ends.

If the AEF cannot validate the northbound API request, the AEF rejects the northbound API request, tears down the secure session, and ends the security flow.

Figure B.2-2: CAPIF-2e authentication and authorization

Annex C (normative):
Access token profile for ‘Method 3 – TLS with OAuth token’