C.2 Access token profile

3GPP TS 33.122 Release 17: Security aspects of Common API Framework (CAPIF) for 3GPP northbound APIs

C.2.1 General

The ‘Method 3 – TLS with OAuth token’ access token contains the token claims described in C.2.2. The claims are issued by the CAPIF Core Function and carry authentication and authorization information about the API Invoker. The API Exposing Function (AEF) uses them to authorize the API Invoker’s northbound API requests.

C.2.2 Token claims

The CAPIF ‘Method 3 – TLS with OAuth token’ access token shall convey the following claims as defined in IETF RFC 7519 [6] and IETF RFC 6749 [4].

Table C.2.2-1: Access token standard claims

Parameter	Description

exp	REQUIRED. The expiration time of the access token. Implementers MAY allow a small leeway when checking this value to account for clock skew; IETF RFC 7519 [6] notes that this is usually no more than a few minutes, but for CAPIF it shall not exceed 30 seconds.

client_id	REQUIRED. The identifier of the API Invoker making the API request, as previously established with the CAPIF Core Function through onboarding.

scope	REQUIRED. A string containing a space-delimited list comprising the following scopes associated with this token:
	– List of Services per AEF (e.g. “AEF1:Service1,Service2,Service3,…,ServiceX;AEF2:Service1,Service2,Service3,…,ServiceZ”)

The ‘exp’ and ‘scope’ parameters of the access token shall be determined by the CAPIF Core Function based upon the client_id of the API Invoker provided in the Access Token Request message.

The scope parameter ‘List of Services per AEF’ shall contain a full or partial list of the services which the API Invoker is permitted to access at each AEF.
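The following is an added worked example, not part of TS 33.122 and not CAPIF reference code. It shows the three claims of Table C.2.2-1 being constructed on the CAPIF Core Function side from a per-invoker list of services per AEF, and then checked on the AEF side before a northbound API request is authorized: required claims present, ‘exp’ not passed with a clock-skew leeway capped at 30 seconds, and the requested service listed for this AEF in ‘scope’. The function names, the AEF and service identifiers and the client_id are constructed sample data; the check that ‘client_id’ matches the API Invoker identity the AEF authenticated over TLS is an assumption of this example, and the JWS signing and signature verification of the token are not modelled here.

```python
"""Added example: CAPIF Method 3 access token claims (TS 33.122 C.2.2) built by
the CCF and validated by the AEF. Not from the specification; identifiers are
constructed sample data. Token signing/verification is deliberately not modelled."""
import time

# Upper bound on the clock-skew leeway an AEF may apply when checking 'exp'
# (Table C.2.2-1: "not to exceed 30 seconds").
MAX_EXP_LEEWAY_S = 30

REQUIRED_CLAIMS = ("exp", "client_id", "scope")


def build_scope(services_per_aef):
    """CCF side: encode {aef_id: [service, ...]} as the 'List of Services per AEF'
    scope, i.e. 'AEF1:Svc1,Svc2;AEF2:Svc3'. Separator characters are rejected in
    identifiers so the encoding stays unambiguous; AEFs are sorted for stable output."""
    parts = []
    for aef_id in sorted(services_per_aef):
        if not aef_id or any(ch in aef_id for ch in ":;, "):
            raise ValueError(f"invalid AEF identifier {aef_id!r}")
        svcs = list(services_per_aef[aef_id])
        for svc in svcs:
            if not svc or any(ch in svc for ch in ":;, "):
                raise ValueError(f"invalid service name {svc!r}")
        parts.append(f"{aef_id}:{','.join(svcs)}")
    return ";".join(parts)


def parse_scope(scope):
    """AEF side: parse the 'scope' claim into {aef_id: set(services)}.
    'scope' is space-delimited (RFC 6749); each scope token is a ';'-separated
    list of 'AEF:Service,Service' entries. Malformed entries raise ValueError."""
    permitted = {}
    for token in scope.split():
        for entry in token.split(";"):
            if not entry:
                continue
            aef_id, sep, svc_list = entry.partition(":")
            if not sep or not aef_id:
                raise ValueError(f"malformed scope entry {entry!r}")
            svcs = {s for s in svc_list.split(",") if s}
            permitted.setdefault(aef_id, set()).update(svcs)
    return permitted


def issue_token_claims(client_id, services_per_aef, lifetime_s, now=None):
    """CCF side: 'exp' and 'scope' are derived from what was onboarded for this
    client_id (here: the caller supplies the onboarded service list directly)."""
    if not client_id:
        raise ValueError("client_id must be non-empty")
    now = int(time.time()) if now is None else now
    return {
        "exp": now + int(lifetime_s),
        "client_id": client_id,
        "scope": build_scope(services_per_aef),
    }


def authorize(claims, authenticated_client_id, this_aef, service,
              now=None, leeway_s=MAX_EXP_LEEWAY_S):
    """AEF side authorization decision for one northbound API request.
    Returns (allowed, reason). authenticated_client_id is the API Invoker identity
    the AEF established over TLS (assumption of this example)."""
    if not 0 <= leeway_s <= MAX_EXP_LEEWAY_S:
        raise ValueError(f"exp leeway must be within 0..{MAX_EXP_LEEWAY_S} s")
    now = int(time.time()) if now is None else now
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            return False, f"missing required claim {name!r}"
    exp = claims["exp"]
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False, "exp is not a NumericDate"
    if now > exp + leeway_s:
        return False, "token expired"
    if claims["client_id"] != authenticated_client_id:
        return False, "client_id does not match the TLS-authenticated API Invoker"
    try:
        permitted = parse_scope(claims["scope"])
    except ValueError as exc:
        return False, f"unparseable scope: {exc}"
    if service not in permitted.get(this_aef, set()):
        return False, f"{service} not in scope for {this_aef}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an invoker onboarded for two services at AEF1 and one at AEF2.
    t0 = 1_700_000_000
    claims = issue_token_claims("invoker-42", {"AEF1": ["Service1", "Service2"],
                                               "AEF2": ["Service3"]}, 3600, now=t0)
    print(claims["scope"])                                      # AEF1:Service1,Service2;AEF2:Service3
    print(authorize(claims, "invoker-42", "AEF1", "Service2", now=t0 + 10))
    print(authorize(claims, "invoker-42", "AEF2", "Service1", now=t0 + 10))
    print(authorize(claims, "invoker-42", "AEF1", "Service1", now=t0 + 3600 + 31))
```

Note that the leeway is applied only when comparing against ‘exp’; an AEF must not accept a request merely because it arrived during the leeway window if the token fails any other check, and the cap of 30 seconds is enforced on the AEF’s own configuration rather than trusted from the token.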