C.3 Obtaining tokens

3GPP TS 33.122 Release 17: Security aspects of Common API Framework (CAPIF) for 3GPP northbound APIs

C.3.1 General

Once an API Invoker has successfully performed onboarding with the CAPIF Core Function, the API Invoker may request access tokens using ‘Method 3 – TLS with OAuth token’ defined in clause 6.5.2.3. Figure C.3.1-1 shows the access token request and access token response message exchange.

Figure C.3.1-1: Requesting an access token

NOTE 1: Implementation of the OAuth 2.0 token and authorization endpoints within the CAPIF Core Function are out of scope of this document.

NOTE 2: As described in IETF RFC 6749 [4] clause 4.4, the client authentication is used as the authorization grant, therefore no additional authorization request is needed.

C.3.2 Access token request

To obtain an access token, the API Invoker makes a request to the CAPIF Core Function by sending an Access Token Request message with the following parameters using the "application/x-www-form-urlencoded" format, with a character encoding of UTF-8 in the HTTP request entity-body. The access token request parameters are shown in table C.3.2-1.

Table C.3.2-1: Access token request message parameters

Parameter    | Values
-------------+------------------------------------------------------------------------------------------
grant_type   | REQUIRED. The value shall be set to "client_credentials".
client_id    | REQUIRED. The identifier of the API Invoker making the request. It shall match the value that was assigned to the API Invoker during the onboarding process.
client_cred  | OPTIONAL. The client credential that was provided to the API Invoker during the onboarding process.
scope        | OPTIONAL. A string containing a space-delimited list of the scopes associated with this token, where each scope is a list of services per AEF (e.g. "AEF1:Service1,Service2,Service3,…,ServiceX;AEF2:Service1,Service2,Service3,…,ServiceZ").

C.3.3 Access token response

If the access token request (i.e. the client credential) is valid and authorized by the CAPIF Core Function, the CAPIF Core Function then returns an access token to the API Invoker in an access token response message; otherwise it will return an error.

The access token response parameters are shown in table C.3.3-1.

Table C.3.3-1: Access token response message parameters

Parameter    | Values
-------------+------------------------------------------------------------------------------------------
access_token | REQUIRED. The issued access token.
token_type   | REQUIRED. This field shall be "bearer".
expires_in   | REQUIRED. The lifetime in seconds of the access token.
scope        | OPTIONAL. The scope granted by the CAPIF Core Function.

Upon receiving the access token response message, the API Invoker may use the access token to make authorized northbound API requests to API Exposure Functions as described in clause 6.5.2.3.
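The request of clause C.3.2 and the response of clause C.3.3, simulated offline as an added example that is not part of TS 33.122 or of any CAPIF implementation. The onboarding record, the credential values, the token lifetime and the scope-narrowing policy are constructed assumptions; NOTE 1 leaves the CAPIF Core Function token endpoint out of scope, so handle_token_request() is one plausible behaviour, not the specified one. The scope parser follows the format given in table C.3.2-1: AEF identifiers separated by ";", each followed by ":" and a ","-separated service list.

```python
"""Added example: the clause C.3 access token exchange between an API Invoker
and the CAPIF Core Function (CCF), simulated offline. Not spec text."""
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed onboarding record (assumption): what the CCF stored when the
# API Invoker onboarded. 'allowed' is the per-AEF service list it may request.
ONBOARDED_INVOKERS = {
    "api_invoker_1": {
        "client_cred": "s3cr3t-from-onboarding",
        "allowed": {"AEF1": {"Service1", "Service2"}, "AEF2": {"Service3"}},
    },
}


def parse_scope(scope):
    """Parse the table C.3.2-1 scope format into {aef_id: {service, ...}}.

    The OAuth scope field is space-delimited; each CAPIF scope entry has the
    form 'AEF:Service,Service;AEF:Service'. Malformed entries raise ValueError.
    """
    result = {}
    for token in scope.split():
        for entry in token.split(";"):
            if not entry:
                continue
            aef, sep, services = entry.partition(":")
            if not sep or not aef or not services:
                raise ValueError(f"malformed scope entry: {entry!r}")
            result.setdefault(aef, set()).update(s for s in services.split(",") if s)
    return result


def format_scope(scope_map):
    """Inverse of parse_scope(); sorted so the output is deterministic."""
    return ";".join(f"{aef}:{','.join(sorted(svcs))}"
                    for aef, svcs in sorted(scope_map.items()))


def build_token_request(client_id, client_cred=None, scope=None):
    """API Invoker side: the application/x-www-form-urlencoded, UTF-8 encoded
    entity-body of the Access Token Request (table C.3.2-1)."""
    params = {"grant_type": "client_credentials", "client_id": client_id}
    if client_cred is not None:   # OPTIONAL in the table
        params["client_cred"] = client_cred
    if scope:                     # OPTIONAL in the table
        params["scope"] = scope
    return urlencode(params, encoding="utf-8").encode("utf-8")


def handle_token_request(body, lifetime=3600):
    """Simulated CCF token endpoint (assumption). Returns (status, payload).

    client_cred is checked here as the client authentication that RFC 6749
    clause 4.4 uses as the grant; a Method 3 deployment may instead rely on
    the TLS layer to authenticate the invoker.
    """
    form = {k: v[-1] for k, v in
            parse_qs(body.decode("utf-8"), strict_parsing=True).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    invoker = ONBOARDED_INVOKERS.get(form.get("client_id", ""))
    # Constant-time comparison: a wrong credential must not leak via timing.
    if invoker is None or not secrets.compare_digest(form.get("client_cred", ""),
                                                     invoker["client_cred"]):
        return 401, {"error": "invalid_client"}
    try:
        requested = parse_scope(form.get("scope", ""))
    except ValueError:
        return 400, {"error": "invalid_scope"}
    if not requested:             # nothing asked for: grant the onboarded list
        granted = invoker["allowed"]
    else:                         # otherwise narrow to the onboarded list
        granted = {aef: svcs & invoker["allowed"].get(aef, set())
                   for aef, svcs in requested.items()}
        granted = {aef: svcs for aef, svcs in granted.items() if svcs}
    if not granted:
        return 400, {"error": "invalid_scope"}
    return 200, {                 # table C.3.3-1
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": lifetime,
        "scope": format_scope(granted),
    }


def parse_token_response(status, payload, now=None):
    """API Invoker side: validate table C.3.3-1 and compute the expiry time."""
    if status != 200:
        raise PermissionError(payload.get("error", "unknown_error"))
    missing = [k for k in ("access_token", "token_type", "expires_in") if k not in payload]
    if missing:
        raise ValueError(f"token response missing {missing}")
    if payload["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {payload['token_type']!r}")
    now = time.time() if now is None else now
    return {
        "access_token": payload["access_token"],
        "expires_at": now + int(payload["expires_in"]),
        "scope": parse_scope(payload.get("scope", "")),
    }


if __name__ == "__main__":
    body = build_token_request("api_invoker_1", "s3cr3t-from-onboarding",
                               "AEF1:Service1,Service2,Service9;AEF2:Service3")
    status, payload = handle_token_request(body)
    print(status, payload["scope"], parse_token_response(status, payload)["expires_at"])
```

Run as a script, the request above asks for Service9 on AEF1, which the constructed onboarding record does not allow, so the granted scope in the response is narrowed to the onboarded services; a wrong or missing client_cred yields 401 invalid_client and a scope naming no onboarded service yields 400 invalid_scope.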