C.6 Token revocation

3GPP TS 33.122 Release 17: Security aspects of Common API Framework (CAPIF) for 3GPP northbound APIs

In order to limit the time validity of a token, the "exp" and "expires_in" parameters shall be used as a method of access token revocation.

Within the claims of a ‘Method 3 – TLS with OAuth token’ access token, the "exp" parameter shall be used by the AEF to determine whether or not the token has expired. If the current time is beyond the time specified by the "exp" parameter, the associated token shall no longer be considered valid and any requests made with an expired token shall be rejected by the AEF.

The "expires_in" parameter of an access token response message shall be used by the API Invoker to determine the validity of the associated token. Its value is the token lifetime in seconds (RFC 6749 clause 5.1), counted from receipt of the token response, so the API Invoker derives the absolute expiry time from it. If the current time is beyond that expiry time, the associated access token shall no longer be considered valid and no northbound API requests shall be made using the expired access token. The procedure defined in C.3 shall be used to obtain a new access token.
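The two checks above (the AEF rejecting a token whose "exp" claim has passed, and the API Invoker refusing to send requests once the lifetime announced by "expires_in" has elapsed), as an added worked example that is not code from TS 33.122 or from any CAPIF implementation. It assumes an HS256-signed JWT with a shared secret purely so the example is self-contained; the token issuance function, the shared key, the claim set, the clock-skew margin on the invoker side and the result strings are all constructed for this illustration. Note that the AEF verifies the signature and pins the algorithm before trusting "exp": an unauthenticated expiry claim is attacker-controlled.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for token issuance: an HS256-signed JWT carrying
    the given claims, including "exp" (NumericDate, seconds since epoch)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def aef_validate(token: str, key: bytes, now: Optional[float] = None) -> Tuple[bool, str, dict]:
    """AEF-side check: pin the algorithm, verify the signature, then reject the
    token once "exp" has been reached (RFC 7519 requires now < exp)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", {}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # refuse "none" / alg confusion
            return False, "unsupported alg", {}
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad signature", {}
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):  # bad base64, bad JSON, non-object header
        return False, "malformed", {}
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False, "missing exp", claims
    if now >= exp:
        return False, "expired", claims
    return True, "ok", claims


class InvokerTokenStore:
    """API Invoker side: "expires_in" is a lifetime in seconds, so the absolute
    expiry is receipt time + expires_in. clock_skew is a safety margin assumed
    by this example, not something the specification prescribes."""

    def __init__(self, clock_skew: float = 0.0):
        self.access_token: Optional[str] = None
        self.expires_at: Optional[float] = None
        self.clock_skew = clock_skew

    def store_response(self, response: dict, received_at: float) -> None:
        self.access_token = response["access_token"]
        self.expires_at = received_at + float(response["expires_in"])

    def token_for_request(self, now: Optional[float] = None) -> Optional[str]:
        """Return the token while it is valid; None means the invoker must run
        the C.3 procedure again before making any northbound API request."""
        now = time.time() if now is None else now
        if self.access_token is None or self.expires_at is None:
            return None
        if now + self.clock_skew >= self.expires_at:
            return None
        return self.access_token


if __name__ == "__main__":
    key = b"constructed-shared-secret"        # constructed sample key
    t0 = 1_700_000_000                        # fixed "now" for a reproducible run
    tok = issue_token({"iat": t0, "exp": t0 + 300}, key)
    print("AEF at t0      :", aef_validate(tok, key, now=t0)[:2])
    print("AEF at t0+300  :", aef_validate(tok, key, now=t0 + 300)[:2])
    store = InvokerTokenStore(clock_skew=5)
    store.store_response({"access_token": tok, "token_type": "Bearer", "expires_in": 300}, received_at=t0)
    print("Invoker t0+294 :", store.token_for_request(now=t0 + 294) is not None)
    print("Invoker t0+295 :", store.token_for_request(now=t0 + 295) is not None)
```

The invoker's margin makes it refresh slightly before the AEF would start rejecting, which avoids a request that is valid when sent but expired by the time the AEF evaluates it; the exact margin is a deployment choice.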