full Contents for  TS 23.222  Word version:   17.0.0

The CAPIF core function allows to revoke subscription of CAPIF events for the subscribing entity related to the service API changes, such as availability events of service APIs, change in service API information, monitoring service API invocations, API invoker onboarding events, etc. This procedure is initiated by the CAPIF core function. NOTE:

This subclause describes the information flows for CAPIF event subscription revocation.

Figure 8.9.3-1 illustrates the procedure for subscription revocation, triggered by the CAPIF core function. Pre-conditions:

1. The subscribing entity has previously subscribed to CAPIF event(s) to the CAPIF core function.

1. The CAPIF core function decides to revoke subscription of CAPIF event(s) for the subscribing entity.
2. The CAPIF core function sends subscription revoke notification to the subscribing entity.
3. The subscribing entity provides a subscription revoke notification acknowledgement to the CAPIF core function.

The procedure in this subclause corresponds to the architectural requirements for authentication between the API invoker and the CAPIF core function.

NOTE:

Figure 8.10.3-1 illustrates the procedure for authentication between the API invoker and the CAPIF core function. Pre-conditions:

1. The API invoker is onboarded with the CAPIF core function and the API invoker profile is created.

1. The API invoker triggers authentication to the CAPIF core function, including the identity confirmed after successful onboarding.
2. Upon receiving the authentication request, the CAPIF core function verifies the identity with the API invoker profile and authenticates the API invoker.
NOTE 1:
The authentication process is specified in subclause 6.2 and subclause 6.3.1 of TS 33.122.
3. The CAPIF core function returns the result of the API invoker identity verification in the authentication response.
NOTE 2:
The CAPIF core function can share the information required for authentication of the API invoker at the AEF.

The API invoker requires to execute this procedure when it needs to obtain or re-obtain (e.g. upon expiry of the authorization information) the authorization to access the service API. Once the API invoker receives the authorization to access the service API, the API invoker can perform one or multiple service API invocations as per the permission limit. This procedure may be performed during the API invoker onboarding process.

NOTE:

Figure 8.11.3-1 illustrates the procedure for obtaining authorization to access the service API. Pre-condition:

1. The API invoker is onboarded and has received an API invoker identity.

1. The API invoker sends an obtain service API authorization request to the CAPIF core function for obtaining permission to access the service API by including the API invoker identity information and any information required for authentication of the API invoker.
2. The CAPIF core function validates the authentication of the API invoker (using authentication information) and checks whether the API invoker is permitted to access the requested service API.
NOTE 1:
The authentication process is specified in subclause 6.5.2.3 of TS 33.122.
3. Based on the API invoker's subscription information the authorization information to access the service APIs is sent to the API invoker in the obtain service API authorization response.
NOTE 2:
The mechanism for distribution of the authorization information for the API invoker to the API exposing function is specified in subclause 6.5.2.3 of TS 33.122.

The CAPIF core function is the central repository of all the policies related to service APIs. The AEF executes this procedure when it needs to obtain the policy to perform access control on the service API invocations (e.g. when policy for performing access control on service API is unavailable at the AEF). The AEF can be within PLMN trust domain or within 3rd party trust domain.

Figure 8.12.3-1 illustrates the procedure for obtaining policy to perform access control on the service API invocations. Pre-conditions:

1. The AEF is hosting the service API but the policy to perform access control is not available with AEF.
2. The CAPIF core function is configured with the access control policies corresponding to one or more service APIs.
3. Authorization details of the AEF are available with the CAPIF core function.

1. The AEF sends an obtain access control policy request to the CAPIF core function for obtaining the policy to perform the access control on service API invocations by including the details of the hosted service API.
2. The CAPIF core function checks whether the AEF is authorized to receive the access control policy corresponding to the service APIs requested.
3. If authorization check is successful, the AEF is provided the access control policy for the service API via an obtain access control policy response. If authorization check is not successful, the AEF is provided with a failure indication via a obtain access control policy response.

NOTE: