The procedure in this subclause corresponds to the architectural requirements related to some common access control requirements for service API invocations. It provides access control, based on two cascaded API Exposing Function (AEF) instances. While one AEF instance provides the entry point for the service API and acts as access controller, further AEF instances deliver the functionality of the actual service APIs.
The information flow service API invocation request from the API invoker to the AEF and between AEFs is service API specific and the complete detail of the service API invocation request is out of scope of the present document. Table 220.127.116.11-1
describes the CAPIF related information elements which are included in the service API invocation request.
The information flow service API invocation response from the AEF to the API invoker and between AEFs is service API specific and the complete detail of the service API invocation response is out of scope of the present document. Table 18.104.22.168-1
describes the CAPIF related information elements which are included in the service API invocation response.
illustrates the procedure for CAPIF access control.
The API invoker has performed the service discovery and received the details of the service API which includes the information about the service communication entry point of the AEF‑1 in the CAPIF.
The API invoker is authenticated and authorized to use the service API.
The AEF‑1 in the CAPIF is configured with at least one access policy to be applied to the service API invocation corresponding to the API invoker and service API.
The API invoker performs service API invocation according to the interface of the service API by sending a service API invocation request towards the AEF‑1 which exposes the service API towards the API invoker, and acts as access control entity.
Upon receiving the service API invocation request from the API invoker, the AEF‑1 checks for configuration for access control. As per the configuration for access control, the AEF‑1 performs access control on the service API invocation as per the operator policy.
The AEF‑1 forwards the incoming service API invocation request to the service API provided by AEF‑2.
The AEF‑1 receives a service API invocation response for service API invocation from AEF‑2.
The AEF‑1 resolves the destination API invoker address and modifies the source address information of AEF‑2 within the service API invocation response and forwards the service API invocation response to the API invoker.