Content for TS 23.222 Word version: 19.7.0
0…
4…
5…
6…
6.3…
6.4…
7…
8…
8.5…
8.8…
8.9…
8.13…
8.17…
8.21…
8.25…
8.26…
8.28…
8.30…
8.33…
8.36…
9…
10…
10.4…
10.7…
11…
A
B…
B.2…
B.3…
C…
D…
8.13 Topology hiding
8.13.1 General
8.13.2 Information flows
8.13.2.1 Service API invocation request (API invoker - AEF-1)
8.13.2.2 Service API invocation request (AEF-1 - AEF-2)
8.13.2.3 Service API invocation response (AEF-2 - AEF-1)
8.13.2.4 Service API invocation response (AEF-1 - API invoker)
8.13.3 Procedure
8.14 Authentication between the API invoker and the AEF prior to service API invocation
8.14.1 General
8.14.2 Information flows
8.14.3 Procedure
8.15 Authentication between the API invoker and the AEF upon the service API invocation
8.15.1 General
8.15.2 Information flows
8.15.2.1 Service API invocation request with authentication information
8.15.2.2 Service API invocation response
8.15.3 Procedure
8.16 Service API invocation with AEF authorization
8.16.1 General
8.16.2 Information flows
8.16.2.1 Service API invocation request
8.16.2.2 Service API invocation response
8.16.3 Procedure
...
...
8.13 Topology hiding p. 65
8.13.1 General p. 65
The procedure in this subclause corresponds to the architectural requirements for hiding the topology of the PLMN trust domain from the API invokers accessing the service APIs from outside the PLMN trust domain.
8.13.2 Information flows p. 65
8.13.2.1 Service API invocation request (API invoker - AEF-1) p. 65
The information flow service API invocation request from the API invoker to AEF-1 (AEF acting as service communication entry point) is service API specific and the complete detail of the service API invocation request is out of scope of the present document. Table 8.17.2.1-1 describes the CAPIF related information elements which are included in the service API invocation request.
8.13.2.2 Service API invocation request (AEF-1 - AEF-2) p. 65
The information flow service API invocation request from AEF-1 (AEF acting as service communication entry point) to AEF-2 (destination AEF for handling service API) is service API specific and the complete detail of the service API invocation request is out of scope of the present document. Table 8.17.2.1-1 describes the CAPIF related information elements which are included in the service API invocation request.
8.13.2.3 Service API invocation response (AEF-2 - AEF-1) p. 66
The information flow service API invocation response from AEF-2 (destination AEF for handling service API) to AEF-1 (AEF acting as service communication entry point) is service API specific and the complete detail of the service API invocation response is out of scope of the present document. Table 8.17.2.2-1 describes the CAPIF related information elements which are included in the service API invocation response.
8.13.2.4 Service API invocation response (AEF-1 - API invoker) p. 66
The information flow service API invocation response from AEF-1 (AEF acting as service communication entry point) to the API invoker is service API specific and the complete detail of the service API invocation response is out of scope of the present document. Table 8.17.2.2-1 describes the CAPIF related information elements which are included in the service API invocation response.
8.13.3 Procedure p. 66
Figure 8.13.3-1 illustrates the procedure for CAPIF topology hiding.
Pre-conditions:
- The API invoker has performed the service discovery and received the details of the service API which includes the information about the service communication entry point of the AEF-1 in the CAPIF.
- The API invoker is authenticated and authorized to use the service API.
- The AEF-1 in the CAPIF is configured with a policy for topology hiding including the entry point address of the service API (provided via AEF-2).
Step 1.
The API invoker performs service API invocation according to the interface of the service API by sending a service API invocation request towards the AEF-1 which exposes the service API towards the API invoker, and acts as topology hiding entity.
Step 2.
The AEF-1 further resolves the actual destination service API address information according to the topology hiding policy and forwards the incoming service API invocation request to the service API of the related AEF-2.
Step 3.
The AEF-1 receives a response request for service API invocation from service API provided by AEF-2.
Step 4.
The AEF-1 resolves the destination API invoker address and also modifies the source address information of the AEF-2 within the response request as per topology hiding policy and forwards the response request to the API invoker.
8.14 Authentication between the API invoker and the AEF prior to service API invocation p. 67
8.14.1 General p. 67
The procedure in this subclause corresponds to the architectural requirements for authentication of the API invoker by the AEF.
To reduce latency during API invocation, the API invoker associated authentication information can be made available at the AEF after authentication between the API invoker and the CAPIF core function.
8.14.2 Information flows p. 67
8.14.3 Procedure p. 67
Figure 8.14.3-1 illustrates the procedure for authentication between the API invoker and the AEF.
Pre-condition:
- Optionally, the CAPIF core function has shared the information required for authentication of the API invoker with the AEF.
Step 1.
The API invoker triggers authentication initiation to the AEF, including the API invoker identity.
Step 2.
The AEF obtains the API invoker information required for authentication by the AEF, if not available.
Step 3.
The AEF returns the result of authentication initiation in the authentication initiation response.
Step 4.
The AEF verifies the identity of the API invoker and authenticates the API invoker.
8.15 Authentication between the API invoker and the AEF upon the service API invocation p. 68
8.15.1 General p. 68
The procedure in this subclause corresponds to the architectural requirements for authentication of the API invoker by the AEF upon the service API invocation.
To reduce latency during API invocation, the API invoker associated authentication information can be made available at the AEF after authentication between the API invoker and the CAPIF core function.
8.15.2 Information flows p. 68
8.15.2.1 Service API invocation request with authentication information p. 68
The information flow service API invocation request with authentication information from the API invoker to the AEF is service API specific and the complete detail of the service API invocation request is out of scope of the present document. Table 8.15.2.1-1 describes only the CAPIF related information elements which are included in the service API invocation request.
| Information element | Status | Description |
|---|---|---|
| API invoker identity information | M | The information that determines the identity of the API invoker |
| Authentication information | M
(see NOTE) | The authentication information obtained before initiating the service API invocation request |
| Service API identification | M | The identification information of the service API for which invocation is requested. The service API identification is part of the specific service API invocation request. |
|
NOTE:
The specific security information of this information element is specified in subclause 6.5.2 of TS 33.122.
|
||
8.15.2.2 Service API invocation response p. 68
The information flow service API invocation response from the AEF to the API invoker is service API specific and the complete detail of the service API invocation response is out of scope of the present document. Table 8.15.2.2-1 describes only the CAPIF related information elements which are included in the service API invocation response.
| Information element | Status | Description |
|---|---|---|
| Result | M | Indicates the success or failure of service API invocation. |
| Cause | O | The cause for the request failure. |
8.15.3 Procedure p. 68
Figure 8.15.3-1 illustrates the procedure for authentication of the API invoker by the AEF, where the authentication information is carried in the API invocation request.
Pre-condition:
- Optionally, the CAPIF core function has shared the information required for authentication of the API invoker with the AEF.
Step 1.
The API invoker invokes a service API invocation request with authentication information to the AEF, and includes in this request authentication information, including the API invoker identity.
Step 2.
The AEF obtains the API invoker information required for authentication by the AEF, if not available.
Step 3.
The AEF verifies the identity of the API invoker and authenticates the API invoker.
Step 4.
If the verification was successful, the AEF returns the result of the service API invocation in the Service API invocation response.
8.16 Service API invocation with AEF authorization p. 69
8.16.1 General p. 69
The procedure in this subclause corresponds to the architectural requirements to validate authorization of API invokers upon the service API invocation.
To reduce latency during API invocation, the API invoker associated authorization information can be made available at the AEF after authentication between the API invoker and the CAPIF core function.
8.16.2 Information flows p. 70
8.16.2.1 Service API invocation request p. 70
The information flow service API invocation request from the API invoker to the AEF is service API specific and the complete detail of the service API invocation request is out of scope of the present document. Table 8.16.2.1-1 describes only the CAPIF related information elements which are included in the service API invocation request.
| Information element | Status | Description |
|---|---|---|
| API invoker identity information | M | The information that determines the identity of the API invoker |
| Authorization information | O
(see NOTE) | The authorization information obtained before initiating the service API invocation request |
| Network Slice Info | O
(see NOTE) | The desired network slice information of the service API |
| Service API identification | M | The identification information of the service API for which invocation is requested. The service API identification is part of the specific service API invocation request. |
|
NOTE:
The inclusion of this information element depends on the chosen solution for authorization.
|
||
8.16.2.2 Service API invocation response p. 70
The information flow service API invocation response from the AEF to the API invoker is service API specific and the complete detail of the service API invocation response is out of scope of the present document. Table 8.16.2.2-1 describes only the CAPIF related information elements which are included in the service API invocation response.
| Information element | Status | Description |
|---|---|---|
| Result | M | Indicates the success or failure of service API invocation. |
| Authorization information with resource owner required | O | This information element may be present when the result is failure. Indicates that the required authorization information with resource owner is required. |
8.16.3 Procedure p. 70
Figure 8.16.3-1 illustrates the procedure for API invoker authorization to access service APIs.
Pre-conditions:
- The API invoker has been authenticated.
- The API invoker associated authorization information is available at AEF.
Step 1.
The API invoker triggers service API invocation request to the AEF, including the service API to be invoked.
Step 2.
Upon receiving the service API invocation request, the AEF checks whether the API invoker is authorized to invoke that service API, based on the authorization information.
Step 2a.
If the AEF does not have information required to authorize service API invocation, the AEF obtains the authorization information from the CAPIF core function.
Step 3.
The AEF executes the service logic for the invoked service API.
Step 4.
The API invoker receives the service API invocation response as a result of the service API invocation. If in step 2, the AEF determines that the required resource owner authorization information is not available for the requested service API, then the AEF responds to API Invoker with failure status message indicating that the authorization information with resource owner is not available, as specified in Table 8.16.2.2-1.
