Content for TS 23.222 Word version: 19.7.0
0…
4…
5…
6…
6.3…
6.4…
7…
8…
8.5…
8.8…
8.9…
8.13…
8.17…
8.21…
8.25…
8.26…
8.28…
8.30…
8.33…
8.36…
9…
10…
10.4…
10.7…
11…
A
B…
B.2…
B.3…
C…
D…
8.30 Deregistering the API provider domain functions on the CAPIF
8.30.1 General
8.30.2 Information flows
8.30.2.1 Deregistration request
8.30.2.2 Deregistration response
8.30.3 Procedure
8.31 API invoker obtaining authorization from resource owner
8.31.1 General
8.31.2 Information flows
8.31.3 Procedure
8.32 Reducing authorization information inquiry in a nested API invocation
8.32.1 General
8.32.2 Information flows
8.32.3 Procedure
...
...
8.30 Deregistering the API provider domain functions on the CAPIF |R16| p. 104
8.30.1 General p. 104
The procedure in this subclause corresponds to the architectural requirements for deregistering the API provider domain functions on the CAPIF. This procedure deregisters the API provider domain functions as authorized users of the CAPIF functionalities.
8.30.2 Information flows p. 104
8.30.2.1 Deregistration request p. 104
Table 8.30.2.1-1 describes the information flow, deregistration request, from the API management function to the CAPIF core function.
| Information element | Status | Description |
|---|---|---|
| Security information | M | Information for CAPIF core function to validate the deregistration request |
8.30.2.2 Deregistration response p. 104
Table 8.30.2.2-1 describes the information flow, deregistration response, from the CAPIF core function to the API management function.
| Information element | Status | Description |
|---|---|---|
| Result | M | Indicates the success or failure of the deregistration operation |
8.30.3 Procedure p. 104
Figure 8.30.3-1 illustrates the procedure for deregistering API provider domain functions on the CAPIF core function.
Step 1.
For deregistration of API provider domain functions on the CAPIF core function, the API management function sends a deregistration request to the CAPIF core function.
Step 2.
The CAPIF core function validates the received request and processes the deregistration request.
Step 3.
The CAPIF core function sends a deregistration response message to the API management function.
Step 4.
The API management function processes the deregistration to the individual API provider domain functions.
8.31 API invoker obtaining authorization from resource owner |R18| p. 105
8.31.1 General p. 105
CAPIF may authorize the API invoker to invoke the service API based on the authorization information from the resource owner given before the API invocation.
Clause 8.31.3 shows the procedure for obtaining the authorization information.
8.31.2 Information flows p. 105
8.31.3 Procedure p. 105
Figure 8.31.3-1 illustrates the procedure for API invoker obtaining authorization from resource owner.
Pre-conditions:
- The resource owner function (ROF) can communicate with the CCF (Authorization function).
- Access to an API exposing function offered service API requires obtaining authorization from a resource owner (RO).
Step 1.
The API invoker requests to obtain authorization information to invoke the service API exposed by the API exposing function (AEF) and to access information owned by the resource owner at the AEF through the invocation of an obtain service API authorization request to the CCF. The request contains API invoker information required for authorization, the information identifying the service API, the purpose for data processing and any information required for authentication of the API invoker. The request may include finer level service API access requirements (e.g., access per service API operation or access per API service resource) and resource owner-related information required to obtain resource owner authorization information.
Step 2.
The CCF performs the authentication of the API invoker (using authentication information). Then the Authorization function determines the authorization by checking the authorization information available in the CCF and by checking the authorization information provided by the RO via the ROF. The request to the ROF contains application service information (e.g. the application service provider and application identifier), the purpose for data processing and the resource owner data information for which the API invoker requests access grants.
Step 3.
Based on the RO authorization information obtained via the ROF, the CCF sends an obtain service API authorization response to the API invoker.
Step 4.
The API invoker sends service API invocation request to the API exposing function with the authorization information received from CCF (Authorization function) in step 3.
Step 5.
The API invoker receives the service API invocation response resulting from the service API invocation once the API exposing function has checked whether the API invoker is authorized to invoke that service API based on the authorization information received from CCF (Authorization function).
8.32 Reducing authorization information inquiry in a nested API invocation |R18| p. 107
8.32.1 General p. 107
The nested API invocation scenario is a scenario where an API invocation towards a first API exposing function triggers that API exposing function to request an API invocation towards a second API exposing function, which is in the same API provider domain as the first API exposing function. This scenario addresses the situation in which a service API may require the services of other service APIs. For example, if the API invoker invokes SEAL SS_LocationInfoRetrieval API (clause 9.4.4 of TS 23.434), the location management server (acting as an API exposing function for the API invoker and as an API invoker for the NEF) may invoke NEF API to retrieve UE location information from 5GC. In this scenario, the CAPIF may reduce the authorization information inquiries for a nested API invocation using procedure described in clause 8.32.3.
8.32.2 Information flows p. 107
8.32.3 Procedure p. 107
Figure 8.32.3-1 illustrates the procedure to obtain authorization information in a nested API invocation, in which an API exposing function receiving the service API invocation request interacts with another API exposing function to provide the service.
Pre-conditions:
- The resource owner function can communicate with the CCF (Authorization function).
- The API exposing functions 1 and 2 are in the same trust domain.
Step 1.
The API invoker requests authorization information to invoke the service API exposed by API exposing function 1.
Step 2.
The API invoker sends a service API invocation request to API exposing function 1 with the authorization information received in step 1. The API exposing function 1 verifies the API invoker request.
Step 3.
Based on the service API invocation request, API exposing function 1 decides to invoke another service API exposed by API exposing function 2.
Step 4.
API exposing function 1, acting as an API invoker, before interacting with API exposing function 2, shall obtain from the CCF the authorization information to access the service API exposed by API exposing function 2.
Step 5.
API exposing function 1, acting as an API invoker sends a service API invocation request to API exposing function 2 with the authorization information received in step 4.
Step 6.
The API exposing function 1 receives the service API invocation response resulting from the service API invocation once API exposing function 2 has checked whether the API exposing function 1, acting as API invoker, is authorized to invoke that service API based on the authorization information.
Step 7.
The API invoker receives the service API invocation response resulting from the service API invocation.
