Content for TS 23.222 Word version: 19.7.0

0… 4… 5… 6… 6.3… 6.4… 7… 8… 8.5… 8.8… 8.9… 8.13… 8.17… 8.21… 8.25… 8.26… 8.28… 8.30… 8.33… 8.36… 9… 10… 10.4… 10.7… 11… A B… B.2… B.3… C… D…

8.33 Obtaining collective authorization from a resource owner 8.33.1 General 8.33.2 Information flows 8.33.3 Procedure 8.34 UE-deployed API invoker accessing other UEs' resources of a group 8.34.1 General 8.34.2 Information flows 8.34.3 Procedure 8.35 Revoking resource owner authorization 8.35.1 General 8.35.2 Information flows 8.35.3 Procedure
...

8.33 Obtaining collective authorization from a resource owner |R19| p. 108

8.33.1 General p. 108

Using the procedure described in clause 8.31 the CAPIF may authorize an API invoker to invoke a service API based on the authorization information from the resource owner given before the API invocation. This clause describes an extension to that procedure to enable the CAPIF to obtain authorization information from the resource owner relating to multiple API invokers and service APIs in a single interaction.

Clause 8.33.3 shows the procedure for obtaining collective authorization information from a resource owner via their resource owner function.

8.33.2 Information flows p. 108

8.33.3 Procedure p. 108

Figure 8.33.3-1 illustrates the procedure for obtaining collective authorization from resource owner.

The mechanism to obtain collective authorization from a resource owner is supported by the CAPIF core function.

Pre-conditions:

The resource owner function can communicate with the CCF (Authorization function).
Access to an API exposing function offered service API requires obtaining authorization from a resource owner.
The API invoker is successfully onboarded as described in clause 8.1.
The CCF is configured for handling collective authorization, see Table 8.33.3-1.

Reproduction of 3GPP TS 23.222, Fig. 8.33.3-1: Procedure for obtaining collective authorization from resource owner

Figure 8.33.3-1: Procedure for obtaining collective authorization from resource owner

Step 1.

An API invoker sends obtain service API authorization request to the CAPIF core function for obtaining permission to access a service API by including its API invoker identity information and any information required for authentication of the API invoker. The API invoker includes in the request information about the purpose and the targeted resources and operations to be performed on those resources.

Step 2.

The CCF performs the authentication of the API invoker (using authentication information) and checks whether it is permitted to access the requested service API by checking whether a resource owner authorization information is already available for that API invoker. If the authorization for accessing the requested resources for the signalled purpose is already granted, the procedure continues with step 4.

Step 3.

If authorization information is not available regarding whether the API invoker is permitted to access the requested service API (i.e., there is no applicable resource owner authorization information available) the collective resource owner authorization configuration (Table 8.33.3-1) is assessed.

If authorization trigger criteria have been specified as part of the collective resource owner authorization configuration, interactions with the resource owner are only initiated once the trigger conditions are met.

If trigger criteria have not been set or once the trigger conditions are met, the authorization function determines the authorization by interacting with the resource owner via the ROF deployed on a UE. Based on the configured collective resource owner authorization configuration at the CCF and any cached "obtain service API authorization requests", the scope of the request towards the ROF can be expanded to include additional API invokers and or service APIs based on the assumption that there is an association between the requesting API invoker and the API exposing functions and API invokers listed in the CCF configuration.

Step 4.

Based on the RO authorization information obtained via the ROF for each API invoker and corresponding service API(s), the CCF sends an API invoker specific service API authorization response (as described in clause 8.31) to the API invoker that initially triggered the collective resource owner authorization information requested and to each API invoker for which a obtain service API authorization request was received (for the same service API) whilst the collective resource owner authorization configuration duration timer was running, i.e., the cached requests.

Step 5.

An API invoker that receives the service API authorization response can send service API invocation requests to the API exposing function with their API invoker specific resource owner authorization information as described in clause 8.31.

Step 6.

The API exposing function will send a service API invocation response once it has successfully checked that the API invoker is authorized to invoke that service API based on the authorization information.

Table 8.33.3-1: Collective resource owner authorization configuration

Information element	Status	Description
List of API invoker associations (NOTE 1)	O	Lists of API invokers with their associated service APIs.
> API invoker identity information list	M	List of API invoker identities.
> Service API identification list	M	List of AEF service API identities.
List of trigger criteria (NOTE 1)	O	Criteria for triggering requesting of resource owner authorization.
> Duration (NOTE 2)	O	Initiate request towards RO via ROF after the given duration (in seconds) after receiving a obtain service authorization request from an API invoker.
> Timeperiod (NOTE 2)	O	Time period during which notifications may be sent towards RO via ROF.
> Resource owner identifier	O	Can only be included if a duration or timeslot is included. Indicates that the resource owner authorization trigger criteria is to be applied to the specific resource owner identified by their GPSI, i.e., no other resource owner authorization trigger criteria shall be applied for that resource owner.
NOTE 1: At least one of these attributes shall be present. NOTE 2: Only one of these attributes shall be present.

8.34 UE-deployed API invoker accessing other UEs' resources of a group |R19| p. 110

8.34.1 General p. 110

This clause specifies the procedures for API invoker on a UE to be able to access the services exposing resources of other UEs of a group. The UEs belong to the same group and the same VAL service provider (IoT case) or the same user and all of them belong to the same CAPIF provider domain.

The authorization relationship between UE2 (the API invoker is in UE2) and UE1, given by the membership to the same group, is within the CAPIF provider domain. The difference of this scenario compared with the procedure of an API invoker obtaining authorization from resource owner described in clause 8.31 is that:

the API invoker is not deployed in the UE whose resources are being accessed,
the API invoker needs to provide in the request, in addition to the identity of the UE whose resources are being accessed, the Group Identifier and the identity of the UE2; and
the group membership needs to be managed by the CAPIF provider as described in Annex E.

8.34.2 Information flows p. 110

8.34.3 Procedure p. 111

Figure 8.34.3-1 presents the procedure for enabling a UE-hosted API invoker accessing network-hosted resources owned by other UEs that belong to the same group.

Pre-condition:

The network hosts individual resources for a group of UEs which can be accessed via AEF provided the necessary security conditions are met.
UE1 and UE2 belong to the same group and the same VAL service provider (IoT case) or the same user.
CCF is provisioned with the information of a Group Resource Owner (GRO) which indicates UE 1 as the authorized RO (e.g. by business relationship between the group of UEs) to provide resource owner authorization for the resources belonging to the UEs in this group.

Reproduction of 3GPP TS 23.222, Fig. 8.34.3-1: UE-deployed API invoker accessing other UEs' resources of a group

Figure 8.34.3-1: UE-deployed API invoker accessing other UEs' resources of a group

Step 1.

The API invoker (e.g., in UE 2) sends an Obtain service API authorization request to the CCF for obtaining permission to access the service API for other UE's resources hosted in the network (e.g., location) by including the API invoker identity information and any information required for authentication of the API invoker. The request includes API invoker information, the group identifier, and the UE in a group whose resources are to be accessed, and the identity of UE2. Additionally, the API invoker may include in the request information about the purpose and operations (scope) to be performed on the targeted resources.

Step 2.

CCF performs authentication of the API invoker (using authentication information) as specified in TS 33.122.

Step 3.

The CCF, based on the group identifier determines that RO authorization is provided by a GRO. The CCF then resolves the identity of the GRO responsible for the group of UEs based on the provisioned group context information related to the GRO, as specified in Annex E. The CCF shall additionally check whether UE2 belongs to the group.

Step 4.

If step 3 is successful, the CCF performs the resource owner authorization check using the GRO as the RO for the requested resources of other UE(s) belonging to the group.

Step 5.

Based on the group resource owner authorization received in step 4, the CCF sends an Obtain service API authorization response to the API invoker. The authorization response indicates that the access to UE (resource owner) network resource(s) is authorized for an indicated scope.

Step 6.

The API invoker sends service API invocation request to the API exposing function with the RO authorization information received in step 5.

Step 7.

The API invoker receives the service API invocation response resulting from the service API invocation once the API exposing function has checked whether the API invoker is authorized to invoke that service API based on the RO authorization information.

8.35 Revoking resource owner authorization |R19| p. 112

8.35.1 General p. 112

The procedure in this subclause corresponds to the architectural requirements for revoking resource owner authorization.

8.35.2 Information flows p. 112

The information flows for the interactions between the CAPIF core function, the API Invoker and the AEF are described in clause 8.23.2.

8.35.3 Procedure p. 112

Figure 8.35.3-1 illustrates the procedure for revoking resource owner authorization to access service API initiated by the resource owner function.

Pre-conditions:

The API invoker is authenticated and authorized to use the service API.

Reproduction of 3GPP TS 23.222, Fig. 8.35.3-1: Procedure for revoking resource owner authorization

Figure 8.35.3-1: Procedure for revoking resource owner authorization

Step 1.

The RO triggers the revocation of the resource authorization via ROF.

Step 2.

The ROF requests resource authorization revocation to the CAPIF core function.

Step 3.

The CAPIF core function determines the revoked authorization information for the API Invoker and Service API as specified in clause 6.5.3.4 of TS 33.122.

Step 4.

The CAPIF core function sends a revoke resource authorization notification to the API invoker according to the procedure in clause 8.23.4.

Step 5.

The CAPIF core function sends a revoke resource authorization notification to the API exposing function according to the procedure in clause 8.23.4.