
3GPP TS 26.501 (Word version 19.2.0)

4.11  Security architecture |R18|

4.11.1  General

The 5GMS architecture may support the Common API Framework (CAPIF) as specified in TS 23.222 for the interactions across security trust boundaries defined in clause 4.11.2.

4.11.2  Mapping of CAPIF to 5GMS architecture

4.11.2.1  Provisioning a trusted 5GMS AF from a 5GMS Application Provider in the Trusted or External DN at reference point M1

Aligned with the provisions for securing northbound APIs defined in TS 33.122, access to the provisioning operations of the 5GMS AF at reference point M1 may be authorised by means of the OAuth 2.0 framework defined in RFC 6749. In this case, the CAPIF core function defined in TS 23.222 plays the role of authorization server, the 5GMS AF plays the role of resource server and the 5GMS Application Provider plays the role of client.
When CAPIF is supported at reference point M1, the 5GMS Application Provider in the Trusted or External DN shall be authenticated and authorised by the CAPIF core function before it is permitted to create, modify or remove the provisioned services in the trusted 5GMS AF at reference point M1. To successfully invoke provisioning operations at reference point M1, the 5GMS Application Provider is required to present a valid access token that has previously been issued to it by the CAPIF core function at CAPIF-1/1e.
Figure 4.11.2.1-1: Mapping of 5G Media Streaming architecture to CAPIF for 5GMS Application Provider provisioning trusted 5GMS AF
When CAPIF is supported at reference point M1, then:
  • The 5GMS AF shall support the CAPIF API provider domain functions (i.e. CAPIF-2/2e, CAPIF-3, CAPIF-4 and CAPIF-5 as specified in TS 23.222).
  • The Maf_Provisioning service shall be exposed to the 5GMS Application Provider at reference point CAPIF-2/2e, realising reference point M1.
Procedures for provisioning access to the 5GMS AF are defined in clause 5.3.3 (downlink media streaming) and 6.2.2.3 (uplink media streaming).

4.11.2.2  Configuring a trusted 5GMS AS from a 5GMS AF in the Trusted or External DN at reference point M3

Aligned with the provisions for securing northbound APIs defined in TS 33.122, access to the configuration operations of the 5GMS AS at reference point M3 may be authorised by means of the OAuth 2.0 framework defined in RFC 6749. In this case, the CAPIF core function defined in TS 23.222 plays the role of authorization server, the 5GMS AS plays the role of resource server and the 5GMS AF plays the role of client.
When CAPIF is supported at reference point M3, the 5GMS AF in the Trusted or External DN shall be authenticated and authorised by the CAPIF core function before it is permitted to create, modify or remove the configurations in the trusted 5GMS AS at reference point M3. To successfully invoke configuration operations at reference point M3, the 5GMS AF is required to present a valid access token that has previously been issued to it by the CAPIF core function at CAPIF-1/1e.
Figure 4.11.2.2-1: Mapping of 5G Media Streaming architecture to CAPIF for 5GMS AF provisioning trusted 5GMS AS
When CAPIF is supported at reference point M3, then:
  • The 5GMS AS shall support the CAPIF API provider domain functions (i.e. CAPIF-2/2e, CAPIF-3, CAPIF-4 and CAPIF-5 as specified in TS 23.222).
  • The Mas_Configuration service shall be exposed to the 5GMS AF at reference point CAPIF-2/2e, realising reference point M3.
Procedures for configuring the 5GMS AS with authorisation are defined in clause 5.4.2 (downlink media streaming) and 6.2.3.3 (uplink media streaming).

4.11.2.3  Invoking a 5GMS AF in the Trusted DN from a Media Session Handler at reference point M5

Aligned with the provisions for securing southbound APIs defined in TS 23.222, access to the media session handling operations of the 5GMS AF at reference point M5 may be authorised by means of the OAuth 2.0 framework defined in RFC 6749. In this case, either the CAPIF core function defined in TS 23.222 or the 5GMS Application Provider plays the role of authorization server, the 5GMS AF plays the role of resource server and the Media Session Handler plays the role of client.
When CAPIF is supported at reference point M5, the Resource owner-aware Northbound API Access (RNAA) model is recommended as defined in clause 6.2.3 of TS 23.222. The Media Session Handler in the 5GMS Client shall be authenticated and authorised by the CAPIF core function before it is permitted to invoke media session handling operations on the 5GMS AF at reference point M5. To successfully invoke media session handling operations at reference point M5, the Media Session Handler in the 5GMS Client is required to present a valid access token that has previously been issued to it by the CAPIF core function at CAPIF-1e.
Figure 4.11.2.3-1: Mapping of 5G Media Streaming architecture to CAPIF for a 5GMS Client accessing the 5GMS AF
When CAPIF is supported at reference point M5, then:
  • The 5GMS AF shall support the CAPIF API provider domain functions (i.e. CAPIF-2e, CAPIF-3, CAPIF-4 and CAPIF-5 as specified in TS 23.222).
  • The Maf_SessionHandling service shall be exposed to the Media Session Handler in the 5GMS Client at reference point CAPIF-2e, realising reference point M5.
Procedures used by the 5GMS Application Provider to provision future access to the 5GMS AF by Media Session Handlers are defined in clause 5.3.3 (downlink media streaming) and 6.2.2.3 (uplink media streaming).
Procedures for authorising access to the 5GMS AF by the Media Session Handler under the control of the 5GMS-Aware Application are defined in clause 5.2.5 (downlink media streaming) and 6.3.3 (uplink media streaming).
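Clauses 4.11.2.1, 4.11.2.2 and 4.11.2.3 above describe one OAuth 2.0 pattern applied at three reference points: the CAPIF core function issues an access token to the client (5GMS Application Provider at M1, 5GMS AF at M3, Media Session Handler at M5), and the resource server (5GMS AF or 5GMS AS) must validate that token before performing the operation. The following Python is an added illustration of the resource-server side of that check; it is not code from TS 26.501, TS 33.122 or any 3GPP implementation. It assumes HMAC-signed JWT tokens carrying iss/sub/aud/scope/exp claims; the key, issuer name, scope names and all identifiers are constructed for the example, and the real token format and claims are those specified in TS 33.122 for CAPIF.

```python
"""Added example: the bearer-token check a 5GMS resource server (5GMS AF at
M1/M5, 5GMS AS at M3) applies before accepting an operation. Token format
(HMAC-signed JWT with iss/sub/aud/scope/exp claims) and every identifier
below are assumptions for illustration, not values from TS 26.501/33.122."""

import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared between the assumed CAPIF core function (acting as
# OAuth 2.0 authorization server) and the resource server that checks tokens.
CAPIF_CORE_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "capif-core-function.example"  # assumed issuer identifier

# Scope a token must carry for each reference point (assumed scope names,
# chosen to match the service exposed over CAPIF-2/2e at that point).
REQUIRED_SCOPE = {
    "M1": "Maf_Provisioning",      # 5GMS Application Provider -> 5GMS AF
    "M3": "Mas_Configuration",     # 5GMS AF -> 5GMS AS
    "M5": "Maf_SessionHandling",   # Media Session Handler -> 5GMS AF
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, audience, scope, ttl=300, now=None, key=CAPIF_CORE_KEY):
    """Model of what the CAPIF core function issues to a client at CAPIF-1/1e.
    'audience' names the resource server the token is valid for."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": client_id, "aud": audience,
              "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = (f"{_b64url(json.dumps(header).encode())}."
                     f"{_b64url(json.dumps(claims).encode())}")
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def authorise(token, reference_point, resource_server_id, now=None, key=CAPIF_CORE_KEY):
    """Resource-server check. Returns (True, claims) if the operation may
    proceed, otherwise (False, reason). Signature is verified before any claim
    is trusted; audience, expiry and scope are then checked in that order."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, c, s = parts
    try:
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except (ValueError, UnicodeDecodeError):   # covers binascii and JSON errors
        return False, "undecodable token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if claims.get("iss") != ISSUER:
        return False, "untrusted issuer"
    # A token minted for the 5GMS AF must not be accepted by the 5GMS AS.
    if claims.get("aud") != resource_server_id:
        return False, "token not issued for this resource server"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    # A provisioning token (M1) must not authorise session handling (M5).
    if REQUIRED_SCOPE[reference_point] not in str(claims.get("scope", "")).split():
        return False, "scope does not permit this operation"
    return True, claims


if __name__ == "__main__":
    t0 = int(time.time())
    m1 = issue_token("app-provider-1", "5gms-af-1", "Maf_Provisioning", now=t0)
    print("M1 provisioning:", authorise(m1, "M1", "5gms-af-1")[0])
    print("same token at M5:", authorise(m1, "M5", "5gms-af-1"))
    print("same token at 5GMS AS:", authorise(m1, "M3", "5gms-as-1"))
```

The audience and scope checks are the two that distinguish the three reference points: the same client credential never doubles as authority at another point, and a token minted for the 5GMS AF is rejected by the 5GMS AS even though both trust the same CAPIF core function.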