For the interfaces (EDGE-1/4), the EEC, EES and ECS shall support and use HTTP/2 with
"https" URIs as specified in
RFC 9113 and
RFC 9110. In addition, the TLS profile shall be compliant with the profile given in
clause 6.2 of TS 33.210 .
For the interfaces EDGE-2/7/8,
-
If the NEF APIs are selected, security aspects of Network Exposure Function including the protection of NEF-AF interface and support of CAPIF defined in clause 12 of TS 33.501 shall be reused, i.e., use of TLS.
-
If the SCEF APIs are selected, the Security procedures for reference point SCEF-SCS/AS defined in clause 5.5 of TS 33.187 can be reused here, i.e., use of TLS.
For the interfaces (EDGE-3/6/9), the EAS, EES and ECS shall support and use HTTP/2 with
"https" URIs as specified in
RFC 9113 and
RFC 9110. In addition, the TLS profile shall be compliant with the profile given in
clause 6.2 of TS 33.210 .
The ECS shall be configured with the information of authorization methods (token-based authorization or local authorization) used by EESes.
Authentication between EEC and ECS shall be done during the execution of the TLS handshake protocol.. Details of the authentication method (e.g., TLS certificates, usage of
AKMA [11] or
GBA [12] as methods to arrange the PSK for TLS) are out of scope of the present document. If the EEC sends the GPSI to the ECS, then the ECS shall also authenticate the GPSI. The details of how to authenticate the GPSI is out of scope of the present document.
After successful authentication, the ECS shall authorize the EEC by its local authorization policy.
After successful authentication and authorization, the ECS decides whether
OAuth 2.0 [15] access tokens are required for the candidate EESes using the configuration information and issues separate EES access tokens to be used for each candidate EESes that use token-based authorization. The ECS, EEC and EES respectively assume the role of authorization server, client and resource server roles defined in
[15].
"Client Credentials" grant type and bearer tokens
[16] shall be used. JSON Web Token (JWT) as specified in IETF
RFC 7519 for encoding and the JSON signature profile as specified in IETF
RFC 7515 for protection of tokens shall be followed. This token profile also applies for
clause 6.3 of the present document. The claims of the EES service tokens in the form of JWT
[17] shall include the ECS FQDN (issuer), EEC ID (client_id), GPSI (subject), expected EES service name(s) (scope), EES FQDN (audience), expiration time (expiration). The ECS shall send the service response back to the EEC, which may include EES access token(s).
Authentication between EEC and EES shall be done during the execution of the TLS handshake protocol.. Details of the authentication method (e.g., TLS certificates, usage of
AKMA [11] or
GBA [12] as methods to arrange the PSK for TLS) are out of scope of the present document. If the EEC sends the GPSI to the EES, then the EES shall also authenticate the GPSI. The details of how to authenticate the GPSI is out of scope of the present document.
For authorization of EEC by the EES, the EEC shall send the OAuth 2.0 [15] access token, if received from the ECS, to the EES. The token profile is specified in
clause 6.2 of the present document. If the EES requires access token for authorization, then the EES shall authorize the EEC by using the token. Otherwise, the EES shall authorize the EEC by its local authorization policy.
After successful authentication and authorization, the EES shall process the request and sends the service response back to the EEC.
According to
clause 8.7.3 of TS 23.558, the EES may re-expose the network capabilities of the 3GPP core network to the EAS(s) as per the CAPIF architecture specified in
TS 23.222. If the CAPIF architecture is used, the CAPIF functional security model specified in
TS 33.122 shall be used for Authentication and authorization in EES capability exposure.
If CAPIF is not used, mutual authentication with TLS certificates using TLS shall be used. The TLS and certificates shall follow the profiles defined in
TS 33.210 and
TS 33.310, and the authorization is based on local authorization policy at the EES.
As specified in
clause 6.1, TLS is used for EDGE-9 reference point (between edge enabler servers) security. For authentication between EESs, X.509 certificates shall be used. The certificates shall follow the profile given in
clause 6.1.3a of TS 33.310. The identities in the end-entity certificates shall be used for authentication and policy checks. Identities in the end-entity certificate shall be based on endpoint information (e.g., URI, FQDN, IP address) as described in
TS 23.558.
Authorization between EESs is based on local authorization policy.