Top   in Index   Prev   Next

TR 33.884
Study on Security of Application enablement aspects for
Subscriber-aware Northbound API access

V18.0.1 (Wzip)  2023/06  49 p.
Dr. Zugenmaier, Alf

full Table of Contents for  TR 33.884  Word version:  18.0.1

Here   Top


1  Scopep. 7

The scope of present document is based on the requirements for SNA (clause 6.10.2 of TS 22.261) and on the Study on application enablement aspects for subscriber-aware northbound API access (TR 23.700-95).
The objective of this study is to:
  1. Identify potential new security requirements related to API invocation (such as user authorization) and define potential solutions to fulfil these requirements. This encompasses:
    • Whether and how CAPIF functions can determine the resource owner upon CAPIF invocation.
    • Whether and how CAPIF can support obtaining authorization from the resource owner.
    • Whether and how CAPIF can support revocation of authorization by the resource owner.
    • Whether and how CAPIF can support security procedures with the aim to reduce authorization inquiries for a nested API invocation.
    The study is not exclusively tailored to CAPIF, but should align with widely deployed authorization frameworks.
  2. Identify potential security requirements for APIs used in SNAAPP and define potential solutions to fulfil these requirements.
This objective includes UE-originated API invocation.

2  Referencesp. 7

3  Definitions of terms, symbols and abbreviationsp. 8

3.1  Termsp. 8

3.2  Symbolsp. 8

3.3  Abbreviationsp. 8

5  Key issuesp. 8

6  Proposed solutionsp. 9

6.1  Solution #1: Resource Owner Authorization in API Invocation using OAuth Tokenp. 9

6.2  Solution #2: Authentication using OpenID Connectp. 13

6.3  Solution #3: UE Originated API invocation using OAuth Client Credential Grantp. 15

6.4  Solution #4: Authenticate and authorize UE in UE originated API invocationp. 18

6.5  Solution #5: Resource Owner based authorization for resource accessp. 21

6.6  Solution #6: Authorization before allowing access to resourcesp. 23

6.7  Solution #7: Authorizing UE originated API invocation with PKCE flowp. 27

6.8  Solution #8: Validation of OAuth Tokenp. 28

6.9  Solution #9: OAuth 2.0 based API invocation procedurep. 30

6.10  Solution #10: UE credential based API invocation procedurep. 32

6.11  Solution #11: Providing and Revoking Resource Owner Authorization using OAuth 2.0 Authorization Code Grantp. 35

6.12  Solution #12: Providing and Revoking Resource Owner Authorizationp. 38

6.13  Solution #13: Resource owner policies based authorization mechanismp. 42

6.14  Solution #14: Reusing CAPIF core function initiated revocation procedure to enable user authorization revocationp. 43

6.15  Solution #15: Authorization revocation to undo API invocationp. 44

6.16  Solution #16: Token Revocation using Short-lived Tokenp. 45

7  Conclusionsp. 47

$  Change historyp. 49

Up   Top