Open PedroDiez opened 5 days ago
cc @rartych, @shilpa-padgaonkar, @bigludo7, @eric-murray
I don't like the proposal to maintain a parallel set of error codes dependent on whether the API used device
or just phoneNumber
as the optional "API subject" identifier to be used with 2-legged access tokens.
In all cases, the Device
object could have been used, but for various reasons the simpler phoneNumber
was used. And whilst someone may think that they do not want, for example, their API to support identifying mobile subscriptions from IP addresses, by accepting 3-legged access tokens they enable exactly that.
This is more than semantics. Having a parallel set of error codes complicates implementation logic for what is the same logical error, as the error to be returned is dependent solely on the options offered to identify the API subject. And I think application developers will also get confused if they are working with several APIs, as they end up implementing parallel but identical error traps for the "device" and "phone number" error codes.
Why, for example, should the error codes be different for:
POST /check
{ "device" : { "phoneNumber" : "+1234567890" } }
and
POST /check
{ "phoneNumber" : "+1234567890" }
I think it would be better if we could just agree on a common term that applies to both the "device" and the "subscription" (or "account" or whatever), both of which just identify the API subject. Given that application developers will have to get familiar with 3-legged tokens, and given that the ID token refers to device or subscription as the "subject", irrespective of how it was identified, I'd propose the term "API_SUBJECT" to replace both "DEVICE" and "PHONE_NUMBER".
So we could have (note that some of these are likely to become redundant shortly):
UNSUPPORTED_API_SUBJECT_IDENTIFIER
API_SUBJECT_NOT_FOUND
SERVICE_NOT_APPLICABLE_TO_API_SUBJECT
API_SUBJECT_CANNOT_BE_IDENTIFIED
UNNECESSARY_API_SUBJECT_IDENTIFIER
API_SUBJECT_IDENTIFIER_MISMATCH
In all cases, the exact error can be clarified in the message
, which will only generally be read by a person and so can be used to resolve their confusion. Unlike the error code, which must be read and processed by a machine, which will not care about the exact name used.
After reviewing this with @PedroDiez, we think that certain standard HTTP codes would not need to be documented explicitly for every API operation. In particular those 4xx codes returned when the client sends something not specified as accepted by the API, as that is the standard expected behaviour:
5xx errors are unexpected errors and quite standard as well, so we may discuss also whether they need to be explicitly indicated.
Regarding distinguishing error codes for device vs phoneNumber. there is a good point in @eric-murray's comment, but the term "API_SUBJECT" I don't think is friendly enough. We suggest to simplify the codes removing the references to "device" as generally the term "identifier" is enough in this context, and we also have the message
to add additional details if necessary, so we could consolidate the codes as:
UNSUPPORTED_API_SUBJECT_IDENTIFIER
-> UNSUPPORTED_IDENTIFIER
API_SUBJECT_NOT_FOUND
-> IDENTIFIER_NOT_FOUND
SERVICE_NOT_APPLICABLE_TO_API_SUBJECT
-> SERVICE_NOT_APPLICABLE
API_SUBJECT_CANNOT_BE_IDENTIFIED
-> MISSING_IDENTIFIER
UNNECESSARY_API_SUBJECT_IDENTIFIER
-> UNNECESSARY_IDENTIFIER
API_SUBJECT_IDENTIFIER_MISMATCH
-> IDENTIFIER_MISMATCH
If we decide to change the codes from Fall24 meta, for Spring25 one, that would imply a compatibility breaking change to released APIs. Probably, we should not release a new version just to adopt the new codes, but if a new version is released to include additional functionality, then the new codes must be adopted.
@jlurien Yes, I'm fine with this proposal
Problem description Two enhancements are proposed inder this issue:
phoneNumber
concept in the same fashion as done fordevice
in MetaRelease Fall 24 for device error responsesPossible evolution
1) Normalize Mandatory Error status
6.1 Standardized use of CAMARA error responses
the following information:Mandatory Errors to be documented in CAMARA API Spec YAML are the following:
2) Define specific Errors for
phoneNumber
conceptAdd a new section
6.3 Error Responses - phoneNumber
to detail error scenarios for phoneNumberNOTE: New exceptions would be added to
CAMARA_common.yaml
for referenceAlternative solution
Additional context
There are CAMARA APIs where phoneNumber represents the end's user subscription (e.g SIM-SWAP, Number Verification, Carrier Billing, KYC family,...). Therefore having specific errors related to the concept of phoneNumber is the natural way to address error scenarios in a fully semantic and user-friendly way
Proposed as a child issue of #306