Open Chintanlodariya opened 1 month ago
GET/subscriptions should return all the subscriptions created by the same client which is calling the endpoint, not for all clients.
Is there any standard definition in CAMARA Commonalities for segregation of clients?
Client authentication and authorisation are being discussed under CAMARA APIs access and user consent management.
GET/subscriptions should return all the subscriptions created by the same client which is calling the endpoint, not for all clients
In case the API client is an aggregator, then I presume this API would respond with all the subscriptions for the user identifier (MSISDN/IP etc.) rather than all the subscriptions created by the client/aggregator, which in practice could be for multiple different users.
Is this understanding correct?
@Chintanlodariya This is a fair point. My recommendation for you is to take a look at the subscription rule of engagement here and provide your comment in Commonalities, as this is valid for all our subscriptions.
In my understanding the client of the API is in that case still the application which triggers the API call. So the aggregator provides application specific credentials. So we are able to provide a list of subscriptions which were created by the application.
GET/subscriptions: As this particular service API will respond to all the activated subscriptions, if this is consumed by any external application function, then all the subscription information will be exposed, which might not be relevant to that application function and lead to a threat.
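The scoping requested in this thread, as an added example that is not part of the issue or of any CAMARA specification: each subscription records the client that created it, and both the list and the single-resource read filter on the client identity taken from the validated access token. The store class, field names, client ids and sample values are assumptions made for illustration.

```python
# Added illustration; the store, field names and client ids are hypothetical.
import uuid
from dataclasses import dataclass, field


@dataclass
class SubscriptionStore:
    # subscription id -> record; every record carries the owning client id
    _records: dict = field(default_factory=dict)

    def create(self, token_client_id: str, device: str, sink: str) -> dict:
        # The owner comes from the validated access token, never from the
        # request body, so a caller cannot register entries as another client.
        sub_id = str(uuid.uuid4())
        record = {"subscriptionId": sub_id, "device": device, "sink": sink}
        self._records[sub_id] = {"owner": token_client_id, "body": record}
        return record

    def list_unscoped(self) -> list:
        # Behaviour the issue objects to: every active subscription is returned.
        return [r["body"] for r in self._records.values()]

    def list_for_client(self, token_client_id: str) -> list:
        # Requested behaviour: only subscriptions created by the calling client.
        return [r["body"] for r in self._records.values()
                if r["owner"] == token_client_id]

    def get_for_client(self, token_client_id: str, sub_id: str):
        # Same ownership check on single-resource reads; a foreign id is
        # reported as not found so its existence is not disclosed.
        rec = self._records.get(sub_id)
        if rec is None or rec["owner"] != token_client_id:
            return None
        return rec["body"]


def demo() -> dict:
    store = SubscriptionStore()
    # Constructed sample: an aggregator fronts two applications, each with
    # its own credentials, as described in the thread.
    a = store.create("app-a", "+10000000001", "https://a.example/notify")
    store.create("app-b", "+10000000002", "https://b.example/notify")
    return {
        "unscoped": len(store.list_unscoped()),
        "app_a": store.list_for_client("app-a"),
        "cross_read": store.get_for_client("app-b", a["subscriptionId"]),
        "a": a,
    }
```

If an aggregator used one shared credential for all its applications, the filter above could only separate aggregators from each other, not the applications behind them.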