Open gauravji2192 opened 7 hours ago
Hi @gauravji2192
Have you read this ICM document, where it says:
If all API usecases point to the need of On-net scenario and where the consumption device and authentication device are the same, the Frontend flow should be used. eg. NumberVerification
and
If some usecase/s for an API point to off-net scenarios and where consumption and authentication devices could be different, the Backend flow should be used.
Which is basically what you are saying. Of course, the text in CAMARA documents can always be improved.
In practice, you will not know which authentication schemes are supported until you read the API provider's .well-known/openid-configuration endpoint, which will be API specific. If only "authorization_code" is listed as a valid grant type, well there's your answer.
But specifically for SIM Swap, I'm curious to know who is using Authorisation Code Flow for this API? What is the use case?
Problem description
There is no clear guideline in the API documentation about Authcode flow vs CIBA flow. Current statement in the SIM Swap API https://github.com/camaraproject/SimSwap/blob/main/code/API_definitions/sim-swap.yaml: " _# Authorization and authentication
A similar issue exists with many of the existing CAMARA APIs.

Expected action
I think there must be an additional line in this statement: "In case of 3-legged flow, if the application is directly consumed by the CSP subscriber then Auth code flow must be used. If the application is not consumed directly by the CSP subscriber, then CIBA flow must be used. CSP must support both grant types and provide application developer guidance to implement the 3-legged OAuth 2.0 grant type based on use case."

Additional context
ASPs/Aggregators may face the challenge that Operator A in a country X is exposing SIM Swap using CIBA and Operator B in the same country X is exposing SIM Swap using the Auth code grant type. It must be dependent on use case and application requirement.
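The two points raised in this thread, checking the provider's .well-known/openid-configuration for the advertised grant types and picking Authorization Code for subscriber-consumed (on-net) use cases versus CIBA for the rest, combined into one selector. This is an added example, not code from CAMARA or from either poster; the discovery documents and issuer URLs are constructed samples, and `choose_flow`/`providers_for` are hypothetical helper names.

```python
import json

# Grant type identifiers from RFC 6749 and OpenID Connect CIBA Core 1.0.
AUTH_CODE = "authorization_code"
CIBA = "urn:openid:params:grant-type:ciba"

# Constructed sample discovery documents (not real operators): A exposes
# only CIBA, B exposes only Authorization Code, C omits the field entirely.
OPERATOR_A = json.dumps({
    "issuer": "https://op-a.example/",
    "grant_types_supported": [CIBA, "client_credentials"],
    "backchannel_token_delivery_modes_supported": ["poll"],
})
OPERATOR_B = json.dumps({
    "issuer": "https://op-b.example/",
    "grant_types_supported": [AUTH_CODE, "refresh_token"],
})
OPERATOR_C = json.dumps({"issuer": "https://op-c.example/"})


def supported_grants(discovery_json: str) -> set:
    """Grant types advertised in an openid-configuration document.

    OIDC Discovery 1.0 says a missing grant_types_supported means the
    default ["authorization_code", "implicit"], so apply that default
    rather than treating the provider as supporting nothing.
    """
    doc = json.loads(discovery_json)
    return set(doc.get("grant_types_supported", [AUTH_CODE, "implicit"]))


def choose_flow(discovery_json: str, consumed_by_subscriber: bool) -> str:
    """Pick the 3-legged flow for one use case against one provider.

    consumed_by_subscriber=True  -> on-net, frontend flow (authorization_code)
    consumed_by_subscriber=False -> off-net, backend flow (CIBA)
    Raises ValueError when the provider does not advertise the flow the use
    case needs, instead of silently falling back to a grant type whose
    authentication device does not match the consumption device.
    """
    wanted = AUTH_CODE if consumed_by_subscriber else CIBA
    grants = supported_grants(discovery_json)
    if wanted not in grants:
        raise ValueError(f"{wanted} not supported; provider offers {sorted(grants)}")
    return wanted


def providers_for(providers: dict, consumed_by_subscriber: bool) -> dict:
    """Map each operator to the flow it can serve for this use case, or None.

    This is the aggregator view from the issue: the same API, same country,
    different grant types per operator.
    """
    result = {}
    for name, discovery_json in providers.items():
        try:
            result[name] = choose_flow(discovery_json, consumed_by_subscriber)
        except ValueError:
            result[name] = None
    return result
```

Running `providers_for({"A": OPERATOR_A, "B": OPERATOR_B, "C": OPERATOR_C}, True)` shows that only B and C can serve a subscriber-consumed use case, which is exactly the per-operator mismatch the issue describes.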