search

camaraproject / IdentityAndConsentManagement

Repository to describe, develop, document and test the Identity And Consent Management for CAMARA APIs
Apache License 2.0
21 stars 30 forks source link

No clear guideline in API documentation about Authcode flow vs CIBA flow #219

Open gauravji2192 opened 7 hours ago

gauravji2192 commented 7 hours ago

Problem description There is no clear guideline in API documentation about Authcode flow vs CIBA flow. Current statement in SIM SWAP API https://github.com/camaraproject/SimSwap/blob/main/code/API_definitions/sim-swap.yaml, " _# Authorization and authentication

The "Camara Security and Interoperability Profile" provides details on how a client requests an access token. Please refer to Identify and Consent Management (https://github.com/camaraproject/IdentityAndConsentManagement/) for the released version of the Profile.

Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation.

It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control._"

Similar issue is with many of existing CAMARA APIs.

Expected action I think there must be an additional line in this statement," In case of 3-legged flow, if application is directly consumed by CSP subscriber then Auth code flow must be used. If application is not consumed directly by CSP subscriber, then CIBA flow must be used. CSP must support both grant type and provide application developer guidance to implement 3-legged oAuth 2.0 grant type based on use case."

Additional context ASPs/Aggregators may face challenge that Operator A in a country X is exposing SIM swap using CIBA and Operator B in same country X is exposing SIM Swap using Auth code grant type. It must be dependent on use case and application requirement.

eric-murray commented 5 hours ago

Hi @gauravji2192

Have you read this ICM document, where it says:

If all API usecases point to the need of On-net scenario and where the consumption device and authentication device are the same, the Frontend flow should be used. eg. NumberVerification

and

If some usecase/s for an API point to off-net scenarios and where consumption and authentication devices could be different, the Backend flow should be used.

Which is basically what you are saying. Of course, the text in CAMARA documents can always be improved.

In practise, you will not know which authentication schemes are supported until you read the API provider's .well-known/openid-configuration endpoint, which will be API specific. If only "authorization_code" is listed as a valid grant type, well there's your answer.

But specifically for SIM Swap, I'm curious to know who is using Authorisation Code Flow for this API? What is the use case?