Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update error codes and info.description template for device / phone number identifiers #324

Merged
merged 22 commits into from
Nov 28, 2024
Merged
Changes from 21 commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
3079e4f
Update API-design-guidelines.md
eric-murray Oct 21, 2024
e13381c
Update API-design-guidelines.md
eric-murray Oct 21, 2024
0424073
Update API-design-guidelines.md
eric-murray Oct 21, 2024
c668153
Update API-design-guidelines.md
eric-murray Oct 21, 2024
f675b18
Update API-design-guidelines.md
eric-murray Oct 21, 2024
88cbc9d
Update API-design-guidelines.md
eric-murray Oct 21, 2024
98d7330
Update API-design-guidelines.md
eric-murray Oct 21, 2024
0a92aa7
Update API-design-guidelines.md
eric-murray Oct 21, 2024
f56d825
Update API-design-guidelines.md
eric-murray Oct 21, 2024
5a57137
Update API-design-guidelines.md
eric-murray Oct 22, 2024
8569208
Update API-design-guidelines.md
eric-murray Oct 22, 2024
e0d043b
Update API-design-guidelines.md
eric-murray Nov 5, 2024
ef1757a
Update documentation/API-design-guidelines.md
eric-murray Nov 13, 2024
078b969
Update documentation/API-design-guidelines.md
eric-murray Nov 13, 2024
3388937
Merge branch 'camaraproject:main' into eric-murray-patch-1
eric-murray Nov 15, 2024
ac14502
Update API-design-guidelines.md
eric-murray Nov 15, 2024
d784f43
Update documentation/API-design-guidelines.md
eric-murray Nov 15, 2024
95d6e1a
Update documentation/API-design-guidelines.md
eric-murray Nov 15, 2024
0e17f53
Update API-design-guidelines.md
eric-murray Nov 22, 2024
a5b059c
Typo fixes - hopefully caught them all now
eric-murray Nov 22, 2024
c8a7039
Update API-design-guidelines.md
eric-murray Nov 26, 2024
d0eb065
Update documentation/API-design-guidelines.md
eric-murray Nov 27, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 31 additions & 25 deletions documentation/API-design-guidelines.md
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ This document captures guidelines for the API design in CAMARA project. These gu
- [Security Considerations](#security-considerations)
- [Abuse Protection](#abuse-protection)
- [Notification examples](#notification-examples)
- [Appendix A: `info.description` template for `device` identification from access token](#appendix-a-infodescription-template-for-device-identification-from-access-token)
- [Appendix A (Normative): `info.description` template for when User identification can be from either an access token or explicit identifier](#appendix-a-normative-infodescription-template-for-when-user-identification-can-be-from-either-an-access-token-or-explicit-identifier)


## Common Vocabulary and Acronyms
Expand Down Expand Up @@ -793,9 +793,9 @@ The Following table compiles the guidelines to be adopted:
| 1 | None of the provided device identifiers is supported by the implementation | 422 | UNSUPPORTED_DEVICE_IDENTIFIERS | phoneNumber is required. |
| 2 | Some identifier cannot be matched to a device | 404 | DEVICE_NOT_FOUND | Device identifier not found. |
| 3 | Device identifiers mismatch | 422 | DEVICE_IDENTIFIERS_MISMATCH | Provided device identifiers are not consistent. |
| 4 | Invalid access token context | 403 | INVALID_TOKEN_CONTEXT | Device identifiers are not consistent with access token. |
| 4 | An explicit identifier is provided when a device or phone number has already been identified from the access token | 422 | UNNECESSARY_IDENTIFIER | The device is already identified by the access token. |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to throw an error even if the device identifier matches? I agree that the consumer did not need to send it, but given that it is a match, I wouldn't throw an error for this and make it send the request again.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is necessary. See Issue #259, and the summary in the PR description above.

To only throw an error on a mismatch would be enabling "number verification" functionality for all APIs that allow authorisation code flow, irrespective of User consent. For CIBA, it would allow confirmation as to whether an IP address or operator token matched a particular MSISDN.

The alternative was to always ignore the explicit identifier if a 3-legged token was used (irrespective of whether the User matched or not). The problem with that solution is that the API consumer might misunderstand which User is the subject of the API if they were not aware they were using a 3-legged token which already had an associated User.

| 5 | Service not applicable to the device | 422 | DEVICE_NOT_APPLICABLE | The service is not available for the provided device. |
| 6 | The device identifier is not included in the request and the device information cannot be derived from the 3-legged access token | 422 | UNIDENTIFIABLE_DEVICE | The device cannot be identified. |
| 6 | An identifier is not included in the request and the device or phone number identification cannot be derived from the 3-legged access token | 422 | MISSING_IDENTIFIER | The device cannot be identified. |



Expand Down Expand Up @@ -1976,40 +1976,46 @@ response:
204 No Content
```

## Appendix A: `info.description` template for `device` identification from access token
## Appendix A (Normative): `info.description` template for when User identification can be from either an access token or explicit identifier

The documentation template below is recommended to be used as part of the API documentation in `info.description` property in the CAMARA API specs which use the `device`object defined in [CAMARA_common.yaml](/artifacts/CAMARA_common.yaml) artifact. This template provides guidance on how to handle device information in API requests **when using 3-legged access tokens and the device can be uniquely identified by the token**.
When an API requires a User (as defined by the [ICM Glossary](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md#glossary-of-terms-and-concepts)) to be identified in order to get access to that User's data (as Resource Owner), the User can be identified in one of two ways:
- If the access token is a Three-Legged Access Token, then the User will already have been associated with that token by the API provider, which in turn may be identified from the physical device that calls the `/authorize` endpoint for the OIDC authorisation code flow, or from the `login_hint` parameter of the OIDC CIBA flow (which can be a device IP, phone number or operator token). The `sub` claim of the ID token returned with the access token will confirm that an association with the User has been made, although this will not identify the User directly given that the `sub` will not be a globally unique identifier nor contain PII as per the [CAMARA ICM Security and Interoperability](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#id-token-sub-claim) requirements.
eric-murray marked this conversation as resolved.
Show resolved Hide resolved
- If the access token is a Two-Legged Access Token, no User is associated with the token, an hence an explicit identifier MUST be provided. This is typically either a `Device` object named `device`, or a `PhoneNumber` string named `phoneNumber`. Both of these schema are defined in the [CAMARA_common.yaml](/artifacts/CAMARA_common.yaml) artifact. In both cases, it is the User that is being identified, although the `device` identifier allows this indirectly by identifying an active physical device.

Note: With the current 3-legged authorization flows used by CAMARA, only a single end user can be associated with the access token. For the OIDC authorization code flow, only a single device can call the `/authorize` endpoint and get the code. And for CIBA, `login_hint` is currently limited to a single phone number or IP address (which can optionally include a port).
If an API provider issues Thee-Legged Access Tokens for use with the API, the following error may occur:
- **Both a Three-Legged Access Token and an explicit User identifier (device or phone number) are provided by the API consumer.**

```md
# Identifying a device from the access token
Whilst it might be considered harmless to proceed if both identify the same User, returning an error only when the two do not match would allow the API consumer to confirm the identity of the User associated with the access token, which they might otherwise not know. Although this functionality is supported by some APIs (e.g. Number Verification, KYC Match), for others it may exceed the scope consented to by the User.

This specification defines the `device` object field as optional in API requests, specifically in cases where the API is accessed using a 3-legged access token, and the device can be uniquely identified by the token. This approach simplifies API usage for API consumers by relying on the device information associated with the access token used to invoke the API.
In this case, a `422 UNNECESSARY_IDENTIFIER` error code MUST be returned unless the scope of the API allows it to explicitly confirm whether or not the supplied identity matches that bound to the Three-Legged Access Token.

## Handling of device information:
If an API provider issues Two-Legged Access Tokens for use with the API, the following error may occur:
- **Neither a Three-legged Access Token nor an explicit User identifier (device or phone number) are provided by the API consumer.**

### Optional device object for 3-legged tokens:
One or other MUST be provided to identify the User.

- When using a 3-legged access token, the device associated with the access token must be considered as the device for the API request. This means that the device object is not required in the request, and if included it must identify the same device, therefore **it is recommended NOT to include it in these scenarios** to simplify the API usage and avoid additional validations.
In this case, a `422 MISSING_IDENTIFIER` error code MUST be returned, indicating that the API provider cannot identify the User from the provided information.

### Validation mechanism:
The documentation template below is RECOMMENDED to be used as part of the `info.description` API documentation to explain to the API consumer how the pattern works.

- The server will extract the device identification from the access token, if available.
- If the API request additionally includes a `device` object when using a 3-legged access token, the API will validate that the device identifier provided matches the one associated with the access token.
- If there is a mismatch, the API will respond with a 403 - INVALID_TOKEN_CONTEXT error, indicating that the device information in the request does not match the token.
This template is applicable to CAMARA APIs which:
- require the User (i.e. Resource Owner) to be identified; and
- may have implementations which accept Two-Legged Access Tokens; and
- do NOT allow the API to confirm whether or not the optional User identifier (`device` or `phoneNumber`) matches that associated with the Three-Legged Access Token
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be great if we could stick to the same term as used below "subject identifier"

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately "subject identifier" is not a defined CAMARA term, and so potentially ambiguous in normative sections of a standard. I am trying to use terms from the ICM glossary in normative sections (e.g. "User"), but felt "subject identifier" was a more natural term for the informative info.description.

I wouldn't expect application developers to necessarily read our glossary, but API developers should be aware of it.


### Error handling for unidentifiable devices:
The template SHOULD be customised for each API using it by deleting one of the options where marked by (*)
```md
# Identifying the [ device | phone number ](*) from the access token

- If the `device` object is not included in the request and the device information cannot be derived from the 3-legged access token, the server will return a 422 `UNIDENTIFIABLE_DEVICE` error.
This API requires the API consumer to identify a [ device | phone number ](*) as the subject of the API as follows:
- When the API is invoked using a two-legged access token, the subject will be identified from the optional [`device` object | `phoneNumber` field](*), which therefore MUST be provided.
- When a three-legged access token is used however, this optional identifier MUST NOT be provided, as the subject will be uniquely identified from the access token.

### Restrictions for tokens without an associated authenticated identifier:
This approach simplifies API usage for API consumers using a three-legged access token to invoke the API by relying on the information that is associated with the access token and was identified during the authentication process.

- For scenarios which do not have a single device identifier associated to the token during the authentication flow, e.g. 2-legged access tokens, the `device` object MUST be provided in the API request. This ensures that the device identification is explicit and valid for each API call made with these tokens.
```
## Error handling:

By following these guidelines, API consumers can use the authenticated device identifier associated with 3-legged access tokens, simplifying implementation and validation. This mechanism ensures that device identification is handled efficiently and securely, and appropriately accommodates different token types.
- If the subject cannot be identified from the access token and the optional [`device` object | `phoneNumber` field](*) is not included in the request, then the server will return an error with the `422 MISSING_IDENTIFIER` error code.

Depending on the functionality provided by the CAMARA API, some API subprojects may still define other specific identifiers that differs from the common `device` object definition. Not all APIs necessarily have to refer to a device, e.g. Carrier Billing API only defines a phone number as a way to identify the mobile account to be billed, Know Your Costumer only defines a phone number as a way to identify the associated account data or Home Devices QoD API defines public IP v4 address as a way to identify the user home network.

Therefore, the mechanism described in this template is not applicable to all APIs, but could be used as way to make `device` object more interoperable and usable for API consumers.
- If the subject can be identified from the access token and the optional [`device` object | `phoneNumber` field](*) is also included in the request, then the server will return an error with the `422 UNNECESSARY_IDENTIFIER` error code. This will the case even if the same [ device | phone number ](*) is identified by these two methods, as the server is unable to make this comparison.
```