Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial contribution of Age_Verification.yaml #50

Open
wants to merge 45 commits into
base: main
Choose a base branch
from

Conversation

ToshiWakayama-KDDI
Copy link
Collaborator

What type of PR is this?

  • enhancement/feature

What this PR does / why we need it:

  • Initial contribution of Age_Verification.yaml to create the initial version of Age Verification API (v0.1.0)

Which issue(s) this PR fixes:

Special notes for reviewers:

Changelog input

Additional documentation

Update the design proposal for Age Verification API specifications
@GillesInnov35
Copy link
Collaborator

GillesInnov35 commented Feb 2, 2024

To start the discussion

  • Some functional restrictions may exist, for example:
    • User's phone number must be the primary phone number of the contract holder because the age of secondary phone number and (particularly for a minor) must not be stored according to the local law
    • the returned attribute isVerified (boolean) could be replaced by a string (enum=Y:Yes, N-AV: No, information available, N-NAV: No, information not available).
  • Also, some information could be help with the decision,
    • does a parental control exist for this user phone number?
    • tenure of the contract

GillesInnov35
GillesInnov35 previously approved these changes Feb 2, 2024
Copy link
Collaborator

@GillesInnov35 GillesInnov35 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@GillesInnov35
Copy link
Collaborator

GillesInnov35 commented Feb 5, 2024

Proposition of User Story

User Story: KYC Age Verification - Verify the age of a user

Item Details
Summary As an application developer of an age-restricted site or application, I want to verifiy the age of a customer with user's information held by the MNO.
Roles, Actors and Scope Roles: Customer:User
Actors: Mobile Network Operators (MNO), hyperscalers, application developers, enterprise.
Scope: Any phone line (not limited to 4G, 5G)
Pre-conditions The preconditions are listed below:
  1. The Customer:User has provided mandatory information of its identity
  2. Application developer has onboarded to MNO API
  3. Application developer has API credentials
  4. Privacy legal base requirement has been solved (Customer privacy)
Activities/Steps Starts when: The customer application server makes a request to the Age Verification service (API) with the age restricted value.
Ends when: The MNO service returns True if the age has been correctly verified else it returns False.
Post-conditions The application developer can make decision to use this customer data to follow-up its process
Exceptions Several exceptions might occur during the KYC Age Verification API operations:
  • Unauthorized: Not valid credentials (e.g. use of already expired access token).
  • Not Found: The number provided is not managed by the MNO
  • Invalid input: Not all mandatory input data to invoke operation (e.g. phone number).

Add firstName and FamilyName attributes to be compared with MNO information
Addition of MiddleNames
@GillesInnov35
Copy link
Collaborator

Find a draft proposal of API documentation (to be reviewed)
KYC-AgeVerify.MD

with Huub (KPN) proposition: assurance level
@ToshiWakayama-KDDI
Copy link
Collaborator Author

Hi @GillesInnov35 , all,

Regarding the draft User Story above, it looks good to me. Just some comments for error corrections:

  1. 'Scope: Any phone line (not limlited to 4G, 5G)'

limlited -> limited

  1. 'Starts when: The customer application server makes a request to the KYC service (API) with the age restricted value.'

the KYC service (API) -> the Age Verification service (API)

  1. 'Exceptions Several exceptions might occur during the KYC Match API operations:'

the KYC Match API operations -> the Age Verificaiton API operations

Thanks.
Toshi

assuranceLevel is now a enum (Low, Substancial, High) and not a score.
@GillesInnov35
Copy link
Collaborator

Thanks a lot @ToshiWakayama-KDDI , errors have been corrected.
BR
Gilles

@GillesInnov35
Copy link
Collaborator

@ToshiWakayama-KDDI, @HuubAppelboom , @KevScarr, @fernandopradocabrillo I've updated this design proposal. Let me know if it's ok according to your comments
Thanks
BR
Gilles

@GillesInnov35
Copy link
Collaborator

thanks @rartych for your point

@ToshiWakayama-KDDI
Copy link
Collaborator Author

hi @GillesInnov35

@ToshiWakayama-KDDI , you're right 400 - OUT OF RANGE should be added with description Client specified an invalid range. Thanks Gilles

Oh, sorry, my mistake.
Status: 400
Code: OUT_OF_RANGE
Message: Client specified an invalid range

Could add the above, please? I still do not know how to propose modification of yaml as Fernando does.

Thanks,
Toshi

@GillesInnov35
Copy link
Collaborator

hi @ToshiWakayama-KDDI, the bellow error example exists in the errors section of AgeVerification yaml file. From what I see that is what the next Commonalities version recommend, isn't it ?

       GENERIC_422_SERVICE_NOT_APPLICABLE:
          description: Service is not available for the provided identifier
          value:
            status: 422
            code: SERVICE_NOT_APPLICABLE
            message: The service is not available for the provided identifier.

for the second point which concerns Out Of Range, I've added the error example. Tell me if it's OK

        GENERIC_400_OUT_OF_RANGE:
          description: Out of Range. Specific Syntax Exception used when a given field has a pre-defined range or a invalid filter criteria combination is requested
          value:
            status: 400
            code: OUT_OF_RANGE
            message: Client specified an invalid range.

As the yaml file name is not corect, perhaps we should create a new PR with the last file version in order to have a global approval ?

Thanks
BR
Gilles

@ToshiWakayama-KDDI
Copy link
Collaborator Author

Hi @GillesInnov35 ,

hi @ToshiWakayama-KDDI, the bellow error example exists in the errors section of AgeVerification yaml file. From what I see that is what the next Commonalities version recommend, isn't it ?

       GENERIC_422_SERVICE_NOT_APPLICABLE:
          description: Service is not available for the provided identifier
          value:
            status: 422
            code: SERVICE_NOT_APPLICABLE
            message: The service is not available for the provided identifier.

To the best of my knowledge, no, I don't think so. According to the latest updated API Design guidelines https://github.com/camaraproject/Commonalities/blob/main/documentation/API-design-guidelines.md#61-standardized-use-of-camara-error-responses , my understanding is that "422 DEVICE_NOT_APPLICABLE The service is not available for the provided device. " is existing, instead of previous "422 NOT_SUPPORTED Service not supported for this phoneNumber".

So, my proposal was to add "422 DEVICE_NOT_APPLICABLE The service is not available for the provided device."

I hope I am correct.

Many thanks,
Toshi

@ToshiWakayama-KDDI
Copy link
Collaborator Author

Hi @GillesInnov35 ,

for the second point which concerns Out Of Range, I've added the error example. Tell me if it's OK

        GENERIC_400_OUT_OF_RANGE:
          description: Out of Range. Specific Syntax Exception used when a given field has a pre-defined range or a invalid filter criteria combination is requested
          value:
            status: 400
            code: OUT_OF_RANGE
            message: Client specified an invalid range.

Thank you so much. It is OK with me.

Thanks,
Toshi

@ToshiWakayama-KDDI
Copy link
Collaborator Author

Hi @GillesInnov35 ,

As the yaml file name is not corect, perhaps we should create a new PR with the last file version in order to have a global approval ?

Thanks, again. I didn't notice that. Rafal's pointing by bold finally made me notice it. Yes, we should not to forget it.

Thanks,
Toshi

@GillesInnov35
Copy link
Collaborator

@ToshiWakayama-KDDI , regarding the PR#316 (https://github.com/camaraproject/Commonalities/pull/316/files) I don't see any reference to DEVICE.

@rartych
Copy link
Collaborator

rartych commented Nov 29, 2024

As the yaml file name is not corect, perhaps we should create a new PR with the last file version in order to have a global approval ?

Thanks, again. I didn't notice that. Rafal's pointing by bold finally made me notice it. Yes, we should not to forget it.

You can edit the filename within this PR

GillesInnov35 and others added 2 commits December 5, 2024 14:25
Thanks

Co-authored-by: Fernando Prado Cabrillo <[email protected]>
@GillesInnov35
Copy link
Collaborator

hi @fernandopradocabrillo, yes same as kyc-match. Huub has proposed algo to calculate the result PR #81
Gilles

Thanks Fernando

Co-authored-by: Fernando Prado Cabrillo <[email protected]>
- `POST /ageverify`

Takes the network subscription identifier (e.g. the mobile phone number for a mobile network subscriber) and check the age of the user is older than the age's threshold in the request.
If information of the user's identity such as `givenName`, `familyName`, `address` match with information held by the MNO.
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion to replace this sentence with the below for more clarification.

Additionally, as optional function, provides (1) if age check is done against another form of official identification or not (verifiedStatus) and (2) how close the information of user's identity such as such as givenName, familyName, address etc. is to information held by the MNO (identityMatchScore).

Thanks,
Toshi

## Inputs

The endpoint request body is a JSON object with the following parameters:
- `phoneNumber`: The network subscription identifier (i.e. the phone number of the subscriber). [Required only in case a 2-legged flow has been agreed between API Provider and API Consumer; otherwise, none]
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion to replace this sentence with below based on Huub's comment #50 (comment) :

  • phoneNumber: The network subscription identifier (i.e. the phone number of the subscriber). [Required only in case a 2-legged flow has been agreed between API Provider and API Consumer; otherwise, do not include phoneNumber]

(change to 'otherwise, none)

Thanks,
Toshi

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wdyt @ToshiWakayama-KDDI ? It sounds more restrictive

Suggested change
- `phoneNumber`: The network subscription identifier (i.e. the phone number of the subscriber). [Required only in case a 2-legged flow has been agreed between API Provider and API Consumer; otherwise, none]
- `phoneNumber`: The network subscription identifier (i.e. the phone number of the subscriber). [Required only in case a 2-legged flow has been agreed between API Provider and API Consumer following CAMARA directives; otherwise, phoneNumber must not be included]

If successful, a JSON object is returned containing the following data:
- `ageCheck`: Indicate 'true' when the age of the user is the same age or older than the age threshold (age >= age threshold), and 'false' if not (age < age threshold). Otherwise, 'not_available'.
- `verifiedStatus`: true if the information provided was checked against another form of official identification, otherwise false.
- `identityMatchScore`: the overall match score of identity information provided in the request compared to what MNO holds.
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion to add notes to these two sentences for more clarificaiton as below:

  • verifiedStatus: true if the information provided was checked against another form of official identification, otherwise false.
    Note: It is optional if an API provider wants to indicate this status.
  • identityMatchScore: the overall match score of identity information provided in the request compared to what MNO holds.
    Note: It is optional for an API provider to return the match score. If an API provider decides not to return the match score, even though any of idDocument, name, givenName, familyName, middieNames, familyNameAtBirth, birthdate, email are included in the request body, no identityMatchScore parameter will not be returned.

I have commented similar suggestion already #50 (comment), but it has not been captured yet.

Thanks,
Toshi

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @ToshiWakayama-KDDI! Thanks for the proposal. From TEF we are thinking in something similar. We would like to complete the text stating that, additionally to what you include about not returning the identityScore, it can also be calculated using internal data from the MNO and not only from the input received. For example if the line is part of a multi-line contract so we cannot be sure if it is the owner of the line, if it has parental control activated it may indicate that it is a line used by a child, etc

Suggested change
- `identityMatchScore`: the overall match score of identity information provided in the request compared to what MNO holds.
- `identityMatchScore`: The overall score of identity information available in the Operator, information either provided in the request body comparing it to the one that the MNO holds or directly using internal MNO's information. It is optional for the Operator to return the Identity match score.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hi @fernandopradocabrillo, could explain what do you mean by

or directly using internal MNO's information.

I've understood that identityMatchScore was only a score calculated according to the provided attributes in the request. I didn't get what match score a MNO could calculate without providing any information of identity.
Thanks a lot for the clarification
Gilles

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, we were thinking that there is information not provided in the request that can also be useful to calculate the identity score, for example, let's say that the line is part of a multi-line contract. If you provide the name or idDocument, etc, it will match with the ones owned by the mno, but it won't be precise since the line can be a line used by a child or a spouse. So using internal information can help increase or reduce the match score. Other information can also be useful, for example if the line has any kind of parental control, it can indicate that the data match the owner's but since it has the parental control it may indicate that is used by a child.

I hope this explains better the idea @GillesInnov35

@ToshiWakayama-KDDI
Copy link
Collaborator Author

Hi @GillesInnov35 , @fernandopradocabrillo ,

Please advise me if the following 'Errors' part is described in the Commonalities API Design Guidelines. I cannot find it by myself...


## Errors
If the authentication token is not valid, a `401 UNAUTHENTICATED` error is returned
If the API call contain a formatting or other error, a `400 INVALID_ARGUMENT` error is returned.
If the network subscription cannot be identified from the provided parameters (e.g. the subscription identifier is not associated with any customer of the CSP), a `404 IDENTIFIER_NOT_FOUND` error is returned.
If the API consumer has a valid access token but is not authorised to obtain tenure information for the specified network subscription, then a `403 PERMISSION_DENIED` error is returned.
Other errors may be returned as specified below.

Many thanks,
Toshi

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants