NumberVerification - NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK Error

[FLieshout]

The NumberVerification API defines an 403 | NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK error on the 'resource' endpoint.

In our scenario we validate in the authorize request if the request comes from a Mobile Network.
If not we return the NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK error on the authorize step. [Front-end flow]

If you want to obtain a token, to make a resource request. You need to have a valid authorization_code, this will only work if Client Authentication is used via Mobile Network.

So, can someone explain me, what the purpose is of this error at resource endpoint level?
Maybe if there might be a scenario where the Back-end flow has been used instead of the Front-end flow, that this error needs to be thrown?

Like this test scenario:

@NumberVerification_phone_number_verify205_must_have_used_network_authentication
  Scenario:  verify phone number with valid access token but network authentication was not used
    Given they use the base url
    And the resource is "/verify"
    And one of the scopes associated with the access token is number-verification:verify
    When the HTTPS "GET" request is sent
    And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1
    And the information, e.g. authentication method reference, associated with the access token indicates that network authentication was NOT used
    And the response header "x-correlator" has same value as the request header "x-correlator"
    And the response header "Content-Type" is "application/json"
    And the response body complies with the OAS schema at "/components/schemas/ErrorInfo"
    Then the response status code is 403
    And the response property "$.status" is 403
    And the response property "$.code" is "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK"
    And the response property "$.message" is "The subscription must be identified via the mobile network to use this servicet."

[bigludo7]

Hello
I'm sharing your interrogation.
I've same behavior in my implem: If you're not under mobile network we did not provide an authorization code and... game over.

@AxelNennker @fernandopradocabrillo Any other opinion?

[fernandopradocabrillo]

I'm checking internally how we handle this error

[fernandopradocabrillo]

Checking with my collegues from the auth teams it seems that we don't filter scopes based on acr values. So, at least for now, we are using the error defined in the API.

How do you handle in your implementations when the client requests scopes from multiple APIs in addition to the NV scopes?

[FLieshout]

In our implementation we filter endpoints on IP ranges, so in our case the authorize endpoint (front-end flow) must explicitly come from a mobile network.
There is a possibility that the client performs an authorize call (back-end flow) with the number verification scope during testing of the API, then it seems useful to me that you can display this error within the resource request.

[eric-murray]

@FLieshout
See the CAMARA Security and Interoperability Profile statement on ACRs, specifically:

This documents defines that Camara OpenId Providers MUST ignore the parameter acr_values.

Be aware that implementing API behaviour based on ACR values potentially creates all sorts of interoperability issues, as CAMARA have not defined nor adopted any specific values.

[FLieshout]

Sorry I meant IP ranges instead of acr_values.