Use of two-legged authentication for MSISDN verify #156
Replies: 15 comments 7 replies
-
Hello @StefanoFalsetto-CKHIOD For me the 'golden rule' is defined in ICM documentation here
After it is legal privacy regulation interpretation. As far as I know in most European countries the MSISDN is considered as a personal user data so 'mechanically' in CAMARA implem we have to to use 3-legs in these geographies. |
Beta Was this translation helpful? Give feedback.
-
Beyond of the privacy topic mentioned by @bigludo7, what is the use case you might have for 2-legged in this API? The core functionality is to compare the provided phone number with the one deducted from the access token. If the token is not related to a phone number how are you going to verify it? |
Beta Was this translation helpful? Give feedback.
-
Hi guys, @fernandopradocabrillo AccessToken is always related to resolved phone number. But with NAT Session to Phone Number resolution method, there is no need to have 3-legged with the MNO Auth Server. |
Beta Was this translation helpful? Give feedback.
-
Thank you @ab-ip . I think that adding the optional phoneNumber could be useful to cover those use cases which can use the 2-legged authentication method. |
Beta Was this translation helpful? Give feedback.
-
I should confess that I'm a bit lost... If we do not pass the phoneNumber in the body what will you compare with the phone number obtained by the network @StefanoFalsetto-CKHIOD ? As told today in our call we have to be careful about the privacy topic any way. |
Beta Was this translation helpful? Give feedback.
-
@StefanoFalsetto-CKHIOD How do you mean optional phoneNumber can cover 2-legged? |
Beta Was this translation helpful? Give feedback.
-
I am very sorry I mixed up two comments in two different projects. Please ignore my previous comment. Let's stick on my original request: adding the possibility of using the two legged authentication. @bigludo7, as @ab-ip just said, there could be some privacy-related problems with the number share (and by the way, from my previous experience I think it will be hard to see any MNO implementing it). That's not the case for number match, since the information shared is just "match/no match". |
Beta Was this translation helpful? Give feedback.
-
Hi all, First, confirm that of course API always requires a phone number parameter for comparison reasons. Otherwise, as said, there is nothing to validate (if we are speaking about the Second, this number needs to be compared with other number. As @fernandopradocabrillo stated before, the 3-legged token obtained following a frontend flow is indeed the comparison pair that the API is supposed to use. If a 2-legged approach is used, where user is not identified in the token, there is no way to neither compare nor obtain the identity of the user's connection, since both frontend and 3-legged are the solution for it. if there is other way to solve this, obtain information of the device connection without a frontend integration, and include user info in a 2-legged token, please bring this proposal. FInally, privacy. Even when the operator, in |
Beta Was this translation helpful? Give feedback.
-
@jgarciahospital I already explained how it is possible to resolve User data based on the device NAT Session related to Service endpoint. It is not needed to have User in front of MNO Auth Endpoint. Service can provide NAT data (IP+Port) to MNO in order to resolve user, and to connect User for the Token. |
Beta Was this translation helpful? Give feedback.
-
@jgarciahospital I am no GDPR expert but are you sure that from the privacy point of view the clear text information sharing (e.g., location, msisdn, in general all personal data) is totally the same thing of sharing a match (e.g., results obtained from msisdn match)? |
Beta Was this translation helpful? Give feedback.
-
And this option is supported by CAMARA as part of the CIBA flow, passing the end user IP / port in But, of course, CIBA is still a 3-legged flow. And we need to trust the "service" to provide the true IP/port it captured from the device. If we really want to be sure that the device itself is part of the flow, then we are back to the authorisation code flow, where the device itself makes the request (via a re-direct) for the first of the three legs. Then the MNO knows the true IP/port being used. The 2-legged client credentials flow would only work if the device itself was requesting to call the API (so asking to verify its own MSISDN), or the API caller (application server) had previously provided the API provider the IP/port of the end user device using some mechanism not defined by CAMARA (so still "3-legged", but with the first "leg" not defined by CAMARA). I don't see either of these being significant use cases. |
Beta Was this translation helpful? Give feedback.
-
@eric-murray There is no special requirements for "trust" from the Service side. If they dont send valid IP/Port values the user/data wont be resolved or as the worst scenario verification will be false. |
Beta Was this translation helpful? Give feedback.
-
@eric-murray I cannot agree more, perfectly explained. As operators, we are the one who provides the validation of the phone-number belonging to the user's connection, which is the intention (AFAIK) of this service. If looking for an API that translates an IP address into a phone number, maybe that could be covered in separate, but up to now the value proposal is based on the operator been who actively authenticates the user's connection. And of course, in any case based on a two-legged approach, in which case no way of validating the API input phone number with any other parameter. @StefanoFalsetto-CKHIOD about privacy, while of course this will depend on each country/region regulation, phone-number is indeed considered as personal information, and the fact that the API only validates doesn't imply that the developer ends-up with more information than at the beginning, provided by the telco. That is why even validating is supposed to be considered as personal data treatment. |
Beta Was this translation helpful? Give feedback.
-
@StefanoFalsetto-CKHIOD I do not see action to be done following this thread but good discussion. |
Beta Was this translation helpful? Give feedback.
-
@bigludo7 yes we can convert it as discussion. Unfortunately I don't know how to do it. |
Beta Was this translation helpful? Give feedback.
-
Problem description
At the moment it has been chosen to only use 3-legged authentication mechanism with this service to "uphold the principles of transparency and user-centric data control."
But in Camara guidelines it is also stated:
Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation.
Possible evolution
In cases where the onboarding process and the local legislation permits to use the MSISDN of an end customer (i.e., the consent has already been managed in some other way), it could be useful to allow the possibility to choose between 3-legged and 2-legged authentication flow.
Beta Was this translation helpful? Give feedback.
All reactions