NOT mandating ‘prompt=none’ in the auth code flow for number verification API #160
Comments
|
Hello @mingshiatwork |
|
Adding more context: the API technical scope: number-verification:verify |
|
I see the issue more as an issue of NumberVerfication. The API consumer can request an auth code without "prompt=none", but IF the MNO determines that consent is not granted and needed e.g. because the end-user opted out, then the MNO SHOULD redirect to end-user authentication and end-user consent collection. The MNO COULD return an error if the MNO decided that consent is needed and not present. Why does the API Consumer not send the request with "prompt=none"? Wouldn't that solve the problem e.g. if the user opted-out and the legal basis requires consent? I created two PR in ICM because I want to achieve interoperability of CAMARA openid providers. NumberVerification mixes two problems into one API:
TS.43 created the operator token for "Device App authentication with OperatorToken" which we are currently integrating into CAMARA. |
|
@bigludo7 We are rolling out the number verification service for enterprise customers and aim to align with the CAMARA specification. However, to ensure compliance with government regulations, it is critical that we do not bypass obtaining the subscriber's consent. |
Problem description
The following line in the number-verification.yaml states that authentication for the Number Verification API must occur automatically without any user interaction, making the prompt=none parameter mandatory for the auth request:
Statement in YAML file:
• - (1): Authentication must be automatic without any user interactions. Authentication methods such as SMS OTP or user/password are incompatible, as the goal is to validate the mobile phone number that is accessing the App. So it is required to be authentication via mobile network and without the user being involved. the use of parameter prompt=none, as described in [OIDC Connect] (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest), ensures no user interaction.
However, this requirement conflicts with the Identity and Consent Management specifications, which include consent capture as part of both the Authorization Code flow (frontend) and the CIBA flow (backend).
In countries such as Thailand, explicit consent is required before a mobile operator processes a Number Verification API request. As a result, all first-time API auth requests for a subscriber are likely to be rejected if the client includes ‘prompt=none’ in the auth request.
This conflict needs resolution to ensure compliance with both specifications and regulatory requirements.
Expected behavior
The ‘prompt=none’ parameter should not be mandated in the auth code request for the Number Verification API. This flexibility enables the mobile operator to integrate consent capture into the authentication flow. Once consent is obtained, subsequent API requests should proceed without requiring user interaction.
Alternative solution
Additional context
The text was updated successfully, but these errors were encountered: