Support for OAUTH2 on PCF

Feature Summary and Revision History

Summary Data

Table 1. Summary Data

Applicable Products or Functional Area | PCF
Applicable Platform(s) | SMI
Feature Default Setting | Disabled – Configuration required to enable
Related Documentation | Not Applicable

Revision History

Table 2. Revision History

Revision Details | Release
First introduced. | 2023.02.0

Feature Description

The PCF supports OAuth2, which is an authorization protocol and NOT an authentication protocol. The Network Function Repository (NRF) is the designated OAuth2 Authorization Server. The feature provides the OAuth2 client toward the NRF and includes OAuth2 Access Token validation for the SBI requests from consumer NFs.

The OAuth2 feature must be enabled or disabled globally for all SBA interfaces. It allows subscribers to access a set of resources. For example:

  • Remote APIs

  • User data

Following the "Client Credentials" authorization grant, the NRF provides the Nnrf_AccessToken service for OAuth2 authorization. OAuth2 uses Access Tokens, and an Access Token provides the authorization to access resources on behalf of the end user. However, the JSON Web Token (JWT) format needs to be used in some contexts. OAuth2 enables token issuers to include data in the token itself. For security reasons, Access Tokens may have an expiration date.


Note


There’s no specific format for Access Tokens.
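
Where the Access Token is a JWT, validating the bearer token on an incoming SBI request can look like the following. This is an added example, not PCF code: HS256 with a shared key stands in for whatever signature scheme the deployment uses, the claim names (exp, aud, scope) follow the 3GPP 29.510 access token claims rather than this page, and all sample values are constructed.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims: dict, key: bytes) -> str:
    """Issue a constructed HS256 JWT so the example runs offline."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}." + b64url_encode(sign(f"{head}.{body}", key))

def validate_access_token(token, key, expected_audience, required_scope, now=None):
    """Return (True, claims) or (False, reason) for a bearer token on an SBI request."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm: never let the token choose it (rejects "alg": "none").
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if not hmac.compare_digest(signature, sign(f"{head}.{body}", key)):
        return False, "bad signature"
    # Claims are only trusted after the signature check has passed.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "insufficient scope"
    return True, claims

# Constructed sample values (assumptions, not from the page).
KEY = b"constructed-demo-key"
SAMPLE_CLAIMS = {"iss": "nrf-1", "sub": "consumer-nf-1", "aud": ["pcf-1"],
                 "scope": "npcf-smpolicycontrol", "exp": 2_000_000_000}
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, and a missing or non-numeric exp is treated as expired rather than as "never expires".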


How It Works

This section describes how the OAuth2 Support feature works.

Feature Configuration

This section describes how to configure the OAuth2 Support.

To configure the OAuth2 support, use the following configuration:

config 
   oauth2 oauth2Group 
   service type nrf nnrf-oauth2 
   endpoint-profile oauth2Profile 
   capacity 10 
   priority 10  
   uri-scheme http 
   endpoint-name ep1 
   priority 10 
   capacity 10  
   primary ip-address ipv4 10.X.X.X 
   primary ip-address port 81XX 
   secondary ip-address ipv4 10.X.X.X 
   secondary ip-address port 81XX  
   tertiary ip-address ipv4 10.X.X.X 
   tertiary ip-address port 81XX  
end 

Rest-Endpoint Configurations:

  • rest-endpoint oauth-service server false

  • rest-endpoint oauth-service client true


Note


  • The PCF OAuth2 server is not supported in this release, so it should be set to false.


Call Flows

This section describes the call flows for this feature.

OAuth2 Support Call Flow

This section describes the OAuth2 Support call flow.

Figure 1. OAuth2 Support Call Flow

Table 3. OAuth2 Support Call Flow Description

Step | Description
1 | The NF Service Consumer sends a POST /OAuth2/Token Access Token Request to the NRF.
2 | The NRF sends 200 OK (Access Token Response) to the NF Service Consumer.
3 | The NRF sends 400 Bad Request (Access Token Error) or 3xx to the NF Service Consumer.

Standards Compliance

This feature complies with the following standards specifications:

  • 3GPP 29.510 v15.4.0 "Network function repository services"

  • 3GPP 33.310 "Network Domain Security (NDS); Authentication Framework (AF)"

  • 3GPP 33.501 v16.8.0 "Security architecture and procedures for 5G system"

  • IETF RFC 6749 and 6750 "OAUTH 2.0 Authorization Framework"

  • 3GPP 29.510 v16.9.0 "Network Function Repository Services"

  • 3GPP 29.500 v16.8.0 "Technical Realizations of Service Based Architecture (HTTP Standards reference)"