Resource-based subscription – GET /subscriptions using a 3-legged access token #304
Comments
|
Generally, if the API consumer uses a 3-legged token, this implies that end user consent is required for the scope being used to access the API, and hence the API should only process the data for that end user. However, this may not always be the case, as end user consent requirements depend very much on local regulation. And for subscriptions, there is the additional question that, if an end user has consented to the creation of a subscription, have they effectively also consented to that subscription being queried or deleted? In other words, does the mere existence of a subscription automatically imply that the end user has consented that being queried or deleted? CAMARA cannot answer that question. So I think the best CAMARA can do is clarify the rules for the general case. Currently, a 3-legged token can only identify a single end user (in the case of mobile networks, a single end user subscription). And all endpoints have an associated scope and, for subscriptions, usually the scopes to create, query or delete a subscription are different, implying that the end user may separately need to consent to each. So I think the general rules need to be:
DELETE /subscriptions/{subscriptionId}:
Additional comments:
|
|
The question is extensible to any API creating/managing resources which are associated to a user or device and may be managed knowing its identifier. For example, in QoD we had a similar discussion regarding sessions. There, we have stated that: For GET / DELETE by id:
There is no operation to list all sessions, but there is a GET by device, and in that case:
This is quite aligned with the proposal by @eric-murray, only adding that for GET /subscriptions/{subscriptionId}:
DELETE /subscriptions/{subscriptionId}:
|
Agree, though this applies whether the token is 2- or 3-legged. |
|
Hello cc: @rartych for guidance |
|
Agree this consideration is not only for subscriptions but also for APIs that at least has the concept of resource creation + resource query (POST+GET) within their functionality |
Add part for: - camaraproject#304 - camaraproject#299 - partial camaraproject#295
Problem description
When creating a resource-based subscription to information related to a device (such as location, roaming status etc) there is today in the POST /subscription subscriptionDetail a device object to indicate which device the subscription relates to.
In case a 3-legged access token is used it is assumed that “the device associated with the access token must be considered as the device for the API request. This means that the device object is not required in the request, and if included it must identify the same device.”
But how should the usage of a 3-legged access token be interpreted when used with GET /subscriptions, GET /subscriptions/{subscriptionId} or DELETE /subscriptions/{subscriptionId} in which the device is not part of the request parameters?
Possible evolution
Describe the expected behavior, in the API-design-guidelines Subscription chapter, when using a 3-legged access token when invoking
Alternative solution
On one hand it would be natural to view device information in the access token as a filter. On the other hand it would be difficult for an application to get a list of all its subscriptions no matter which device it involves with less than having a separate 2-legged access token for that purpose.
Additional context
The text was updated successfully, but these errors were encountered: