Initial API proposal #9
Conversation
yamamoto0104
requested review from
eric-murray,
Masa8106 and
grgpapadopoulos
as code owners
Delete User story.md for error.
|
I'm converting this to draft until the linting rules (PR #7) have been merged into the repository |
|
The linting rules (PR#7) have been merged into the repository. Thus, I converted this to Open. |
| CreateCheckNumRecycling: | ||
| type: object | ||
| required: | ||
| - phoneNumber |
There was a problem hiding this comment.
You have made phoneNumber required, but the network subscriber will also be identified by a 3-legged access token (this will be the usual method of calling this API according to CAMARA guidelines). Can you explain the API logic when both a 3-legged token and explicit phoneNumber are received?
There was a problem hiding this comment.
@eric-murray
Because we assume that this API uses 2-legged access token.
As the user story mentioned, ASP checks whether there has been a change in the user associated with the phone number after the specified date so that API can ensure that a phone number is correctly linked to an user and prevent mis-delivery before sending SMS messages to an wrong user (if there has been a change).
If we apply 3-legged access token, we cannot use this API. Because ASP may authenticate the wrong user and potentially may ask for the wrong user's consent for the API access with 3-legged access token.
There was a problem hiding this comment.
Hi @yamamoto0104
This is not compliant with ICM requirements, which state:
... in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory
In Europe, for example, end users have the right to opt-out from such anti-fraud APIs processing their data, and hence 3-legged tokens are mandatory. We cannot say to an end user that their legal rights no longer apply just because they might be a fraudster.
Exactly the same situation arises with the SIM Swap API, which does (indeed, must) allow 3-legged tokens. The implementations I am aware of only support CIBA, which does not require any interaction with the end user device itself. The same would apply here.
There was a problem hiding this comment.
Hello @eric-murray
Thank for your comment.
As the description in SIM Swap API yaml file said, 2-legged access tokens can be applicable as one of the options.
If my understanding is incorrect, please let me know.
Restrictions for tokens without an associated authenticated phone number:
- For scenarios which do not have a phone number associated to the token during the authentication flow, e.g. 2-legged access tokens, the
phoneNumberfield MUST be provided in the API request. This ensures that the phone number is explicit and valid for each API call made with these tokens.
There was a problem hiding this comment.
Indeed, if the SIM Swap API is called with a 2-legged access token, then phoneNumber must be provided. But if it is called with a 3-legged token, then a phoneNumber MUST NOT be provided. So the phoneNumber is not a required parameter. This can be seen from the SIM Swap CreateCheckSimSwap schema.
In your proposed API definition, phoneNumber is always a required parameter. So the API consumer would be forced to provide it, irrespective of whether at 2- or 3-legged token was being used.
There was a problem hiding this comment.
Hi @eric-murray
Thank you for your kind response.
We changed phoneNumber as optional and added the phone number description based on SIM-SWAP yaml file.
There was a problem hiding this comment.
Hi @eric-murray
We updated the phone number description based on the Appendix of API design guidelines. We also added 422 error code based on the Appendix.
Appendix A: info.description template for device identification from access token
There was a problem hiding this comment.
You are missing the mandatory ICM template in the info section.
| description: Product documentation at Camara | ||
| url: https://github.com/camaraproject/NumberRecycling | ||
| servers: | ||
| - url: '{apiRoot}/number-recycling/v0.1' |
There was a problem hiding this comment.
| - url: '{apiRoot}/number-recycling/v0.1' | |
| - url: '{apiRoot}/number-recycling/vwip' |
There was a problem hiding this comment.
Thanks, The version was changed.
…d changing 'phoneNumber' as optional parameter.
| description: Correlation id for the different services | ||
| schema: | ||
| type: string | ||
| schemas: |
There was a problem hiding this comment.
A common PhoneNumber schema has been defined by Commonalities, so we should use it here
| schemas: | |
| schemas: | |
| PhoneNumber: | |
| description: A public identifier addressing a telephone subscription. In mobile networks it corresponds to the MSISDN (Mobile Station International Subscriber Directory Number). In order to be globally unique it has to be formatted in international format, according to E.164 standard, prefixed with '+'. | |
| type: string | |
| pattern: '^\+[1-9][0-9]{4,14}$' | |
| example: "+123456789" |
There was a problem hiding this comment.
Thanks for pointing it out. We added the common PhoneNumber schema.
| phoneNumber: | ||
| type: string | ||
| pattern: '^\+[1-9][0-9]{4,14}$' | ||
| example: '+346661113334' | ||
| description: A public identifier addressing a telephone subscription. In mobile networks it corresponds to the MSISDN (Mobile Station International Subscriber Directory Number). In order to be globally unique it has to be formatted in international format, according to E.164 standard, prefixed with '+'. |
There was a problem hiding this comment.
Reference separate schema
| phoneNumber: | |
| type: string | |
| pattern: '^\+[1-9][0-9]{4,14}$' | |
| example: '+346661113334' | |
| description: A public identifier addressing a telephone subscription. In mobile networks it corresponds to the MSISDN (Mobile Station International Subscriber Directory Number). In order to be globally unique it has to be formatted in international format, according to E.164 standard, prefixed with '+'. | |
| phoneNumber: | |
| $ref: '#/components/schemas/PhoneNumber' |
There was a problem hiding this comment.
Thanks. Reference separate schema is added.
…ned by Commonalities.
yamamoto0104
dismissed
eric-murray’s stale review
The merge-base changed after approval.
yamamoto0104
dismissed stale reviews from grgpapadopoulos and eric-murray
The merge-base changed after approval.
yamamoto0104
dismissed
eric-murray’s stale review
The merge-base changed after approval.
|
@yamamoto0104 I'd suggest either:
Alternatively, @hdamker may be able to override whatever github settings are automatically dismissing approvals. |
|
@yamamoto0104 |
|
@eric-murray |
It was actually explicitly deleted within commit 3c20232 from the branch ("Delete User story.md for error."). Beyond that the PR now looks good ... guess you don't need to bypass the branch protection. |
|
Hello @hdamker, @eric-murray |
What type of PR is this?
What this PR does / why we need it:
This is the initial proposal from KDDI for the Number Recycling API
Which issue(s) this PR fixes:
Fixes #8
Special notes for reviewers:
None
Changelog input
Additional documentation
None