Open APIs

Notifications - Authorization

  • 1.  Notifications - Authorization

    TM Forum Member
    Posted Jun 15, 2021 15:52
    Edited by Marcos Donato da Silva Jun 15, 2021 17:02

    I was checking the Notification Aspects on many APIs
    (TMF620, TMF622, TMF630, TMF645, TMF688 for instance...) and
    I found no guidance on how to deal with security aspects when
    delivering messages to registered callbacks.

    What's the recommendation?
    Is there any plan to include an option to update the default subscription
    payload to store at least basic authorization
    credentials when sending a notification subscription?
    What about HTTPS? Is there any plan to suggest HTTPS usage for callback messages? (All examples are
    pointing to plain HTTP callback addresses.)

    Thanks and Regards,

    Marcos Donato da Silva
    Ericsson Inc.

  • 2.  RE: Notifications - Authorization

    TM Forum Member
    Posted Jun 16, 2021 02:30
    Hi Marcos
    Firstly, please note that the examples are only examples, they are not authoritative (although they should ideally pass validation against the API's swagger). HTTPS is certainly recommended, but not mandated (or even checked) by the Open API.
    Regarding security, it is expected, like any HTTP(s) transaction, that you will put appropriate authentication credentials in the HTTP header. For back-end communication such as invoking callbacks, you'll need to set up credentials for use by background software (resource identification if you like) and use these when invoking the callback.
    All of the above is outside the functional scope of API definition.
    Hope it helps.

    Jonathan Goldberg
    Amdocs Management Limited
    Any opinions and statements made by me on this forum are purely personal, and do not necessarily reflect the position of the TM Forum or my employer.

  • 3.  RE: Notifications - Authorization

    TM Forum Member
    Posted Jun 17, 2021 14:20
    Hi Marcos,

    As described in TMF630, authentication is not in scope of the Open API specifications.
    That doesn't mean, however, that there should be no authorisation at all.

    HTTPS and header-based authentication/authorisation methods should be considered.

    If required, nothing prohibits extending the Hub data model with an extension to handle your specific security concept. The generic support of polymorphism and pattern extensions is described in the TMF API Guidelines v3.0 Part 2 document.


    Koen Peeters
    Ciminko Luxembourg
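
An added example, not part of any post in this thread and not TM Forum code: one way a notification sender can refuse non-HTTPS callbacks and attach header credentials that were provisioned out of band, together with the matching check on the listener. The host name, the credential store and both function names are assumptions made for illustration.

```python
import base64
import hmac
from urllib.parse import urlsplit
from urllib.request import Request

# Constructed sample: credentials provisioned out of band, keyed by callback
# host, so that no secret travels in the subscription payload (assumption).
CALLBACK_CREDENTIALS = {"listener.example.com": ("notifier-svc", "constructed-secret")}


def build_notification_request(callback_url: str, event_json: bytes) -> Request:
    """Sender side: build the POST to a registered callback (hypothetical helper)."""
    parts = urlsplit(callback_url)
    if parts.scheme != "https":
        raise ValueError("callback must use https")
    if parts.username or parts.password:
        raise ValueError("credentials must not be embedded in the callback URL")
    creds = CALLBACK_CREDENTIALS.get(parts.hostname)
    if creds is None:
        raise ValueError("no credentials provisioned for this callback host")
    token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": f"Basic {token}"}
    # The caller sends this with urllib.request.urlopen(), which verifies the
    # server certificate by default.
    return Request(callback_url, data=event_json, method="POST", headers=headers)


def listener_accepts(authorization_header, expected_user: str, expected_password: str) -> bool:
    """Listener side: validate the Basic header with constant-time comparisons."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons so timing does not reveal which field failed.
    user_ok = hmac.compare_digest(user.encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    return user_ok & pass_ok
```
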