Hi Maria,
We at Deutsche Telekom have the same issue: the security department forbids having sensitive data in URLs (which also includes query parameters).
So far our solution was also to use POST, but meanwhile, a new HTTP method "QUERY" has been defined, and is supported by the latest OAS Version 3.2.0. In essence, QUERY is a GET with the query parameters in the body (possibly also using more complex query syntax), which solves the problem.
At TMF, it is currently being discussed when/how to switch to OAS 3.2, and I assume that at the latest in the next Version 6, but maybe even before, using QUERY will be introduced.
Regards,
Lutz
------------------------------
Lutz Bettge
Deutsche Telekom AG
------------------------------
Original Message:
Sent: Nov 25, 2025 09:00
From: María soledad Alfonso
Subject: Sensitive Data in Query parameters
Hello everyone.
In our country, a new law related to personal data protection is being implemented, and from the cybersecurity area we have received the directive not to expose sensitive data in URLs.
Example: ID, MSISDN, etc.
However, we have some TMF GET operations that send sensitive data through query parameters. Examples:
TMF637
Request:
/tmf-api/productInventory/v5/product?realizingResource.resourceCharacteristic.name=msisdn&realizingResource.resourceCharacteristic.value=56900000000
TMF632
Request:
/tmf-api/party/v5/individual?individualIdentification.identificationType=RUT&individualIdentification.identificationId=11111111-1
The suggestion from the cybersecurity team is to switch to the POST method with sensitive data in the body, but this does not seem to align with the standard.
The questions are:
- Have other companies encountered these cases?
- How have they resolved them?
- Is there any implementation guidance from TM Forum?
Thank you, best regards.
Soledad.
------------------------------
María soledad Alfonso
Entel Chile
------------------------------
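
Added example, not part of either message and not TM Forum or Deutsche Telekom code: a Python check that flags sensitive filters in a request target (the part of the request that ends up in URLs) and rewrites the two GET requests from the original message as QUERY requests with the filter in the body. The sensitive-field lists, the form-encoded body and the function names are assumptions made for this example; the thread does not say how TMF would encode a QUERY body.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed lists for this example, not taken from any TMF specification.
SENSITIVE_LEAVES = {"identificationid", "msisdn"}   # last segment of a filter key
SENSITIVE_CHARACTERISTICS = {"msisdn", "imsi"}      # value of a "<prefix>.name" filter


def sensitive_params(target):
    """Return the query keys in a request target that carry sensitive values."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for key, value in pairs:
        prefix, _, leaf = key.rpartition(".")
        if leaf.lower() in SENSITIVE_LEAVES:
            hits.append(key)
        elif leaf == "name" and value.lower() in SENSITIVE_CHARACTERISTICS:
            # Characteristic pattern: "<prefix>.name=msisdn" means the
            # identifier itself travels in the sibling "<prefix>.value".
            hits.extend(k for k, _v in pairs if k == prefix + ".value")
    return hits


def to_query_request(target):
    """Rewrite a GET target as (method, path, headers, body) for QUERY."""
    parts = urlsplit(target)
    body = urlencode(parse_qsl(parts.query, keep_blank_values=True))
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",  # assumed encoding
        "Content-Length": str(len(body)),
    }
    return "QUERY", parts.path, headers, body


# Request targets from the original message, plus one constructed control.
TMF637 = ("/tmf-api/productInventory/v5/product"
          "?realizingResource.resourceCharacteristic.name=msisdn"
          "&realizingResource.resourceCharacteristic.value=56900000000")
TMF632 = ("/tmf-api/party/v5/individual"
          "?individualIdentification.identificationType=RUT"
          "&individualIdentification.identificationId=11111111-1")
CONTROL = "/tmf-api/productInventory/v5/product?status=active"  # constructed

if __name__ == "__main__":
    for target in (TMF637, TMF632, CONTROL):
        method, path, headers, body = to_query_request(target)
        print(sensitive_params(target), "->", method, path, "| body:", body)
```

The TMF637 case is the one a plain key denylist misses: the key ends in `.value`, and only the sibling `.name=msisdn` filter identifies it as an MSISDN. Moving the filter to the body takes it out of the URL, so any component that records request bodies still has to be reviewed separately.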