Open APIs

Hi all:
As part of the traceability, I would like to log the user invoking the call using the API. The scenario is that we are building APIs for a BSS process. The first API is the TMF 673 address validation. However, when I looked at the API (most of the API), we don't have a placeholder for capturing the user (from the third parties invoke API from their application). This is extremely valuable for tracking user journeys. I'm wondering which TMF object can be used to extend the API request model 

Hi Ajo

I don't think it is healthy to enhance the functional signature of every API operation with such information. More appropriate would be to use the HTTP header.

The header should already contain authentication information for the security principal invoking the API, but it may be tricky to trace this back to the business party. You could add an extension to the header to transmit the ID or reference to the relevant party.

Good luck

Hi all:
As part of the traceability, I would like to log the user invoking the call using the API. The scenario is that we are building APIs for a BSS process. The first API is the TMF 673 address validation. However, when I looked at the API (most of the API), we don't have a placeholder for capturing the user (from the third parties invoke API from their application). This is extremely valuable for tracking user journeys. I'm wondering which TMF object can be used to extend the API request model 

Hi Jonathan

Thank you for your feedback. Yes, we use OAuth flows to authenticate. Most of our partners we talked to prefer to use from a trusted server, so we set up a client credentials flow (so we know which application or partner is making a call). However, sub-agents are using the web application, so we need to track their name and email to look at the journey from their application. In case of any broken journey or need follow-ups, our client partner manager can contact them. If we look at APIs like ProductQualification, it has user data to capture. 

As per the feedback, if user data is not available as a request model, use HTTP custom headers to track it. Do we need to standardize the approach and custom header names? 

Hi Ajo

I don't think it is healthy to enhance the functional signature of every API operation with such information. More appropriate would be to use the HTTP header.

The header should already contain authentication information for the security principal invoking the API, but it may be tricky to trace this back to the business party. You could add an extension to the header to transmit the ID or reference to the relevant party.

Good luck

Hi all:
As part of the traceability, I would like to log the user invoking the call using the API. The scenario is that we are building APIs for a BSS process. The first API is the TMF 673 address validation. However, when I looked at the API (most of the API), we don't have a placeholder for capturing the user (from the third parties invoke API from their application). This is extremely valuable for tracking user journeys. I'm wondering which TMF object can be used to extend the API request model