WO2025030300A1 - Information indication method, first api invoker, first network function, and storage medium - Google Patents
- Publication number
- WO2025030300A1 (PCT/CN2023/111361)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authorization
- information
- client
- network function
- code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/133—Protocols for remote procedure calls [RPC]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Definitions
- the present disclosure relates to the field of communication technology, and in particular to an information indication method, a first API caller, a first network function and a storage medium.
- CAPIF Common API Framework
- the authorization method is not clear.
- the embodiments of the present disclosure provide an information indication method, a first API caller, a first network function and a storage medium.
- an information indication method the method being executed by a first application programming interface API caller, the method comprising:
- the first information indicates an authorization method
- the authorization method is the authorization method used by the first API caller.
- an information indication method is provided, the method being performed by a first network function, the method comprising:
- the authorization method is the authorization method used by the first API caller.
- an information indication method which is applied to a communication system, and the method includes:
- the first network function sends a first message to the first API caller
- the first API caller receives the first information sent by the first network function
- the first information indicates an authorization method
- the authorization method is the authorization method used by the first API caller.
- a first API caller is provided, wherein the first API caller includes:
- the transceiver module is configured as follows:
- the first information indicates an authorization method
- the authorization method is the authorization method used by the first API caller.
- a first network function includes:
- the processing module is configured as follows:
- the authorization method is the authorization method used by the first API caller.
- a communication system including a first API caller and a first network function, the first API caller is configured to implement the information indication method provided by the first aspect, and the first network function is configured to implement the information indication method provided by the second aspect.
- a first API caller is provided, wherein the first API caller includes:
- one or more processors
- the processor is used to call instructions so that the first API caller executes the information indication method provided by the first aspect.
- a first network function includes:
- one or more processors
- the processor is used to call instructions to enable the first network function to execute the information indication method provided by the second aspect.
- a storage medium stores instructions, and when the instructions are executed on a communication device, the communication device executes the information indication method provided by the first aspect, the second aspect or the third aspect.
- FIG. 1 is a schematic diagram showing an architecture of a communication system according to an exemplary embodiment
- FIG. 2a is a schematic flow chart of an information indication method according to an exemplary embodiment
- FIG. 3a is a schematic flow chart of an information indication method according to an exemplary embodiment
- FIG. 3b is a schematic flow chart of an information indication method according to an exemplary embodiment
- FIG. 4a is a schematic flow chart of an information indication method according to an exemplary embodiment
- FIG. 4b is a schematic flow chart of an information indication method according to an exemplary embodiment
- FIG. 5a is a schematic flow chart of an information indication method according to an exemplary embodiment
- FIG. 6a is a schematic flow chart of an information indication method according to an exemplary embodiment
- FIG. 7a is a schematic diagram showing the structure of a first API caller according to an exemplary embodiment
- FIG. 7b is a schematic structural diagram of a first network function according to an exemplary embodiment
- FIG. 8a is a schematic structural diagram of a UE according to an exemplary embodiment
- FIG. 8b is a schematic structural diagram of a communication device according to an exemplary embodiment.
- the embodiments of the present disclosure provide an information indication method, a first API caller, a first network function and a storage medium.
- an embodiment of the present disclosure provides an information indication method, the method being executed by a first application programming interface API caller, the method comprising:
- the first information indicates an authorization method
- the authorization method is the authorization method used by the first API caller.
- the first API caller after receiving the first information, can use the authorization method indicated by the first information to perform authorization.
- the method further includes:
- the second information indicates a client type of the first API caller, and the client type is used by the first network function to determine an authorization method used by the first API caller.
- the authorization method used by the first API caller can be determined based on the client type, so that the authorization method used can be clarified.
- the method further includes:
- the third information includes the first identifier configured by the first network function for the first API caller, the first API caller is set with a mapping relationship between the first identifier and the client type and/or the first network function is set with a mapping relationship between the first identifier and the client type.
- the first API caller may report the client type of the first API caller based on the first identifier.
- the mapping relationship is created by the first network function.
- the first API caller can determine the first identifier corresponding to the client type based on the mapping relationship.
- the method further includes:
- the fourth information includes the first identifier.
- the first network function can determine the authorization method corresponding to the fourth information after receiving the fourth information, and send the determined authorization method information to the first network function based on the request of the first API caller.
- the first information indicates the authorization method determined by the first network function based on the first identifier.
- the first network function can clearly determine the authorization method to be used.
- the method further includes:
- the corresponding authorization process is started based on the authorization method.
- the corresponding authorization process can be started based on the clearly determined authorization method, and the authorization mechanism is more complete and reliable.
- the authorization mode is authorization code authorization
- the method further includes:
- the fifth information includes information that the response type is code and/or the authorization type is authorization code, and the fifth information is used to obtain the authorization code and/or token.
- the authorization code and/or token may be obtained by sending the fifth information.
- the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE, and the method further includes:
- the sixth information includes information of code challenge and/or code verification, and the sixth information is used to obtain an authorization code and/or a token.
- the authorization code and/or token may be obtained by sending the sixth information.
- the client type includes one of the following:
- the authorization method includes one of the following:
- Authorization code authorization (authorization code).
- an embodiment of the present disclosure provides an information indication method, the method being performed by a first network function, the method comprising:
- the authorization method is the authorization method used by the first API caller.
- the authorization method can be clearly determined, which improves the authorization mechanism and makes the authorization more reliable compared to the situation where the authorization method cannot be clearly determined.
- determining the authorization method includes:
- the first policy is an authorization policy related to the first resource owner.
- the authorization method can be determined based on the first policy and/or the result of determining whether the first resource owner needs to participate in the authorization in real time, and the determination method is more flexible.
- determining the authorization mode based on the first policy and/or a determination result of whether the first resource owner needs to participate in the authorization in real time includes one of the following:
- the first network function locally stores the first policy and it is determined that the first resource owner does not need to participate in authorization in real time, determining that the authorization method is a client credential authorization method
- the authorization method is determined to be authorization code authorization, PKCE-based authorization, or authorization code authorization supporting PKCE.
- different authorization modes may be determined based on the first policy and/or the determination result of whether the first resource owner is required to participate in the authorization in real time.
- the method further includes:
- the second information indicates a client type of the first API caller, and the client type is used by the first network function to determine an authorization method used by the first API caller.
- the method further includes:
- the third information includes the first identifier configured by the first network function for the first API caller; the first API caller is set with a mapping relationship between the first identifier and the client type and/or the first network function is set with a mapping relationship between the first identifier and the client type.
- the method further includes:
- the mapping relationship is created.
- the method further includes:
- the fourth information includes the first identifier.
- the method further includes:
- the authorization method is determined based on the client type.
- determining the authorization method based on the client type includes at least one of the following:
- the authorization method is a PKCE-based authorization or an authorization code authorization method that supports PKCE;
- the authorization method is not an authorization code authorization method
- the authorization method is not a client single credential authorization method
- the authorization method is a PKCE-based authorization or an authorization code authorization method that supports PKCE;
- the authorization method is an authorization code authorization method
- different authorization methods may be determined based on different client types.
- determining that the authorization method is a PKCE-based authorization or an authorization code authorization method that supports PKCE includes:
- the authorization method is a PKCE-based authorization or an authorization code authorization method that supports PKCE;
- the authorization method is determined to be a PKCE-based authorization or an authorization code authorization method that supports PKCE.
- determining that the authorization method is an authorization code authorization method includes:
- the authorization method is an authorization code authorization method
- the authorization method is determined to be an authorization code authorization method.
- determining that the authorization method is a client credential authorization method includes:
- the authorization mode is determined to be a client credential authorization mode.
- the method further includes:
- the first information indicates the authorization method.
- the authorization mode is authorization code authorization
- the method further includes:
- the fifth information includes information that the authorization code and/or the authorization type is an authorization code, and the fifth information is used to obtain the authorization code and/or token.
- the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE, and the method further includes:
- the sixth information includes information of code challenge and/or code verification, and the sixth information is used to obtain an authorization code and/or a token.
- the client type includes one of the following:
- the authorization method includes one of the following:
- an embodiment of the present disclosure provides an information indication method, which is applied to a communication system, and the method includes:
- the first network function sends a first message to the first API caller
- the first API caller receives the first information sent by the first network function
- the first information indicates an authorization method
- the authorization method is the authorization method used by the first API caller.
- an embodiment of the present disclosure provides a first API caller, characterized in that the first API caller includes:
- the transceiver module is configured as follows:
- the first information indicates an authorization method
- the authorization method is the authorization method used by the first API caller.
- an embodiment of the present disclosure provides a first network function, characterized in that the first network function includes:
- the processing module is configured as follows:
- the authorization method is the authorization method used by the first API caller.
- an embodiment of the present disclosure provides a communication system, wherein the communication system includes a first API caller and a first network function, the first API caller is configured to implement the information indication method described in the optional implementation manner of the first aspect, and the first network function is configured to implement the information indication method described in the optional implementation manner of the second aspect.
- an embodiment of the present disclosure provides a first API caller, wherein the first API caller includes:
- one or more processors
- the processor is used to call instructions so that the first API caller executes the information indication method described in the optional implementation manner of the first aspect.
- an embodiment of the present disclosure provides a first network function, wherein the first network function includes:
- one or more processors
- the processor is used to call instructions to enable the first network function to execute the information indication method described in the optional implementation manner of the first aspect.
- an embodiment of the present disclosure provides a storage medium, wherein the storage medium stores instructions, and when the instructions are executed on a communication device, the communication device executes the information indication method described in the optional implementation manner of the first aspect, the second aspect or the third aspect.
- an embodiment of the present disclosure provides a program product.
- when the program product is executed by a communication device, the communication device executes the information indication method described in the optional implementation manner of the first aspect, the second aspect, or the third aspect.
- an embodiment of the present disclosure provides a computer program, which, when executed on a computer, enables the computer to execute the information indication method described in the optional implementation manner of the first aspect, the second aspect, or the third aspect.
- the first API caller, the first network function, the communication system, the storage medium, the program product, and the computer program are all used to execute the method provided by the embodiment of the present disclosure. Therefore, the beneficial effects that can be achieved can refer to the beneficial effects in the corresponding method, which will not be repeated here.
- the disclosed embodiment provides an information indication method, a first API caller, a first network function, a communication system and a storage medium.
- the information indication method and the information processing method, the information transmission method and other terms can be interchangeable.
- each step in a certain embodiment can be implemented as an independent embodiment, and the steps can be arbitrarily combined.
- a solution after removing some steps in a certain embodiment can also be implemented as an independent embodiment, and the order of the steps in a certain embodiment can be arbitrarily exchanged.
- the optional implementation methods in a certain embodiment can be arbitrarily combined; in addition, the embodiments can be arbitrarily combined, for example, some or all of the steps of different embodiments can be arbitrarily combined, and a certain embodiment can be arbitrarily combined with the optional implementation methods of other embodiments.
- elements expressed in the singular form such as “a”, “an”, “the”, “above”, “said”, “aforementioned”, “this”, etc., may mean “one and only one”, or “one or more”, “at least one”, etc.
- the noun after the article may be understood as a singular expression or a plural expression.
- plurality refers to two or more.
- the terms “at least one of”, “one or more”, “a plurality of”, “multiple”, etc. can be used interchangeably.
- “at least one of A and B”, “A and/or B”, “A in one case, B in another case”, etc. may include the following technical solutions according to the situation: in some embodiments, A (A is executed independently of B); in some embodiments, B (B is executed independently of A); in some embodiments, execution is selected from A and B (A and B are selectively executed); in some embodiments, A and B (both A and B are executed). When there are more branches such as A, B, C, etc., the above is also similar.
- the recording method of “A or B” may include the following technical solutions according to the situation: in some embodiments, A (A is executed independently of B); in some embodiments, B (B is executed independently of A); in some embodiments, execution is selected from A and B (A and B are selectively executed).
- prefixes such as “first” and “second” in the embodiments of the present disclosure are only used to distinguish different description objects, and do not constitute restrictions on the position, order, priority, quantity or content of the description objects.
- the statement of the description object refers to the description in the context of the claims or embodiments, and should not constitute unnecessary restrictions due to the use of prefixes.
- the description object is a “field”
- the ordinal number before the “field” in the “first field” and the “second field” does not limit the position or order between the “fields”
- the “first” and “second” do not limit whether the “fields” they modify are in the same message, nor do they limit the order of the “first field” and the “second field”.
- the description object is a “level”
- the ordinal number before the “level” in the “first level” and the “second level” does not limit the priority between the “levels”.
- the number of description objects is not limited by the ordinal number, and can be one or more. Taking the “first device” as an example, the number of “devices” can be one or more.
- the objects modified by different prefixes may be the same or different. For example, if the description object is “device”, then the “first device” and the “second device” may be the same device or different devices, and their types may be the same or different. For another example, if the description object is “information”, then the “first information” and the “second information” may be the same information or different information, and their contents may be the same or different.
- “including A”, “comprising A”, “used to indicate A”, and “carrying A” can be interpreted as directly carrying A or indirectly indicating A.
- terms such as “...”, “determine...”, “in the case of...”, “at the time of...”, “when...”, “if...”, “if...”, etc. can be used interchangeably.
- terms such as “greater than”, “greater than or equal to”, “not less than”, “more than”, “more than or equal to”, “not less than”, “higher than”, “higher than or equal to”, “not lower than”, and “above” can be replaced with each other, and terms such as “less than”, “less than or equal to”, “not greater than”, “less than”, “less than or equal to”, “no more than”, “lower than”, “lower than or equal to”, “not higher than”, and “below” can be replaced with each other.
- devices, etc. can be interpreted as physical or virtual, and their names are not limited to the names recorded in the embodiments.
- Terms such as “device”, “equipment”, “device”, “circuit”, “network element”, “node”, “function”, “unit”, “section”, “system”, “network”, “chip”, “chip system”, “entity”, and “subject” can be used interchangeably.
- network may be interpreted as devices included in the network (e.g., access network equipment, core network equipment, etc.).
- in some embodiments, the terms “terminal”, “terminal device”, “user equipment (UE)”, “user terminal”, “mobile station (MS)”, “mobile terminal (MT)”, subscriber station, mobile unit, subscriber unit, wireless unit, remote unit, mobile device, wireless device, wireless communication device, remote device, mobile subscriber station, access terminal, mobile terminal, wireless terminal, remote terminal, handset, user agent, mobile client, client and the like can be used interchangeably.
- the access network device, the core network device, or the network device may be replaced by a terminal.
- the communication between the access network device, the core network device, or the network device and the terminal is replaced by the communication between multiple terminals (for example, the device to the device).
- the embodiments of the present disclosure may also be applied to structures such as device-to-device (D2D), vehicle-to-everything (V2X), etc.
- the terminal has all or part of the functions of the access network device.
- terms such as “uplink” and “downlink” may also be replaced with terms corresponding to terminal-to-terminal communication (for example, “side”).
- an uplink channel, a downlink channel, etc. may be replaced with a side channel
- an uplink, a downlink, etc. may be replaced with a side link.
- the terminal may be replaced by an access network device, a core network device, or a network device.
- the access network device, the core network device, or the network device may also be configured to have a structure that has all or part of the functions of the terminal.
- acquisition of data, information, etc. may comply with the laws and regulations of the country where the data is obtained.
- data, information, etc. may be obtained with the user's consent.
- each element, each row, or each column in the table of the embodiments of the present disclosure may be implemented as an independent embodiment, and the combination of any elements, any rows, and any columns may also be implemented as an independent embodiment.
- FIG. 1 is a schematic diagram of the architecture of a communication system according to an embodiment of the present disclosure.
- the communication system 100 includes a first API caller 101 and a first network function 102.
- the network function may be a network element.
- the communication system 100 of the present disclosure may also include a terminal and an access network device, etc., which are not limited here.
- the first network function 102 may be a CAPIF core function (CCF).
- CCF CAPIF core function
- the communication system may also include a second network function, a third network function, a fourth network function, and the like.
- the second network function may be a network exposure function (NEF) or an application programming interface (API) exposure function (AEF).
- NEF network exposure function
- API application programming interface
- the third network function may be Unified Data Management (UDM).
- UDM Unified Data Management
- the fourth network function may be a Gateway Mobile Location Center (GMLC) or a sensing function.
- GMLC Gateway Mobile Location Center
- the terminal includes, for example, a mobile phone, a wearable device, an Internet of Things device, a car with communication function, a smart car, a tablet computer (Pad), a computer with wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal device in industrial control (industrial control), a wireless terminal device in self-driving, a wireless terminal device in remote medical surgery, a wireless terminal device in a smart grid (smart grid), a wireless terminal device in transportation safety (transportation safety), a wireless terminal device in a smart city (smart city), and at least one of a wireless terminal device in a smart home (smart home), but is not limited to these.
- the access network device may be, for example, a node or device that accesses a terminal to a wireless network.
- the access network device may include an evolved Node B (eNB), a next generation evolved Node B (ng-eNB), a next generation Node B (gNB), a node B (NB), a home node B (HNB), a home evolved node B (HeNB), a wireless backhaul device, a radio network controller (RNC), a base station controller (BSC), a base transceiver station (BTS), a base band unit (BBU), a mobile switching center, a base station in a 6G communication system, an open base station (Open RAN), a cloud base station (Cloud RAN), a base station in other communication systems, and at least one of an access node in a Wi-Fi system, but is not limited thereto.
- eNB evolved Node B
- ng-eNB next generation evolved Node B
- gNB next generation Node B
- NB node B
- the technical solution of the present disclosure may be applicable to the Open RAN architecture.
- the interfaces between access network devices or within access network devices involved in the embodiments of the present disclosure may become internal interfaces of Open RAN, and the processes and information interactions between these internal interfaces may be implemented through software or programs.
- the access network device may be composed of a centralized unit (central unit, CU) and a distributed unit (distributed unit, DU), wherein the CU may also be called a control unit (control unit).
- the CU-DU structure may be used to split the protocol layer of the access network device, with some functions of the protocol layer being centrally controlled by the CU, and the remaining part or all of the functions of the protocol layer being distributed in the DU, and the DU being centrally controlled by the CU, but not limited to this.
- the core network device may be a device including a first network element, etc., or may be a plurality of devices or a group of devices, each including a first network element.
- the network element may be virtual or physical.
- the core network may include, for example, at least one of an Evolved Packet Core (EPC), a 5G Core Network (5GCN), and a Next Generation Core (NGC).
- EPC Evolved Packet Core
- 5GCN 5G Core Network
- NGC Next Generation Core
- the communication system described in the embodiment of the present disclosure is for the purpose of more clearly illustrating the technical solution of the embodiment of the present disclosure, and does not constitute a limitation on the technical solution provided by the embodiment of the present disclosure.
- a person skilled in the art can know that with the evolution of the system architecture and the emergence of new business scenarios, the technical solution provided by the embodiment of the present disclosure is also applicable to similar technical problems.
- the following embodiments of the present disclosure may be applied to the communication system 100 shown in FIG. 1, or a part of the main body thereof, but are not limited thereto.
- the subjects are examples.
- the communication system may include all or part of the subjects in Figure 1, and may also include other subjects outside Figure 1.
- the number and form of the subjects are arbitrary.
- the connection relationship between the subjects is an example.
- the subjects may be connected or disconnected, and the connection may be in any way, which may be direct or indirect, and may be wired or wireless.
- LTE Long Term Evolution
- LTE-A LTE-Advanced
- LTE-B LTE-Beyond
- SUPER 3G IMT-Advanced
- 4G the fourth generation mobile communication system
- 5G 5G new radio
- FAA Future Radio Access
- RAT New Radio
- NR New Radio
- NX New radio access
- the present invention relates to wireless communication systems such as LTE, Wi-Fi (X), Global System for Mobile communications (GSM (registered trademark)), CDMA2000, Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi (registered trademark)), IEEE 802.16 (WiMAX (registered trademark)), IEEE 802.20, Ultra-WideBand (UWB), Bluetooth (registered trademark), Public Land Mobile Network (PLMN) network, Device to Device (D2D) system, Machine to Machine (M2M) system, Internet of Things (IoT) system, Vehicle to Everything (V2X), systems using other communication methods, and next-generation systems expanded based on them.
- PLMN Public Land Mobile Network
- D2D Device to Device
- M2M Machine to Machine
- IoT Internet of Things
- V2X Vehicle to Everything
- a combination of multiple systems for example, a combination of
- API callers can be authorized to request services, and CAPIF supports security methods such as Transport Layer Security Pre-Shared Key Cipher Suite (TLS-PSK), Public Key Infrastructure (PKI), and Transport Layer Security (TLS) with Open Authentication Application Programming Interface OAuth token.
- In order to enable resource owners (e.g., end users, subscribers, etc.) to authorize API callers, CAPIF needs to support new security methods, including authorization code authorization and authorization code authorization with Proof Key for Code Exchange (PKCE). Both of these new security methods are implemented based on OAuth tokens.
- Since client credentials authorization, authorization code authorization, and PKCE authorization code authorization are all security methods based on OAuth tokens, CAPIF should inform the API caller, before the API caller initiates the security process, which security method has been selected and should be triggered. However, CAPIF does not have a mechanism for selecting an OAuth token-based security method for the API caller.
- FIG2a is an interactive schematic diagram of an information indication method according to an embodiment of the present disclosure. As shown in FIG2a, the present disclosure embodiment relates to an information indication method, which is used in a communication system 100, and the method includes:
- Step S2101 The first API caller sends second information to the first network function.
- the first network function receives second information sent by the first API caller.
- the second information indicates a client type of the first API caller.
- the client type includes one of the following:
- the client type is used by the first network function to determine an authorization method used by the first API caller.
- the authorization method includes one of the following:
- Client credentials authorization (client credentials).
- PKCE-based authorization and PKCE-enabled authorization code authorization are consistent at the PKCE level.
- the first API caller can be authorized to process the resources of the first resource owner (Resource owner).
- the first resource owner may be one of: an end user, a subscriber, or a terminal (UE).
- the first API caller can be one of the following: an application function, a terminal, an application running on the terminal (Application residing on UE), or a client running on the terminal (client in the UE).
- Step S2102 The first network function sends third information to the first API caller.
- the first API caller receives third information sent by the first network function.
- the third information includes a first identifier configured by the first network function for the first API caller.
- the first identifier may be one of the following:
- API caller identifier (API invoker identifier or API invoker ID)
- the first API caller can report the client type
- the first network function e.g., CCF
- the first network function can assign an API invoker identifier to the first API caller, and create a mapping relationship between the two on the first network function side.
- the first API caller is provided with a mapping relationship between the first identifier and the client type.
- the first network function is provided with a mapping relationship between the first identifier and the client type.
- the first network function creates the mapping relationship.
- Step S2103 The first API caller sends fourth information to the first network function.
- the first network function receives fourth information sent by the first API caller.
- the fourth information includes the first identification.
- the fourth information is used to request the first network function to determine an authorization method based on the first identifier.
- Step S2104 The first network function determines the authorization method.
- the first network function determines an authorization method, wherein the authorization method is an authorization method used by the first API caller.
- the first network function determines the authorization method based on the first policy and/or the result of determining whether the first resource owner needs to participate in the authorization in real time. It should be noted that in this scenario, steps S2101, S2102 and S2103 may not be performed.
- real-time authorization means that the resource owner needs to participate in the authorization process online in real time (for example, by clicking on a pop-up window on the terminal side to authorize), rather than performing non-real-time authorization by presetting relevant policies in the CAPIF framework (i.e., the first policy in the authority).
- the first policy is an authorization policy associated with the first resource owner.
- the authorization method is determined to be a client credential authorization method.
- the authorization method is determined to be authorization code authorization, PKCE-based authorization, or authorization code authorization supporting PKCE.
- the client type corresponding to the first identifier is determined.
- the authorization method is determined based on the client type.
- the authorization method is determined to be a PKCE-based authorization or an authorization code authorization method that supports PKCE.
- the authorization method is not an authorization code authorization method.
- the authorization method is not a client credential authorization method.
- the authorization method is determined to be a PKCE-based authorization or an authorization code authorization method that supports PKCE.
- the authorization method is determined to be an authorization code authorization method.
- the authorization method is determined to be a client credential authorization method.
- the authorization method is a PKCE-based authorization or an authorization code authorization method that supports PKCE
- the authorization method is determined to be a PKCE-based authorization or an authorization code authorization method that supports PKCE.
- the authorization method is an authorization code authorization method
- the authorization method is determined to be an authorization code authorization method.
- the authorization method is determined to be a client credential authorization method.
- Step S2105 The first network function sends the first information to the first API caller.
- the first API caller receives first information sent by the first network function.
- the first information indicates the authorization method.
- the authorization method includes one of the following:
- the first API caller initiates a corresponding authorization process based on the authorization method.
- Step S2106 The first API caller sends fifth information to the first network function.
- the first network function receives fifth information sent by the first API caller.
- the authorization method is authorization code authorization
- the first API caller sends fifth information to the first network function.
- the fifth information includes information that the response type is code (response_type=code) and/or the grant type is authorization code (grant_type=authorization_code), and the fifth information is used to obtain the authorization code and/or token.
- Step S2107 The first API caller sends sixth information to the first network function.
- the first network function receives sixth information sent by the first API caller.
- the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE, and the first API caller sends sixth information to the first network function.
- the sixth information includes code challenge (code_challenge) and/or code verifier (code_verifier) information, and the sixth information is used to obtain an authorization code and/or a token.
- the term “information” can be used interchangeably with terms such as “message”, “signal”, “signaling”, “report”, “configuration”, “indication”, “instruction”, “command”, “channel”, “parameter”, “field”, and “data”.
- the term “send” can be used interchangeably with terms such as “transmit” and “report”.
- step S2101 may be implemented as an independent embodiment
- step S2102 may be implemented as an independent embodiment
- step S2103 may be implemented as an independent embodiment
- step S2104 may be implemented as an independent embodiment
- step S2105 may be implemented as an independent embodiment
- step S2106 may be implemented as an independent embodiment
- step S2107 may be implemented as an independent embodiment.
- step S2104 may be implemented as an independent embodiment in combination with step S2105, but is not limited thereto.
- FIG3a is a flow chart of an information indication method according to an embodiment of the present disclosure. As shown in FIG3a, the present disclosure embodiment relates to an information indication method, which is executed by a first API caller, and the method includes:
- Step S3101 Send the second information.
- step S3101 can refer to the optional implementation of step S2101 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- Step S3102 Obtain third information.
- the first API caller obtains the third information sent by the first network function, but is not limited thereto, and the third information sent by other entities may also be received.
- the first API caller obtains third information specified by the protocol.
- the first API caller obtains the third information from an upper layer(s).
- the first API caller performs processing to obtain the third information.
- step S3102 can refer to the optional implementation of step S2102 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- Step S3103 Send the fourth information.
- step S3103 can refer to the optional implementation of step S2103 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- Step S3104 Obtain first information.
- the first API caller obtains the first information sent by the first network function, but is not limited thereto, and the first information sent by other entities may also be received.
- the first API caller obtains first information specified by the protocol.
- the first API caller obtains the first information from an upper layer(s).
- the first API caller performs processing to obtain the first information.
- step S3104 can refer to the optional implementation of step S2105 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- Step S3105 Send the fifth information.
- step S3105 can refer to the optional implementation of step S2106 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- Step S3106 Send the sixth information.
- step S3106 can refer to the optional implementation of step S2107 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- the information indication method involved in the embodiment of the present disclosure may include at least one of steps S3101 to S3106.
- step S3101 may be implemented as an independent embodiment
- step S3102 may be implemented as an independent embodiment
- step S3103 may be implemented as an independent embodiment
- step S3104 may be implemented as an independent embodiment
- step S3105 may be implemented as an independent embodiment
- step S3106 may be implemented as an independent embodiment, which is not limited here.
- FIG3b is a flow chart of an information indication method according to an embodiment of the present disclosure. As shown in FIG3b, the present disclosure embodiment relates to an information indication method, which is executed by a first API caller, and the method includes:
- Step S3201 Receive first information.
- the first information indicates an authorization method
- the authorization method is the authorization method used by the first API caller.
- step S3201 can refer to the optional implementation of step S2104 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- sending the second information to the first network function
- the second information indicates the client type of the first API caller, and the client type is used by the first network function to determine the authorization method.
- the method further comprises:
- the third information includes the first identifier configured by the first network function for the first API caller, the first API caller is set with a mapping relationship between the first identifier and the client type and/or the first network function is set with a mapping relationship between the first identifier and the client type.
- the mapping relationship is created by the first network function.
- the method further comprises:
- the fourth information includes the first identifier.
- the first information indicates the authorization method determined by the first network function based on the first identifier.
- the method further comprises:
- the corresponding authorization process is started based on the authorization method.
- the authorization method is authorization code authorization, and the method further includes:
- the fifth information includes information that the response type is code and/or the grant type is authorization code, and the fifth information is used to obtain the authorization code and/or token.
- the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE, and the method further includes:
- the sixth information includes code challenge and/or code verifier information, and the sixth information is used to obtain an authorization code and/or a token.
- the client type includes one of the following:
- the authorization method includes one of the following:
- FIG4a is a flow chart of an information indication method according to an embodiment of the present disclosure. As shown in FIG4a, the present disclosure embodiment relates to an information indication method, which is executed by a first network function, and the method includes:
- Step S4101 Obtain second information.
- the first network function obtains the second information sent by the first API caller, but is not limited thereto and may also receive the second information sent by other entities.
- the first network function obtains second information specified by the protocol.
- the first network function obtains the second information from an upper layer(s).
- the first network function performs processing to obtain the second information.
- step S4101 can refer to the optional implementation of step S2101 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- Step S4102 Send the third information.
- step S4102 can refer to the optional implementation of step S2102 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- Step S4103 Obtain the fourth information.
- the first network function obtains the fourth information sent by the first API caller, but is not limited thereto, and the fourth information sent by other entities may also be received.
- the first network function obtains fourth information specified by the protocol.
- the first network function obtains the fourth information from an upper layer(s).
- the first network function performs processing to obtain the fourth information.
- the optional implementation of step S4103 can refer to the optional implementation of step S2103 in FIG2a and other related parts in the embodiment involved in FIG2a, which will not be repeated here.
- Step S4104 Determine the authorization method.
- step S4104 can refer to the optional implementation of step S2104 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- Step S4105 Send the first information.
- step S4105 can refer to the optional implementation of step S2105 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- Step S4106 Obtain the fifth information.
- the first network function obtains the fifth information sent by the first API caller, but is not limited thereto, and the fifth information sent by other entities may also be received.
- the first network function obtains fifth information specified by the protocol.
- the first network function obtains the fifth information from an upper layer(s).
- the first network function performs processing to obtain the fifth information.
- step S4106 can refer to the optional implementation of step S2106 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- Step S4107 Obtain sixth information.
- the first network function obtains the sixth information sent by the first API caller, but is not limited thereto, and the sixth information sent by other entities may also be received.
- the first network function obtains sixth information specified by the protocol.
- the first network function obtains the sixth information from an upper layer(s).
- the first network function performs processing to obtain the sixth information.
- step S4107 can refer to the optional implementation of step S2107 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- the information indication method involved in the embodiment of the present disclosure may include at least one of steps S4101 to S4107.
- step S4101 may be implemented as an independent embodiment
- step S4102 may be implemented as an independent embodiment
- step S4103 may be implemented as an independent embodiment
- step S4104 may be implemented as an independent embodiment
- step S4105 may be implemented as an independent embodiment
- step S4106 can be implemented as an independent embodiment
- step S4107 can be implemented as an independent embodiment.
- step S4104 combined with step S4105 can be implemented as an independent embodiment, but it is not limited thereto.
- FIG4b is a flow chart of an information indication method according to an embodiment of the present disclosure. As shown in FIG4b, the present disclosure embodiment relates to an information indication method, which is executed by a first network function, and the method includes:
- Step S4201 Determine the authorization method.
- the authorization method is the authorization method used by the first API caller.
- step S4201 can refer to the optional implementation of step S2104 in Figure 2a and other related parts of the embodiment involved in Figure 2a, which will not be repeated here.
- determining the authorization method includes:
- the first policy is an authorization policy related to the first resource owner.
- determining the authorization method based on the first policy and/or the result of determining whether the first resource owner needs to participate in the authorization in real time includes one of the following:
- the first network function locally stores the first policy and it is determined that the first resource owner does not need to participate in authorization in real time, determining that the authorization method is a client credential authorization method
- the authorization method is determined to be authorization code authorization, PKCE-based authorization, or authorization code authorization supporting PKCE.
- the method further comprises:
- the second information indicates a client type of the first API caller, and the client type is used by the first network function to determine an authorization method used by the first API caller.
- the method further comprises:
- the third information includes the first identifier configured by the first network function for the first API caller; the first API caller is set with a mapping relationship between the first identifier and the client type and/or the first network function is set with a mapping relationship between the first identifier and the client type.
- the method further comprises:
- the mapping relationship is created.
- the method further comprises:
- the fourth information includes the first identifier.
- the method further comprises:
- the authorization method is determined based on the client type.
- determining the authorization method based on the client type includes at least one of the following:
- the authorization method is a PKCE-based authorization or an authorization code authorization method that supports PKCE;
- the authorization method is not an authorization code authorization method
- the authorization method is not a client credential authorization method
- the authorization method is a PKCE-based authorization or an authorization code authorization method that supports PKCE;
- the authorization method is an authorization code authorization method
- determining that the authorization method is a PKCE-based authorization or an authorization code authorization method that supports PKCE includes:
- the authorization method is a PKCE-based authorization or an authorization code authorization method that supports PKCE;
- the authorization method is determined to be a PKCE authorization code authorization method.
- determining that the authorization method is an authorization code authorization method includes:
- the authorization method is an authorization code authorization method
- the authorization method is determined to be an authorization code authorization method.
- determining that the authorization method is a client credential authorization method includes:
- the authorization mode is determined to be a client credential authorization mode.
- the method further comprises:
- the first information indicates the authorization method.
- the authorization method is authorization code authorization, and the method further includes:
- the fifth information includes information that the response type is code and/or the grant type is authorization code, and the fifth information is used to obtain the authorization code and/or token.
- the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE, and the method further includes:
- the sixth information includes code challenge and/or code verifier information, and the sixth information is used to obtain an authorization code and/or a token.
- the client type includes one of the following:
- the authorization method includes one of the following:
- FIG5a is an interactive schematic diagram of an information indication method according to an embodiment of the present disclosure. As shown in FIG5a, the present disclosure embodiment relates to an information indication method, which is used in a communication system 100, and the method includes one of the following steps:
- Step S5101 The first network function sends first information to the first API caller.
- the first API caller receives the first information sent by the first network function.
- the first information indicates an authorization method
- the authorization method is the authorization method used by the first API caller.
- step S5101 can refer to the optional implementation of step S2101 in FIG. 2a and other related parts in the embodiment involved in FIG. 2a, which will not be described in detail here.
- the above method may include the methods of the above-mentioned communication system side, the first API caller side, the first network function side, etc., which will not be repeated here.
- FIG6a is an interactive schematic diagram of an information indication method according to an embodiment of the present disclosure. As shown in FIG6a, the embodiment of the present disclosure relates to an information indication method, and the method includes:
- Step S6101 The API caller (first API caller) sends the client type (e.g., public client or confidential client) to the CCF (first network function) during the onboarding process.
- the CCF then sends the API caller's identifier (first identifier) to the caller.
- the CCF creates an association between each API caller's identifier and client type.
- Step S6102 In order to obtain the authorization method to be used between the API caller, AEF/NEF and CCF, the API caller sends the identifier of the API caller to the CCF.
- Step S6103 The CCF selects an authorization method for the API caller based on the association between the API caller's identifier and the API caller's client type.
- CCF selects PKCE-based authorization or authorization code authorization that supports PKCE.
- CCF selects authorization code authorization or client credentials authorization.
- Step S6104 CCF notifies the API caller of information about the authorization method (e.g., authorization code authorization, authorization code authorization supporting PKCE, PKCE-based authorization, or client credential authorization).
- Step S6105 The API caller triggers the security process according to the selected authorization method.
- the API caller should send response type 'code' (response_type=code) and grant type 'authorization_code' (grant_type=authorization_code) to CCF to obtain the authorization code and token respectively.
- the API caller should send a code challenge (code_challenge) and a code verifier (code_verifier) to CCF to obtain an authorization code and a token respectively.
- the information indication method involved in the embodiment of the present disclosure may include at least one of steps S6101 to S6105.
- step S6101 may be implemented as an independent embodiment
- step S6102 may be implemented as an independent embodiment
- step S6103 may be implemented as an independent embodiment
- step S6104 may be implemented as an independent embodiment, but is not limited thereto.
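- The selection in steps S6101 to S6105, combined with the stored-policy rule of step S2104, sketched as an added Python example that is not part of the patent text. Assumptions: the `ToyCCF` class, its method names and the method label strings are hypothetical; the rule that a public client always gets PKCE and a confidential client gets client credentials or authorization code depending on the stored policy is one reading of the lists above; the S256 transform is taken from RFC 7636, since the page names code_challenge and code_verifier but no transform.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Labels for the three authorization methods the page names (label strings are assumptions).
CLIENT_CREDENTIALS = "client_credentials"
AUTHORIZATION_CODE = "authorization_code"
AUTHORIZATION_CODE_PKCE = "authorization_code_pkce"


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA-256(code_verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class ToyCCF:
    """In-memory stand-in for the first network function (CCF). Hypothetical."""
    # Resource owners whose authorization policy (the "first policy") is stored
    # locally, so they need not take part in authorization in real time.
    stored_policies: set = field(default_factory=set)
    client_types: dict = field(default_factory=dict)   # invoker ID -> client type
    pending_codes: dict = field(default_factory=dict)  # code -> (invoker ID, challenge)

    def onboard(self, client_type: str) -> str:
        """S6101: record the reported client type and hand back an invoker ID."""
        if client_type not in ("public", "confidential"):
            raise ValueError(f"unknown client type: {client_type!r}")
        invoker_id = "inv-" + secrets.token_hex(8)
        self.client_types[invoker_id] = client_type
        return invoker_id

    def select_method(self, invoker_id: str, resource_owner: str) -> str:
        """S6102-S6104: map invoker ID -> client type -> authorization method."""
        client_type = self.client_types.get(invoker_id)
        if client_type is None:
            raise PermissionError("invoker ID was never onboarded")
        if client_type == "public":
            # Assumed rule: a public client cannot hold a secret, so PKCE only.
            return AUTHORIZATION_CODE_PKCE
        if resource_owner in self.stored_policies:
            return CLIENT_CREDENTIALS       # no real-time owner participation
        return AUTHORIZATION_CODE           # owner must consent in real time

    def authorize(self, invoker_id, resource_owner, response_type, code_challenge=None):
        """S6105, first leg: issue a single-use authorization code."""
        method = self.select_method(invoker_id, resource_owner)
        if method == CLIENT_CREDENTIALS:
            raise PermissionError("selected method does not use an authorization code")
        if response_type != "code":
            raise ValueError("response_type must be 'code'")
        if method == AUTHORIZATION_CODE_PKCE and not code_challenge:
            raise PermissionError("PKCE was selected: code_challenge is required")
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (invoker_id, code_challenge)
        return code

    def token(self, invoker_id, grant_type, code, code_verifier=None):
        """S6105, second leg: redeem the code, enforcing the PKCE binding."""
        if grant_type != "authorization_code":
            raise ValueError("grant_type must be 'authorization_code'")
        # pop() makes the code single-use, even when the checks below fail.
        bound_invoker, challenge = self.pending_codes.pop(code, (None, None))
        if bound_invoker != invoker_id:
            raise PermissionError("unknown, replayed or foreign authorization code")
        if challenge is not None:
            candidate = s256_challenge(code_verifier or "")
            if not hmac.compare_digest(candidate.encode(), challenge.encode()):
                raise PermissionError("code_verifier does not match code_challenge")
        return "tok-" + secrets.token_urlsafe(16)


def run_flow():
    """Constructed walk-through; the owner names are sample values."""
    ccf = ToyCCF(stored_policies={"owner-with-policy"})
    public_id = ccf.onboard("public")
    verifier = secrets.token_urlsafe(32)    # 43 characters, valid per RFC 7636
    code = ccf.authorize(public_id, "owner-live", "code", s256_challenge(verifier))
    try:
        ccf.token(public_id, "authorization_code", code, "wrong-verifier")
        wrong_verifier_accepted = True
    except PermissionError:
        wrong_verifier_accepted = False
    code = ccf.authorize(public_id, "owner-live", "code", s256_challenge(verifier))
    token = ccf.token(public_id, "authorization_code", code, verifier)
    return wrong_verifier_accepted, token.startswith("tok-")


if __name__ == "__main__":
    print(run_flow())
```

- Because the CCF derives the method from its own identifier-to-client-type mapping, a caller cannot downgrade itself to a weaker method by what it sends in the later request.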
- the embodiments of the present disclosure also provide a device for implementing any of the above methods; for example, a device is provided that includes a unit or module for implementing each step performed by the terminal in any of the above methods.
- another device is provided, including a unit or module for implementing each step performed by a network device (for example, an access network device, or a core network device, etc.) in any of the above methods.
- the division of the units or modules in the above device is only a division of logical functions, which can be fully or partially integrated into one physical entity or physically separated in actual implementation.
- the units or modules in the device can be implemented in the form of a processor calling software: for example, the device includes a processor, the processor is connected to a memory, and instructions are stored in the memory.
- the processor calls the instructions stored in the memory to implement any of the above methods or implement the functions of the units or modules of the above device, wherein the processor is, for example, a general-purpose processor, such as a central processing unit (CPU) or a microprocessor, and the memory is a memory inside the device or a memory outside the device.
- the units or modules in the device may be implemented in the form of hardware circuits, and the functions of some or all of the units or modules may be implemented by designing the hardware circuits.
- the hardware circuits may be understood as one or more processors; for example, in one implementation, the hardware circuits are application-specific integrated circuits (ASICs), and the functions of some or all of the above units or modules may be implemented by designing the logical relationship of the components in the circuits; for another example, in another implementation, the hardware circuits may be implemented by programmable logic devices (PLDs), and Field Programmable Gate Arrays (FPGAs) may be used as an example, which may include a large number of logic gate circuits, and the connection relationship between the logic gate circuits may be configured by configuring the configuration files, thereby implementing the functions of some or all of the above units or modules. All units or modules of the above devices may be implemented in the form of software called by the processor, or in the form of hardware circuits, or in the form of software called by the processor, and the remaining part may be implemented in
- the processor is a circuit with signal processing capability.
- the processor may be a circuit with instruction reading and running capability, such as a central processing unit (CPU), a microprocessor, a graphics processing unit (GPU) (which may be understood as a microprocessor), or a digital signal processor (DSP); in another implementation, the processor may implement certain functions through the logical relationship of a hardware circuit, and the logical relationship of the above hardware circuit may be fixed or reconfigurable, such as a hardware circuit implemented by an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), such as an FPGA.
- the process of the processor loading a configuration document to implement the hardware circuit configuration may be understood as the process of the processor loading instructions to implement the functions of some or all of the above units or modules.
- it can also be a hardware circuit designed for artificial intelligence, which can be understood as an ASIC, such as a neural network processing unit (NPU), a tensor processing unit (TPU), a deep learning processing unit (DPU), etc.
- FIG7a is a schematic diagram of the structure of the first API caller provided in an embodiment of the present disclosure.
- the first API caller 7100 includes: a transceiver module 7101 and a processing module 7102; the transceiver module 7101 is configured to send the first information; the processing module 7102 is configured to perform processing operations.
- the transceiver module 7101 is used to execute the steps related to information reception and transmission performed by the first API caller 7100 in any of the above information indication methods, which are not repeated here.
- the processing module 7102 is used to execute the steps related to information processing performed by the first API caller in any of the above information indication methods, which are not repeated here.
- FIG7b is a schematic diagram of the structure of the first network function provided by an embodiment of the present disclosure.
- the first network function 7200 includes: a transceiver module 7201 and a processing module 7202; the transceiver module 7201 is configured to receive the first information; the processing module 7202 is configured to perform processing operations.
- the transceiver module 7201 is used to execute the steps related to information transceiving performed by the first network function 7100 in any of the above information indication methods, which are not repeated here.
- the processing module 7202 is used to execute the steps related to information processing performed by the first network function in any of the above information indication methods, which are not repeated here.
- FIG. 8a is a schematic diagram of the structure of a communication device 8100 provided in an embodiment of the present disclosure.
- the communication device 8100 may be a network device (e.g., an access network device or a core network device, etc.), or a terminal (e.g., a user device, etc.), or a chip, a chip system, or a processor, etc. that supports a network device to implement any of the above methods, or a chip, a chip system, or a processor, etc. that supports a terminal to implement any of the above information indication methods.
- the communication device 8100 may be used to implement the information indication method described in the above method embodiment, and the details may refer to the description in the above method embodiment.
- the communication device 8100 includes one or more processors 8101.
- the processor 8101 may be a general-purpose processor or a dedicated processor, for example, a baseband processor or a central processing unit.
- the baseband processor may be used to process the communication protocol and the communication data.
- the central processing unit may be used to control the communication device (such as a base station, a baseband chip, a terminal device, a terminal device chip, a DU or a CU, etc.), execute a program, and process the data of the program.
- the processor 8101 is used to call instructions so that the communication device 8100 executes any of the above communication methods.
- the communication device 8100 further includes one or more memories 8102 for storing instructions.
- the memory 8102 may also be outside the communication device 8100.
- the communication device 8100 further includes one or more transceivers 8103.
- the communication steps such as sending and receiving in the above method are executed by the transceiver 8103, and the other steps are executed by the processor 8101.
- the transceiver may include a receiver and a transmitter, and the receiver and the transmitter may be separate or integrated.
- the terms such as transceiver, transceiver unit, transceiver, transceiver circuit, etc. may be replaced with each other, the terms such as transmitter, transmission unit, transmitter, transmission circuit, etc. may be replaced with each other, and the terms such as receiver, receiving unit, receiver, receiving circuit, etc. may be replaced with each other.
- the communication device 8100 further includes one or more interface circuits 8104, which are connected to the memory 8102.
- the interface circuit 8104 can be used to receive signals from the memory 8102 or other devices, and can be used to send signals to the memory 8102 or other devices.
- the interface circuit 8104 can read instructions stored in the memory 8102 and send the instructions to the processor 8101.
- the communication device 8100 described in the above embodiments may be a network device or a terminal, but the scope of the communication device 8100 described in the present disclosure is not limited thereto, and the structure of the communication device 8100 may not be limited by FIG. 8a.
- the communication device may be an independent device or may be part of a larger device.
- the communication device may be: (1) an independent integrated circuit IC, or a chip, or a chip system or subsystem; (2) a collection of one or more ICs, optionally, the above IC collection may also include a storage component for storing data and programs; (3) an ASIC, such as a modem; (4) a module that can be embedded in other devices; (5) a receiver, a terminal device, an intelligent terminal device, a cellular phone, a wireless device, a handheld device, a mobile unit, a vehicle-mounted device, a network device, a cloud device, an artificial intelligence device, etc.; (6) others, etc.
- FIG. 8b is a schematic diagram of the structure of a chip 8200 provided in an embodiment of the present disclosure.
- the communication device 8100 may be a chip or a chip system.
- the chip 8200 includes one or more processors 8201, and the processor 8201 is used to call instructions so that the chip 8200 executes any of the above communication methods.
- the chip 8200 further includes one or more interface circuits 8202, which are connected to the memory 8203.
- the interface circuit 8202 can be used to receive signals from the memory 8203 or other devices, and the interface circuit 8202 can be used to send signals to the memory 8203 or other devices.
- the interface circuit 8202 can read the instructions stored in the memory 8203 and send the instructions to the processor 8201.
- the terms such as interface circuit, interface, transceiver pin, and transceiver can be replaced with each other.
- the chip 8200 further includes one or more memories 8203 for storing instructions.
- the memory 8203 may be outside the chip 8200.
- the present disclosure also provides a storage medium, on which instructions are stored, and when the instructions are executed on the communication device 8100, the communication device 8100 executes any of the above methods.
- the storage medium is an electronic storage medium.
- the storage medium is a computer-readable storage medium, but it can also be a storage medium readable by other devices.
- the storage medium can be a non-transitory storage medium, but it can also be a temporary storage medium.
- the present disclosure also provides a program product, and when the program product is executed by the communication device 8100, the communication device 8100 executes any one of the above communication methods.
- the program product is a computer program product.
- the present disclosure also provides a computer program, which, when executed on a computer, enables the computer to execute any one of the above communication methods.
Description
The present disclosure relates to the field of communication technology, and in particular to an information indication method, a first API caller, a first network function and a storage medium.
In the field of communication technology, in the SNAAPPY or RNAA scenario (a scenario that requires user participation in authorization), in order to enable resource owners (for example, end users, subscribers, etc.) to authorize application programming interface (API) callers, the Common API Framework (CAPIF) needs to support new security methods.
Summary of the invention
During the authorization process, the authorization method is not clear.
The embodiments of the present disclosure provide an information indication method, a first API caller, a first network function and a storage medium.
According to a first aspect of an embodiment of the present disclosure, there is provided an information indication method, the method being executed by a first application programming interface (API) caller, the method comprising:
receiving first information sent by a first network function;
wherein the first information indicates an authorization method, and the authorization method is the authorization method used by the first API caller.
According to a second aspect of an embodiment of the present disclosure, an information indication method is provided, the method being performed by a first network function, the method comprising:
determining an authorization method;
wherein the authorization method is the authorization method used by the first API caller.
According to a third aspect of an embodiment of the present disclosure, there is provided an information indication method, which is applied to a communication system, the method comprising:
the first network function sends first information to the first API caller;
the first API caller receives the first information sent by the first network function;
wherein the first information indicates an authorization method, and the authorization method is the authorization method used by the first API caller.
According to a fourth aspect of an embodiment of the present disclosure, a first API caller is provided, wherein the first API caller includes:
a transceiver module, configured to:
receive first information sent by a first network function;
wherein the first information indicates an authorization method, and the authorization method is the authorization method used by the first API caller.
According to a fifth aspect of an embodiment of the present disclosure, a first network function is provided, wherein the first network function includes:
a processing module, configured to:
determine an authorization method;
wherein the authorization method is the authorization method used by the first API caller.
According to a sixth aspect of an embodiment of the present disclosure, a communication system is provided, wherein the communication system includes a first API caller and a first network function, the first API caller is configured to implement the information indication method provided by the first aspect, and the first network function is configured to implement the information indication method provided by the second aspect.
According to a seventh aspect of an embodiment of the present disclosure, a first API caller is provided, wherein the first API caller includes:
one or more processors;
wherein the processor is used to call instructions so that the first API caller executes the information indication method provided by the first aspect.
According to an eighth aspect of an embodiment of the present disclosure, a first network function is provided, wherein the first network function includes:
one or more processors;
wherein the processor is used to call instructions so that the first network function executes the information indication method provided by the second aspect.
According to a ninth aspect of an embodiment of the present disclosure, a storage medium is provided, wherein the storage medium stores instructions, and when the instructions are executed on a communication device, the communication device executes the information indication method provided by the first aspect, the second aspect or the third aspect.
The technical solution provided by the embodiments of the present disclosure can clarify the authorization method.
It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the embodiments of the present disclosure.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present invention and, together with the description, serve to explain the principles of the embodiments of the present invention.
FIG. 1 is a schematic diagram showing an architecture of a communication system according to an exemplary embodiment;
FIG. 2a is a schematic flow chart of an information indication method according to an exemplary embodiment;
FIG. 3a is a schematic flow chart of an information indication method according to an exemplary embodiment;
FIG. 3b is a schematic flow chart of an information indication method according to an exemplary embodiment;
FIG. 4a is a schematic flow chart of an information indication method according to an exemplary embodiment;
FIG. 4b is a schematic flow chart of an information indication method according to an exemplary embodiment;
FIG. 5a is a schematic flow chart of an information indication method according to an exemplary embodiment;
FIG. 6a is a schematic flow chart of an information indication method according to an exemplary embodiment;
FIG. 7a is a schematic diagram showing the structure of a first API caller according to an exemplary embodiment;
FIG. 7b is a schematic structural diagram of a first network function according to an exemplary embodiment;
FIG. 8a is a schematic structural diagram of a UE according to an exemplary embodiment;
FIG. 8b is a schematic structural diagram of a communication device according to an exemplary embodiment.
The embodiments of the present disclosure provide an information indication method, a first API caller, a first network function and a storage medium.
In a first aspect, an embodiment of the present disclosure provides an information indication method, the method being executed by a first application programming interface (API) caller, the method comprising:
receiving first information sent by a first network function;
wherein the first information indicates an authorization method, and the authorization method is the authorization method used by the first API caller.
In the above embodiment, after receiving the first information, the first API caller can perform authorization using the authorization method indicated by the first information.
In combination with some embodiments of the first aspect, in some embodiments, the method further includes:
sending second information to the first network function;
wherein the second information indicates a client type of the first API caller, and the client type is used by the first network function to determine the authorization method used by the first API caller.
In the above embodiment, after the first network function receives the second information indicating the client type of the first API caller, it can determine the authorization method used by the first API caller based on the client type, so that the authorization method used is made clear.
In combination with some embodiments of the first aspect, in some embodiments, the method further includes:
receiving third information sent by the first network function;
wherein the third information includes the first identifier configured by the first network function for the first API caller, and the first API caller is set with a mapping relationship between the first identifier and the client type and/or the first network function is set with a mapping relationship between the first identifier and the client type.
In the above embodiment, after receiving the third information including the first identifier configured by the first network function for the first API caller, the first API caller can report the client type of the first API caller based on the first identifier.
In combination with some embodiments of the first aspect, in some embodiments, the mapping relationship is created by the first network function.
In the above embodiment, since the first network function creates the mapping relationship, the first API caller can determine the first identifier corresponding to the client type based on the mapping relationship.
In combination with some embodiments of the first aspect, in some embodiments, the method further includes:
sending fourth information to the first network function;
wherein the fourth information includes the first identifier.
In the above embodiment, since the fourth information includes the first identifier, the first network function can determine the authorization method corresponding to the fourth information after receiving the fourth information, and send the determined authorization method information to the first network function based on the request of the first API caller.
In combination with some embodiments of the first aspect, in some embodiments, the first information indicates the authorization method determined by the first network function based on the first identifier. In the above embodiments, after receiving the first information, the first network function can clearly determine the authorization method to be used.
In combination with some embodiments of the first aspect, in some embodiments, the method further includes:
starting the corresponding authorization process based on the authorization method.
In the above embodiment, the corresponding authorization process can be started based on the clearly determined authorization method, and the authorization mechanism is more complete and reliable.
In combination with some embodiments of the first aspect, in some embodiments, the authorization method is authorization code authorization, and the method further includes:
sending fifth information to the first network function;
wherein the fifth information includes information that the response type is code and/or the authorization type is authorization code, and the fifth information is used to obtain the authorization code and/or token.
In the above embodiment, the authorization code and/or token may be obtained by sending the fifth information.
In combination with some embodiments of the first aspect, in some embodiments, the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE, and the method further includes:
sending sixth information to the first network function;
wherein the sixth information includes information of code challenge and/or code verification, and the sixth information is used to obtain an authorization code and/or a token.
In the above embodiment, the authorization code and/or token may be obtained by sending the sixth information.
In combination with some embodiments of the first aspect, in some embodiments, the client type includes one of the following:
public client;
confidential client.
In combination with some embodiments of the first aspect, in some embodiments, the authorization method includes one of the following:
authorization code authorization (authorization code grant);
authorization code authorization supporting the Proof Key of Code Exchange, PKCE (authorization code grant with the Proof Key of Code Exchange);
authorization based on the Proof Key of Code Exchange (PKCE);
client credential authorization.
In a second aspect, an embodiment of the present disclosure provides an information indication method, the method being performed by a first network function, the method comprising:
determining an authorization method;
wherein the authorization method is the authorization method used by the first API caller.
In the above embodiment, the authorization method can be clearly determined, which improves the authorization mechanism and makes the authorization more reliable compared to the situation where the authorization method cannot be clearly determined.
In combination with some embodiments of the second aspect, in some embodiments, determining the authorization method includes:
determining the authorization method based on the first policy and/or a determination result of whether the first resource owner needs to participate in the authorization in real time;
wherein the first policy is an authorization policy related to the first resource owner.
In the above embodiment, the authorization method can be determined based on the first policy and/or the determination result of whether the first resource owner needs to participate in the authorization in real time, so the determination is more flexible.
In combination with some embodiments of the second aspect, in some embodiments, determining the authorization method based on the first policy and/or a determination result of whether the first resource owner needs to participate in the authorization in real time includes one of the following:
if the first network function locally stores the first policy and it is determined that the first resource owner does not need to participate in authorization in real time, determining that the authorization method is client credential authorization;
if the first resource owner is required to participate in the authorization in real time, determining that the authorization method is authorization code authorization, PKCE-based authorization, or authorization code authorization supporting PKCE.
In the above embodiment, different authorization methods may be determined based on the first policy and/or the determination result of whether the first resource owner is required to participate in the authorization in real time.
In combination with some embodiments of the second aspect, in some embodiments, the method further includes:
receiving second information sent by the first API caller;
wherein the second information indicates a client type of the first API caller, and the client type is used by the first network function to determine the authorization method used by the first API caller.
In combination with some embodiments of the second aspect, in some embodiments, the method further includes:
sending third information to the first API caller;
wherein the third information includes the first identifier configured by the first network function for the first API caller; the first API caller is set with a mapping relationship between the first identifier and the client type and/or the first network function is set with a mapping relationship between the first identifier and the client type.
In combination with some embodiments of the second aspect, in some embodiments, the method further includes:
creating the mapping relationship.
In combination with some embodiments of the second aspect, in some embodiments, the method further includes:
receiving fourth information sent by the first API;
wherein the fourth information includes the first identifier.
In combination with some embodiments of the second aspect, in some embodiments, the method further includes:
determining the client type corresponding to the first identifier;
the determining of the authorization method;
determining the authorization method based on the client type.
In combination with some embodiments of the second aspect, in some embodiments, determining the authorization method based on the client type includes at least one of the following:
if the client type is a public client, determining that the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE;
if the client type is a public client, determining that the authorization method is not authorization code authorization;
if the client type is a public client, determining that the authorization method is not client credential authorization;
if the client type is a confidential client, determining that the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE;
if the client type is a confidential client, determining that the authorization method is authorization code authorization;
if the client type is a confidential client, determining that the authorization method is client credential authorization.
In the above embodiment, different authorization methods may be determined based on different client types.
In combination with some embodiments of the second aspect, in some embodiments, determining, if the client type is a confidential client, that the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE includes:
if the client type is a confidential client and the first network function does not locally store a first policy related to the first resource owner, determining that the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE;
if the client type is a confidential client and the first resource owner needs to participate in the authorization in real time, determining that the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE.
In the above embodiments, different authorization methods may be determined.
In combination with some embodiments of the second aspect, in some embodiments, determining, if the client type is a confidential client, that the authorization method is authorization code authorization includes:
if the client type is a confidential client and the first network function does not locally store a first policy related to the first resource owner, determining that the authorization method is authorization code authorization;
if the client type is a confidential client and the first resource owner needs to participate in the authorization in real time, determining that the authorization method is authorization code authorization.
In combination with some embodiments of the second aspect, in some embodiments, determining, if the client type is a confidential client, that the authorization method is client credential authorization includes:
if the client type is a confidential client, the first network function locally stores a first policy related to the first resource owner, and the first resource owner does not need to participate in authorization in real time, determining that the authorization method is client credential authorization.
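The selection rules above can be read as one decision procedure on the network function side. The following Python sketch is an added illustration, not code from the disclosure: the class and function names, the random first identifier, the fail-closed handling of an unknown identifier and the preference order among permitted methods are all assumptions of the example.

```python
import secrets
from dataclasses import dataclass
from enum import Enum


class ClientType(Enum):
    PUBLIC = "public client"
    CONFIDENTIAL = "confidential client"


class AuthMethod(Enum):
    AUTH_CODE = "authorization code authorization"
    # One member stands for both "PKCE-based authorization" and "authorization
    # code authorization supporting PKCE", which the text always names together.
    AUTH_CODE_PKCE = "authorization code authorization supporting PKCE"
    CLIENT_CREDENTIALS = "client credential authorization"


@dataclass(frozen=True)
class OwnerContext:
    policy_stored_locally: bool   # first policy is held by the network function
    realtime_owner_needed: bool   # resource owner must take part in real time


def allowed_methods(client_type, ctx):
    """Return the set of authorization methods the rules permit."""
    if client_type is ClientType.PUBLIC:
        # Public client: PKCE only; never plain authorization code,
        # never client credentials.
        return frozenset({AuthMethod.AUTH_CODE_PKCE})
    if client_type is ClientType.CONFIDENTIAL:
        if ctx.policy_stored_locally and not ctx.realtime_owner_needed:
            return frozenset({AuthMethod.CLIENT_CREDENTIALS})
        # No local policy, or the owner must participate in real time.
        return frozenset({AuthMethod.AUTH_CODE_PKCE, AuthMethod.AUTH_CODE})
    raise ValueError(f"unsupported client type: {client_type!r}")


class UnknownIdentifierError(KeyError):
    """The first identifier was never configured by this network function."""


class NetworkFunction:
    # Assumption of this example: when several methods are permitted,
    # indicate the PKCE variant first.
    PREFERENCE = (
        AuthMethod.AUTH_CODE_PKCE,
        AuthMethod.AUTH_CODE,
        AuthMethod.CLIENT_CREDENTIALS,
    )

    def __init__(self):
        self._type_by_identifier = {}  # mapping: first identifier -> client type

    def configure_identifier(self, client_type):
        """Second information in, third information (first identifier) out."""
        identifier = secrets.token_urlsafe(16)  # constructed value, format assumed
        self._type_by_identifier[identifier] = client_type
        return identifier

    def indicate_method(self, identifier, ctx):
        """Fourth information in, first information (authorization method) out."""
        try:
            client_type = self._type_by_identifier[identifier]
        except KeyError:
            # Fail closed: no mapping means no method is indicated.
            raise UnknownIdentifierError("first identifier not configured") from None
        permitted = allowed_methods(client_type, ctx)
        return next(m for m in self.PREFERENCE if m in permitted)


if __name__ == "__main__":
    nf = NetworkFunction()
    ident = nf.configure_identifier(ClientType.CONFIDENTIAL)
    print(nf.indicate_method(ident, OwnerContext(True, False)).value)
```
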
In combination with some embodiments of the second aspect, in some embodiments, the method further includes:
sending first information to the first API caller;
wherein the first information indicates the authorization method.
In combination with some embodiments of the second aspect, in some embodiments, the authorization method is authorization code authorization, and the method further includes:
receiving fifth information sent by the first API caller;
wherein the fifth information includes information that the response type is code and/or the authorization type is authorization code, and the fifth information is used to obtain the authorization code and/or token.
In combination with some embodiments of the second aspect, in some embodiments, the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE, and the method further includes:
receiving sixth information sent by the first API caller;
wherein the sixth information includes information of code challenge and/or code verification, and the sixth information is used to obtain an authorization code and/or a token.
In combination with some embodiments of the second aspect, in some embodiments, the client type includes one of the following:
public client;
confidential client.
In combination with some embodiments of the second aspect, in some embodiments, the authorization method includes one of the following:
authorization code authorization;
authorization code authorization supporting the Proof Key of Code Exchange (PKCE);
authorization based on the Proof Key of Code Exchange (PKCE);
client credential authorization.
In a third aspect, an embodiment of the present disclosure provides an information indication method applied to a communication system, the method including:
the first network function sends first information to the first API caller;
the first API caller receives the first information sent by the first network function;
wherein the first information indicates an authorization method, and the authorization method is the authorization method used by the first API caller.
In a fourth aspect, an embodiment of the present disclosure provides a first API caller, characterized in that the first API caller includes:
a transceiver module, configured to:
receive first information sent by a first network function;
wherein the first information indicates an authorization method, and the authorization method is the authorization method used by the first API caller.
In a fifth aspect, an embodiment of the present disclosure provides a first network function, characterized in that the first network function includes:
a processing module, configured to:
determine an authorization method;
wherein the authorization method is the authorization method used by the first API caller.
In a sixth aspect, an embodiment of the present disclosure provides a communication system, wherein the communication system includes a first API caller and a first network function, the first API caller is configured to implement the information indication method described in the optional implementations of the first aspect, and the first network function is configured to implement the information indication method described in the optional implementations of the second aspect.
In a seventh aspect, an embodiment of the present disclosure provides a first API caller, the first API caller including:
one or more processors;
wherein the processor is configured to invoke instructions so that the first API caller executes the information indication method described in the optional implementations of the first aspect.
In an eighth aspect, an embodiment of the present disclosure provides a first network function, the first network function including:
one or more processors;
wherein the processor is configured to invoke instructions so that the first network function executes the information indication method described in the optional implementations of the first aspect.
In a ninth aspect, an embodiment of the present disclosure provides a storage medium, wherein the storage medium stores instructions which, when run on a communication device, cause the communication device to execute the information indication method described in the optional implementations of the first aspect, the second aspect or the third aspect.
In an eleventh aspect, an embodiment of the present disclosure provides a program product which, when executed by a communication device, causes the communication device to execute the information indication method described in the optional implementations of the first aspect, the second aspect or the third aspect.
In a twelfth aspect, an embodiment of the present disclosure provides a computer program which, when run on a computer, causes the computer to execute the information indication method described in the optional implementations of the first aspect, the second aspect or the third aspect.
It can be understood that the above first API caller, first network function, communication system, storage medium, program product and computer program are all used to execute the methods provided by the embodiments of the present disclosure. Therefore, for the beneficial effects they can achieve, reference may be made to the beneficial effects of the corresponding methods, which are not repeated here.
Embodiments of the present disclosure provide an information indication method, a first API caller, a first network function, a communication system and a storage medium. In some embodiments, the terms information indication method, information processing method, information transmission method and the like can be used interchangeably.
The embodiments of the present disclosure are not exhaustive; they merely illustrate some embodiments and are not a specific limitation on the scope of protection of the present disclosure. Where there is no contradiction, each step in an embodiment can be implemented as an independent embodiment, and the steps can be combined arbitrarily. For example, a solution obtained by removing some steps from an embodiment can also be implemented as an independent embodiment, and the order of the steps in an embodiment can be exchanged arbitrarily. In addition, the optional implementations within an embodiment can be combined arbitrarily, and the embodiments themselves can be combined arbitrarily: for example, some or all of the steps of different embodiments can be combined arbitrarily, and an embodiment can be combined arbitrarily with the optional implementations of other embodiments.
In the embodiments of the present disclosure, unless otherwise specified and absent logical conflict, the terms and/or descriptions of the embodiments are consistent and may be referenced by one another, and technical features of different embodiments may be combined according to their inherent logical relationships to form new embodiments.
The terms used in the embodiments of the present disclosure are only for the purpose of describing specific embodiments and are not intended to limit the present disclosure.
In the embodiments of the present disclosure, unless otherwise specified, elements expressed in the singular form, such as "a", "an", "the", "above", "said", "aforementioned" and "this", may mean "one and only one", or "one or more", "at least one", etc. For example, where articles such as "a", "an" and "the" in English are used in translation, the noun after the article may be understood as singular or as plural.
In the embodiments of the present disclosure, "a plurality of" refers to two or more.
In some embodiments, terms such as "at least one of", "one or more", "a plurality of" and "multiple" can be used interchangeably.
In some embodiments, expressions such as "at least one of A and B", "A and/or B", "in one case A, in another case B" and "one case A, another case B" may, depending on the situation, include the following technical solutions: in some embodiments, A (A is executed independently of B); in some embodiments, B (B is executed independently of A); in some embodiments, a selection is made between A and B (A and B are selectively executed); in some embodiments, A and B (both A and B are executed). The same applies when there are more branches such as A, B and C.
In some embodiments, expressions such as "A or B" may, depending on the situation, include the following technical solutions: in some embodiments, A (A is executed independently of B); in some embodiments, B (B is executed independently of A); in some embodiments, a selection is made between A and B (A and B are selectively executed). The same applies when there are more branches such as A, B and C.
Prefixes such as "first" and "second" in the embodiments of the present disclosure are used only to distinguish different described objects and do not restrict the position, order, priority, quantity or content of those objects. For statements about a described object, refer to the context in the claims or embodiments; use of a prefix should not create an unnecessary restriction. For example, if the described object is a "field", the ordinals before "field" in "first field" and "second field" do not limit the position or order of the fields: "first" and "second" do not limit whether the fields they modify are in the same message, nor do they limit the order of the "first field" and the "second field". As another example, if the described object is a "level", the ordinals before "level" in "first level" and "second level" do not limit the priority between the levels. As another example, the number of described objects is not limited by the ordinal and can be one or more; taking "first device" as an example, the number of "devices" can be one or more. In addition, objects modified by different prefixes may be the same or different. For example, if the described object is a "device", the "first device" and the "second device" may be the same device or different devices, and their types may be the same or different. As another example, if the described object is "information", the "first information" and the "second information" may be the same information or different information, and their contents may be the same or different.
In some embodiments, "including A", "comprising A", "used to indicate A" and "carrying A" can be interpreted as directly carrying A or as indirectly indicating A.
In some embodiments, terms such as "…", "determining …", "in the case of …", "at the time of …", "when …", "if …" and "in case …" can be used interchangeably.
In some embodiments, terms such as "greater than", "greater than or equal to", "not less than", "more than", "more than or equal to", "no fewer than", "higher than", "higher than or equal to", "not lower than" and "above" can be used interchangeably, and terms such as "less than", "less than or equal to", "not greater than", "fewer than", "fewer than or equal to", "no more than", "lower than", "lower than or equal to", "not higher than" and "below" can be used interchangeably.
In some embodiments, an apparatus or the like can be interpreted as physical or as virtual, and its name is not limited to the names recorded in the embodiments. Terms such as "apparatus", "equipment", "device", "circuit", "network element", "node", "function", "unit", "section", "system", "network", "chip", "chip system", "entity" and "subject" can be used interchangeably.
In some embodiments, "network" may be interpreted as the devices included in the network (e.g., access network devices, core network devices, etc.).
In some embodiments, terms such as "access network device (AN device)", "radio access network device (RAN device)", "base station (BS)", "radio base station", "fixed station", "node", "access point", "transmission point (TP)", "reception point (RP)", "transmission/reception point (TRP)", "panel", "antenna panel", "antenna array", "cell", "macro cell", "small cell", "femto cell", "pico cell", "sector", "cell group", "serving cell", "carrier", "component carrier" and "bandwidth part (BWP)" can be used interchangeably.
In some embodiments, terms such as "terminal", "terminal device", "user equipment (UE)", "user terminal", "mobile station (MS)", "mobile terminal (MT)", subscriber station, mobile unit, subscriber unit, wireless unit, remote unit, mobile device, wireless device, wireless communication device, remote device, mobile subscriber station, access terminal, mobile terminal, wireless terminal, remote terminal, handset, user agent, mobile client and client can be used interchangeably.
In some embodiments, the access network device, the core network device, or the network device may be replaced by a terminal. For example, the embodiments of the present disclosure may also be applied to a structure in which communication between an access network device, a core network device, or a network device and a terminal is replaced by communication among multiple terminals (for example, device-to-device (D2D), vehicle-to-everything (V2X), etc.). In this case, the terminal may be configured to have all or part of the functions of the access network device. In addition, terms such as "uplink" and "downlink" may be replaced with terms corresponding to terminal-to-terminal communication (for example, "side"). For example, an uplink channel, a downlink channel, etc. may be replaced with a side channel, and an uplink, a downlink, etc. may be replaced with a sidelink.
In some embodiments, the terminal may be replaced by an access network device, a core network device, or a network device. In this case, the access network device, the core network device, or the network device may be configured to have all or part of the functions of the terminal.
In some embodiments, the acquisition of data, information, etc. may comply with the laws and regulations of the country where the data is obtained.
In some embodiments, data, information, etc. may be obtained with the user's consent.
In addition, each element, each row, or each column in the tables of the embodiments of the present disclosure may be implemented as an independent embodiment, and any combination of elements, rows, and columns may also be implemented as an independent embodiment.
FIG. 1 is a schematic diagram of the architecture of a communication system according to an embodiment of the present disclosure.
As shown in FIG. 1, the communication system 100 includes a first API caller 101 and a first network function 102. A network function may be a network element. The communication system 100 of the present disclosure may also include terminals, access network devices, etc., which is not limited here.
In some embodiments, the first network function 102 may be a CAPIF core function (CCF).
The communication system may also include a second network function, a third network function, a fourth network function, and the like.
In some embodiments, the second network function may be a Network Exposure Function (NEF) or an Application Programming Interface (API) Exposing Function (AEF).
In some embodiments, the third network function may be Unified Data Management (UDM).
In some embodiments, the fourth network function may be a Gateway Mobile Location Center (GMLC) or a sensing function.
In some embodiments, the terminal includes, for example, at least one of the following, but is not limited thereto: a mobile phone, a wearable device, an Internet of Things device, a car with a communication function, a smart car, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal device in industrial control, a wireless terminal device in self-driving, a wireless terminal device in remote medical surgery, a wireless terminal device in a smart grid, a wireless terminal device in transportation safety, a wireless terminal device in a smart city, and a wireless terminal device in a smart home.
In some embodiments, the access network device may be, for example, a node or device that connects a terminal to a wireless network. The access network device may include at least one of the following, but is not limited thereto: an evolved NodeB (eNB) in a 5G communication system, a next generation eNB (ng-eNB), a next generation NodeB (gNB), a node B (NB), a home node B (HNB), a home evolved nodeB (HeNB), a wireless backhaul device, a radio network controller (RNC), a base station controller (BSC), a base transceiver station (BTS), a base band unit (BBU), a mobile switching center, a base station in a 6G communication system, an open base station (Open RAN), a cloud base station (Cloud RAN), a base station in another communication system, and an access node in a Wi-Fi system.
In some embodiments, the technical solution of the present disclosure may be applied to the Open RAN architecture. In this case, the interfaces between access network devices or within an access network device involved in the embodiments of the present disclosure may become internal interfaces of Open RAN, and the procedures and information exchange between these internal interfaces may be implemented through software or programs.
In some embodiments, the access network device may be composed of a central unit (CU) and a distributed unit (DU), where the CU may also be called a control unit. With the CU-DU structure, the protocol layers of the access network device can be split: the functions of some protocol layers are centrally controlled in the CU, the functions of the remaining protocol layers, in part or in full, are distributed in the DU, and the CU centrally controls the DU, but this is not limiting.
In some embodiments, the core network device may be one device that includes a first network element, etc., or may be multiple devices or a group of devices, each including a first network element. A network element may be virtual or physical. The core network includes, for example, at least one of an Evolved Packet Core (EPC), a 5G Core Network (5GCN), and a Next Generation Core (NGC).
It can be understood that the communication system described in the embodiments of the present disclosure is intended to explain the technical solutions of those embodiments more clearly and does not limit the technical solutions they provide. A person of ordinary skill in the art will appreciate that, as system architectures evolve and new service scenarios emerge, the technical solutions provided by the embodiments of the present disclosure are equally applicable to similar technical problems.
The following embodiments of the present disclosure may be applied to the communication system 100 shown in FIG. 1, or to some of its subjects, but are not limited thereto. The subjects shown in FIG. 1 are examples. The communication system may include all or some of the subjects in FIG. 1, and may also include subjects other than those in FIG. 1. The number and form of the subjects are arbitrary, and the connection relationships between the subjects are examples: the subjects may or may not be connected, and a connection may be of any kind, direct or indirect, wired or wireless.
The embodiments of the present disclosure may be applied to Long Term Evolution (LTE), LTE-Advanced (LTE-A), LTE-Beyond (LTE-B), SUPER 3G, IMT-Advanced, the 4th generation mobile communication system (4G), the 5th generation mobile communication system (5G), 5G new radio (NR), Future Radio Access (FRA), New-Radio Access Technology (RAT), New Radio (NR), New radio access (NX), Future generation radio access (FX), Global System for Mobile communications (GSM (registered trademark)), CDMA2000, Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi (registered trademark)), IEEE 802.16 (WiMAX (registered trademark)), IEEE 802.20, Ultra-WideBand (UWB), Bluetooth (registered trademark), Public Land Mobile Network (PLMN) networks, Device-to-Device (D2D) systems, Machine-to-Machine (M2M) systems, Internet of Things (IoT) systems, Vehicle-to-Everything (V2X), systems using other communication methods, and next-generation systems extended on the basis of them. In addition, a combination of multiple systems (for example, a combination of LTE or LTE-A with 5G) may also be applied.
In some embodiments, an API caller can be authorized to request services, and CAPIF supports security methods such as Transport Layer Security pre-shared key ciphersuites (TLS-PSK), public key infrastructure (PKI), and Transport Layer Security (TLS) with OAuth tokens.
In some embodiments, in SNAAPPY or RNAA scenarios, in order to enable a resource owner (e.g., an end user, a subscriber, etc.) to authorize an API caller, CAPIF needs to support new security methods, including authorization code grant and authorization code grant with Proof Key of Code Exchange (PKCE). Both of these new security methods are based on OAuth tokens.
In some embodiments, since client credentials grant, authorization code grant, and authorization code grant with PKCE are all OAuth-token-based security methods, CAPIF should inform the API caller of the selected security method that it should trigger before the API caller starts the security procedure. However, CAPIF has no mechanism for selecting an OAuth-token-based security method for the API caller.
FIG. 2a is an interaction diagram of an information indication method according to an embodiment of the present disclosure. As shown in FIG. 2a, the embodiment of the present disclosure relates to an information indication method for the communication system 100, and the method includes:
Step S2101: The first API caller sends second information to the first network function.
In some embodiments, the first network function receives the second information sent by the first API caller.
In some embodiments, the second information indicates the client type of the first API caller.
In some embodiments, the client type includes one of the following:
public client;
confidential client.
In some embodiments, the client type is used by the first network function to determine the authorization method used by the first API caller.
In some embodiments, the authorization method includes one of the following:
authorization code grant;
authorization code grant with PKCE (Authorization code grant with the Proof Key of Code Exchange);
PKCE-based authorization;
client credentials grant.
In some embodiments, PKCE-based authorization and authorization code grant with PKCE are consistent at the PKCE level.
In some embodiments, the first API caller can be authorized to process the resources of a first resource owner.
In some embodiments, the first resource owner may be one of the following: an end user, a subscriber, or a terminal (UE).
In some embodiments, the first API caller (API invoker) may be one of the following: an application function, a terminal, an application residing on the UE, or a client in the UE.
Step S2102: The first network function sends third information to the first API caller.
In some embodiments, the first API caller receives the third information sent by the first network function.
In some embodiments, the third information includes a first identifier configured by the first network function for the first API caller.
In some embodiments, the first identifier may be one of the following:
an API caller identifier (API invoker identifier or API invoker ID);
an assigned API caller identifier (assigned API invoker ID).
In some embodiments, the first API caller can report its client type, and the first network function (e.g., the CCF) can assign an API invoker identifier to the first API caller and create, on the first network function side, a mapping relationship between the two.
In some embodiments, the first API caller is provided with the mapping relationship between the first identifier and the client type.
In some embodiments, the first network function is provided with the mapping relationship between the first identifier and the client type.
In some embodiments, the first network function creates the mapping relationship.
Step S2103: The first API caller sends fourth information to the first network function.
In some embodiments, the first network function receives the fourth information sent by the first API caller.
In some embodiments, the fourth information includes the first identifier.
In some embodiments, the fourth information is used to request the authorization method determined by the first network function based on the first identifier.
Step S2104: The first network function determines the authorization method.
In some embodiments, the first network function determines the authorization method, where the authorization method is the authorization method used by the first API caller.
In some embodiments, the first network function determines the authorization method based on a first policy and/or on the result of determining whether the first resource owner needs to participate in the authorization in real time (timely). It should be noted that in this scenario, steps S2101, S2102 and S2103 need not be performed.
It should be noted that real-time authorization may mean that the resource owner needs to take part in the authorization process online and in real time (for example, by clicking a pop-up window on the terminal side), rather than authorizing in a non-real-time manner, for example through a relevant policy preset in the CAPIF framework (i.e., the first policy in the claims).
In some embodiments, the first policy is an authorization policy related to the first resource owner.
In some embodiments, if the first network function locally stores the first policy and determines that the first resource owner does not need to participate in the authorization in real time, the authorization method is determined to be client credentials authorization.
In some embodiments, if the first resource owner needs to participate in the authorization in real time, the authorization method is determined to be authorization code authorization, PKCE-based authorization, or authorization code authorization supporting PKCE.
In some embodiments, the client type corresponding to the first identifier is determined.
In some embodiments, the authorization method is determined based on the client type.
In some embodiments, if the client type is a public client, the authorization method is determined to be PKCE-based authorization or authorization code authorization supporting PKCE.
In some embodiments, if the client type is a public client, it is determined that the authorization method is not authorization code authorization.
In some embodiments, if the client type is a public client, it is determined that the authorization method is not client credentials authorization.
In some embodiments, if the client type is a confidential client, the authorization method is determined to be PKCE-based authorization or authorization code authorization supporting PKCE.
In some embodiments, if the client type is a confidential client, the authorization method is determined to be authorization code authorization.
In some embodiments, if the client type is a confidential client, the authorization method is determined to be client credentials authorization.
In some embodiments, if the client type is a confidential client and the first network function does not locally store a first policy related to the first resource owner, the authorization method is determined to be PKCE-based authorization or authorization code authorization supporting PKCE.
In some embodiments, if the client type is a confidential client and the first resource owner needs to participate in the authorization in real time, the authorization method is determined to be PKCE-based authorization or authorization code authorization supporting PKCE.
In some embodiments, if the client type is a confidential client and the first network function does not locally store a first policy related to the first resource owner, the authorization method is determined to be authorization code authorization.
In some embodiments, if the client type is a confidential client and the first resource owner needs to participate in the authorization in real time, the authorization method is determined to be authorization code authorization.
In some embodiments, if the client type is a confidential client, the first network function locally stores a first policy related to the first resource owner, and the first resource owner does not need to participate in the authorization in real time, the authorization method is determined to be client credentials authorization.
Step S2105: The first network function sends first information to the first API caller.
In some embodiments, the first API caller receives the first information sent by the first network function.
In some embodiments, the first information indicates the authorization method.
In some embodiments, the authorization method includes one of the following:
authorization code authorization;
authorization code authorization supporting PKCE;
PKCE-based authorization;
client credentials authorization.
In some embodiments, the first API caller starts the corresponding authorization process based on the authorization method.
Step S2106: The first API caller sends fifth information to the first network function.
In some embodiments, the first network function receives the fifth information sent by the first API caller.
In some embodiments, the authorization method is authorization code authorization, and the first API caller sends the fifth information to the first network function.
In some embodiments, the fifth information includes information that the response type is code (response_type 'code') and/or that the grant type is authorization code (grant type 'authorization_code'), and the fifth information is used to obtain an authorization code and/or a token.
Step S2107: The first API caller sends sixth information to the first network function.
In some embodiments, the first network function receives the sixth information sent by the first API caller.
In some embodiments, the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE, and the first API caller sends the sixth information to the first network function.
In some embodiments, the sixth information includes code challenge (code_challenge) and/or code verifier (code_verifier) information, and the sixth information is used to obtain an authorization code and/or a token.
In some embodiments, the term "information" can be used interchangeably with terms such as "message", "signal", "signaling", "report", "configuration", "indication", "instruction", "command", "channel", "parameter", "field", and "data".
In some embodiments, the term "send" can be used interchangeably with terms such as "emit", "report", and "transmit".
The information indication method involved in the embodiments of the present disclosure may include at least one of steps S2101 to S2107. For example, step S2101 may be implemented as an independent embodiment, step S2102 may be implemented as an independent embodiment, step S2103 may be implemented as an independent embodiment, step S2104 may be implemented as an independent embodiment, step S2105 may be implemented as an independent embodiment, step S2106 may be implemented as an independent embodiment, and step S2107 may be implemented as an independent embodiment. For example, step S2104 combined with step S2105 may be implemented as an independent embodiment, but the method is not limited thereto.
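The selection logic of step S2104 and the PKCE exchange of step S2107, sketched as an added Python example that is not part of the patent text. The patent lists its embodiments as alternatives; this sketch assumes one combination of them (public client: authorization code with PKCE; confidential client with a locally stored first policy and no real-time owner participation: client credentials; otherwise plain authorization code), and all class, method and identifier names are hypothetical. The S256 transform is taken from RFC 7636, which the page itself does not spell out.

```python
import base64
import hashlib
import hmac
import re
import secrets
from enum import Enum
from typing import Optional

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


class ClientType(Enum):
    PUBLIC = "public"
    CONFIDENTIAL = "confidential"


class Grant(Enum):
    AUTHORIZATION_CODE = "authorization_code"
    AUTHORIZATION_CODE_PKCE = "authorization_code+pkce"
    CLIENT_CREDENTIALS = "client_credentials"


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(verifier)), padding stripped."""
    if not VERIFIER_RE.fullmatch(code_verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class FirstNetworkFunction:
    """Hypothetical in-memory stand-in for the first network function (e.g. CCF)."""

    def __init__(self, owners_with_policy=()):
        self.client_types = {}  # first identifier -> client type (S2102 mapping)
        self.owners_with_policy = set(owners_with_policy)  # stored first policies
        self.selected = {}      # first identifier -> method chosen in S2104
        self.pending = {}       # authorization code -> (identifier, code_challenge)

    def register(self, client_type: ClientType) -> str:
        """S2101/S2102: record the reported client type, assign the first identifier."""
        invoker_id = "invoker-" + secrets.token_hex(8)  # constructed identifier format
        self.client_types[invoker_id] = client_type
        return invoker_id

    def determine_method(self, invoker_id: str, owner: str, realtime: bool) -> Grant:
        """S2103-S2105: resolve the client type by identifier and pick the method."""
        # The type comes from the server-side mapping, not from the request, so
        # an invoker cannot re-declare itself confidential at this step.
        client_type = self.client_types.get(invoker_id)
        if client_type is None:
            raise PermissionError("unknown first identifier")
        if client_type is ClientType.PUBLIC:
            grant = Grant.AUTHORIZATION_CODE_PKCE  # never plain code or client credentials
        elif owner in self.owners_with_policy and not realtime:
            grant = Grant.CLIENT_CREDENTIALS
        else:
            grant = Grant.AUTHORIZATION_CODE
        self.selected[invoker_id] = grant
        return grant

    def authorize(self, invoker_id: str, code_challenge: Optional[str] = None) -> str:
        """S2106/S2107, first leg: issue a code, bound to the challenge under PKCE."""
        grant = self.selected.get(invoker_id)
        if grant is Grant.AUTHORIZATION_CODE_PKCE:
            if not code_challenge:
                raise PermissionError("code_challenge is required for this invoker")
        elif grant is Grant.AUTHORIZATION_CODE:
            code_challenge = None
        else:
            raise PermissionError("no authorization code flow selected")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (invoker_id, code_challenge)
        return code

    def token(self, invoker_id: str, code: str, code_verifier: Optional[str] = None) -> str:
        """Second leg: redeem the code once; under PKCE the verifier must match."""
        bound_id, challenge = self.pending.pop(code, (None, None))  # single use
        if bound_id is None or bound_id != invoker_id:
            raise PermissionError("invalid authorization code")
        if challenge is not None:
            try:
                computed = s256_challenge(code_verifier or "")
            except ValueError:
                computed = ""
            if not hmac.compare_digest(computed.encode(), challenge.encode()):
                raise PermissionError("code_verifier does not match code_challenge")
        return secrets.token_urlsafe(24)  # opaque access token


if __name__ == "__main__":
    nf = FirstNetworkFunction(owners_with_policy={"owner-1"})  # constructed data
    app = nf.register(ClientType.PUBLIC)
    print(nf.determine_method(app, "owner-1", realtime=False))
    verifier = secrets.token_urlsafe(32)  # 43 characters
    code = nf.authorize(app, s256_challenge(verifier))
    print("token issued:", bool(nf.token(app, code, verifier)))
```

Because the fourth information carries only the first identifier, the method that comes back depends on the client type recorded at registration, and a public client that skips the code_challenge is refused before any authorization code is issued.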
FIG. 3a is a schematic flow chart of an information indication method according to an embodiment of the present disclosure. As shown in FIG. 3a, the embodiment of the present disclosure relates to an information indication method executed by a first API caller, and the method includes:
Step S3101: Send second information.
In some embodiments, for optional implementations of step S3101, reference may be made to the optional implementations of step S2101 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S3102: Obtain third information.
In some embodiments, the first API caller obtains the third information sent by the first network function, but is not limited thereto, and may also receive third information sent by other entities.
In some embodiments, the first API caller obtains third information specified by a protocol.
In some embodiments, the first API caller obtains the third information from an upper layer or upper layers.
In some embodiments, the first API caller performs processing to obtain the third information.
In some embodiments, for optional implementations of step S3102, reference may be made to the optional implementations of step S2102 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S3103: Send fourth information.
In some embodiments, for optional implementations of step S3103, reference may be made to the optional implementations of step S2103 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S3104: Obtain first information.
In some embodiments, the first API caller obtains the first information sent by the first network function, but is not limited thereto, and may also receive first information sent by other entities.
In some embodiments, the first API caller obtains first information specified by a protocol.
In some embodiments, the first API caller obtains the first information from an upper layer or upper layers.
In some embodiments, the first API caller performs processing to obtain the first information.
In some embodiments, for optional implementations of step S3104, reference may be made to the optional implementations of step S2105 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S3105: Send fifth information.
In some embodiments, for optional implementations of step S3105, reference may be made to the optional implementations of step S2106 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S3106: Send sixth information.
In some embodiments, for optional implementations of step S3106, reference may be made to the optional implementations of step S2107 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
The information indication method involved in the embodiments of the present disclosure may include at least one of steps S3101 to S3106. For example, step S3101 may be implemented as an independent embodiment, step S3102 may be implemented as an independent embodiment, step S3103 may be implemented as an independent embodiment, step S3104 may be implemented as an independent embodiment, step S3105 may be implemented as an independent embodiment, and step S3106 may be implemented as an independent embodiment, which is not limited here.
FIG. 3b is a schematic flow chart of an information indication method according to an embodiment of the present disclosure. As shown in FIG. 3b, the embodiment of the present disclosure relates to an information indication method executed by a first API caller, and the method includes:
Step S3201: Receive first information.
In some embodiments, the first information indicates an authorization method, and the authorization method is the authorization method used by the first API caller.
In some embodiments, for optional implementations of step S3201, reference may be made to the optional implementations of step S2104 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
In some embodiments, second information is sent to the first network function;
wherein the second information indicates the client type of the first API caller, and the client type is used by the first network function to determine the authorization method.
In some embodiments, the method further includes:
receiving third information sent by the first network function;
wherein the third information includes a first identifier configured by the first network function for the first API caller, and the first API caller is provided with a mapping relationship between the first identifier and the client type and/or the first network function is provided with a mapping relationship between the first identifier and the client type.
In some embodiments, the mapping relationship is created by the first network function.
In some embodiments, the method further includes:
sending fourth information to the first network function;
wherein the fourth information includes the first identifier.
In some embodiments, the first information indicates the authorization method determined by the first network function based on the first identifier.
In some embodiments, the method further includes:
starting the corresponding authorization process based on the authorization method.
In some embodiments, the authorization method is authorization code authorization, and the method further includes:
sending fifth information to the first network function;
wherein the fifth information includes information that the response type is code and/or that the grant type is authorization code, and the fifth information is used to obtain an authorization code and/or a token.
In some embodiments, the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE, and the method further includes:
sending sixth information to the first network function;
wherein the sixth information includes code challenge and/or code verifier information, and the sixth information is used to obtain an authorization code and/or a token.
In some embodiments, the client type includes one of the following:
public client;
confidential client.
In some embodiments, the authorization method includes one of the following:
authorization code authorization;
authorization code authorization supporting Proof Key for Code Exchange (PKCE);
authorization based on Proof Key for Code Exchange (PKCE);
client credentials authorization.
FIG. 4a is a schematic flow chart of an information indication method according to an embodiment of the present disclosure. As shown in FIG. 4a, the embodiment of the present disclosure relates to an information indication method executed by a first network function, and the method includes:
Step S4101: Obtain second information.
In some embodiments, the first network function obtains the second information sent by the first API caller, but is not limited thereto, and may also receive second information sent by other entities.
In some embodiments, the first network function obtains second information specified by a protocol.
In some embodiments, the first network function obtains the second information from an upper layer or upper layers.
In some embodiments, the first network function performs processing to obtain the second information.
In some embodiments, for optional implementations of step S4101, reference may be made to the optional implementations of step S2101 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S4102: Send third information.
In some embodiments, for optional implementations of step S4102, reference may be made to the optional implementations of step S2102 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S4103: Obtain fourth information.
In some embodiments, the first network function obtains the fourth information sent by the first API caller, but is not limited thereto, and may also receive fourth information sent by other entities.
In some embodiments, the first network function obtains fourth information specified by a protocol.
In some embodiments, the first network function obtains the fourth information from an upper layer or upper layers.
In some embodiments, the first network function performs processing to obtain the fourth information.
In some embodiments, for optional implementations of step S4103, reference may be made to the optional implementations of step S2103 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S4104: Determine the authorization method.
In some embodiments, for optional implementations of step S4104, reference may be made to the optional implementations of step S2104 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S4105: Send first information.
In some embodiments, for optional implementations of step S4105, reference may be made to the optional implementations of step S2105 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S4106: Obtain fifth information.
In some embodiments, the first network function obtains the fifth information sent by the first API caller, but is not limited thereto, and may also receive fifth information sent by other entities.
In some embodiments, the first network function obtains fifth information specified by a protocol.
In some embodiments, the first network function obtains the fifth information from an upper layer or upper layers.
In some embodiments, the first network function performs processing to obtain the fifth information.
In some embodiments, for optional implementations of step S4106, reference may be made to the optional implementations of step S2106 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
Step S4107: Obtain sixth information.
In some embodiments, the first network function obtains the sixth information sent by the first API caller, but is not limited thereto, and may also receive sixth information sent by other entities.
In some embodiments, the first network function obtains sixth information specified by a protocol.
In some embodiments, the first network function obtains the sixth information from an upper layer or upper layers.
In some embodiments, the first network function performs processing to obtain the sixth information.
In some embodiments, for optional implementations of step S4107, reference may be made to the optional implementations of step S2107 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
The information indication method involved in the embodiments of the present disclosure may include at least one of steps S4101 to S4107. For example, step S4101 may be implemented as an independent embodiment, step S4102 may be implemented as an independent embodiment, step S4103 may be implemented as an independent embodiment, step S4104 may be implemented as an independent embodiment, step S4105 may be implemented as an independent embodiment, step S4106 may be implemented as an independent embodiment, and step S4107 may be implemented as an independent embodiment. For example, step S4104 combined with step S4105 may be implemented as an independent embodiment, but the method is not limited thereto.
FIG. 4b is a schematic flow chart of an information indication method according to an embodiment of the present disclosure. As shown in FIG. 4b, the embodiment of the present disclosure relates to an information indication method executed by a first network function, and the method includes:
Step S4201: Determine the authorization method.
In some embodiments, the authorization method is the authorization method used by the first API caller.
In some embodiments, for optional implementations of step S4201, reference may be made to the optional implementations of step S2104 in FIG. 2a and to other related parts of the embodiments involving FIG. 2a, which are not repeated here.
In some embodiments, determining the authorization method includes:
determining the authorization method based on a first policy and/or on the result of determining whether the first resource owner needs to participate in the authorization in real time;
wherein the first policy is an authorization policy related to the first resource owner.
In some embodiments, determining the authorization method based on the first policy and/or on the result of determining whether the first resource owner needs to participate in the authorization in real time includes one of the following:
if the first network function locally stores the first policy and determines that the first resource owner does not need to participate in the authorization in real time, determining that the authorization method is client credentials authorization;
if the first resource owner needs to participate in the authorization in real time, determining that the authorization method is authorization code authorization, PKCE-based authorization, or authorization code authorization supporting PKCE.
In some embodiments, the method further includes:
receiving second information sent by the first API caller;
wherein the second information indicates the client type of the first API caller, and the client type is used by the first network function to determine the authorization method used by the first API caller.
In some embodiments, the method further includes:
sending third information to the first API caller;
wherein the third information includes a first identifier configured by the first network function for the first API caller; the first API caller is provided with a mapping relationship between the first identifier and the client type and/or the first network function is provided with a mapping relationship between the first identifier and the client type.
In some embodiments, the method further includes:
creating the mapping relationship.
In some embodiments, the method further includes:
receiving fourth information sent by the first API;
wherein the fourth information includes the first identifier.
In some embodiments, the method further includes:
determining the client type corresponding to the first identifier;
wherein determining the authorization method includes:
determining the authorization method based on the client type.
In some embodiments, determining the authorization method based on the client type includes at least one of the following:
if the client type is a public client, determining that the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE;
if the client type is a public client, determining that the authorization method is not authorization code authorization;
if the client type is a public client, determining that the authorization method is not client credentials authorization;
if the client type is a confidential client, determining that the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE;
if the client type is a confidential client, determining that the authorization method is authorization code authorization;
if the client type is a confidential client, determining that the authorization method is client credentials authorization.
In some embodiments, determining, if the client type is a confidential client, that the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE includes:
if the client type is a confidential client and the first network function does not locally store a first policy related to the first resource owner, determining that the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE;
if the client type is a confidential client and the first resource owner needs to participate in the authorization in real time, determining that the authorization method is PKCE authorization code authorization.
In some embodiments, determining, if the client type is a confidential client, that the authorization method is authorization code authorization includes:
if the client type is a confidential client and the first network function does not locally store a first policy related to the first resource owner, determining that the authorization method is authorization code authorization;
if the client type is a confidential client and the first resource owner needs to participate in the authorization in real time, determining that the authorization method is authorization code authorization.
In some embodiments, determining, if the client type is a confidential client, that the authorization method is client credentials authorization includes:
if the client type is a confidential client, the first network function locally stores a first policy related to the first resource owner, and the first resource owner does not need to participate in the authorization in real time, determining that the authorization method is client credentials authorization.
在一些实施例中,所述方法还包括:In some embodiments, the method further comprises:
向第一API调用者发送第一信息;Sending a first message to a first API caller;
其中,所述第一信息指示所述授权方式。The first information indicates the authorization method.
在一些实施例中,所述授权方式为授权代码授权,所述方法还包括:In some embodiments, the authorization method is authorization code authorization, and the method further includes:
接收第一API调用者发送的第五信息;receiving fifth information sent by the first API caller;
其中,所述第五信息包括响应类型为代码和/或授权类型为授权代码的信息,所述第五信息用于获取授权代码和/或令牌。The fifth information includes information that the response type is code and/or the authorization type is authorization code, and the fifth information is used to obtain the authorization code and/or token.
在一些实施例中,所述授权方式为基于PKCE的授权或者支持PKCE的授权代码授权,所述方法还包括:In some embodiments, the authorization method is PKCE-based authorization or authorization code authorization supporting PKCE, and the method further includes:
接收第一API调用者发送的第六信息;receiving sixth information sent by the first API caller;
其中,所述第六信息包括代码挑战和/或代码验证的信息,所述第六信息用于获取授权代码和/或令牌。The sixth information includes information of code challenge and/or code verification, and the sixth information is used to obtain an authorization code and/or a token.
在一些实施例中,所述客户端类型包括以下之一:In some embodiments, the client type includes one of the following:
公共客户端;Public Client;
机密客户端。Confidential Client.
在一些实施例中,所述授权方式包括以下之一:In some embodiments, the authorization method includes one of the following:
授权代码授权;Authorization code grant;
支持代码交换证明密钥PKCE的授权代码授权;Supports authorization code authorization for code exchange proof key PKCE;
基于代码交换证明密钥PKCE的授权;Authorization based on code exchange proof key PKCE;
客户端凭证授权。Client Credentials Grant.
FIG. 5a is an interaction diagram of an information indication method according to an embodiment of the present disclosure. As shown in FIG. 5a, the embodiment of the present disclosure relates to an information indication method used in a communication system 100, and the method includes one of the following steps:
Step S5101: The first network function sends first information to the first API caller.
In some embodiments, the first API caller receives the first information sent by the first network function.
In some embodiments, the first information indicates an authorization method, and the authorization method is the authorization method used by the first API caller.
For optional implementations of step S5101, refer to the optional implementations of step S2101 in FIG. 2a and the other related parts of the embodiment involved in FIG. 2a, which are not repeated here.
In some embodiments, the above method may include the methods of the above embodiments on the communication system side, the first API caller side, the first network function side, and so on, which are not repeated here.
FIG. 6a is an interaction diagram of an information indication method according to an embodiment of the present disclosure. As shown in FIG. 6a, the embodiment of the present disclosure relates to an information indication method, and the method includes:
Step S6101: The API caller (first API caller) sends its client type (e.g., public client or confidential client) to the CCF (first network function) during the login process (onboarding process). The CCF then sends the API caller's identifier (first identifier) to the API caller. The CCF creates an association between each API caller's identifier and its client type.
Step S6102: To obtain the authorization method to be used between the API caller, the AEF/NEF and the CCF, the API caller sends its identifier to the CCF.
Step S6103: The CCF selects an authorization method for the API caller based on the association between the API caller's identifier and the API caller's client type.
For example, if the API caller's client type is public client, the CCF selects PKCE-based authorization or the authorization code grant supporting PKCE.
For example, if the API caller's client type is confidential client, the CCF selects the authorization code grant or the client credentials grant.
Step S6104: The CCF notifies the API caller of the authorization method (e.g., authorization code grant, authorization code grant supporting PKCE, PKCE-based authorization, or client credentials grant).
Step S6105: The API caller triggers the security procedure according to the selected authorization method.
For example, if the selected authorization method is the authorization code grant, the API caller should send the response type 'code' (response_type 'code') and the grant type 'authorization_code' (grant_type 'authorization_code') to the CCF to obtain the authorization code and the token, respectively.
For example, if the selected authorization method is PKCE-based authorization or the authorization code grant supporting PKCE, the API caller should send the code challenge (code_challenge) and the code verifier (code_verifier) to the CCF to obtain the authorization code and the token, respectively.
The information indication method involved in the embodiments of the present disclosure may include at least one of steps S6101 to S6105. For example, step S6101 may be implemented as an independent embodiment, step S6102 may be implemented as an independent embodiment, step S6103 may be implemented as an independent embodiment, and step S6104 may be implemented as an independent embodiment, but the method is not limited thereto.
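The S6101 to S6105 exchange above, sketched as an added Python example (not code from the patent). The class and method names are hypothetical, the confidential-client branch follows the local-policy and real-time-participation conditions listed earlier, and the PKCE check assumes the S256 transform from RFC 7636, which the text does not specify.

```python
import base64
import hashlib
import hmac
import secrets
from enum import Enum


class ClientType(Enum):
    PUBLIC = "public"
    CONFIDENTIAL = "confidential"


class Grant(Enum):
    AUTH_CODE = "authorization_code"
    AUTH_CODE_PKCE = "authorization_code_pkce"
    CLIENT_CREDENTIALS = "client_credentials"


def s256(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class Ccf:
    """Toy CCF (first network function); every method name is hypothetical."""

    def __init__(self):
        self.client_type = {}  # invoker id -> ClientType (S6101 association)
        self.selected = {}     # invoker id -> Grant announced in S6104
        self.codes = {}        # authorization code -> (invoker id, challenge)

    def onboard(self, client_type: ClientType) -> str:
        # S6101: store the client type and hand back the invoker identifier.
        invoker_id = "inv-" + secrets.token_hex(4)
        self.client_type[invoker_id] = client_type
        return invoker_id

    def select_grant(self, invoker_id, has_local_policy=False,
                     owner_participates=True) -> Grant:
        # S6102-S6104: decide from the stored association, never from a
        # client type the caller re-asserts in this request.
        ctype = self.client_type[invoker_id]  # KeyError: caller not onboarded
        if ctype is ClientType.PUBLIC:
            grant = Grant.AUTH_CODE_PKCE
        elif has_local_policy and not owner_participates:
            grant = Grant.CLIENT_CREDENTIALS
        else:
            grant = Grant.AUTH_CODE
        self.selected[invoker_id] = grant
        return grant

    def authorize(self, invoker_id, response_type, code_challenge=None) -> str:
        # S6105, first leg: the request must match the announced method.
        grant = self.selected.get(invoker_id)
        if grant not in (Grant.AUTH_CODE, Grant.AUTH_CODE_PKCE):
            raise PermissionError("authorization code flow not selected")
        if response_type != "code":
            raise ValueError("unsupported response_type")
        if grant is Grant.AUTH_CODE_PKCE and not code_challenge:
            raise PermissionError("code_challenge required for this caller")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (invoker_id, code_challenge)
        return code

    def token(self, invoker_id, grant_type, code, code_verifier=None) -> str:
        # S6105, second leg: codes are single use, so pop before any check.
        owner, challenge = self.codes.pop(code, (None, None))
        if grant_type != "authorization_code" or owner != invoker_id:
            raise PermissionError("invalid grant")
        if challenge is not None:
            derived = s256(code_verifier).encode() if code_verifier else b""
            if not hmac.compare_digest(derived, challenge.encode()):
                raise PermissionError("code_verifier does not match")
        return secrets.token_urlsafe(24)
```

Enforcing the announced method in `authorize()` is what keeps a public caller from omitting `code_challenge` and falling back to a plain authorization code flow.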
The embodiments of the present disclosure also provide an apparatus for implementing any of the above methods. For example, an apparatus is provided that includes units or modules for implementing the steps performed by the terminal in any of the above methods. As another example, another apparatus is provided that includes units or modules for implementing the steps performed by a network device (for example, an access network device or a core network device) in any of the above methods.
It should be understood that the division of the units or modules in the above apparatus is only a division of logical functions; in an actual implementation they may be fully or partially integrated into one physical entity, or they may be physically separate. In addition, the units or modules in the apparatus may be implemented in the form of a processor calling software: for example, the apparatus includes a processor connected to a memory in which instructions are stored, and the processor calls the instructions stored in the memory to implement any of the above methods or the functions of the units or modules of the apparatus, where the processor is, for example, a general-purpose processor such as a central processing unit (CPU) or a microprocessor, and the memory is a memory inside or outside the apparatus. Alternatively, the units or modules in the apparatus may be implemented in the form of hardware circuits, and the functions of some or all of the units or modules may be implemented through the design of the hardware circuits. The hardware circuits may be understood as one or more processors. For example, in one implementation, the hardware circuit is an application-specific integrated circuit (ASIC), and the functions of some or all of the above units or modules are implemented by designing the logical relationships of the components in the circuit. As another example, in another implementation, the hardware circuit may be implemented by a programmable logic device (PLD); taking a field programmable gate array (FPGA) as an example, it may include a large number of logic gate circuits, and the connections between the logic gate circuits are configured through a configuration file, thereby implementing the functions of some or all of the above units or modules. All units or modules of the above apparatus may be implemented entirely in the form of a processor calling software, or entirely in the form of hardware circuits, or partly in the form of a processor calling software with the remainder implemented in the form of hardware circuits.
In the embodiments of the present disclosure, the processor is a circuit with signal processing capability. In one implementation, the processor may be a circuit capable of reading and executing instructions, such as a central processing unit (CPU), a microprocessor, a graphics processing unit (GPU) (which may be understood as a kind of microprocessor), or a digital signal processor (DSP). In another implementation, the processor may implement certain functions through the logical relationships of a hardware circuit, where those logical relationships are fixed or reconfigurable; for example, the processor is a hardware circuit implemented as an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), such as an FPGA. In a reconfigurable hardware circuit, the process in which the processor loads a configuration file to configure the hardware circuit may be understood as the process in which the processor loads instructions to implement the functions of some or all of the above units or modules. In addition, the processor may be a hardware circuit designed for artificial intelligence, which may be understood as a kind of ASIC, such as a neural network processing unit (NPU), a tensor processing unit (TPU), or a deep learning processing unit (DPU).
FIG. 7a is a schematic structural diagram of the first API caller provided in an embodiment of the present disclosure. As shown in FIG. 7a, the first API caller 7100 includes a transceiver module 7101 and a processing module 7102; the transceiver module 7101 is configured to send the first information; the processing module 7102 is configured to perform processing operations. Optionally, the transceiver module 7101 is used to perform the steps related to sending and receiving information that the first API caller 7100 performs in any of the above information indication methods, which are not repeated here. Optionally, the processing module 7102 is used to perform the steps related to information processing that the first API caller performs in any of the above information indication methods, which are not repeated here.
FIG. 7b is a schematic structural diagram of the first network function provided in an embodiment of the present disclosure. As shown in FIG. 7b, the first network function 7200 includes a transceiver module 7201 and a processing module 7202; the transceiver module 7201 is configured to receive the first information; the processing module 7202 is configured to perform processing operations. Optionally, the transceiver module 7201 is used to perform the steps related to sending and receiving information that the first network function 7100 performs in any of the above information indication methods, which are not repeated here. Optionally, the processing module 7202 is used to perform the steps related to information processing that the first network function performs in any of the above information indication methods, which are not repeated here.
FIG. 8a is a schematic structural diagram of a communication device 8100 provided in an embodiment of the present disclosure. The communication device 8100 may be a network device (e.g., an access network device or a core network device), a terminal (e.g., user equipment), a chip, chip system, or processor that supports a network device in implementing any of the above methods, or a chip, chip system, or processor that supports a terminal in implementing any of the above information indication methods. The communication device 8100 may be used to implement the information indication method described in the above method embodiments; for details, refer to the description in the above method embodiments.
As shown in FIG. 8a, the communication device 8100 includes one or more processors 8101. The processor 8101 may be a general-purpose processor or a dedicated processor, for example a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data, and the central processing unit may be used to control a communication apparatus (such as a base station, a baseband chip, a terminal device, a terminal device chip, a DU or a CU), execute programs, and process program data. The processor 8101 is used to call instructions so that the communication device 8100 executes any of the above communication methods.
In some embodiments, the communication device 8100 further includes one or more memories 8102 for storing instructions. Optionally, all or part of the memory 8102 may be located outside the communication device 8100.
In some embodiments, the communication device 8100 further includes one or more transceivers 8103. When the communication device 8100 includes one or more transceivers 8103, the communication steps such as sending and receiving in the above methods are performed by the transceiver 8103, and the other steps are performed by the processor 8101.
In some embodiments, the transceiver may include a receiver and a transmitter, which may be separate or integrated. Optionally, the terms transceiver, transceiver unit, transceiver machine, and transceiver circuit are interchangeable; the terms transmitter, transmitting unit, transmitting machine, and transmitting circuit are interchangeable; and the terms receiver, receiving unit, receiving machine, and receiving circuit are interchangeable.
Optionally, the communication device 8100 further includes one or more interface circuits 8104 connected to the memory 8102. The interface circuit 8104 can be used to receive signals from the memory 8102 or other devices and to send signals to the memory 8102 or other devices. For example, the interface circuit 8104 can read instructions stored in the memory 8102 and send them to the processor 8101.
The communication device 8100 described in the above embodiments may be a network device or a terminal, but the scope of the communication device 8100 described in the present disclosure is not limited thereto, and its structure need not be limited by FIG. 8a. The communication device may be an independent device or part of a larger device. For example, the communication device may be: (1) an independent integrated circuit (IC), a chip, or a chip system or subsystem; (2) a set of one or more ICs, where the IC set may optionally also include a storage component for storing data and programs; (3) an ASIC, such as a modem; (4) a module that can be embedded in other devices; (5) a receiver, a terminal device, a smart terminal device, a cellular phone, a wireless device, a handset, a mobile unit, a vehicle-mounted device, a network device, a cloud device, an artificial intelligence device, and so on; (6) others.
FIG. 8b is a schematic structural diagram of a chip 8200 provided in an embodiment of the present disclosure. Where the communication device 8100 is a chip or a chip system, refer to the schematic structural diagram of the chip 8200 shown in FIG. 8b, but the disclosure is not limited thereto.
The chip 8200 includes one or more processors 8201, and the processor 8201 is used to call instructions so that the chip 8200 executes any of the above communication methods.
In some embodiments, the chip 8200 further includes one or more interface circuits 8202 connected to the memory 8203. The interface circuit 8202 can be used to receive signals from the memory 8203 or other devices and to send signals to the memory 8203 or other devices. For example, the interface circuit 8202 can read instructions stored in the memory 8203 and send them to the processor 8201. Optionally, the terms interface circuit, interface, transceiver pin, and transceiver are interchangeable.
In some embodiments, the chip 8200 further includes one or more memories 8203 for storing instructions. Optionally, all or part of the memory 8203 may be located outside the chip 8200.
The present disclosure also provides a storage medium on which instructions are stored; when the instructions are run on the communication device 8100, the communication device 8100 executes any of the above methods. Optionally, the storage medium is an electronic storage medium. Optionally, the storage medium is a computer-readable storage medium, but it may also be a storage medium readable by other devices. Optionally, the storage medium may be a non-transitory storage medium, but it may also be a transitory storage medium.
The present disclosure also provides a program product which, when executed by the communication device 8100, causes the communication device 8100 to execute any of the above communication methods. Optionally, the program product is a computer program product.
The present disclosure also provides a computer program which, when run on a computer, causes the computer to execute any of the above communication methods.
Those skilled in the art will readily conceive of other embodiments of the present invention after considering the specification and practicing the invention disclosed herein. The present disclosure is intended to cover any variations, uses, or adaptations of the present invention that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed in the present disclosure. The specification and embodiments are to be regarded as exemplary only, and the true scope and spirit of the present invention are indicated by the following claims.
It should be understood that the present invention is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present invention is limited only by the appended claims.
Claims (35)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202380010506.8A CN117280675A (en) | 2023-08-06 | 2023-08-06 | Information indicating method, first API caller, first network function and storage medium |
| PCT/CN2023/111361 WO2025030300A1 (en) | 2023-08-06 | 2023-08-06 | Information indication method, first api invoker, first network function, and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2023/111361 WO2025030300A1 (en) | 2023-08-06 | 2023-08-06 | Information indication method, first api invoker, first network function, and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025030300A1 true WO2025030300A1 (en) | 2025-02-13 |
Family
ID=89216491
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2023/111361 Pending WO2025030300A1 (en) | 2023-08-06 | 2023-08-06 | Information indication method, first api invoker, first network function, and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN117280675A (en) |
| WO (1) | WO2025030300A1 (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20190253894A1 (en) * | 2018-02-15 | 2019-08-15 | Nokia Technologies Oy | Security management for roaming service authorization in communication systems with service-based architecture |
| CN110362412A (en) * | 2018-04-09 | 2019-10-22 | 华为技术有限公司 | A service API calling method and related device |
| CN111373712A (en) * | 2017-11-16 | 2020-07-03 | 三星电子株式会社 | Method and system for authenticating Application Program Interface (API) callers |
-
2023
- 2023-08-06 CN CN202380010506.8A patent/CN117280675A/en active Pending
- 2023-08-06 WO PCT/CN2023/111361 patent/WO2025030300A1/en active Pending
Non-Patent Citations (1)
| Title |
|---|
| NOKIA: "OAuth based service authorization framework for SBA", 3GPP DRAFT; S3-180680 OAUTH BASED SERVICE AUTHORIZATION FRAMEWORK FOR SBA V2, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. San Diego (US); 20180226 - 20180302, 19 February 2018 (2018-02-19), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051409105 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117280675A (en) | 2023-12-22 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 23947883 Country of ref document: EP Kind code of ref document: A1 |