-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Follow the principle of data minimization for events based on explicit subscriptions #295
Comments
+1 ... there is also the question which device parameters are being sent back here ... all provided properties within the subscription request (potentially not all of them where used or validated) or only the one used to identify the device? This issue goes also beyond subscription, also in regular API responses (e.g. getSession in quality-on-demand) we have the same topic. As an (interim?) step, we have added the following note in the
|
I think including device info in the response should always be an option, but we need clearer guidelines as to when such information should be included and when it should be omitted. For example:
The reason for the 2-legged rule would be because the API caller can provide multiple device identifiers (which may or may not identify the same device). To avoid information leaks (e.g. confirming whether or not a given IP address is currently allocated to a given MSISDN), the implementation should just "pick one" and return that, as the API caller needs to know which one is being used by the implementation. Possibly we could say that, if only one device identifier is provided, then that does not need to be included in the response, but I think it cleaner to always include the device identifier that is being used, even if the implementation had no choice. The 3-legged rule above is related to the (unresolved) discussion #259, where I currently think a 3-legged token and explicit device identifiers should always result in an error (to avoid the API caller verifying whether or not an explicit device identifier matches the token). If that rule was adopted, then the API caller will not have been able to provide explicit device info in addition to the token, and hence there would be no device info to return. |
In order to move forward on this one and #300 - I pushed Eric proposal ont step further with behavior for each operation: For
For
For
To be completed |
@bigludo7 But multiple device identifiers are allowed in the There are three scenarios to consider when multiple device identifiers are provided in the
My preferred "universal" solution for all these scenarios is simply - where multiple device identifiers are provided in the device object, the API provider can just pick one and return that device identifier in the response. Hence the response does not confirm that all device identifiers match, but does confirm which is being used. The alternative is to only allow a single device identifier to be included in the request |
Thanks a lot @eric-murray for the explanation Talking on this with @patrice-conil, from Orange we have a slight preference for the second option because it seems to use more straightforward for the consumer to send back an error (422 with code). The first option work but for us need some additional understanding from the consumer. As I plan to update the commonalities part does this option 2 is a blocker for you - looking also for the view from the 'usual suspects' on this topic: @shilpa-padgaonkar and @PedroDiez |
@bigludo7 and @eric-murray I would prefer the second option as well. I see the focus of this discussion has been mainly focussed on responses to POST/GET/DELETE Subscription . |
Yes this is a fair point to discuss. About specifically providing the device identifier in the event:
Pending question is about which identifier provide when the subscription has been created with an 3-legs access token and no identifiers present in the body of the request. I guess in this case we could recommend to use the identifier used in the Of course this point is relevant only for device-based notification. I'm wondering if we could provide specific guidelines at commonalities level for the event detail structure but added a line that "Follow the principle of data minimization must be considered by the WG during event structure design" is a must. |
Add part for: - camaraproject#304 - camaraproject#299 - partial camaraproject#295
@shilpa-padgaonkar I've raised a discussion for Geofencing event here: camaraproject/DeviceLocation#270 |
Sorry for being late here: Regarding Subscriptions:
Option 1: "My preferred "universal" solution for all these scenarios is simply - where multiple device identifiers are provided in the device object, the API provider can just pick one and return that device identifier in the response. Hence the response does not confirm that all device identifiers match, but does confirm which is being used." Has the "PROS" of providing flexibility to API Client, and the "CONS" of checking consistency between the identifiers provided Oprion 2: "The alternative is to only allow a single device identifier to be included in the request device object. The API provider would simply return an error if it could not support that identifier. I think API consumers might find this frustrating, but this would also work. And, in this case, there is no need to include the device identifier in the API response." Has the "PROS" of simplicity and the "CONS" that may happen interoperability topics among Telco Operators Not an easy question. Let me think a bit about it and provide feedback Regarding event-notification: Our initial view is always return Device information regardless the suscription is created 2-legged or 3-legged. |
@camaraproject/commonalities_maintainers @PedroDiez @hdamker @bigludo7 As I see it, we have two options when a 2-legged access token and explicit
My preference is Option 1, as this is more flexible for the API consumer. The risk with Option 2 is that an application happily uses one of the device identifiers without issue only to find one day that the application fails because the end user is a customer of an API provider that does not support that identifier and the developer did not implement retrying with an alternative identifier. However, I accept that this is also a risk with Option 1, as the application may still choose to only provide a single device identifier, even if they know more. Either way, better guidance for developers on the use of the So I can live with either option. I'd propose to resolve this with a simple "vote" in these comments. |
Thanks @eric-murray to reinit the conversation. I've still preference for option 2 but can live without any problem with either. |
Problem description
Currently, the basic event data included in explicit subscriptions (for eg. in device-roaming-status-subscriptions.yaml
) includes the device info. Do we need to send back the device info? Can we not restrict the event information to what it is meant to deliver for e.g. in this case roaming statuses? This would be an approach compliant with the principle of data minimization/privacy-by-design.
Expected behavior
The event includes only the data that is "really" needed and is stripped off the default/basic info.
Alternative solution
Additional context
The device-roaming-status-subscriptions is just used in this issue as an example, but this is meant for all APIs that offer events based on explicit subscriptions.
The text was updated successfully, but these errors were encountered: