diff --git a/code/API_definitions/location-verification.yaml b/code/API_definitions/location-verification.yaml index b33dbeb4..ed6e49cd 100644 --- a/code/API_definitions/location-verification.yaml +++ b/code/API_definitions/location-verification.yaml @@ -53,29 +53,19 @@ info: It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control. - # Identifying a device from the access token + # Identifying the device from the access token - This specification defines the `device` object field as optional in API requests, specifically in cases where the API is accessed using a 3-legged access token, and the device can be uniquely identified by the token. This approach simplifies API usage for API consumers by relying on the device information associated with the access token used to invoke the API. + This API requires the API consumer to identify a device as the subject of the API as follows: + - When the API is invoked using a two-legged access token, the subject will be identified from the optional `device` object, which therefore MUST be provided. + - When a three-legged access token is used however, this optional identifier MUST NOT be provided, as the subject will be uniquely identified from the access token. - ## Handling of device information: + This approach simplifies API usage for API consumers using a three-legged access token to invoke the API by relying on the information that is associated with the access token and was identified during the authentication process. - ### Optional device object for 3-legged tokens: + ## Error handling: - - When using a 3-legged access token, the device associated with the access token must be considered as the device for the API request. This means that the device object is not required in the request, and if included it must identify the same device, therefore **it is recommended NOT to include it in these scenarios** to simplify the API usage and avoid additional validations. + - If the subject cannot be identified from the access token and the optional `device` object is not included in the request, then the server will return an error with the `422 MISSING_IDENTIFIER` error code. - ### Validation mechanism: - - - The server will extract the device identification from the access token, if available. - - If the API request additionally includes a `device` object when using a 3-legged access token, the API will validate that the device identifier provided matches the one associated with the access token. - - If there is a mismatch, the API will respond with a 403 - INVALID_TOKEN_CONTEXT error, indicating that the device information in the request does not match the token. - - ### Error handling for unidentifiable devices: - - - If the `device` object is not included in the request and the device information cannot be derived from the 3-legged access token, the server will return a 422 `UNIDENTIFIABLE_DEVICE` error. - - ### Restrictions for tokens without an associated authenticated identifier: - - - For scenarios which do not have a single device identifier associated to the token during the authentication flow, e.g. 2-legged access tokens, the `device` object MUST be provided in the API request. This ensures that the device identification is explicit and valid for each API call made with these tokens. + - If the subject can be identified from the access token and the optional `device` object is also included in the request, then the server will return an error with the `422 UNNECESSARY_IDENTIFIER` error code. This will be the case even if the same device is identified by these two methods, as the server is unable to make this comparison. # Further info and support @@ -84,7 +74,7 @@ info: license: name: Apache 2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html - x-camara-commonalities: 0.4.0 + x-camara-commonalities: 0.5.0 externalDocs: description: Project documentation at CAMARA url: https://github.com/camaraproject/DeviceLocation @@ -200,10 +190,6 @@ paths: $ref: "#/components/responses/VerifyLocationUnprocessableEntity422" "429": $ref: "#/components/responses/Generic429" - "500": - $ref: "#/components/responses/Generic500" - "503": - $ref: "#/components/responses/Generic503" security: - openId: - location-verification:verify @@ -456,6 +442,7 @@ components: description: Detailed error description responses: + Generic400: description: Bad Request headers: @@ -464,17 +451,25 @@ components: content: application/json: schema: - $ref: "#/components/schemas/ErrorInfo" + allOf: + - $ref: "#/components/schemas/ErrorInfo" + - type: object + properties: + status: + enum: + - 400 + code: + enum: + - INVALID_ARGUMENT + - OUT_OF_RANGE examples: GENERIC_400_INVALID_ARGUMENT: - summary: Generic Invalid Argument description: Invalid Argument. Generic Syntax Exception value: status: 400 code: INVALID_ARGUMENT message: Client specified an invalid argument, request body or query param. GENERIC_400_OUT_OF_RANGE: - summary: Generic Out of Range description: Out of Range. Specific Syntax Exception used when a given field has a pre-defined range or a invalid filter criteria combination is requested value: status: 400 @@ -489,17 +484,25 @@ components: content: application/json: schema: - $ref: "#/components/schemas/ErrorInfo" + allOf: + - $ref: "#/components/schemas/ErrorInfo" + - type: object + properties: + status: + enum: + - 401 + code: + enum: + - UNAUTHENTICATED + - AUTHENTICATION_REQUIRED examples: GENERIC_401_UNAUTHENTICATED: - summary: Generic Unauthenticated description: Request cannot be authenticated value: status: 401 code: UNAUTHENTICATED message: Request not authenticated due to missing, invalid, or expired credentials. GENERIC_401_AUTHENTICATION_REQUIRED: - summary: Generic Authentication Required description: New authentication is needed, authentication is no longer valid value: status: 401 @@ -514,18 +517,26 @@ components: content: application/json: schema: - $ref: "#/components/schemas/ErrorInfo" + allOf: + - $ref: "#/components/schemas/ErrorInfo" + - type: object + properties: + status: + enum: + - 403 + code: + enum: + - PERMISSION_DENIED + - INVALID_TOKEN_CONTEXT examples: GENERIC_403_PERMISSION_DENIED: - summary: Generic Permission Denied description: Permission denied. OAuth2 token access does not have the required scope or when the user fails operational security value: status: 403 code: PERMISSION_DENIED message: Client does not have sufficient permissions to perform this action. GENERIC_403_INVALID_TOKEN_CONTEXT: - summary: Invalid access token context - description: Reflects some inconsistency between information in some field of the API and the related OAuth2 Token + description: Reflect some inconsistency between information in some field of the API and the related OAuth2 Token value: status: 403 code: INVALID_TOKEN_CONTEXT @@ -539,75 +550,92 @@ components: content: application/json: schema: - $ref: "#/components/schemas/ErrorInfo" + allOf: + - $ref: "#/components/schemas/ErrorInfo" + - type: object + properties: + status: + enum: + - 404 + code: + enum: + - NOT_FOUND + - IDENTIFIER_NOT_FOUND examples: GENERIC_404_NOT_FOUND: - summary: Generic Not Found description: Resource is not found value: status: 404 code: NOT_FOUND - message: "{{resource}} is not found" - GENERIC_404_DEVICE_NOT_FOUND: - summary: Some identifier cannot be matched to a device - description: One or more of the provided device identifiers do not match any device + message: The specified resource is not found. + GENERIC_404_IDENTIFIER_NOT_FOUND: + description: Some identifier cannot be matched to a device value: status: 404 - code: DEVICE_NOT_FOUND - message: "No device found for a provided identifier" + code: IDENTIFIER_NOT_FOUND + message: Device identifier not found. VerifyLocationUnprocessableEntity422: - description: Unprocessable Entity + description: Unprocessable Content headers: x-correlator: $ref: "#/components/headers/x-correlator" content: application/json: schema: - $ref: "#/components/schemas/ErrorInfo" + allOf: + - $ref: "#/components/schemas/ErrorInfo" + - type: object + properties: + status: + enum: + - 422 + code: + enum: + - IDENTIFIER_MISMATCH + - SERVICE_NOT_APPLICABLE + - MISSING_IDENTIFIER + - UNSUPPORTED_IDENTIFIER + - UNNECESSARY_IDENTIFIER + - LOCATION_VERIFICATION.UNABLE_TO_FULFILL_MAX_AGE examples: - LOCATION_VERIFICATION_422_UNABLE_TO_FULFILL_MAX_AGE: - summary: Unable to fulfill maxAge - description: The system is not able to provide the fresh location required by the client + GENERIC_422_IDENTIFIER_MISMATCH: + description: Inconsistency between identifiers not pointing to the same device value: status: 422 - code: LOCATION_VERIFICATION.UNABLE_TO_FULFILL_MAX_AGE - message: "Unable to provide expected freshness for location" - GENERIC_422_UNPROCESSABLE_ENTITY: - summary: Unprocessable entity - description: The request was well-formed but was unable to be processed due to semantic errors or not applicable values. This is the generic error code for 422 responses. + code: IDENTIFIER_MISMATCH + message: Provided identifiers are not consistent. + GENERIC_422_SERVICE_NOT_APPLICABLE: + description: Service not applicable for the provided identifier value: status: 422 - code: UNPROCESSABLE_ENTITY - message: "Value not acceptable: ..." - GENERIC_422_DEVICE_NOT_APPLICABLE: - summary: Service not applicable to the device - description: The provided device is not compatible with the requested operation, according to the service provider rules. + code: SERVICE_NOT_APPLICABLE + message: The service is not available for the provided identifier. + GENERIC_422_MISSING_IDENTIFIER: + description: An identifier is not included in the request and the device or phone number identification cannot be derived from the 3-legged access token value: status: 422 - code: DEVICE_NOT_APPLICABLE - message: "The device is not applicable for the requested operation" - GENERIC_422_DEVICE_IDENTIFIERS_MISMATCH: - summary: Device identifiers mismatch - description: Several device identifiers are provided but do not match the same device + code: MISSING_IDENTIFIER + message: The device cannot be identified. + GENERIC_422_UNSUPPORTED_IDENTIFIER: + description: None of the provided identifiers is supported by the implementation value: status: 422 - code: DEVICE_IDENTIFIERS_MISMATCH - message: "The provided device identifiers do not match the same device" - GENERIC_422_UNSUPPORTED_DEVICE_IDENTIFIERS: - summary: None of the provided device identifiers is supported by the implementation - description: Message may list the supported device identifiers + code: UNSUPPORTED_IDENTIFIER + message: The identifier provided is not supported. + GENERIC_422_UNNECESSARY_IDENTIFIER: + description: An explicit identifier is provided when a device or phone number has already been identified from the access token value: status: 422 - code: UNSUPPORTED_DEVICE_IDENTIFIERS - message: "Supported device identifiers are: ..." - GENERIC_422_UNIDENTIFIABLE_DEVICE: - summary: No identifier provided - description: No device identifier provided for the device to be located + code: UNNECESSARY_IDENTIFIER + message: The device is already identified by the access token. + LOCATION_VERIFICATION_422_UNABLE_TO_FULFILL_MAX_AGE: + summary: Unable to fulfill maxAge + description: The system is not able to provide the fresh location required by the client value: status: 422 - code: UNIDENTIFIABLE_DEVICE - message: "A device must be provided" + code: LOCATION_VERIFICATION.UNABLE_TO_FULFILL_MAX_AGE + message: "Unable to provide expected freshness for location" Generic429: description: Too Many Requests @@ -617,7 +645,17 @@ components: content: application/json: schema: - $ref: "#/components/schemas/ErrorInfo" + allOf: + - $ref: "#/components/schemas/ErrorInfo" + - type: object + properties: + status: + enum: + - 429 + code: + enum: + - QUOTA_EXCEEDED + - TOO_MANY_REQUESTS examples: GENERIC_429_QUOTA_EXCEEDED: description: Request is rejected due to exceeding a business quota limit @@ -631,39 +669,3 @@ components: status: 429 code: TOO_MANY_REQUESTS message: Either out of resource quota or reaching rate limiting. - - Generic500: - description: Internal server error - headers: - x-correlator: - $ref: "#/components/headers/x-correlator" - content: - application/json: - schema: - $ref: "#/components/schemas/ErrorInfo" - examples: - GENERIC_500_INTERNAL: - summary: Generic Internal - description: Problem in Server side. Regular Server Exception - value: - status: 500 - code: INTERNAL - message: "Internal server error" - - Generic503: - description: Service unavailable - headers: - x-correlator: - $ref: "#/components/headers/x-correlator" - content: - application/json: - schema: - $ref: "#/components/schemas/ErrorInfo" - examples: - GENERIC_503_UNAVAILABLE: - summary: Generic Unavailable - description: Service is not available. Temporary situation usually related to maintenance process in the server side - value: - status: 503 - code: UNAVAILABLE - message: "Service unavailable"