Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update location-verification.yaml for Spring25 #281

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
222 changes: 112 additions & 110 deletions code/API_definitions/location-verification.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -53,29 +53,19 @@ info:

It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control.

# Identifying a device from the access token
# Identifying the device from the access token

This specification defines the `device` object field as optional in API requests, specifically in cases where the API is accessed using a 3-legged access token, and the device can be uniquely identified by the token. This approach simplifies API usage for API consumers by relying on the device information associated with the access token used to invoke the API.
This API requires the API consumer to identify a device as the subject of the API as follows:
- When the API is invoked using a two-legged access token, the subject will be identified from the optional `device` object, which therefore MUST be provided.
- When a three-legged access token is used however, this optional identifier MUST NOT be provided, as the subject will be uniquely identified from the access token.

## Handling of device information:
This approach simplifies API usage for API consumers using a three-legged access token to invoke the API by relying on the information that is associated with the access token and was identified during the authentication process.

### Optional device object for 3-legged tokens:
## Error handling:

- When using a 3-legged access token, the device associated with the access token must be considered as the device for the API request. This means that the device object is not required in the request, and if included it must identify the same device, therefore **it is recommended NOT to include it in these scenarios** to simplify the API usage and avoid additional validations.
- If the subject cannot be identified from the access token and the optional `device` object is not included in the request, then the server will return an error with the `422 MISSING_IDENTIFIER` error code.

### Validation mechanism:

- The server will extract the device identification from the access token, if available.
- If the API request additionally includes a `device` object when using a 3-legged access token, the API will validate that the device identifier provided matches the one associated with the access token.
- If there is a mismatch, the API will respond with a 403 - INVALID_TOKEN_CONTEXT error, indicating that the device information in the request does not match the token.

### Error handling for unidentifiable devices:

- If the `device` object is not included in the request and the device information cannot be derived from the 3-legged access token, the server will return a 422 `UNIDENTIFIABLE_DEVICE` error.

### Restrictions for tokens without an associated authenticated identifier:

- For scenarios which do not have a single device identifier associated to the token during the authentication flow, e.g. 2-legged access tokens, the `device` object MUST be provided in the API request. This ensures that the device identification is explicit and valid for each API call made with these tokens.
- If the subject can be identified from the access token and the optional `device` object is also included in the request, then the server will return an error with the `422 UNNECESSARY_IDENTIFIER` error code. This will be the case even if the same device is identified by these two methods, as the server is unable to make this comparison.

# Further info and support

Expand All @@ -84,7 +74,7 @@ info:
license:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0.html
x-camara-commonalities: 0.4.0
x-camara-commonalities: 0.5.0
externalDocs:
description: Project documentation at CAMARA
url: https://github.com/camaraproject/DeviceLocation
Expand Down Expand Up @@ -200,10 +190,6 @@ paths:
$ref: "#/components/responses/VerifyLocationUnprocessableEntity422"
"429":
$ref: "#/components/responses/Generic429"
"500":
$ref: "#/components/responses/Generic500"
"503":
$ref: "#/components/responses/Generic503"
security:
- openId:
- location-verification:verify
Expand Down Expand Up @@ -456,6 +442,7 @@ components:
description: Detailed error description

responses:

Generic400:
description: Bad Request
headers:
Expand All @@ -464,17 +451,25 @@ components:
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorInfo"
allOf:
- $ref: "#/components/schemas/ErrorInfo"
- type: object
properties:
status:
enum:
- 400
code:
enum:
- INVALID_ARGUMENT
- OUT_OF_RANGE
examples:
GENERIC_400_INVALID_ARGUMENT:
summary: Generic Invalid Argument
description: Invalid Argument. Generic Syntax Exception
value:
status: 400
code: INVALID_ARGUMENT
message: Client specified an invalid argument, request body or query param.
GENERIC_400_OUT_OF_RANGE:
summary: Generic Out of Range
description: Out of Range. Specific Syntax Exception used when a given field has a pre-defined range or a invalid filter criteria combination is requested
value:
status: 400
Expand All @@ -489,17 +484,25 @@ components:
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorInfo"
allOf:
- $ref: "#/components/schemas/ErrorInfo"
- type: object
properties:
status:
enum:
- 401
code:
enum:
- UNAUTHENTICATED
- AUTHENTICATION_REQUIRED
examples:
GENERIC_401_UNAUTHENTICATED:
summary: Generic Unauthenticated
description: Request cannot be authenticated
value:
status: 401
code: UNAUTHENTICATED
message: Request not authenticated due to missing, invalid, or expired credentials.
GENERIC_401_AUTHENTICATION_REQUIRED:
summary: Generic Authentication Required
description: New authentication is needed, authentication is no longer valid
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible to explain the difference between "authentication is no longer valid" and "expired credentials" in more detail ?

value:
status: 401
Expand All @@ -514,18 +517,26 @@ components:
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorInfo"
allOf:
- $ref: "#/components/schemas/ErrorInfo"
- type: object
properties:
status:
enum:
- 403
code:
enum:
- PERMISSION_DENIED
- INVALID_TOKEN_CONTEXT
examples:
GENERIC_403_PERMISSION_DENIED:
summary: Generic Permission Denied
description: Permission denied. OAuth2 token access does not have the required scope or when the user fails operational security
value:
status: 403
code: PERMISSION_DENIED
message: Client does not have sufficient permissions to perform this action.
GENERIC_403_INVALID_TOKEN_CONTEXT:
summary: Invalid access token context
description: Reflects some inconsistency between information in some field of the API and the related OAuth2 Token
description: Reflect some inconsistency between information in some field of the API and the related OAuth2 Token
value:
status: 403
code: INVALID_TOKEN_CONTEXT
Expand All @@ -539,75 +550,92 @@ components:
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorInfo"
allOf:
- $ref: "#/components/schemas/ErrorInfo"
- type: object
properties:
status:
enum:
- 404
code:
enum:
- NOT_FOUND
- IDENTIFIER_NOT_FOUND
examples:
GENERIC_404_NOT_FOUND:
summary: Generic Not Found
description: Resource is not found
value:
status: 404
code: NOT_FOUND
message: "{{resource}} is not found"
GENERIC_404_DEVICE_NOT_FOUND:
summary: Some identifier cannot be matched to a device
description: One or more of the provided device identifiers do not match any device
message: The specified resource is not found.
GENERIC_404_IDENTIFIER_NOT_FOUND:
description: Some identifier cannot be matched to a device
value:
status: 404
code: DEVICE_NOT_FOUND
message: "No device found for a provided identifier"
code: IDENTIFIER_NOT_FOUND
message: Device identifier not found.

VerifyLocationUnprocessableEntity422:
description: Unprocessable Entity
description: Unprocessable Content
headers:
x-correlator:
$ref: "#/components/headers/x-correlator"
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorInfo"
allOf:
- $ref: "#/components/schemas/ErrorInfo"
- type: object
properties:
status:
enum:
- 422
code:
enum:
- IDENTIFIER_MISMATCH
- SERVICE_NOT_APPLICABLE
- MISSING_IDENTIFIER
- UNSUPPORTED_IDENTIFIER
- UNNECESSARY_IDENTIFIER
- LOCATION_VERIFICATION.UNABLE_TO_FULFILL_MAX_AGE
examples:
LOCATION_VERIFICATION_422_UNABLE_TO_FULFILL_MAX_AGE:
summary: Unable to fulfill maxAge
description: The system is not able to provide the fresh location required by the client
GENERIC_422_IDENTIFIER_MISMATCH:
description: Inconsistency between identifiers not pointing to the same device
value:
status: 422
code: LOCATION_VERIFICATION.UNABLE_TO_FULFILL_MAX_AGE
message: "Unable to provide expected freshness for location"
GENERIC_422_UNPROCESSABLE_ENTITY:
summary: Unprocessable entity
description: The request was well-formed but was unable to be processed due to semantic errors or not applicable values. This is the generic error code for 422 responses.
code: IDENTIFIER_MISMATCH
message: Provided identifiers are not consistent.
GENERIC_422_SERVICE_NOT_APPLICABLE:
description: Service not applicable for the provided identifier
value:
status: 422
code: UNPROCESSABLE_ENTITY
message: "Value not acceptable: ..."
GENERIC_422_DEVICE_NOT_APPLICABLE:
summary: Service not applicable to the device
description: The provided device is not compatible with the requested operation, according to the service provider rules.
code: SERVICE_NOT_APPLICABLE
message: The service is not available for the provided identifier.
GENERIC_422_MISSING_IDENTIFIER:
description: An identifier is not included in the request and the device or phone number identification cannot be derived from the 3-legged access token
value:
status: 422
code: DEVICE_NOT_APPLICABLE
message: "The device is not applicable for the requested operation"
GENERIC_422_DEVICE_IDENTIFIERS_MISMATCH:
summary: Device identifiers mismatch
description: Several device identifiers are provided but do not match the same device
code: MISSING_IDENTIFIER
message: The device cannot be identified.
GENERIC_422_UNSUPPORTED_IDENTIFIER:
description: None of the provided identifiers is supported by the implementation
value:
status: 422
code: DEVICE_IDENTIFIERS_MISMATCH
message: "The provided device identifiers do not match the same device"
GENERIC_422_UNSUPPORTED_DEVICE_IDENTIFIERS:
summary: None of the provided device identifiers is supported by the implementation
description: Message may list the supported device identifiers
code: UNSUPPORTED_IDENTIFIER
message: The identifier provided is not supported.
GENERIC_422_UNNECESSARY_IDENTIFIER:
description: An explicit identifier is provided when a device or phone number has already been identified from the access token
value:
status: 422
code: UNSUPPORTED_DEVICE_IDENTIFIERS
message: "Supported device identifiers are: ..."
GENERIC_422_UNIDENTIFIABLE_DEVICE:
summary: No identifier provided
description: No device identifier provided for the device to be located
code: UNNECESSARY_IDENTIFIER
message: The device is already identified by the access token.
LOCATION_VERIFICATION_422_UNABLE_TO_FULFILL_MAX_AGE:
summary: Unable to fulfill maxAge
description: The system is not able to provide the fresh location required by the client
value:
status: 422
code: UNIDENTIFIABLE_DEVICE
message: "A device must be provided"
code: LOCATION_VERIFICATION.UNABLE_TO_FULFILL_MAX_AGE
message: "Unable to provide expected freshness for location"

Generic429:
description: Too Many Requests
Expand All @@ -617,7 +645,17 @@ components:
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorInfo"
allOf:
- $ref: "#/components/schemas/ErrorInfo"
- type: object
properties:
status:
enum:
- 429
code:
enum:
- QUOTA_EXCEEDED
- TOO_MANY_REQUESTS
examples:
GENERIC_429_QUOTA_EXCEEDED:
description: Request is rejected due to exceeding a business quota limit
Expand All @@ -631,39 +669,3 @@ components:
status: 429
code: TOO_MANY_REQUESTS
message: Either out of resource quota or reaching rate limiting.

Generic500:
description: Internal server error
headers:
x-correlator:
$ref: "#/components/headers/x-correlator"
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorInfo"
examples:
GENERIC_500_INTERNAL:
summary: Generic Internal
description: Problem in Server side. Regular Server Exception
value:
status: 500
code: INTERNAL
message: "Internal server error"

Generic503:
description: Service unavailable
headers:
x-correlator:
$ref: "#/components/headers/x-correlator"
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorInfo"
examples:
GENERIC_503_UNAVAILABLE:
summary: Generic Unavailable
description: Service is not available. Temporary situation usually related to maintenance process in the server side
value:
status: 503
code: UNAVAILABLE
message: "Service unavailable"
Loading