From c724e59692cd8bbb62980bcb51dd327f17b70e2c Mon Sep 17 00:00:00 2001 From: Eric Murray Date: Wed, 4 Dec 2024 17:07:51 +0000 Subject: [PATCH 1/7] Update device-reachability-status.yaml --- .../device-reachability-status.yaml | 29 +++++++++---------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/code/API_definitions/device-reachability-status.yaml b/code/API_definitions/device-reachability-status.yaml index 510f91f..dd47ef4 100644 --- a/code/API_definitions/device-reachability-status.yaml +++ b/code/API_definitions/device-reachability-status.yaml @@ -37,29 +37,28 @@ info: It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control. - # Identifying a device from the access token + # Identifying the device from the access token - This specification defines the `device` object field as optional in API requests, specifically in cases where the API is accessed using a 3-legged access token, and the device can be uniquely identified by the token. This approach simplifies API usage for API consumers by relying on the device information associated with the access token used to invoke the API. + This API requires the API consumer to identify a device as the subject of the API as follows: + - When the API is invoked using a two-legged access token, the subject will be identified from the optional `device` object, which therefore MUST be provided. - ## Handling of device information: + - When a three-legged access token is used however, this optional identifier MUST NOT be provided, as the subject will be uniquely identified from the access token. - ### Optional device object for 3-legged tokens: + This approach simplifies API usage for API consumers using a three-legged access token to invoke the API by relying on the information that is associated with the access token and was identified during the authentication process. - - When using a 3-legged access token, the device associated with the access token must be considered as the device for the API request. This means that the device object is not required in the request, and if included it must identify the same device, therefore **it is recommended NOT to include it in these scenarios** to simplify the API usage and avoid additional validations. + ## Error handling: + - If the subject cannot be identified from the access token and the optional `device` object is not included in the request, then the server will return an error with the `422 MISSING_IDENTIFIER` error code. - ### Validation mechanism: + - If the subject can be identified from the access token and the optional `device` object is also included in the request, then the server will return an error with the `422 UNNECESSARY_IDENTIFIER` error code. This will be the case even if the same device is identified by these two methods, as the server is unable to make this comparison. - - The server will extract the device identification from the access token, if available. - - If the API request additionally includes a `device` object when using a 3-legged access token, the API will validate that the device identifier provided matches the one associated with the access token. - - If there is a mismatch, the API will respond with a 403 - INVALID_TOKEN_CONTEXT error, indicating that the device information in the request does not match the token. + # Multi-SIM scenario handling - ### Error handling for unidentifiable devices: + In multi-SIM scenarios where more than one mobile device is associated with a phone number (e.g. a smartphone with an associated smartwatch), it might not be possible to uniquely identify the device for which the reachability status should be returned from that phone number. If the phone number is used as the device identifier when querying in a multi-SIM scenario, the API may respond with an error, return a combined status for the multi-SIM group as a whole, or return the status for a single device in the multi-SIM group which may not be the intended device. - - If the `device` object is not included in the request and the device information cannot be derived from the 3-legged access token, the server will return a 422 `UNIDENTIFIABLE_DEVICE` error. - - ### Restrictions for tokens without an associated authenticated identifier: - - - For scenarios which do not have a single device identifier associated to the token during the authentication flow, e.g. 2-legged access tokens, the `device` object MUST be provided in the API request. This ensures that the device identification is explicit and valid for each API call made with these tokens. + Possible solutions in such a scenario include: + - Using the authorisation code flow to obtain an access token, which will automatically identify the intended device + - Identifying the intended device from a unique identifier for that device, such as its source IP address and port + - Check with the SIM provider whether a unique "secondary" phone number is already associated with each device, and use the secondary phone number to identify the intended device if available. # Further info and support From 524f3b29a9e18daad3839a6a5999f61a21378108 Mon Sep 17 00:00:00 2001 From: Eric Murray Date: Wed, 4 Dec 2024 17:10:10 +0000 Subject: [PATCH 2/7] Update device-reachability-status.yaml --- code/API_definitions/device-reachability-status.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/code/API_definitions/device-reachability-status.yaml b/code/API_definitions/device-reachability-status.yaml index dd47ef4..088d76f 100644 --- a/code/API_definitions/device-reachability-status.yaml +++ b/code/API_definitions/device-reachability-status.yaml @@ -53,7 +53,10 @@ info: # Multi-SIM scenario handling - In multi-SIM scenarios where more than one mobile device is associated with a phone number (e.g. a smartphone with an associated smartwatch), it might not be possible to uniquely identify the device for which the reachability status should be returned from that phone number. If the phone number is used as the device identifier when querying in a multi-SIM scenario, the API may respond with an error, return a combined status for the multi-SIM group as a whole, or return the status for a single device in the multi-SIM group which may not be the intended device. + In multi-SIM scenarios where more than one mobile device is associated with a phone number (e.g. a smartphone with an associated smartwatch), it might not be possible to uniquely identify the device for which the reachability status should be returned from that phone number. If the phone number is used as the device identifier when querying in a multi-SIM scenario, the API may: + - respond with an error, or + - return a combined status for the multi-SIM group as a whole, or + - return the status for a single device in the multi-SIM group, which may not be the intended device. Possible solutions in such a scenario include: - Using the authorisation code flow to obtain an access token, which will automatically identify the intended device From 35d4d3dbc68ead61a737cec52bc65ba4974df92e Mon Sep 17 00:00:00 2001 From: Eric Murray Date: Wed, 18 Dec 2024 10:22:04 +0000 Subject: [PATCH 3/7] Update device-roaming-status.yaml --- .../device-roaming-status.yaml | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/code/API_definitions/device-roaming-status.yaml b/code/API_definitions/device-roaming-status.yaml index 2077fac..c8fa72f 100644 --- a/code/API_definitions/device-roaming-status.yaml +++ b/code/API_definitions/device-roaming-status.yaml @@ -45,29 +45,31 @@ info: It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control. - # Identifying a device from the access token + # Identifying the device from the access token - This specification defines the `device` object field as optional in API requests, specifically in cases where the API is accessed using a 3-legged access token, and the device can be uniquely identified by the token. This approach simplifies API usage for API consumers by relying on the device information associated with the access token used to invoke the API. + This API requires the API consumer to identify a device as the subject of the API as follows: + - When the API is invoked using a two-legged access token, the subject will be identified from the optional `device` object, which therefore MUST be provided. - ## Handling of device information: + - When a three-legged access token is used however, this optional identifier MUST NOT be provided, as the subject will be uniquely identified from the access token. - ### Optional device object for 3-legged tokens: + This approach simplifies API usage for API consumers using a three-legged access token to invoke the API by relying on the information that is associated with the access token and was identified during the authentication process. - - When using a 3-legged access token, the device associated with the access token must be considered as the device for the API request. This means that the device object is not required in the request, and if included it must identify the same device, therefore **it is recommended NOT to include it in these scenarios** to simplify the API usage and avoid additional validations. + ## Error handling: + - If the subject cannot be identified from the access token and the optional `device` object is not included in the request, then the server will return an error with the `422 MISSING_IDENTIFIER` error code. - ### Validation mechanism: + - If the subject can be identified from the access token and the optional `device` object is also included in the request, then the server will return an error with the `422 UNNECESSARY_IDENTIFIER` error code. This will be the case even if the same device is identified by these two methods, as the server is unable to make this comparison. - - The server will extract the device identification from the access token, if available. - - If the API request additionally includes a `device` object when using a 3-legged access token, the API will validate that the device identifier provided matches the one associated with the access token. - - If there is a mismatch, the API will respond with a 403 - INVALID_TOKEN_CONTEXT error, indicating that the device information in the request does not match the token. + # Multi-SIM scenario handling - ### Error handling for unidentifiable devices: + In multi-SIM scenarios where more than one mobile device is associated with a phone number (e.g. a smartphone with an associated smartwatch), it might not be possible to uniquely identify the device for which the roaming status should be returned from that phone number. If the phone number is used as the device identifier when querying in a multi-SIM scenario, the API may: + - respond with an error, or + - return a combined status for the multi-SIM group as a whole, or + - return the status for a single device in the multi-SIM group, which may not be the intended device. - - If the `device` object is not included in the request and the device information cannot be derived from the 3-legged access token, the server will return a 422 `UNIDENTIFIABLE_DEVICE` error. - - ### Restrictions for tokens without an associated authenticated identifier: - - - For scenarios which do not have a single device identifier associated to the token during the authentication flow, e.g. 2-legged access tokens, the `device` object MUST be provided in the API request. This ensures that the device identification is explicit and valid for each API call made with these tokens. + Possible solutions in such a scenario include: + - Using the authorisation code flow to obtain an access token, which will automatically identify the intended device + - Identifying the intended device from a unique identifier for that device, such as its source IP address and port + - Check with the SIM provider whether a unique "secondary" phone number is already associated with each device, and use the secondary phone number to identify the intended device if available. # Further info and support From 4d6f9304f7ad4d7c50610f17d4cafd225b202b48 Mon Sep 17 00:00:00 2001 From: Eric Murray Date: Wed, 18 Dec 2024 10:31:49 +0000 Subject: [PATCH 4/7] Update device-reachability-status-subscriptions.yaml --- .../device-reachability-status-subscriptions.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/code/API_definitions/device-reachability-status-subscriptions.yaml b/code/API_definitions/device-reachability-status-subscriptions.yaml index 0b3ff0a..0d5823f 100644 --- a/code/API_definitions/device-reachability-status-subscriptions.yaml +++ b/code/API_definitions/device-reachability-status-subscriptions.yaml @@ -65,6 +65,18 @@ info: It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control. + ### Multi-SIM scenario handling + + In multi-SIM scenarios where more than one mobile device is associated with a phone number (e.g. a smartphone with an associated smartwatch), it might not be possible to uniquely identify from that phone number the device for which reachability status updates should be provided. If the phone number is used as the device identifier when creating a subscription for a multi-SIM scenario, the API may: + - respond with an error, or + - provide status updates for the multi-SIM group as a whole, or + - provide status updates only for a single device in the multi-SIM group, which may not be the intended device. + + Possible solutions in such a scenario include: + - Using the authorisation code flow to obtain an access token, which will automatically identify the intended device + - Identifying the intended device from a unique identifier for that device, such as its source IP address and port + - Check with the SIM provider whether a unique "secondary" phone number is already associated with each device, and use the secondary phone number to identify the intended device if available. + license: name: Apache 2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html From ed5298703f456aa639a3bcea299804f6d5f69cb3 Mon Sep 17 00:00:00 2001 From: Eric Murray Date: Wed, 18 Dec 2024 10:33:08 +0000 Subject: [PATCH 5/7] Update device-roaming-status-subscriptions.yaml --- .../device-roaming-status-subscriptions.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/code/API_definitions/device-roaming-status-subscriptions.yaml b/code/API_definitions/device-roaming-status-subscriptions.yaml index 678a32d..63eeb76 100644 --- a/code/API_definitions/device-roaming-status-subscriptions.yaml +++ b/code/API_definitions/device-roaming-status-subscriptions.yaml @@ -67,6 +67,18 @@ info: It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control. + ### Multi-SIM scenario handling + + In multi-SIM scenarios where more than one mobile device is associated with a phone number (e.g. a smartphone with an associated smartwatch), it might not be possible to uniquely identify from that phone number the device for which roaming status updates should be provided. If the phone number is used as the device identifier when creating a subscription for a multi-SIM scenario, the API may: + - respond with an error, or + - provide status updates for the multi-SIM group as a whole, or + - provide status updates only for a single device in the multi-SIM group, which may not be the intended device. + + Possible solutions in such a scenario include: + - Using the authorisation code flow to obtain an access token, which will automatically identify the intended device + - Identifying the intended device from a unique identifier for that device, such as its source IP address and port + - Check with the SIM provider whether a unique "secondary" phone number is already associated with each device, and use the secondary phone number to identify the intended device if available. + license: name: Apache 2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html From e22b75a5d207bb00da2551638767e1a54af6f27f Mon Sep 17 00:00:00 2001 From: Eric Murray Date: Wed, 18 Dec 2024 14:31:20 +0000 Subject: [PATCH 6/7] Update connected-network-type.yaml --- code/API_definitions/connected-network-type.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/code/API_definitions/connected-network-type.yaml b/code/API_definitions/connected-network-type.yaml index ea1758b..fdf4e82 100644 --- a/code/API_definitions/connected-network-type.yaml +++ b/code/API_definitions/connected-network-type.yaml @@ -46,10 +46,23 @@ info: - If the subject cannot be identified from the access token and the optional `device` object is not included in the request, then the server will return an error with the `422 MISSING_IDENTIFIER` error code. - If the subject can be identified from the access token and the optional `device` object is also included in the request, then the server will return an error with the `422 UNNECESSARY_IDENTIFIER` error code. This will be the case even if the same device is identified by these two methods, as the server is unable to make this comparison. + ## Further info and support (FAQs will be added in a later version of the documentation) + ### Multi-SIM scenario handling + + In multi-SIM scenarios where more than one mobile device is associated with a phone number (e.g. a smartphone with an associated smartwatch), it might not be possible to uniquely identify from that phone number the device for which the connected network type should be returned. If the phone number is used as the device identifier when querying in a multi-SIM scenario, the API may: + - respond with an error, or + - return a common connected network type for the multi-SIM group as a whole, or + - return the connected network type for a single device in the multi-SIM group, which may not be the intended device. + + Possible solutions in such a scenario include: + - Using the authorisation code flow to obtain an access token, which will automatically identify the intended device + - Identifying the intended device from a unique identifier for that device, such as its source IP address and port + - Check with the SIM provider whether a unique "secondary" phone number is already associated with each device, and use the secondary phone number to identify the intended device if available. + termsOfService: http://swagger.io/terms/ contact: email: project-email@sample.com From 492c352f55b8a97b6df93deb65c2c1b3252c59fa Mon Sep 17 00:00:00 2001 From: Eric Murray Date: Wed, 18 Dec 2024 14:33:19 +0000 Subject: [PATCH 7/7] Update connected-network-type.yaml --- code/API_definitions/connected-network-type.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code/API_definitions/connected-network-type.yaml b/code/API_definitions/connected-network-type.yaml index fdf4e82..ca9bfa0 100644 --- a/code/API_definitions/connected-network-type.yaml +++ b/code/API_definitions/connected-network-type.yaml @@ -33,7 +33,11 @@ info: The endpoint `POST /retrieve` allows to get connected Network Type. - # Identifying the device from the access token + # Further info and support + + (FAQs will be added in a later version of the documentation) + + ### Identifying the device from the access token This API requires the API consumer to identify a device as the subject of the API as follows: - When the API is invoked using a two-legged access token, the subject will be identified from the optional `device` object, which therefore MUST be provided. @@ -47,10 +51,6 @@ info: - If the subject can be identified from the access token and the optional `device` object is also included in the request, then the server will return an error with the `422 UNNECESSARY_IDENTIFIER` error code. This will be the case even if the same device is identified by these two methods, as the server is unable to make this comparison. - ## Further info and support - - (FAQs will be added in a later version of the documentation) - ### Multi-SIM scenario handling In multi-SIM scenarios where more than one mobile device is associated with a phone number (e.g. a smartphone with an associated smartwatch), it might not be possible to uniquely identify from that phone number the device for which the connected network type should be returned. If the phone number is used as the device identifier when querying in a multi-SIM scenario, the API may: