CN116782228A - Authorization verification method and device - Google Patents


Info

Publication number
CN116782228A
Authority
CN
China
Prior art keywords
service
network
information
land mobile
public land
Prior art date
Legal status
Pending
Application number
CN202210237627.3A
Other languages
Chinese (zh)
Inventor
李飞
何承东
张博
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN202210237627.3A
Priority to PCT/CN2023/077414 (published as WO2023169206A1)
Publication of CN116782228A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An embodiment of the application provides an authorization verification method comprising the following steps: a first network element receives a service request message from a second network function (NF), the second NF being located in a second public land mobile network (PLMN), the service request message requesting that a first NF located in a first PLMN provide a first service to the second NF, the service request message comprising an access token, a purpose of request and an identifier of the second PLMN, and the access token comprising a PLMN identifier and an interconnection purpose; the first network element performs authorization of the second NF to use the first service, having determined, before performing the authorization, that the identifier of the second PLMN is the same as the PLMN identifier in the access token and that the purpose of request is the same as the interconnection purpose. Based on this scheme, the security of access control can be improved, and the service consumer is ensured to legally acquire the service in the interconnection scenario.

Description

Authorization verification method and device
Technical Field
The embodiment of the application relates to the technical field of communication, in particular to a method and a device for verifying authorization.
Background
In the fifth generation (5G) service-based system architecture, the two parties communicating over a service-based interface are referred to as the service consumer and the service producer (service provider). The party requesting the service is called the service consumer (which may also be called the service requesting network element), and the party providing the service is called the service provider (which may also be called the service providing network element). When a network function (NF) service consumer requests a service from an NF service provider, the NF service provider needs to perform an authorization check on the service requested by the NF service consumer.
In an interconnection scenario, the networks of different operators are not directly connected; a security edge protection proxy (SEPP) is deployed at the point where a network connects to other operators' networks in order to maintain the security of the operator's own network. For example, when an NF service consumer of operator A requests a service from an NF service provider of operator B, the SEPP verifies whether operator A and operator B are allowed to communicate. The security of access control, however, needs to be further improved.
Disclosure of Invention
The embodiment of the application provides an authorization verification method and device, which can improve the security of access control and ensure that NF service consumers legally acquire services in an interconnection scenario.
In a first aspect, an authorization verification method is provided, the method comprising: a first network element receives a service request message from a second network function (NF), the second NF being located in a second public land mobile network (PLMN), the service request message requesting that a first NF located in a first PLMN provide a first service to the second NF, the service request message comprising an access token, a purpose of request and an identifier of the second PLMN, and the access token comprising a PLMN identifier and an interconnection purpose (interconnect purpose); the first network element performs authorization of the second NF to use the first service, having determined, before performing the authorization, that the identifier of the second PLMN is the same as the PLMN identifier in the access token and that the purpose of request is the same as the interconnection purpose.
The second NF may be a service requesting network element, and the first network element may be a first SEPP located in the first PLMN, a second SEPP located in the second PLMN, or the service providing network element.
Based on the above scheme, while the NF service consumer requests the first service from the NF service provider, the first network element can perform authorization verification on the NF service consumer according to the PLMN identifier and the interconnection purpose in the access token carried in the service request message, that is, verify whether the NF service consumer is authorized to use the requested service. Specifically, NF service consumers in the network indicated by the PLMN identifier in the access token can use the service of the NF service provider for the interconnection purpose, while NF service consumers in other networks cannot, so that NF service consumers are guaranteed to legally acquire the service in the interconnection scenario.
At the same time, the purpose of request in the service request message is required to be the same as the interconnection purpose in the access token, which ensures that the access token is used only in the interconnection scenario and prevents abuse of the access token.
In addition, the scheme provided by the application allows finer-grained access control. For example, in some cases two PLMNs are allowed to communicate, but a particular NF service provider is not allowed to provide services to NF service consumers in the interconnection scenario; the first SEPP (or the second SEPP) can then reject the service requested by the NF service consumer. That is, under the conventional scheme, because the two PLMNs are allowed to communicate, the service request message of the NF service consumer would be forwarded to the NF service provider; under the scheme of the present application, authorization verification of the NF service consumer is additionally performed based on the PLMN identifier and the interconnection purpose in the access token, and if the verification fails, the first network element may refuse to forward the service request message or may directly reject the service request of the NF service consumer.
The first network element performing authorization of the second NF to use the first service may take the following concrete forms: when the first network element is the first NF, the first NF provides the first service to the second NF on condition that the second NF is authorized to use the first service; or, when the first network element is the first SEPP located in the first PLMN or the second SEPP located in the second PLMN, the first network element forwards the service request message.
The service request message originates from the second NF. For example, in one possible scenario the first network element receives the service request message directly from the second NF; in another, the first network element receives it from the second SEPP, which received it directly from the second NF; in yet another, the first network element receives it from the first SEPP, which received it from the second SEPP, which in turn received it directly from the second NF.
It should be appreciated that the information in the access token has already been authorized, so the first network element can verify the service request message against the information in the access token and either authorize the second NF to use the first service or deny it.
It will be appreciated that the access token is secured, e.g., integrity protected, so that tampering with information within the access token by malicious NF service consumers may be avoided.
It will be appreciated that all information included in the access token may be verified, and the service requesting network element may be authorized to use the first service of the service providing network element when all information in the access token passes verification.
With reference to the first aspect, in a possible implementation, the service request message further includes information of the second NF, and the access token further includes information of an NF; before performing the authorization, the method further comprises: the first network element determines that the information of the second NF is the same as the information of the NF.
The information of the NF in the access token may indicate the service requesting network element (NF service consumer) to which the access token is applicable in the interconnection scenario, for example by NF type, NF instance ID, and so on. That the access token is applicable to a service requesting network element means that the applicable service requesting network element may use the access token to obtain the service and, conversely, that network elements outside the applicable range cannot use the access token to obtain the service.
Based on this technical scheme, while the second NF requests the first service from the first NF, the first network element can authorize the second NF to use the first service according to the PLMN identifier, the interconnection purpose and the information of the NF in the access token carried in the service request message, so that the second NF is ensured to be a service requesting network element to which the access token applies in the interconnection scenario, thereby preventing abuse of the access token and further ensuring that NF service consumers legally acquire the service in the interconnection scenario.
With reference to the first aspect, in a possible implementation, the service request message further includes information of the first service, and the access token further includes information of a service; before performing the authorization, the method further comprises: the first network element determines that the information of the first service is the same as the information of the service.
The information of the service in the access token may indicate the service to which the access token is applicable in the interconnection scenario; that is, the access token may be used to obtain the service when the service requested by the service request message is the applicable service, and may not be used to obtain a service when the service requested by the service request message is not the applicable service.
Based on this technical scheme, while the second NF requests the first service from the first NF, the first network element can perform authorization verification of the second NF's use of the first service according to the PLMN identifier, the interconnection purpose, the information of the NF and the information of the service in the access token carried in the service request message, so that the service requested by the second NF is further ensured to be the service applicable in the interconnection scenario, and the NF service consumer is ensured to legally acquire the service in the interconnection scenario.
With reference to the first aspect, in a possible implementation, the first network element denies the second NF use of the first service, having determined, before the denial, that the identifier of the second PLMN differs from the PLMN identifier in the access token and/or that the purpose of request differs from the interconnection purpose.
Based on this technical scheme, while the second NF requests the first service from the first NF, the first network element can deny the second NF use of the first service according to the PLMN identifier and the interconnection purpose in the access token carried in the service request message, so that malicious NF service consumers can be prevented from illegally acquiring the service in the interconnection scenario.
With reference to the first aspect, in a possible implementation, the service request message further includes information of the second NF, and the access token further includes information of an NF; the method further comprises: the first network element denies the second NF use of the first service, having determined, before the denial, that the identifier of the second PLMN differs from the PLMN identifier in the access token, and/or that the purpose of request differs from the interconnection purpose, and/or that the information of the second NF differs from the information of the NF.
Based on this technical scheme, while the second NF requests the first service from the first NF, the first network element can perform authorization verification of the second NF's use of the first service according to the PLMN identifier, the interconnection purpose and the information of the NF in the access token carried in the service request message, so that malicious NF service consumers can be prevented from illegally acquiring the service in the interconnection scenario.
With reference to the first aspect, in a possible implementation, the service request message further includes information of the second NF and information of the first service, and the access token further includes information of an NF and information of a service; the method further comprises: the first network element denies the second NF use of the first service, having determined, before the denial, that the identifier of the second PLMN differs from the PLMN identifier in the access token, and/or that the purpose of request differs from the interconnection purpose, and/or that the information of the second NF differs from the information of the NF, and/or that the information of the first service differs from the information of the service.
Based on this technical scheme, while the second NF requests the first service from the first NF, the first network element can authorize the second NF's use of the first service according to the PLMN identifier, the interconnection purpose, the information of the NF and the information of the service in the access token carried in the service request message, so that malicious NF service consumers can be prevented from illegally acquiring the service in the interconnection scenario.
With reference to the first aspect, in a possible implementation, the first network element is the first NF, the SEPP of the first PLMN, or the SEPP of the second PLMN.
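The checks of the first aspect and its implementations, worked through as an added Python example (not code from the patent or from Huawei): the token is integrity protected with an HMAC over its canonical claims, which is an assumption of this example since the text only says the token is integrity protected, and the PLMN identifiers, NF instance ID, service name and the role names first_nf and sepp are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by the issuing NRF and the verifying network element.
# The page only says the token is integrity protected; an HMAC over the canonical
# JSON of the claims is this example's assumption, not the patent's mechanism.
TOKEN_KEY = b"constructed-demo-key"


def issue_token(claims: dict) -> dict:
    """Wrap claims with an integrity tag (constructed scheme)."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "tag": hmac.new(TOKEN_KEY, body, hashlib.sha256).hexdigest()}


def token_intact(token: dict) -> bool:
    """Recompute the tag; a token whose claims were altered fails here."""
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(TOKEN_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token.get("tag", ""))


def verify_authorization(request: dict) -> tuple:
    """Checks of the first aspect, run by the first network element.

    request = {"access_token", "plmn_id" (identifier of the second PLMN),
               "purpose_of_request", optional "nf_info", optional "service_info"}.
    PLMN identifier and purpose are always compared with the token; NF
    information and service information are compared when the token carries
    them. Returns (authorized, reason).
    """
    token = request["access_token"]
    if not token_intact(token):
        return False, "token integrity check failed"
    claims = token["claims"]
    if request["plmn_id"] != claims["plmn_id"]:
        return False, "identifier of the second PLMN differs from PLMN identifier in token"
    if request["purpose_of_request"] != claims["purpose"]:
        return False, "purpose of request differs from interconnection purpose"
    if "nf_info" in claims and request.get("nf_info") != claims["nf_info"]:
        return False, "information of the second NF differs from NF information in token"
    if "service_info" in claims and request.get("service_info") != claims["service_info"]:
        return False, "requested service differs from service information in token"
    return True, "authorized"


def handle_request(role: str, request: dict) -> str:
    """Outcome by role: the first NF provides the service, a SEPP forwards the
    message, and either rejects when a check fails (role names are constructed)."""
    authorized, _ = verify_authorization(request)
    if not authorized:
        return "reject"
    return "provide" if role == "first_nf" else "forward"


# Constructed sample token: a consumer AMF in PLMN 2 may use Nudm_SDM of the
# producer in PLMN 1 for the interconnection purpose.
AMF_INFO = {"nf_type": "AMF", "nf_instance_id": "constructed-amf-instance-01"}
TOKEN = issue_token({"plmn_id": "plmn-2", "purpose": "interconnection",
                     "nf_info": AMF_INFO, "service_info": "nudm-sdm"})


def legitimate_request() -> dict:
    return {"access_token": TOKEN, "plmn_id": "plmn-2",
            "purpose_of_request": "interconnection",
            "nf_info": dict(AMF_INFO), "service_info": "nudm-sdm"}


def request_from_other_plmn() -> dict:
    """Same token presented on behalf of a consumer in PLMN 3."""
    req = legitimate_request()
    req["plmn_id"] = "plmn-3"
    return req


def request_with_other_purpose() -> dict:
    """Token issued for interconnection presented for a different purpose."""
    req = legitimate_request()
    req["purpose_of_request"] = "roaming"
    return req


def request_with_altered_token() -> dict:
    """Claims rewritten to PLMN 3 without a matching tag: integrity check fails."""
    req = legitimate_request()
    req["access_token"] = {"claims": dict(TOKEN["claims"], plmn_id="plmn-3"),
                           "tag": TOKEN["tag"]}
    req["plmn_id"] = "plmn-3"
    return req


if __name__ == "__main__":
    for name, req in [("legitimate", legitimate_request()),
                      ("other PLMN", request_from_other_plmn()),
                      ("other purpose", request_with_other_purpose()),
                      ("altered token", request_with_altered_token())]:
        print(f"{name:14s} {verify_authorization(req)} -> {handle_request('sepp', req)}")
```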
In a second aspect, a method of transmitting an access token is provided, the method comprising: a first NF repository function (NRF) located in a first PLMN receives a registration request of a first NF located in the first PLMN, the registration request including a list of PLMNs allowed access for the interconnection purpose, the PLMN list including a second PLMN; the first NRF completes registration of the first NF; the first NRF receives a first request message from a second NF located in the second PLMN, the first request message requesting an access token for accessing a first service of the first NF located in the first PLMN and including an identifier of the second PLMN and the interconnection purpose; in response to the first request message, the first NRF generates the access token, which comprises the identifier of the second PLMN and the interconnection purpose; the first NRF sends the access token to the second NF.
The first NF may be an NF service provider and the second NF an NF service consumer. Before serving the second NF, the first NF carries, for the interconnection scenario, the identifiers of the PLMNs that are allowed access when it registers with the first NRF. The second NF may then request the access token from the first NRF; if the identifier of the PLMN in which the second NF is located belongs to the identifiers of the PLMNs allowed access, the first NRF generates an access token carrying the identifier of the second PLMN and the interconnection purpose and sends it to the second NF.
Based on the above technical solution, while the second NF requests the access token from the first NRF, the second NF may be authorized according to the identifiers of the PLMNs allowed to access the first NF for the interconnection purpose, as carried in the registration request. In particular, when it is determined that the identifier of the second PLMN belongs to the identifiers of the PLMNs allowed access for the interconnection purpose, the first NRF may send the second NF an access token that can be used to access the service of the first NF in the interconnection scenario, so that the NF service consumer is ensured to legally acquire the service in the interconnection scenario.
With reference to the second aspect, in a possible implementation, the registration request further includes information of the NFs allowed to access the first NF for the interconnection purpose, and the first request message further includes information of the second NF; generating the access token in response to the first request message then includes: the first NRF determines that the information of the NFs allowed to access the first NF for the interconnection purpose includes the information of the second NF, and generates the access token, which further comprises the information of the second NF. Alternatively, the registration request further includes information of the NFs allowed to access the first NF for the interconnection purpose and information of the services allowed to be accessed for the interconnection purpose, and the first request message further includes information of the second NF and information of the first service; generating the access token then includes: the first NRF determines that the information of the NFs allowed to access the first NF for the interconnection purpose includes the information of the second NF and that the information of the services allowed to be accessed for the interconnection purpose includes the information of the first service, and generates the access token, which further comprises the information of the second NF and the information of the first service.
Based on the above technical solution, while the second NF requests the access token from the first NRF, the second NF may be authorized according to the identifiers of the PLMNs allowed to access the first NF for the interconnection purpose and the information of the NFs allowed to access the first NF, as carried in the registration request. Specifically, when it is determined that the identifier of the second PLMN belongs to the PLMNs allowed access for the interconnection purpose and that the information of the second NF matches the information of the NFs allowed to access the first NF, the first NRF may send the second NF an access token that can be used to access the service of the first NF in the interconnection scenario, so that the NF service consumer is ensured to legally obtain the service in the interconnection scenario.
Alternatively, the second NF may be authorized according to the identifiers of the PLMNs allowed to access the first NF for the interconnection purpose, the information of the NFs allowed to access the first NF, and the information of the services allowed to be accessed, as carried in the registration request. Specifically, when it is determined that the identifier of the second PLMN belongs to the PLMNs allowed access for the interconnection purpose, that the information of the second NF matches the information of the NFs allowed to access the first NF, and that the information of the first service matches the information of the services allowed to be accessed, the first NRF may send the second NF an access token that can be used to access the service of the first NF in the interconnection scenario, so that NF service consumers are ensured to legally acquire the service in the interconnection scenario.
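The NRF side of the second aspect and its implementations as an added Python example, not the patent's or Huawei's code: an NRF records the allowed-PLMN, allowed-NF and allowed-service lists from the first NF's registration and issues a token only when the first request message satisfies them. The HMAC tag, the nf_matches attribute matching (a registration entry listing only nf_type matches any NF of that type) and all identifiers are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key; the page says the token is integrity protected without
# fixing a mechanism, so an HMAC over the canonical claims is an assumption here.
NRF_KEY = b"constructed-demo-key"


def nf_matches(pattern: dict, nf_info: dict) -> bool:
    """An allowed-NF entry matches when every attribute it lists (for example
    only nf_type, or nf_type plus nf_instance_id) equals the requester's value."""
    return all(nf_info.get(k) == v for k, v in pattern.items())


class Nrf:
    """First NRF of the first PLMN (constructed model of the second aspect)."""

    def __init__(self):
        self.profiles = {}  # first NF id -> lists carried in its registration

    def register(self, nf_id: str, allowed_plmns, allowed_nfs=None,
                 allowed_services=None) -> str:
        """Registration request of the first NF. allowed_nfs and allowed_services
        are the optional lists of the implementations; None means not carried."""
        self.profiles[nf_id] = {"allowed_plmns": set(allowed_plmns),
                                "allowed_nfs": allowed_nfs,
                                "allowed_services": allowed_services}
        return "registered"

    def request_token(self, target_nf: str, req: dict) -> tuple:
        """First request message from the second NF: req carries plmn_id (the
        second PLMN), purpose, and optionally nf_info and service.
        Returns (token, None) on success or (None, reason) when refused."""
        profile = self.profiles.get(target_nf)
        if profile is None:
            return None, "first NF not registered"
        if req["purpose"] != "interconnection":
            return None, "registered lists apply to the interconnection purpose only"
        if req["plmn_id"] not in profile["allowed_plmns"]:
            return None, "second PLMN not in the PLMN list allowed access for the interconnection purpose"
        claims = {"plmn_id": req["plmn_id"], "purpose": req["purpose"]}
        if profile["allowed_nfs"] is not None:
            if not any(nf_matches(p, req.get("nf_info", {})) for p in profile["allowed_nfs"]):
                return None, "second NF not among NFs allowed to access the first NF"
            claims["nf_info"] = req["nf_info"]
        if profile["allowed_services"] is not None:
            if req.get("service") not in profile["allowed_services"]:
                return None, "first service not among services allowed to be accessed"
            claims["service_info"] = req["service"]
        body = json.dumps(claims, sort_keys=True).encode()
        return {"claims": claims, "tag": hmac.new(NRF_KEY, body, hashlib.sha256).hexdigest()}, None


def build_nrf() -> Nrf:
    """Constructed registration: the UDM of PLMN 1 exposes Nudm_SDM to AMFs of
    PLMN 2 and PLMN 4 for the interconnection purpose."""
    nrf = Nrf()
    nrf.register("udm-1", allowed_plmns=["plmn-2", "plmn-4"],
                 allowed_nfs=[{"nf_type": "AMF"}], allowed_services=["nudm-sdm"])
    return nrf


AMF_PLMN2 = {"nf_type": "AMF", "nf_instance_id": "constructed-amf-01"}


def token_for(nrf: Nrf, plmn_id="plmn-2", nf_info=AMF_PLMN2, service="nudm-sdm",
              purpose="interconnection", target_nf="udm-1") -> tuple:
    """Send one first request message and return (token, reason)."""
    return nrf.request_token(target_nf, {"plmn_id": plmn_id, "purpose": purpose,
                                         "nf_info": nf_info, "service": service})


if __name__ == "__main__":
    nrf = build_nrf()
    print(token_for(nrf))                              # token issued
    print(token_for(nrf, plmn_id="plmn-3"))            # PLMN not in allowed list
    print(token_for(nrf, nf_info={"nf_type": "SMF"}))  # NF type not allowed
    print(token_for(nrf, service="nudm-uecm"))         # service not allowed
```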
In a third aspect, a service authorization method is provided, the method comprising: a security edge protection proxy (SEPP) receives a service request message from a second NF, the second NF being located in a second PLMN, the service request message requesting that a first NF located in a first PLMN provide a first service to the second NF; the SEPP performs authorization of the second NF to use the first service according to configured parameters, the configured parameters comprising information of the NFs allowed to access the first NF for the interconnection purpose, and before performing the authorization the SEPP determines that the information of the NFs allowed to access the first NF for the interconnection purpose includes the information of the second NF.
It should be appreciated that the SEPP may be a first SEPP located in the first PLMN or a second SEPP located in the second PLMN, for example the first SEPP or the second SEPP in the embodiment shown in fig. 6.
Based on the above scheme, an NF service consumer sends a service request message to the service provider, and the SEPP performs service authorization on the service request message according to a configured parameter list. Modifying the parameters configured on the SEPP can therefore support service authorization in the interconnection scenario and finer-grained service access control. Before authorizing the second NF to use the first service, the SEPP needs to determine that the information of the second NF belongs to the information of the NFs allowed to access the first NF for the interconnection purpose, so that a malicious NF service consumer can be prevented from illegally acquiring the service in the interconnection scenario.
Optionally, the configured parameters may be pre-configured.
With reference to the third aspect, in a possible implementation, the SEPP is located in the first PLMN, the configured parameters further include a list of PLMNs allowed to access the first PLMN for the interconnection purpose, and before performing the authorization the method further includes: determining that the list of PLMNs allowed to access the first PLMN for the interconnection purpose includes the second PLMN. Or, the SEPP is located in the second PLMN, the configured parameters further include a list of PLMNs that the second PLMN is allowed to access for the interconnection purpose, and before performing the authorization the method further includes: determining that the list of PLMNs that the second PLMN is allowed to access for the interconnection purpose includes the first PLMN.
With reference to the third aspect, in a possible implementation, the configured parameters further include information of the services allowed to be accessed for the interconnection purpose, and before performing the authorization the method further includes: determining that the information of the services allowed to be accessed for the interconnection purpose includes the information of the first service carried in the service request message.
With reference to the third aspect, in a possible implementation, the method further includes: the SEPP denies the second NF use of the first service, having determined, before the denial and according to the configured parameters, that the information of the NFs allowed to access the first NF for the interconnection purpose does not include the information of the second NF.
With reference to the third aspect, in a possible implementation, the SEPP is located in the first PLMN, the configured parameters further include a list of PLMNs allowed to access the first PLMN for the interconnection purpose, and the method further includes: the SEPP denies the second NF use of the first service, having determined, before the denial, that the list of PLMNs allowed to access the first PLMN for the interconnection purpose does not include the second PLMN. Or, the SEPP is located in the second PLMN, the configured parameters further include a list of PLMNs that the second PLMN is allowed to access for the interconnection purpose, and the method further includes: the SEPP denies the second NF use of the first service, having determined, before the denial, that the list of PLMNs that the second PLMN is allowed to access for the interconnection purpose does not include the first PLMN.
With reference to the third aspect, in a possible implementation, the configured parameters further include information of the services allowed to be accessed for the interconnection purpose, and the method further includes: the SEPP denies the second NF use of the first service, having determined, before the denial, that the information of the services allowed to be accessed does not include the information of the first service.
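The SEPP policy check of the third aspect, including the side-dependent PLMN list of the implementations above, as an added Python example that is not the patent's or Huawei's code; the Sepp class, the NF and PLMN identifiers, and the attribute-pattern form of the allowed-NF list are constructed assumptions.

```python
def nf_matches(pattern: dict, nf_info: dict) -> bool:
    """An allowed-NF entry matches when every attribute it lists (for example
    only nf_type, or nf_type plus nf_instance_id) equals the requester's value."""
    return all(nf_info.get(k) == v for k, v in pattern.items())


class Sepp:
    """SEPP that authorizes a service request from its configured parameters
    alone (constructed model of the third aspect; no access token is involved)."""

    def __init__(self, side: str, allowed_plmns, allowed_nfs, allowed_services=None):
        # side: "first" = SEPP of the producer's PLMN, "second" = SEPP of the consumer's PLMN.
        # allowed_plmns: on the first side, PLMNs allowed to access the first PLMN;
        #                on the second side, PLMNs the second PLMN is allowed to access.
        # allowed_nfs: first NF id -> NF-info patterns allowed to access it.
        # allowed_services: optional services allowed for the interconnection purpose.
        self.side = side
        self.allowed_plmns = set(allowed_plmns)
        self.allowed_nfs = allowed_nfs
        self.allowed_services = None if allowed_services is None else set(allowed_services)

    def authorize(self, req: dict) -> tuple:
        """req: first_plmn, second_plmn, target_nf, nf_info, service.
        Returns ("forward", reason) or ("reject", reason)."""
        peer = req["second_plmn"] if self.side == "first" else req["first_plmn"]
        if peer not in self.allowed_plmns:
            return "reject", f"{peer} not in the configured PLMN list for the interconnection purpose"
        patterns = self.allowed_nfs.get(req["target_nf"], [])
        if not any(nf_matches(p, req["nf_info"]) for p in patterns):
            return "reject", "second NF not among NFs allowed to access the first NF"
        if self.allowed_services is not None and req["service"] not in self.allowed_services:
            return "reject", "requested service not allowed for the interconnection purpose"
        return "forward", "authorized"


# Constructed configuration. PLMN 1 and PLMN 2 may communicate, but only udm-1
# is exposed (to AMFs, for Nudm_SDM); pcf-1 has no allowed consumers at all.
FIRST_SEPP = Sepp("first", allowed_plmns=["plmn-2", "plmn-4"],
                  allowed_nfs={"udm-1": [{"nf_type": "AMF"}], "pcf-1": []},
                  allowed_services=["nudm-sdm"])
SECOND_SEPP = Sepp("second", allowed_plmns=["plmn-1"],
                   allowed_nfs={"udm-1": [{"nf_type": "AMF",
                                           "nf_instance_id": "constructed-amf-01"}]})


def sample_request(**overrides) -> dict:
    """Service request from the AMF of PLMN 2 to udm-1 of PLMN 1 (constructed)."""
    req = {"first_plmn": "plmn-1", "second_plmn": "plmn-2", "target_nf": "udm-1",
           "nf_info": {"nf_type": "AMF", "nf_instance_id": "constructed-amf-01"},
           "service": "nudm-sdm"}
    req.update(overrides)
    return req


def decide_on_path(req: dict) -> tuple:
    """Decision of each SEPP on the path second NF -> second SEPP -> first SEPP."""
    return SECOND_SEPP.authorize(req)[0], FIRST_SEPP.authorize(req)[0]


if __name__ == "__main__":
    print(decide_on_path(sample_request()))                      # both forward
    print(decide_on_path(sample_request(target_nf="pcf-1")))     # PLMNs may talk, NF not exposed
    print(decide_on_path(sample_request(second_plmn="plmn-3")))  # consumer PLMN not allowed
    print(decide_on_path(sample_request(service="nudm-uecm")))   # service not allowed on first side
```

The second case is the finer-grained control the text describes: the two PLMNs are permitted to communicate, yet the request is rejected because the target NF has no allowed consumers for the interconnection purpose.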
In a fourth aspect, there is provided an apparatus for authorising verification, the apparatus comprising: a transceiver unit, configured to receive a service request message from a second NF, where the second NF is located in a second PLMN, where the service request message is configured to request that a first NF located in a first PLMN provide a first service to the second NF, where the service request message includes an access token, a request destination, and an identifier of the second PLMN, and where the access token includes a PLMN identifier and an interconnection destination; a processing unit, configured to perform authorization of the second NF to use the first service, determine that an identifier of the second PLMN is the same as a PLMN identifier in the access token before performing the authorization, and that a purpose of the request is the same as the interconnection purpose.
In a fifth aspect, there is provided an apparatus for transmitting a token, the apparatus comprising: a receiving and transmitting unit, configured to receive a registration request of a first NF located in the first PLMN, where the registration request includes a PLMN list allowed to be accessed for interconnection purposes, and the PLMN list includes a second PLMN; completing registration of the first NF; receiving a first request message from a second NF, the second NF being located in the second PLMN, the first request message being for requesting an access token for accessing a first service of the first NF located in the first PLMN, the first request message comprising an identifier of the second PLMN and the interworking purpose; a processing unit, configured to generate, in response to the first request message, the access token including an identifier of the second PLMN and the interconnection purpose; the transceiver unit is further configured to: and sending the access token to the second NF.
In a sixth aspect, there is provided an apparatus for service authorization, the apparatus comprising: the receiving and transmitting unit is used for receiving a service request message from a second NF, wherein the second NF is positioned in a second PLMN, and the service request message is used for requesting a first NF positioned in a first PLMN to provide a first service for the second NF; and the processing unit is used for executing the authorization of the second NF to use the first service, the configured parameters comprise information of the NF which is allowed to access the first NF under the interconnection purpose, and before executing the authorization, the information of the NF which is allowed to access the first NF under the interconnection purpose comprises the information of the second NF according to the configured parameters.
It should be understood that the specific implementation manner and the beneficial effects corresponding to the above several devices have been described in detail in the above method embodiments, and specific reference may be made to the above method embodiments, which are not described herein for brevity.
In a seventh aspect, there is provided a method of authorization verification, the method comprising: a first network element receives a service request message from a second NF, where the second NF is located in a second PLMN, the service request message is used to request a first NF located in a first PLMN to provide a first service to the second NF, the service request message includes an access token, a request purpose and an identifier of the second PLMN, and the access token includes a PLMN identifier and an interconnection purpose;
Based on the above scheme, while the NF service consumer requests a service from the NF service provider, the first network element can perform authorization verification on the NF service consumer according to the PLMN identifier and the interconnection purpose in the access token carried in the service request message, that is, verify whether the NF service consumer is authorized to use the requested service. Specifically, only NF service consumers in the network indicated by the PLMN identifier in the access token can use the services of the NF service provider for the interconnection purpose; NF service consumers in other networks cannot.
At the same time, the request purpose in the service request message is checked against the interconnection purpose in the access token. This ensures that the access token is only used in the interconnection scenario and prevents the access token from being abused.
In addition, the scheme provided by the application can perform finer-grained access control. For example, in some cases the two PLMNs are allowed to communicate with each other, but a particular NF service provider must not provide services to NF service consumers in the interconnection scenario; the first SEPP (or the second SEPP) can then reject the service requested by the NF service consumer. That is, under the conventional scheme the service request message of the NF service consumer would be forwarded to the NF service provider simply because the two PLMNs are allowed to communicate, whereas the scheme of the present application additionally performs authorization verification on the NF service consumer based on the PLMN identifier and the interconnection purpose in the access token, and if that verification fails, the first network element can refuse to forward the service request message or directly reject the service request of the NF service consumer.
The first network element refuses the second NF to use the first service if the identifier of the second PLMN is not the same as the PLMN identifier, or if the request purpose is not the same as the interconnection purpose.
With reference to the seventh aspect, in a possible implementation manner, the service request message further includes information of the second NF, and the access token further includes information of an NF, where the information of the NF indicates the service requesting network element to which the access token is applicable, and the method further includes: if the information of the second NF is different from the information of the NF, the first network element refuses the second NF to use the first service.
Based on this technical scheme, while the second NF requests the first service from the first NF, the first network element can perform authorization verification on the second NF according to the PLMN identifier, the interconnection purpose and the information of the NF in the access token carried in the service request message. This ensures that the second NF is a service requesting network element to which the access token applies in the interconnection scenario, which prevents abuse of the access token and so prevents a malicious service consumer from illegally obtaining the service in the interconnection scenario.
With reference to the seventh aspect, in a possible implementation manner, the service request message further includes information of the first service, and the access token further includes information of a service, where the information of the service indicates the service to which the access token is applicable, and the method further includes: if the information of the first service is different from the information of the service, the first network element refuses the second NF to use the first service.
Based on this technical scheme, while the second NF requests the first service from the first NF, the first network element can perform authorization verification on the second NF according to the PLMN identifier, the interconnection purpose, the information of the NF and the information of the service in the access token carried in the service request message. This ensures that the service requested by the second NF is a service to which the access token applies in the interconnection scenario, which prevents abuse of the access token and so prevents a malicious service consumer from illegally obtaining the service in the interconnection scenario.
In an eighth aspect, there is provided a computer readable storage medium storing a computer program which, when run on a computer, causes the computer to perform the method of any one of the first aspect, or causes the computer to perform the method of any one of the second aspect, or causes the computer to perform the method of any one of the third aspect.
In a ninth aspect, there is provided a computer program product comprising computer program instructions which, when run on a computer, cause the computer to perform the method of any one of the first aspect, or cause the computer to perform the method of any one of the second aspect, or cause the computer to perform the method of any one of the third aspect.
In a tenth aspect, there is provided a communications apparatus comprising at least one processor for executing a computer program or instructions stored in a memory, to perform the method of any one of the first aspect, or to perform the method of any one of the second aspect, or to perform the method of any one of the third aspect.
In an eleventh aspect, there is provided a communication system including at least two of the apparatus for authentication shown in the fourth aspect, the apparatus for transmitting a token shown in the fifth aspect, and the apparatus for service authorization shown in the sixth aspect.
Drawings
Fig. 1 is a schematic diagram of a network architecture suitable for use with embodiments of the present application.
Fig. 2 shows a schematic diagram of a communication mode in an interconnection scenario.
Fig. 3 shows an exemplary flowchart of a method for authorization verification provided by an embodiment of the present application.
Fig. 4 shows an exemplary flowchart of a method for sending an access token according to an embodiment of the present application.
Fig. 5 shows an exemplary flowchart of a registration method provided by an embodiment of the present application.
Fig. 6 shows an exemplary flowchart of a method for sending an access token according to an embodiment of the present application.
Fig. 7 is an exemplary flowchart of a method for authorization verification provided by an embodiment of the present application.
Fig. 8 is an exemplary flowchart of a method for service authorization according to an embodiment of the present application.
Fig. 9 is a schematic block diagram of an apparatus for authorization verification provided by an embodiment of the present application.
Fig. 10 is a schematic structural diagram of an apparatus for authorization verification according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings.
The technical scheme of the embodiments of the application can be applied to various communication systems, such as: long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, LTE time division duplex (TDD) systems, the universal mobile telecommunications system (UMTS), worldwide interoperability for microwave access (WiMAX) communication systems, 5G systems or new radio (NR), sixth generation (6G) systems or future communication systems, and the like. The 5G mobile communication system described in the present application includes a non-standalone (NSA) 5G mobile communication system or a standalone (SA) 5G mobile communication system. The communication system may also be a public land mobile network (PLMN), a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, an internet of things (IoT) communication system, or another communication system.
To facilitate understanding of the embodiments of the present application, a network architecture suitable for use in the embodiments of the present application will be described in detail with reference to fig. 1.
Fig. 1 is a schematic diagram of a network architecture suitable for use with the method provided in an embodiment of the present application. As shown in fig. 1, the network architecture is, for example, the 5G system (5GS) defined by the third generation partnership project (3GPP). The network architecture is a service-based architecture, and the network elements inside the dashed box of fig. 1 communicate over service-based interfaces, i.e. the communication between these network elements uses service-based interfaces. The network architecture may include an access network (AN) and a core network (CN), and may also include a user equipment (UE).
The core network is responsible for maintaining the subscription data of the mobile network and for providing session management, mobility management, policy management, security authentication and other functions for the UE. The core network may comprise the following network elements: a user plane function (UPF), an authentication server function (AUSF), an access and mobility management function (AMF), a session management function (SMF), a network slice selection function (NSSF), a network exposure function (NEF), an NF repository function (NRF), a policy control function (PCF), unified data management (UDM), and an application function (AF).
The following briefly describes the network elements shown in fig. 1:
1. User equipment (UE): also called a terminal device, a device that provides voice/data connectivity to a user, e.g., a handheld device with wireless connectivity, a vehicle-mounted device, etc.
It should be understood that the terminal device may be any device that can access the network. And the terminal equipment and the access network equipment can communicate with each other by adopting a certain air interface technology.
2. Access network (AN): the access network provides access functions for authorized users in a particular area, and includes radio access network (RAN) equipment and AN equipment. The RAN equipment is mainly 3GPP-defined radio network equipment, and the AN equipment may be non-3GPP-defined access network equipment.
The access network may serve the cell. The terminal device may communicate with the cell via transmission resources (e.g., frequency domain resources, or spectrum resources) allocated by the access network device.
3. AMF network element: mainly used for mobility management and access management, such as updating the user's location, registering the user with the network, and user handover. The AMF may also implement the functions of the mobility management entity (MME) other than session management, such as lawful interception or access authorization (or authentication).
4. SMF network element: mainly used for session management, internet protocol (IP) address allocation and management for the UE, selection of a manageable user plane function termination point, the policy control or charging function interface, downlink data notification, and the like. In the embodiments of the application, the SMF is mainly responsible for session management in the mobile network, such as session establishment, modification and release. Specific functions may include, for example, assigning an IP address to a terminal device and selecting a UPF that provides the message forwarding function.
5. UPF network element: responsible for forwarding and receiving the user data of the terminal device. The UPF network element may receive user data from a data network (DN) and transmit it to the terminal device through the access network device. The UPF network element may also receive user data from the terminal device via the access network device and forward it to the data network. The transmission resources and scheduling functions in the UPF network element that serve the terminal device are managed and controlled by the SMF network element.
6. Data Network (DN): the service network for providing data services to the user may be a private network, such as a local area network; or an external network not under the control of an operator, such as the Internet (Internet); but also a proprietary network co-deployed by operators, such as a network providing an IP multimedia subsystem (IP multimedia subsystem, IMS). The UE may access the DN through an established protocol data unit (protocol data unit, PDU) session.
7. Authentication server function (AUSF) network element: mainly used for security authentication of the user, and the like.
8. Network exposure function (NEF) network element: mainly used for supporting the exposure of capabilities and events, such as securely exposing the services and capabilities provided by 3GPP network functions to external parties.
9. NF repository function (NRF) network element: mainly provides service registration, discovery and authorization, maintains the information of available network function (NF) instances, and can implement on-demand configuration of network functions and services and interconnection between NFs. Service registration means that an NF network element must register with the NRF network element before it provides services. Service discovery means that when an NF network element needs another NF network element to provide a service for it, it first performs service discovery through the NRF network element to find the NF network element that is expected to provide the service. For example, when NF network element 1 needs NF network element 2 to provide a service for it, it performs service discovery through the NRF network element to find NF network element 2.
10. PCF network element: provides a unified policy framework to guide network behavior, provides policy rule information to control plane function network elements (such as the AMF and SMF network elements), and is responsible for obtaining the user subscription information related to policy decisions, and the like.
11. UDM network element: used for generating authentication credentials, user identification handling (e.g., storing and managing the user's permanent identity), access authorization control, subscription data management, and the like.
12. Application function (AF) network element: mainly supports interaction with the 3GPP core network to provide services, such as influencing data routing decisions, interacting with the policy control function (PCF), or providing third-party services to the network side.
13. Service communication proxy (service communication proxy, SCP): for completing routing and forwarding of the servitized interface signaling. The operator can deploy an SCP according to the need, the SCP network element can provide routing and forwarding services for the sender of the service interface signaling, and the sender of the service interface signaling can be, for example, a NF network element. The NF network elements may be configured with information of a corresponding SCP network element that may provide a service for forwarding messages for the NF network elements. In the event that the NF network element needs to communicate using an SCP network element, the NF network element may send a message to the configured SCP network element.
14. The security edge protection proxy (security edge protection proxy, SEPP) is an important component of the 5G roaming security architecture, and is used to implement user roaming, communication and interworking with other operators, and is responsible for message filtering and policy management on the control plane interface between operators, and is mainly used as a border gateway between the control planes of the operator core network.
It should be understood that the network architecture applied to the embodiments of the present application is merely an exemplary network architecture described from the viewpoint of a service-based architecture; the network architecture to which the embodiments apply is not limited to it, and any network architecture capable of implementing the functions of the network elements described above is applicable to the embodiments of the present application.
It should also be understood that AMF, SMF, UPF, network slice selection function network elements (network slice selection function, NSSF), NEF, AUSF, NRF, PCF, UDM shown in fig. 1 may be understood as network elements in the core network for implementing different functions, e.g. may be combined as desired into network slices. The core network elements can be independent devices or integrated in the same device to realize different functions, and the application is not limited to the specific form of the network elements.
It should also be understood that the above designations are merely intended to facilitate distinguishing between different functions and should not be construed as limiting the application in any way. The application does not exclude the possibility of using other designations in 5G networks as well as in other networks in the future. For example, in a 6G network, some or all of the individual network elements may follow the terminology in 5G, possibly by other names, etc. The names of interfaces between the network elements in fig. 1 are only an example, and the names of interfaces in the specific implementation may be other names, which are not specifically limited by the present application. Furthermore, the names of the transmitted messages (or signaling) between the various network elements described above are also merely an example, and do not constitute any limitation on the function of the message itself.
In order to facilitate understanding of the scheme provided by the embodiment of the present application, a simple description will be first made of a communication mode between service network elements.
In the 5G service-based architecture, the two parties communicating over a service-based interface are called the service consumer and the service provider (or service producer), respectively. The party requesting the service is the service consumer and the party providing the service is the service producer. A service consumer may also be referred to as a consumer, consumer network element, user, requesting end or requester, or service consumer network element, etc. The service provider may also be referred to as a providing network element, service providing network element, provider, producer, responder, etc., and the application is not limited in this respect.
In order to facilitate understanding of the scheme provided by the embodiment of the present application, a simple description will be first made of a communication mode between service network elements in an interconnection scenario.
Fig. 2 shows a schematic diagram of a communication mode in an interconnection scenario. In the communication mode shown in fig. 2, the first SEPP and the NF service provider are in a first PLMN, and the second SEPP and the NF service consumer are in a second PLMN. When the NF service consumer sends a service request message to the NF service provider, the message must be forwarded through the second SEPP and the first SEPP. The first SEPP or the second SEPP may verify whether communication is allowed between the first PLMN and the second PLMN, and thereby determine whether the service request message may be forwarded.
In the embodiment of the application, the interconnection scenario refers to that service consumers and service providers respectively access in respective networks, but the service consumers need to access services provided by the service providers.
For example, a short message is sent between UE1 of China Mobile and UE2 of China Telecom, and UE1 and UE2 are each attached to their own network. In this case, the core network of China Mobile must interact with the core network of China Telecom to forward the short message; for example, the SMS-GMSC (short message service gateway mobile switching center) of China Mobile accesses the UDM of China Telecom. We call the service access between the SMS-GMSC of China Mobile and the UDM of China Telecom an interconnection access, and this is an interconnection scenario.
In this communication mode, although the SEPP can verify whether communication is allowed between the two PLMNs, it cannot verify whether the NF service consumer may use the service provided by the NF service provider. For example, in some cases an NF service provider is configured not to provide services to service consumers in the interconnection scenario, but it may still receive service request messages sent from other networks, and the service provider is then at risk of being illegally accessed.
Fig. 3 is a schematic flow chart of a method 300 of authorization verification provided by an embodiment of the application. The method 300 comprises the following steps:
S301, the first network element receives a service request message from the second network function NF.
The service request message is used to request the first NF to provide the first service to the second NF. The service request message includes an access token, a request purpose and an identifier of the second PLMN, and the access token includes a PLMN identifier and an interconnection purpose. The first NF is located in a first PLMN and the second NF is located in a second PLMN.
The second NF may be a service request network element (service consumer), the first network element may be a first security edge protection proxy network element (first SEPP) located in the first PLMN, or may be a second security edge protection proxy network element (second SEPP) located in the second PLMN, or may be a service providing network element (service provider).
The service request message is associated with a second NF. For example, in one possible scenario, the first network element may receive the service request message directly from the second NF; in another possible scenario, the first network element may receive the service request message from a second secure edge protection proxy network element, where the second secure edge protection proxy network element may receive the service request message directly from a second NF; in yet another possible scenario, a first network element may receive the service request message from a first secure edge protection proxy network element, where the first secure edge protection proxy network element may be the service request message received from a second secure edge protection proxy network element, which may be the service request message received directly from a second NF.
Alternatively, the first network element may receive the service request message from a service communication proxy network element, where the service communication proxy network element may have received the service request message directly from the second NF, or may have received it from the second NF through one or more other service communication proxy network elements. That is, the first network element may communicate with the second NF through one or more service communication proxy network elements.
S302, the first network element performs authorization of the second NF to use the first service.
It should be appreciated that before the second NF requests to use the service of the first NF, the access token may be requested from a network element (e.g., the first NRF, located in the first PLMN) corresponding to the first NF that distributes the access token, so as to request the service of the first NF using a service request message carrying the access token.
It should be appreciated that the access token in the service request message is integrity protected, so a malicious NF cannot tamper with the information within the access token. The protection may be applied by the network element that distributes the access token. For example, the first NRF generates an integrity protection parameter (e.g., a message authentication code, MAC) over the access token (or over parameters within the access token) using a shared key, and the second NF carries the integrity protection parameter in the service request message; the first network element can then verify from the integrity protection parameter whether the information in the access token has been tampered with. As another example, the first NRF signs the information in the access token with its private key, and during authorization verification the first network element determines whether the information in the access token has been tampered with by verifying the signature.
It should also be appreciated that the information in the access token has been authorized, and the first network element may verify the service request message based on the information in the access token, perform authorization of the second NF to use the first service, or deny the second NF to use the first service.
The concrete form of the first network element authorizing the second NF to use the first service may be: when the second NF is authorized to use the first service, the first NF provides the first service to the second NF; or, when the second NF is authorized to use the first service, the first security edge protection proxy network element forwards the service request message; or, when the second NF is authorized to use the first service, the second security edge protection proxy network element forwards the service request message.
In an embodiment of the application, the access token comprises a PLMN identifier and an interconnection purpose, and the service request message comprises the requested purpose and an identifier of the second PLMN. Before authorizing the second NF to use the first service, determining that the identifier of the second PLMN is the same as the PLMN identifier in the access token, and determining that the purpose of the request is the same as the interworking purpose.
That is, the first network element may determine that the access token is used in an interworking scenario and that the service request message originates from a network indicated by the PLMN identifier in the access token.
It should be appreciated that the verification described above is a necessary condition for authorizing the second NF to use the first service. That is, in addition to the verification described above, other verification may be required, and the second NF is authorized to use the first service only when all of the verification passes.
It will be appreciated that verification should be performed on all of the information included in the access token, and that the service requesting network element is authorized to use the first service of the service providing network element only when all of the information in the access token passes verification.
Optionally, the access token may further include information of the NF(s) that the service providing network element allows to request its service. That is, the access token may only be used to request the service of the service providing network element by the indicated NF(s). In this way, the service providing network element can specify which service requesting network elements in the network can use its services.
In some embodiments, the access token further includes information of the NF, and the service request message further includes information of the second NF, at which time it is further determined that the information of the second NF is the same as the information of the NF in the access token before authorizing the second NF to use the first service.
Information of NF in the access token indicates information of a service requesting network element (service consumer) to which the access token is applicable, e.g., NF type, NF instance ID, etc.
It will be appreciated that the service requesting network element to which the access token is applicable is the network element that may use the access token to obtain the service; network elements outside the range of the applicable service requesting network element cannot use the access token to obtain the service.
In some embodiments, the access token further includes information for the service, and the service request message further includes information for the first service, where it is further determined that the information for the first service requested by the service request message is the same as the information for the service in the access token before authorizing the second NF to use the first service.
That is, the service request message may request a service indicated by information of the service in the access token.
The concrete form of the first network element refusing the second NF to use the first service may be: when the second NF is refused the first service, the first network element rejects the service request message, i.e. refuses the first service requested by the second NF. The first network element sends a service response message to the second NF, where the service response message indicates that the first service is refused, and optionally the service response message also includes the reason for the refusal, for example that the access token failed verification.
In some embodiments, the access token includes a PLMN identifier and an interworking purpose, and the service request message includes the requested purpose and an identifier of the second PLMN. The first network element refuses the second NF to use the first service, determines that an identifier of the second PLMN is not the same as a PLMN identifier in the access token before refusing the second NF to use the first service, and/or determines that the purpose of the request is not the same as the interworking purpose.
In some embodiments, the access token further includes information of the NF, the service request message further includes information of a second NF, the first network element refuses the second NF to use the first service, and before refusing the second NF to use the first service, it is determined that the information of the second NF is different from the information of the NF in the access token.
In some embodiments, the access token further includes information of a service, the service request message further includes information of the first service, the first network element refuses the second NF to use the first service, and before refusing the second NF to use the first service, it is determined that the information of the first service requested by the service request message is not the same as the information of the service in the access token.
It should be appreciated that if any of the information in the service request message is not the same as the information in the access token (e.g., the information of the first service is not the same as the information of the service in the access token), the first network element denies the second NF to use the first service.
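The checks of S302, which are the same conditions the seventh aspect above states, are shown below as an added example. This is illustration written for this page, not code from the patent, from Huawei, or from any 3GPP implementation. It assumes the access token is a JSON claim set protected by an HMAC-SHA256 tag computed with a key shared between the first NRF and the verifier (the first of the two integrity options the text mentions); the claim names (plmn_id, purpose, nf_info, service), the PLMN labels PLMN-1 and PLMN-2, the NF type SMS-GMSC and the service name Nudm_UECM are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed key shared between the first NRF (issuer) and the verifier.
SHARED_KEY = b"constructed-nrf-sepp-shared-key"
INTERCONNECTION = "interconnection"


def issue_token(claims, key=SHARED_KEY):
    """First NRF role: serialize the claims and attach an HMAC-SHA256 tag
    (the "integrity protection parameter" of the text)."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def make_request(plmn_id, purpose, nf_info, service, token):
    """Second NF role: a service request message carrying the token."""
    return {"plmn_id": plmn_id, "purpose": purpose, "nf_info": nf_info,
            "service": service, "access_token": token}


def verify_request(request, key=SHARED_KEY):
    """First network element role (SEPP or producer NF), step S302.
    Returns (authorized, reason); the reason is what a service response
    message would carry when the request is rejected."""
    token = request["access_token"]
    expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
    # Integrity is checked before any claim is read.
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "access token failed integrity verification"
    claims = json.loads(token["payload"])

    # Mandatory checks: the consumer's PLMN and the purpose must equal the token's.
    if request["plmn_id"] != claims.get("plmn_id"):
        return False, "PLMN of request differs from PLMN identifier in token"
    if claims.get("purpose") != INTERCONNECTION or request["purpose"] != INTERCONNECTION:
        return False, "purpose of request differs from interconnection purpose in token"

    # Optional claims are enforced only when the issuer put them in the token.
    if "nf_info" in claims and request["nf_info"] != claims["nf_info"]:
        return False, "consumer NF differs from NF information in token"
    if "service" in claims and request["service"] != claims["service"]:
        return False, "requested service differs from service information in token"
    return True, "authorized"


# Constructed sample: token issued by the NRF of the first PLMN ("PLMN-1")
# for the SMS-GMSC of the second PLMN ("PLMN-2"), narrowed to one UDM service.
TOKEN = issue_token({
    "plmn_id": "PLMN-2",
    "purpose": INTERCONNECTION,
    "nf_info": "SMS-GMSC",
    "service": "Nudm_UECM",
})

GOOD = make_request("PLMN-2", INTERCONNECTION, "SMS-GMSC", "Nudm_UECM", TOKEN)
WRONG_PLMN = make_request("PLMN-3", INTERCONNECTION, "SMS-GMSC", "Nudm_UECM", TOKEN)
WRONG_PURPOSE = make_request("PLMN-2", "roaming", "SMS-GMSC", "Nudm_UECM", TOKEN)
WRONG_SERVICE = make_request("PLMN-2", INTERCONNECTION, "SMS-GMSC", "Nudm_SDM", TOKEN)
# Replay with the claims edited but the original tag kept: caught by the MAC.
TAMPERED_TOKEN = {"payload": TOKEN["payload"].replace("PLMN-2", "PLMN-3"),
                  "mac": TOKEN["mac"]}
TAMPERED = make_request("PLMN-3", INTERCONNECTION, "SMS-GMSC", "Nudm_UECM", TAMPERED_TOKEN)

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("wrong_plmn", WRONG_PLMN),
                      ("wrong_purpose", WRONG_PURPOSE),
                      ("wrong_service", WRONG_SERVICE), ("tampered", TAMPERED)]:
        print(name, verify_request(req))
```

The order of the checks is the security-relevant part: the tag is verified before any claim is read, so a replayed token whose claims have been edited (the TAMPERED case) fails at the integrity step rather than at a claim comparison, and the optional claims are enforced only when the issuer included them, which is what lets the producer narrow a token to one consumer NF or one service without changing the verifier.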
A method 400 of transmitting an access token is described below, as shown in fig. 4, the method 400 comprising:
S410, the first NF sends a registration request to the first NRF, and correspondingly, the first NRF receives the registration request from the first NF.
The first NF and the first NRF are located in a first PLMN, and the second NF is located in a second PLMN.
Specifically, the registration request includes a PLMN list allowed to be accessed for interconnection purposes, where the PLMN list allowed to be accessed includes a second PLMN.
That is, when the first NF registers with the first NRF, a restriction may be imposed on a network where the NF accessing the first NF under the purpose of interconnection is located. For example, the PLMN list allowed to be accessed for interconnection purposes includes a second PLMN, which indicates that the NF in the second PLMN can access the first NF for interconnection purposes.
In some embodiments, the registration request further includes information of network functions for interworking purposes that allow access to said first network function.
That is, when the first NF registers with the first NRF, the NF that accesses the first NF for the purpose of interconnection may be restricted.
In some embodiments, the registration request further includes information of network functions for which access to said first network function is allowed for interworking purposes, and information of services for which access is allowed for interworking purposes.
That is, when the first NF registers with the first NRF, the NF accessing the first NF under the interconnection purpose and the accessed service may be restricted.
S420, the first NRF completes registration of the first NF.
Specifically, after receiving the registration request of the first NF, the first NRF stores a PLMN list allowed to be accessed for interconnection purposes in the registration request.
In some embodiments, the first NRF stores information of network functions that allow access to said first network function for interconnection purposes in the registration request.
In some embodiments, the first NRF stores information of network functions for which access to the first network function is allowed under the interworking purpose in the registration request, and information of services for which access is allowed under the interworking purpose.
It should be understood that after the first NRF completes registration of the first NF, the first NRF may authorize the service request network element according to the stored PLMN list allowed to be accessed for interconnection purposes, and/or information of network functions allowed to be accessed for interconnection purposes, and/or information of services allowed to be accessed for interconnection purposes.
Optionally, the first NRF sends a registration complete message to the first NF.
Optionally, the first NRF sends a registration failure message to the first NF.
S430, the second NF sends a first request message to the first NRF.
The first request message is for requesting an access token for accessing a first service of the first NF, the first request message comprising an identifier of the second PLMN and an interworking purpose.
It should be appreciated that when the second NF sends a first request message to the first NRF to request the access token, it is necessary to carry an identifier of the network in which the second NF is located, and an interworking purpose, which means that the service of the first NF will be requested under the interworking purpose.
In some embodiments, the first request message further includes information of the second NF.
It should be appreciated that when the second NF sends a first request message to the first NRF to request the access token, it is also necessary to carry information of the second NF, indicating that the second NF will request the service of the first NF for interconnection purposes.
In some embodiments, the first request message further includes information of the second NF and information of the first service.
It should be appreciated that when the second NF sends a first request message to the first NRF to request the access token, it is also necessary to carry information of the second NF and information of the first service, indicating that the second NF will request the first service of the first NF for interconnection purposes.
S440, the first NRF generates an access token in response to the first request message.
The access token includes an identifier of the second PLMN and an interconnection purpose.
It will be appreciated that if the first NRF determines that access to the service of the first NF for interconnection purposes can be granted, the identifier of the second PLMN in the first request message and the interconnection purpose are written to the access token.
In some embodiments, the first NRF determines that the information of the NFs allowed to access the first NF for the interconnection purpose includes information of the second NF, and the first NRF generates an access token further including information of the second NF.
It should be appreciated that if the first NRF determines that the second NF can be authorized to access the services of the first NF for interconnection purposes, information of the second NF in the first request message is written to the access token.
In some embodiments, the first NRF determines that the information of the NF that is allowed to access the first NF for the interconnection purpose includes information of the second NF, and the information of the service that is allowed to be accessed for the interconnection purpose includes information of the first service, and the first NRF generates an access token that further includes information of the second NF and information of the first service.
It should be appreciated that if the first NRF determines that the second NF can be authorized to access the first service of the first NF for interconnection purposes, information of the second NF and information of the first service are written into the access token.
S450, the first NRF sends the access token to the second NF, and correspondingly, the second NF receives the access token sent by the first NRF.
A registration method 500 is described below in connection with fig. 5, the method 500 being performed in a process of NF registration with an NRF. As can be seen in fig. 5, the method 500 includes:
S510, the NF service provider transmits an NF registration message to the first NRF.
In the service-based architecture, an NF can provide services to other NFs only after it has registered with the NRF. When an NF needs another NF to provide a service for it, it may first perform service discovery through the NRF to discover the NF that is expected to provide that service.
When the NF registers with the NRF, the NF registration message may carry an NF profile. The NF profile may indicate which PLMNs the NF may provide services to, which NFs the NF may provide services to, or which services the NF may provide.
It should be noted that the NF service provider may be any NF, and the first NRF is an NRF in the network where the NF service provider is located. For ease of understanding, NF service providers and the first NRF are described herein as examples.
For example, the NF profile may include a PLMN list allowed to be accessed for interworking purposes (allowed interconnect PLMN), which includes one or more PLMNs. NFs in the PLMNs in the list may access the NF in an interconnection scenario.
Illustratively, the NF service provider carries in the registration message a PLMN list (PLMN1, PLMN2) that is allowed to be accessed for interworking purposes; then a service consumer in PLMN1 or PLMN2 can use the service provided by the NF service provider for interworking purposes. If the NF service consumer is in another PLMN, the NF service consumer may not use the service provided by the NF service provider.
Illustratively, the first NF sends a registration message to the first NRF and carries in it a PLMN list (PLMN1, PLMN2) that is allowed to be accessed for interconnection purposes. If the second NF is located in PLMN1 or PLMN2, the second NF may use the service provided by the first NF for interconnection purposes; if the second NF is located in another PLMN, for example PLMN3, the second NF may not use the service provided by the first NF.
Alternatively, the PLMN list allowed to be accessed for the interworking purpose may be expressed as "interworking purpose: PLMN list allowed to be accessed", i.e. indicating that the PLMN list allowed to be accessed applies to the interworking purpose.
Optionally, the NF profile may further include an NF type allowed to access the NF for interconnection purposes (allowed interconnect NF type), which includes one or more NF types. NFs of the NF types that are allowed to access may access the NF for interconnection purposes.
Alternatively, the NF type allowed to access under this interconnection purpose may be expressed as "interconnection purpose: NF type allowed to access", i.e. indicating that the NF type allowed to access applies to the interconnection purpose.
Illustratively, the NF service provider carries allowed interconnect NF type: (NF type1, NF type2) in the registration message; then NF service consumers of NF type1 or NF type2 can use the service provided by the NF service provider. If the NF service consumer is of another NF type, the NF service consumer may not use the service provided by the NF service provider. The allowed interconnect NF type may be understood as the NF types allowed to access the NF service provider.
Illustratively, the first NF sends a registration message to the first NRF, and allowed interconnect NF type: (NF type1, NF type2) is carried in the registration message. If the second NF is of NF type1 or NF type2, the second NF may use the service provided by the first NF; if the second NF is of another NF type, for example NF type3, the second NF may not use the service provided by the first NF.
Optionally, the NF profile may also include services allowed to be accessed for interconnection purposes (allowed interconnect service), which includes one or more services. The services that are allowed to be accessed may be accessed by other NFs for interconnection purposes.
Alternatively, the services allowed to be accessed for this interconnection purpose may be expressed as "interconnection purpose: services allowed to be accessed", i.e. indicating that the services allowed to be accessed apply to the interconnection purpose.
Illustratively, the NF service provider carries allowed interconnect service: (service1, service2) in the registration message; then the NF service consumer can use either service1 or service2 provided by the NF service provider. If the NF service consumer requests use of another service of the NF service provider, such as service3, the NF service provider may refuse the NF service consumer use of service3. The allowed interconnect service may be understood as the services that are allowed to be accessed for interconnection purposes.
Illustratively, the first NF sends a registration message to the first NRF, and allowed interconnect service: (service1, service2) is carried in the registration message. If the second NF requests to use service1 or service2 provided by the first NF, the first NF may authorize the second NF to use that service. If the second NF requests to use another service provided by the first NF, such as service3, the first NF may refuse the second NF use of service3.
S520, the first NRF stores the NF profile of the NF service provider.
The first NRF may save the NF profile of the NF service provider after receiving the registration message. When an NF service consumer subsequently requests an access token from the first NRF, the NF profile may be used to verify whether the access token requested by the NF service consumer can be authorized.
S530, the first NRF sends a registration accept message to the NF service provider.
A method 600 of transmitting an access token is described below in connection with fig. 6. As can be seen in fig. 6, method 600 includes:
S610, the NF service consumer sends an access token acquisition request message to the second NRF.
In the service-based architecture, when the NF service consumer requests a service from the NF service provider, the NF service provider needs to perform an authorization check on the requested service, that is, check whether the NF service consumer is authorized to use the requested service; only once the authorization check passes can the NF service provider provide the corresponding service to the NF service consumer.
An access-token-based authorization verification scheme may be used for the NF service provider's authorization verification of the service requested by the NF service consumer. Before the NF service consumer sends the service request to the service-providing network element, it sends an access token acquisition request message to the authorization service network element to request the access token; for convenience, the NRF is taken as the authorization service network element for illustration.
It should be noted that the NF service consumer is an NF that needs to use a service, the second NRF is the NRF of the network where the NF service consumer is located, the NF service provider is an NF that provides a service, and the first NRF is the NRF of the network where the NF service provider is located. The roles of NF service consumer and NF service provider can be exchanged depending on which NF provides the service and which NF uses it. For example, an NF service consumer may provide services to other NFs, in which case it may be referred to as an NF service provider.
In the interworking scenario, the access token acquisition request message includes an interworking purpose (interconnect purpose) and the PLMN identifier of the network where the NF service consumer is located (consumer PLMN ID, cPLMN ID).
Optionally, the access token acquisition request message includes the NF type of the NF service consumer or the desired service name (expected service name).
S620, the second NRF forwards the access token acquisition request message to the first NRF.
S630, the first NRF verifies whether the NF service consumer is authorized.
The first NRF verifies information in the access token acquisition request message. Specifically, the first NRF verifies whether the information carried in the access token acquisition request message matches with the corresponding information in the NF profile.
It should be noted that, before S630, the NF service provider has already registered in the first NRF, and carries NF profile in the registration message.
Optionally, the first NRF may further pre-configure NF profile of the NF service provider.
It should be understood that for each NF in the network, the NRF network element may pre-configure its corresponding NF profile.
It should be appreciated that the NF profile includes allowed interconnect PLMN of the NF service provider.
It should be appreciated that when the NF profile includes allowed interconnect PLMN, the NF service consumer may be authorized if the PLMN in which the NF service consumer is located is in this allowed interconnect PLMN. If the PLMN in which the NF service consumer is located is not in the allowed interconnect PLMN, the NF service provider refuses to authorize the NF service consumer. It will be appreciated that NF service consumers in any PLMN of the allowed interconnect PLMN may use the services provided by the NF service provider.
In the embodiment of the present application, the first NRF may verify whether the cPLMN ID carried in the access token acquisition request message is in the allowed interconnect PLMN. The request message may be authorized if the cPLMN ID is in the allowed interconnect PLMN, and the NF service provider denies authorization if the cPLMN ID is not in the allowed interconnect PLMN.
Optionally, the NF profile may also include allowed interconnect NF type or allowed interconnect service of the NF service provider.
It should be appreciated that when the NF profile includes allowed interconnect NF type, the first NRF needs to verify whether the NF type of the NF service consumer carried in the access token acquisition request message is in this allowed interconnect NF type. If it is, the request message may be authorized; if it is not, the NF service provider refuses the authorization.
It should be appreciated that when the NF profile includes allowed interconnect service, the first NRF needs to verify whether the expected service name carried in the access token acquisition request message is in this allowed interconnect service. If the NF service consumer's expected service name is in the allowed interconnect service, the request message may be authorized; if it is not, the NF service provider refuses the authorization.
If all of the above verifications pass, the first NRF generates an access token that includes the interconnect purpose and the cPLMN ID.
It should be appreciated that the interconnect purpose and cPLMN ID in the access token indicate that the access token may be used by the NF service consumer for access for interconnection purposes, and that the NF service consumer is located in the network indicated by the cPLMN ID.
Optionally, the access token may also include NF type or service name (service name) of the NF service consumer.
It should be appreciated that NF type in an access token may indicate NF type of NF service consumer that can access using the access token.
It should be appreciated that the service name in the access token is the expected service name carried in the access token acquisition request message. That is, it names the service of the NF service provider that the NF service consumer desires to use; if the first NRF authorizes the NF service consumer to use that service, the name of the service is written into the access token, which can then be used to use that service of the NF service provider.
Optionally, the access token may also include the NF instance ID of the NF service consumer.
S640, the first NRF sends an access token acquisition response message to the second NRF, where the response message includes the access token.
S650, the second NRF forwards an access token acquisition response message to the NF service consumer, where the response message includes the access token.
It should be understood that S640 and S650 together deliver the access token acquisition response message from the first NRF to the NF service consumer.
Illustratively, if the information in the access token acquisition request message is verified, the first NRF sends the generated access token to the NF service consumer through the access token acquisition response message. Other information may be included in the access token acquisition response message, such as NRF signature information, an expiration time of the access token, and the like.
Correspondingly, the NF service consumer receives the access token from the first NRF and saves the access token for subsequent service usage by the NF service provider in the interconnection scenario during the validity period.
If the authorization verification in S630 is not passed, the first NRF transmits an error response or a rejection response to the NF service consumer.
Alternatively, if the authorization verification in S630 is not passed, the first NRF returns the denial to the NF service consumer together with a reason, for example that the PLMN where the NF service consumer is located is not legal or that the NF type of the NF service consumer is not legal.
A method 700 of authorization verification is described below in conjunction with fig. 7, the method 700 being a process of requesting a service from an NF service provider. As can be seen in fig. 7, method 700 includes:
S701, the NF service consumer sends a service request message to the second SEPP, the service request message being for requesting a service from the NF service provider. The service request message includes an access token.
In an embodiment of the application, the service request message includes a cPLMN ID, a purpose of request, and an access token.
Optionally, the service request message may also include the NF type of the NF service consumer.
Optionally, the service request message may also include the expected service name.
It should be appreciated that the access token includes information that has been authorized, e.g., PLMN identifiers, interconnect purpose.
Optionally, the access token may also include NF type.
Optionally, the access token may also include a service name.
It will be appreciated that the service request message is sent to the NF service provider and that the second SEPP acts as a relay during message transmission.
It will be appreciated that the access token is security protected and thus cannot be tampered with by a malicious NF. The security protection of the access token may be applied by the network element that distributes the access token (e.g. the first NRF). For example, the first NRF generates an integrity protection parameter (e.g., a message authentication code, MAC) over the access token (or the information within the access token) using a shared key, and the second NF carries the integrity protection parameter in the service request message; the first network element may then verify, based on the integrity protection parameter, whether the information in the access token has been tampered with. For another example, the first NRF signs the information in the access token with a private key, and during authorization it can be determined whether the information in the access token has been tampered with by verifying the signature.
S702, the second SEPP verifies whether the service request message is authorized.
Specifically, the second SEPP verifies whether the information in the access token is the same as the information in the service request message.
The second SEPP verifies whether the purpose of request in the service request message and the interconnect purpose in the access token are the same, and verifies whether the cPLMN ID in the service request message and the PLMN identifier in the access token are the same.
Optionally, if an NF type is included in the access token, the second SEPP verifies whether the NF type of the NF service consumer in the service request message is the same as the NF type in the access token.
Optionally, if a service name is included in the access token, the second SEPP verifies whether the expected service name in the service request message is the same as the service name in the access token.
The second SEPP may also compare the expiration time in the access token with the current time to verify whether the access token has expired. Alternatively, the second SEPP may also verify whether the access token has been tampered with based on an integrity protection parameter or signature in the access token.
In the verification process, if the information in the access token is the same as the information in the service request message, the verification is passed. If not, the verification is not passed. If the above flows are all verified, the second SEPP forwards the service request message to the first SEPP in S703.
If any of the above flows fails verification, an error response or a rejection response is sent to the NF service consumer.
S703, the second SEPP forwards the service request message to the first SEPP.
S704, the first SEPP verifies whether the service request message is authorized.
S704 is similar to S702; for details, refer to the description of S702.
It should be appreciated that S704 is an optional step: if the service request message has already been verified in S702, the above verification of the service request message may be omitted in S704.
If the above flows are all verified, the first SEPP forwards the service request message to the NF service provider in S705.
If any of the above flows fails verification, an error response or a rejection response is sent to the NF service consumer.
S705, the first SEPP forwards the service request message to the NF service provider.
S706, the NF service provider verifies whether the service request message is authorized.
Specifically, the NF service provider verifies whether the information in the access token is the same as the information in the service request message.
The NF service provider verifies whether the purpose of request in the service request message and the interconnect purpose in the access token are the same, and verifies whether the cPLMN ID in the service request message and the PLMN identifier in the access token are the same.
Optionally, if an NF type is included in the access token, the NF service provider verifies whether the NF type of the NF service consumer in the service request message is the same as the NF type in the access token.
Optionally, if a service name is included in the access token, the NF service provider verifies whether the expected service name in the service request message is the same as the service name in the access token.
In addition, the NF service provider may also compare the expiration time in the access token with the current time to verify whether the access token has expired. The NF service provider may also verify that the NF instance ID or NF type of the NF service provider in the access token is the same as its own ID or type.
Optionally, the NF service provider may also perform integrity verification on the access token.
Illustratively, the NF service provider obtains the access token from the service request message and verifies the integrity of the access token. For example, the service request message carries a MAC value generated by a shared key (the shared key is a key shared between the NF service provider and the NRF) on the information in the access token, and the NF service provider verifies the MAC value using the shared key; for another example, if the NRF signed the access token, the NF service provider verifies the signature using the public key of the NRF.
If the above flows are all verified, the NF service provider may execute the service requested by the NF service consumer and send a service response message to the NF service consumer at S707. If any of the above flows fails verification, an error response or a rejection response is sent to the NF service consumer.
Alternatively, the purpose of request may not be carried in the service request message; instead, the verification may be performed based on the interconnect purpose in the access token, i.e. verifying whether the access is allowed by the access token.
S707, the NF service provider sends a service response message to the NF service consumer.
It should be appreciated that in S707, the service response message may be forwarded through the first SEPP, the second SEPP.
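The token issuance of S630/S640 and the request-versus-token checks of S702/S704/S706 (and, equivalently, the first network element's checks in methods 300 and 400), as an added Python example that is not part of the patent. The NF profile values, the shared key, the claim names and the request fields are constructed for illustration, and an HMAC over the claims stands in for the integrity protection parameter described at S701.

```python
import hashlib
import hmac
import json

INTERCONNECT_PURPOSE = "interconnect purpose"

# Constructed NF profile of the NF service provider, as stored by the first NRF at S520
# (hypothetical values, not from the patent).
NF_PROFILE = {
    "nf_instance_id": "provider-instance-1",
    "allowed_interconnect_plmn": ["PLMN1", "PLMN2"],
    "allowed_interconnect_nf_type": ["NF type1", "NF type2"],
    "allowed_interconnect_service": ["service1", "service2"],
}

# Constructed key shared between the first NRF and the NF service provider (assumption:
# the MAC variant from S701/S706; a signature with the NRF's private key would replace it).
SHARED_KEY = b"constructed shared key between NRF and NF service provider"


def integrity_parameter(claims):
    """Integrity protection parameter over the token content: HMAC-SHA256 of the
    canonical JSON encoding of the claims."""
    encoded = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, encoded, hashlib.sha256).hexdigest()


def nrf_issue_access_token(profile, request, now, lifetime=300):
    """S630/S640: the first NRF checks the access token acquisition request against the NF
    profile and, only if every configured check passes, generates the access token.
    Returns (token, None) on success or (None, reason) on rejection."""
    if request.get("purpose") != INTERCONNECT_PURPOSE:
        return None, "request does not carry the interconnect purpose"
    if request["cplmn_id"] not in profile["allowed_interconnect_plmn"]:
        return None, "cPLMN ID is not in allowed interconnect PLMN"
    if "nf_type" in request and request["nf_type"] not in profile["allowed_interconnect_nf_type"]:
        return None, "NF type is not in allowed interconnect NF type"
    if ("expected_service_name" in request
            and request["expected_service_name"] not in profile["allowed_interconnect_service"]):
        return None, "expected service name is not in allowed interconnect service"

    claims = {
        "interconnect_purpose": INTERCONNECT_PURPOSE,
        "plmn_id": request["cplmn_id"],
        "producer_nf_instance_id": profile["nf_instance_id"],
        "expires_at": now + lifetime,
    }
    # Optional fields are written into the token only when they were requested and authorized.
    if "nf_type" in request:
        claims["nf_type"] = request["nf_type"]
    if "expected_service_name" in request:
        claims["service_name"] = request["expected_service_name"]
    return {"claims": claims, "mac": integrity_parameter(claims)}, None


def verify_service_request(service_request, now, own_nf_instance_id=None):
    """S702/S704/S706: a SEPP or the NF service provider compares the fields of the service
    request message with the fields inside the access token. own_nf_instance_id is given only
    when the NF service provider verifies, so that it can also check the token was issued for
    itself. Returns (True, None) or (False, reason)."""
    token = service_request["access_token"]
    claims = token["claims"]
    # Tamper check first: the remaining comparisons are meaningless over a forged token.
    if not hmac.compare_digest(integrity_parameter(claims), token["mac"]):
        return False, "access token integrity verification failed"
    if claims["expires_at"] <= now:
        return False, "access token has expired"
    if service_request["purpose_of_request"] != claims["interconnect_purpose"]:
        return False, "purpose of request differs from interconnect purpose in the token"
    if service_request["cplmn_id"] != claims["plmn_id"]:
        return False, "cPLMN ID differs from the PLMN identifier in the token"
    if "nf_type" in claims and service_request.get("nf_type") != claims["nf_type"]:
        return False, "NF type differs from the NF type in the token"
    if "service_name" in claims and service_request.get("expected_service_name") != claims["service_name"]:
        return False, "expected service name differs from the service name in the token"
    if own_nf_instance_id is not None and claims["producer_nf_instance_id"] != own_nf_instance_id:
        return False, "access token was issued for a different NF service provider"
    return True, None
```

A SEPP that only holds the NRF's public key would replace the HMAC check with signature verification; the field-by-field comparison is unchanged.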
A service authorization method 800 is described below in conjunction with fig. 8, where the method 800 is a process of requesting a service from an NF service provider. In method 800, a service consumer may send a service request message to a service provider, and the SEPP, which is configured with a parameter list, performs service authorization of the service request message. Thus, by modifying the parameters configured on the SEPP, service authorization for the interconnection scenario and finer-grained service access control can be supported.
As can be seen in fig. 8, method 800 includes:
S810, the second SEPP and/or the first SEPP configure a parameter list.
It should be noted that the first SEPP and NF service provider are located in the first PLMN, and the second SEPP and NF service consumer are located in the second PLMN.
Taking the first SEPP as an example, the first SEPP may configure information of NF allowed to access NF service provider for interconnection purpose.
It should be appreciated that there may be multiple NF service providers, each NF service provider corresponding to information of one or more NFs. The information of an NF may be the NF type or the NF instance ID. Illustratively, the first NF service provider allows access by NF service consumers of NF type1 or NF type2 for interconnection purposes.
The parameter list of the first SEPP configuration may be as shown in table 1, for example.
TABLE 1
It should be understood that the parameter list in table 1 may be selected as required, and not all the parameter lists need to be configured.
It should be appreciated that the information of NFs allowed to access (service consumers) in table 1 indicates which service consumers can access each service provider; that is, for each service provider, the service consumers allowed to access that service provider are configured. The information of NFs allowed to be accessed (service providers) in table 1 indicates which service providers can be accessed.
Taking the second SEPP as an example for illustration, the parameter list of the second SEPP configuration may be as shown in table 2.
TABLE 2
S820, the NF service consumer sends a service request message to the second SEPP.
The NF service consumer sends a service request message to the second SEPP requesting the NF service provider to provide the service to the NF service consumer, the request message carrying purpose of request and information of NF of the NF service consumer.
Optionally, the service request message carries an identifier of the first PLMN.
Optionally, the service request message carries an identifier of the second PLMN.
Optionally, the service request message carries information of NF of the NF service provider.
Optionally, the service request message carries the expected service name.
S830, the second SEPP verifies whether the service request message is authorized.
In the case of interconnection, i.e. purpose of request in the request message being interconnect purpose, the second SEPP may verify the service request message according to the configured parameter list, i.e. the second SEPP may perform authorization of the NF service consumer to use the NF service provider's service according to the configured parameters.
If the second SEPP configures information of the NF that is allowed to access, it is verified whether NF information of the NF service consumer belongs to the information of the NF that is allowed to access. If so, the verification passes. If not, the verification is not passed.
If the second SEPP configures information of PLMNs that the second PLMN is allowed to access, it is verified whether the first PLMN belongs to the information of PLMNs that the second PLMN is allowed to access. If so, the verification passes. If not, the verification is not passed.
If the second SEPP configures information of the NF that is allowed to be accessed, it is verified whether NF information of the NF service provider belongs to the information of the NF that is allowed to be accessed. If so, the verification passes. If not, the verification is not passed.
If the second SEPP configures information of the services allowed to be accessed, it is verified whether the expected service name belongs to the information of the services allowed to be accessed. If so, the verification passes. If not, the verification is not passed.
If all of the verification flows pass, the service request message is forwarded to the first SEPP in S840.
S840, the second SEPP forwards the service request message to the first SEPP.
S850, the first SEPP verifies whether the service request message is authorized.
If the purpose of request in the request message is the interconnect purpose, the first SEPP may verify the service request message based on the configured parameter list:
If the first SEPP configures information of the NFs that are allowed to access, it is verified whether the NF information of the NF service consumer belongs to the information of the NFs that are allowed to access. If so, the verification passes. If not, the verification is not passed.
If the first SEPP is configured with information of PLMNs allowed to access the first PLMN, it is verified whether the second PLMN belongs to the information of PLMNs allowed to access the first PLMN. If so, the verification passes. If not, the verification is not passed.
If the first SEPP configures information of the NF that is allowed to be accessed, it is verified whether NF information of the NF service provider belongs to the information of the NF that is allowed to be accessed. If so, the verification passes. If not, the verification is not passed.
If the first SEPP configures information of the allowed accessed service, it is verified expected service name whether it belongs to the information of the allowed accessed service. If so, the verification passes. If not, the verification is not passed.
If the verification processes are all passed, the service request message is forwarded to the NF service provider in S860.
Alternatively, the authentication procedure performed by the first SEPP and the second SEPP may be performed by either one of the SEPPs.
It should be appreciated that the authentication of the service request message by the first SEPP and the second SEPP may be a preliminary authentication or may be a complete authentication. After the first SEPP and the second SEPP verify, the NF service provider may continue to authenticate the service request message.
S860, the first SEPP forwards the service request message to the NF service provider.
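The configured-parameter verification of method 800 (S830 and S850), as an added example that is not code from the patent or from any SEPP product. Each SEPP is configured with some subset of four parameter lists, checks the request against every list it has, and skips any list that is not configured; the request reaches the NF service provider only if both SEPPs pass it. The class and function names, the sample NF identifiers and service name, and the use of test PLMN codes 001-01 and 001-02 are assumptions made for this example; treating a non-interconnect purpose as "not verified" is also an assumption, since the text describes this flow only for the interconnect purpose.

```python
"""SEPP authorization of an inter-PLMN service request against a configured parameter list.

Added example, not code from the patent CN116782228A. It models method 800,
steps S830 and S850: a SEPP verifies the request against every parameter list
it is configured with; a list that is not configured is simply not checked.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

INTERCONNECT = "interconnect"  # value of "purpose of request" that selects this flow


@dataclass(frozen=True)
class ServiceRequest:
    purpose: str         # purpose of request carried in the message
    consumer_plmn: str   # PLMN of the NF service consumer (the "second PLMN")
    consumer_nf: str     # NF information of the NF service consumer
    producer_plmn: str   # PLMN of the NF service provider (the "first PLMN")
    producer_nf: str     # NF information of the NF service provider
    service_name: str    # expected service name


@dataclass(frozen=True)
class SeppConfig:
    """Parameter list configured on one SEPP; None means "not configured"."""
    plmn: str                                              # PLMN this SEPP protects
    allowed_consumer_nfs: Optional[FrozenSet[str]] = None  # NFs allowed to access
    allowed_plmns: Optional[FrozenSet[str]] = None         # remote PLMNs allowed
    allowed_producer_nfs: Optional[FrozenSet[str]] = None  # NFs allowed to be accessed
    allowed_services: Optional[FrozenSet[str]] = None      # services allowed to be accessed


def sepp_verify(cfg: SeppConfig, req: ServiceRequest) -> Tuple[bool, str]:
    """Run the configured checks and return (passed, reason).

    The PLMN check is made on the *remote* PLMN: the consumer's PLMN for the
    provider-side (first) SEPP and the provider's PLMN for the consumer-side
    (second) SEPP, which is what S850 and S830 respectively describe.
    """
    if req.purpose != INTERCONNECT:
        # Assumption of this example: anything that is not an interconnect
        # request is not verified by this flow.
        return False, "purpose of request is not interconnect"

    remote_plmn = req.consumer_plmn if cfg.plmn == req.producer_plmn else req.producer_plmn

    checks = [
        (cfg.allowed_consumer_nfs, req.consumer_nf, "NF service consumer not allowed to access"),
        (cfg.allowed_plmns, remote_plmn, "remote PLMN not in allowed PLMN list"),
        (cfg.allowed_producer_nfs, req.producer_nf, "NF service provider not allowed to be accessed"),
        (cfg.allowed_services, req.service_name, "expected service not allowed to be accessed"),
    ]
    for allowed, value, reason in checks:
        if allowed is not None and value not in allowed:
            return False, reason
    return True, "all configured checks passed"


def relay_interconnect_request(second_sepp: SeppConfig, first_sepp: SeppConfig,
                               req: ServiceRequest) -> List[str]:
    """Trace a request through S830 -> S840 -> S850 -> S860.

    Returns the steps that happened; the last entry tells whether the request
    reached the NF service provider or where it was rejected.
    """
    trace: List[str] = []
    ok, why = sepp_verify(second_sepp, req)
    trace.append(f"second SEPP: {'pass' if ok else 'reject'} ({why})")
    if not ok:
        return trace
    trace.append("second SEPP -> first SEPP")
    ok, why = sepp_verify(first_sepp, req)
    trace.append(f"first SEPP: {'pass' if ok else 'reject'} ({why})")
    if not ok:
        return trace
    trace.append("first SEPP -> NF service provider")
    return trace


# Constructed sample data: 001-01 and 001-02 are test PLMN codes, the NF ids are made up.
FIRST_PLMN, SECOND_PLMN = "001-01", "001-02"
FIRST_SEPP = SeppConfig(                      # provider side: only some lists configured
    plmn=FIRST_PLMN,
    allowed_plmns=frozenset({SECOND_PLMN}),
    allowed_producer_nfs=frozenset({"udm-1"}),
    allowed_services=frozenset({"nudm-sdm"}),
)
SECOND_SEPP = SeppConfig(                     # consumer side: a different subset of lists
    plmn=SECOND_PLMN,
    allowed_consumer_nfs=frozenset({"amf-7"}),
    allowed_plmns=frozenset({FIRST_PLMN}),
)

if __name__ == "__main__":
    req = ServiceRequest(INTERCONNECT, SECOND_PLMN, "amf-7", FIRST_PLMN, "udm-1", "nudm-sdm")
    for step in relay_interconnect_request(SECOND_SEPP, FIRST_SEPP, req):
        print(step)
```

Because each SEPP only enforces the lists it has, the two configurations complement each other: in the sample the consumer-side SEPP restricts which of its own NFs may go out, and the provider-side SEPP restricts which of its NFs and services may be reached, so a request for a service the first SEPP has not listed passes the second SEPP and is rejected only at the first.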
Fig. 9 is a schematic block diagram of an apparatus for authorization verification provided by an embodiment of the present application. The apparatus 900 comprises a transceiver unit 910 and a processing unit 920. The transceiver unit 910 may implement a corresponding communication function, and the processing unit 920 is configured to perform data processing. The transceiver unit 910 may also be referred to as a communication interface or a communication unit.
Optionally, the apparatus 900 may further include a storage unit, where the storage unit may be configured to store instructions and/or data, and the processing unit 920 may read the instructions and/or data in the storage unit, so that the communications apparatus implements the foregoing method embodiments.
The apparatus 900 may be configured to perform the actions performed by the first network element (e.g. the NF service provider, or the first SEPP, or the second SEPP) in the above method embodiment, where the apparatus 900 may be the first network element or a component that may be configured to the first network element, and the transceiver unit 910 is configured to perform the operations related to the transceiver on the first network element side in the above method embodiment, and the processing unit 920 is configured to perform the operations related to the processing of the first network element in the above method embodiment.
Alternatively, the apparatus 900 may be configured to perform the actions performed by the NRF (the first NRF or the second NRF) in the above method embodiment, where the apparatus 900 may be the NRF or a component that may be configured to the NRF, the transceiver 910 is configured to perform the operations related to the transmission and the reception of the NRF in the above method embodiment, and the processing unit 920 is configured to perform the operations related to the processing of the NRF in the above method embodiment.
The apparatus 900 may implement steps or flows performed corresponding to a first network element in the method 300 according to an embodiment of the present application; alternatively, steps or procedures may be implemented that correspond to those performed by the first SEPP, the second SEPP, or the NF service provider in the method 700 according to an embodiment of the present application. The apparatus 900 may include means for performing the method 300 of fig. 3 or the method 700 of fig. 7. And, each element in the apparatus 900 and the other operations and/or functions described above are for implementing a corresponding flow of the method 300 or the method 700, respectively.
When the apparatus 900 is used for executing the method 300 in fig. 3, the transceiver unit 910 may be used for executing the step S301 in the method 300, and the processing unit 920 may be used for executing the step S302 in the method 500.
When the apparatus 900 is used to perform the method 700 in fig. 7, the transceiver unit 910 may be used to perform steps S701, S703, S705, S707 in the method 700, and the processing unit 920 is used to instruct steps S702, S704, S706 in the method 700.
It should be understood that the specific process of each unit performing the corresponding steps has been described in detail in the above method embodiments, and is not described herein for brevity.
The apparatus 900 may also implement steps or processes performed corresponding to the first SEPP, the second SEPP in the method 800 according to the embodiment of the present application, and the apparatus 900 may include a unit for performing the method performed by the method 800 in fig. 8. And, each unit in the apparatus 900 and the other operations and/or functions described above are respectively for implementing the corresponding flow of the method 800.
When the apparatus 900 is used to perform the method 800 in fig. 8, the transceiver unit 910 may be used to perform steps S820, S840 or S860 in the method 800, and the processing unit 920 may be used to perform steps S830, S850 in the method 800.
It should be understood that the specific process of each unit performing the corresponding steps has been described in detail in the above method embodiments, and is not described herein for brevity.
The apparatus 900 may also implement steps or processes performed corresponding to the first NRF or the second NRF in the method 400, the method 500, or the method 600 according to an embodiment of the present application, and the apparatus 900 may include units for performing the method 400 in fig. 4 or the method 500 in fig. 5 or the method 600 in fig. 6. Also, each element in the apparatus 900 and the other operations and/or functions described above are for implementing a corresponding flow of the method 400 or the method 500 or the method 600, respectively.
When the apparatus 900 is used to perform the method 400 in fig. 4, the transceiving unit 910 may be used to perform step S410 or S430 or S450 in the method 400, and the processing unit 920 may be used to perform step S420 or S440 in the method 400. When the apparatus 900 is used to perform the method 500 in fig. 5, the transceiving unit 910 may be used to perform step S510 or S530 in the method 500, and the processing unit 920 may be used to perform step S520 in the method 500. When the apparatus 900 is used to perform the method 600 in fig. 6, the transceiving unit 910 may be used to perform steps S610, S620, S640 or S650 in the method 600, and the processing unit 920 may be used to perform step S630 in the method 600.
It should be understood that the specific process of each unit performing the corresponding steps has been described in detail in the above method embodiments, and is not described herein for brevity.
As shown in fig. 10, an embodiment of the present application also provides an apparatus 1000. The device 1000 comprises a processor 1010, the processor 1010 being coupled to a memory 1020, the memory 1020 being for storing computer programs or instructions and/or data, the processor 1010 being for executing the computer programs or instructions and/or data stored by the memory 1020 such that the method in the method embodiments above is performed.
Optionally, the device 1000 includes one or more processors 1010.
Optionally, as shown in fig. 10, the device 1000 may also include a memory 1020.
Optionally, the device 1000 may include one or more memories 1020.
Alternatively, the memory 1020 may be integrated with the processor 1010 or provided separately.
Optionally, as shown in fig. 10, the device 1000 may further comprise a transceiver 1030, the transceiver 1030 being configured to receive and/or transmit signals. For example, the processor 1010 is configured to control the transceiver 1030 to receive and/or transmit signals.
As an option, the apparatus 1000 is configured to implement the operations performed by the first network element or NF service provider or the secure edge protection proxy network element (the first SEPP or the second SEPP) in the above method embodiments.
For example, the processor 1010 is configured to implement the operations related to processing performed by the first network element or NF service provider or the secure edge protection proxy network element (the first SEPP or the second SEPP) in the above method embodiment, and the transceiver 1030 is configured to implement the operations related to transceiving performed by the first network element or NF service provider or the secure edge protection proxy network element (the first SEPP or the second SEPP) in the above method embodiment.
As yet another approach, the apparatus 1000 is used to implement the operations performed by the first NRF or the second NRF in the above method embodiments.
For example, the processor 1010 is configured to implement the operations related to processing performed by the first NRF or the second NRF in the above method embodiment, and the transceiver 1030 is configured to implement the operations related to transceiving performed by the first NRF or the second NRF in the above method embodiment.
It should be understood that the specific process of each module to perform the corresponding steps is described in detail in the above method embodiments, and is not described herein for brevity.
The embodiment of the application also provides a processing device, which comprises a processor and an interface; the processor is configured to perform the method of any of the method embodiments described above.
It should be understood that the processing device described above may be one or more chips. For example, the processing device may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
The embodiment of the present application further provides a computer readable storage medium, on which computer instructions for implementing the method performed by the first network element (NF service provider, first SEPP, or second SEPP) or NRF (first NRF or second NRF) in the above method embodiment are stored.
For example, the computer program, when executed by a computer, enables the computer to implement the method performed by the first network element (NF service provider, first SEPP or second SEPP) or the NRF (first NRF or second NRF) in the above method embodiments.
The embodiments of the present application also provide a computer program product comprising instructions which, when executed by a computer, cause the computer to implement the method performed by the first network element (NF service provider, first SEPP, or second SEPP), or the method performed by the NRF (first NRF or second NRF), in the above method embodiments.
The embodiment of the present application also provides a communication system, which includes at least two of the first network element, the first SEPP, the second SEPP, the first NRF, and the second NRF in the above embodiments.
It will be clearly understood by those skilled in the art that, for convenience and brevity, explanation and beneficial effects of the relevant content in any of the above-mentioned communication devices may refer to the corresponding method embodiments provided above, and are not repeated here.
The embodiment of the present application is not particularly limited to the specific structure of the execution body of the method provided by the embodiment of the present application, as long as communication can be performed by the method provided according to the embodiment of the present application by running a program in which codes of the method provided by the embodiment of the present application are recorded. For example, the execution body of the method provided by the embodiment of the present application may be a terminal device or a network device, or may be a functional module in the terminal device or the network device that can call a program and execute the program.
Various aspects or features of the application may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" as used herein may encompass a computer program accessible from any computer-readable device, carrier, or media.
The computer readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that contains one or more such available media. Usable (or computer readable) media may include, for example, but are not limited to: magnetic media or magnetic storage devices (e.g., floppy disks, hard disks (e.g., removable disks), magnetic tape), optical media (e.g., compact discs (CDs), digital versatile discs (DVDs), etc.), smart cards and flash memory devices (e.g., erasable programmable read-only memories (EPROMs), cards, sticks, or key drives, etc.), or semiconductor media (e.g., solid state disks (SSDs), USB flash drives, read-only memories (ROMs), random access memories (RAMs), etc.), and various other media that may store program code.
Various storage media described herein can represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" may include, but is not limited to: wireless channels, and various other media capable of storing, containing, and/or carrying instruction(s) and/or data.
It should be understood that the memory referred to in embodiments of the present application may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM). For example, RAM may be used as an external cache. By way of example, and not limitation, RAM may take the following forms: static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
It should be noted that when the processor is a general purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, the memory (storage module) may be integrated into the processor.
It should also be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is merely a logical function division, and there may be another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Furthermore, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units can be selected according to actual needs to realize the scheme provided by the application.
In addition, each functional unit in each embodiment of the present application may be integrated in one unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are generated in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus; for example, a personal computer, a server, or a network device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server, or data center to another by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. For computer readable storage media, reference may be made to the description above.
The above is only a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any changes or substitutions easily conceivable by those skilled in the art within the technical scope of the present application should be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims and the specification.

Claims (33)

1. A method of authorization verification, comprising:
a first network element receives a service request message from a second network function, the second network function being located in a second public land mobile network, the service request message being for requesting a first network function located in a first public land mobile network to provide a first service to the second network function, the service request message comprising an access token, a purpose of the request and an identifier of the second public land mobile network, the access token comprising a public land mobile network identifier and an interconnection purpose;
the first network element performs authorization of the second network function to use the first service, and before performing the authorization determines that the identifier of the second public land mobile network is the same as the public land mobile network identifier in the access token and that the purpose of the request is the same as the interconnection purpose.
2. The method of claim 1, wherein the service request message further comprises information of a second network function, and wherein the access token further comprises information of a network function;
before the performing of the authorization, further comprising: the first network element determines that the information of the second network function is the same as the information of the network function.
3. The method according to claim 1 or 2, wherein the service request message further comprises information of the first service, the access token comprising information of a service;
before the performing of the authorization, further comprising: the first network element determines that the information of the first service is the same as the information of the service.
4. A method according to any one of claims 1 to 3, wherein the method further comprises:
the first network element refuses use of the first service by the second network function, and before the refusing determines that the identifier of the second public land mobile network is not the same as the public land mobile network identifier in the access token and/or that the purpose of the request is not the same as the interconnection purpose.
5. A method according to any of claims 1 to 3, wherein the service request message further comprises information of a second network function, the access token further comprising information of a network function;
the method further comprises:
the first network element refuses the second network function to use the first service, and before the refusing, it is determined that the identifier of the second public land mobile network is different from the public land mobile network identifier in the access token, and/or the purpose of the request is different from the interconnection purpose, and/or the information of the second network function is different from the information of the network function.
6. A method according to any of claims 1 to 3, characterized in that the service request message further comprises information of a second network function and information of the first service, the access token further comprising information of a network function and information of a service;
the method further comprises:
the first network element refuses the second network function to use the first service, and before the refusing, it is determined that the identifier of the second public land mobile communication network is different from the public land mobile communication network identifier in the access token, and/or the purpose of the request is different from the interconnection purpose, and/or the information of the second network function is different from the information of the network function, and/or the information of the first service is different from the information of the service.
7. The method according to any one of claims 1 to 6, wherein
the first network element is: the first network function, a security edge protection proxy network element in the first public land mobile network, or a security edge protection proxy network element in the second public land mobile network.
8. A method of transmitting an access token, comprising:
a first network storage function located in a first public land mobile network receiving a registration request for a first network function located in the first public land mobile network, the registration request including a list of public land mobile networks that are allowed access for interworking purposes, the list of public land mobile networks including a second public land mobile network;
the first network storage function completes registration of the first network function;
the first network storage function receiving a first request message from a second network function, the second network function being located in the second public land mobile network, the first request message being for requesting an access token for accessing a first service of a first network function located in the first public land mobile network, the first request message comprising an identifier of the second public land mobile network and the interworking purpose;
in response to the first request message, the first network storage function generates the access token, the access token including the identifier of the second public land mobile network and the interconnection purpose;
the first network storage function sends the access token to the second network function.
9. The method of claim 8, wherein
the registration request further includes: information of network functions allowing access to the first network function under the interconnection purpose;
the first request message further includes: information of the second network function;
in response to the first request message, the first network storage function generates the access token comprising:
the first network storage function determines that the information of the network function which allows access to the first network function under the interconnection purpose comprises the information of the second network function;
the first network storage function generates the access token, which also includes information of the second network function;
or,
the registration request further includes: information of network functions allowing access to the first network function under the interconnection purpose, and information of services allowing access under the interconnection purpose;
The first request message further includes: information of the second network function and information of the first service;
in response to the first request message, the first network storage function generates the access token comprising:
the first network storage function determines that the information of the network function which allows access to the first network function under the interconnection purpose comprises the information of the second network function, and the information of the service which allows access to the first network function under the interconnection purpose comprises the information of the first service;
the first network storage function generates the access token, which also includes information of the second network function and information of the first service.
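Claims 1 to 9 together describe one token flow: the first NRF binds the requesting PLMN, the interconnection purpose and optionally the consumer NF and service into the access token it issues (claims 8 and 9), and the first network element later refuses the service request unless the fields the request carries match the ones in the token (claims 1 to 6). The example below, which is added here and is not code from the patent or from a 3GPP implementation, plays both roles. The token format is an assumption: a JSON claim set authenticated with an HMAC under a key shared by the NRF and the verifier stands in for the signed JWT a real NRF issues; using the registered PLMN list of claim 8 as an allow-list at token issuance is how this example reads that claim; class names, the key, and the sample PLMN and NF values are all constructed.

```python
"""NRF access-token issuance and token checking by the receiving network element.

Added example, not code from the patent CN116782228A or from any NRF/SEPP
product. The token is a JSON claim set plus an HMAC (an assumption standing in
for a signed JWT); the key below is a constructed demo value.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

INTERCONNECT = "interconnect"
NRF_KEY = b"constructed-demo-key-not-for-real-use"  # assumption: shared by NRF and verifier


@dataclass(frozen=True)
class Registration:          # registration request of the first NF (claims 8 and 9)
    nf_id: str
    plmn: str
    allowed_plmns: FrozenSet[str]                      # PLMNs allowed access for interconnect purpose
    allowed_nfs: Optional[FrozenSet[str]] = None       # NFs allowed to access this NF (claim 9)
    allowed_services: Optional[FrozenSet[str]] = None  # services allowed to be accessed (claim 9)


@dataclass(frozen=True)
class TokenRequest:          # first request message from the second NF
    consumer_plmn: str
    consumer_nf: str
    target_nf: str
    service: str
    purpose: str


def _mac(claims: Dict[str, str]) -> str:
    """HMAC over a canonical JSON encoding of the claims (assumed token format)."""
    canonical = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(NRF_KEY, canonical, hashlib.sha256).hexdigest()


class NRF:
    def __init__(self, plmn: str) -> None:
        self.plmn = plmn
        self.registry: Dict[str, Registration] = {}

    def register(self, reg: Registration) -> None:
        if reg.plmn != self.plmn:
            raise ValueError("an NF registers with the NRF of its own PLMN")
        self.registry[reg.nf_id] = reg

    def issue_token(self, req: TokenRequest) -> Optional[Dict[str, object]]:
        """Return a token, or None when the request is not allowed (claims 8 and 9)."""
        reg = self.registry.get(req.target_nf)
        if reg is None or req.purpose != INTERCONNECT:
            return None
        if req.consumer_plmn not in reg.allowed_plmns:   # registered PLMN list as allow-list
            return None
        claims = {"plmn_id": req.consumer_plmn, "purpose": INTERCONNECT, "target_nf": req.target_nf}
        if reg.allowed_nfs is not None:                   # claim 9, first alternative
            if req.consumer_nf not in reg.allowed_nfs:
                return None
            claims["nf"] = req.consumer_nf
        if reg.allowed_services is not None:              # claim 9, second alternative
            if req.service not in reg.allowed_services:
                return None
            claims["service"] = req.service
        return {"claims": claims, "mac": _mac(claims)}


@dataclass(frozen=True)
class ServiceRequest:        # service request message received by the first network element
    token: Dict[str, object]
    purpose: str
    plmn_id: str             # identifier of the second PLMN
    nf_info: Optional[str] = None
    service: Optional[str] = None


def verify_service_request(req: ServiceRequest) -> Tuple[bool, str]:
    """Checks of claims 1 to 6; (False, reason) means the first service is refused."""
    claims = req.token.get("claims")
    if not isinstance(claims, dict) or not hmac.compare_digest(_mac(claims), str(req.token.get("mac", ""))):
        return False, "token integrity check failed"
    if req.plmn_id != claims.get("plmn_id"):
        return False, "PLMN identifier differs from the one in the access token"
    if req.purpose != INTERCONNECT or claims.get("purpose") != INTERCONNECT:
        return False, "purpose of request differs from the interconnection purpose"
    if "nf" in claims and req.nf_info != claims["nf"]:
        return False, "NF information differs from the one in the access token"
    if "service" in claims and req.service != claims["service"]:
        return False, "service information differs from the one in the access token"
    return True, "authorized"


if __name__ == "__main__":   # constructed walk-through: 001-01 / 001-02 are test PLMN codes
    nrf = NRF("001-01")
    nrf.register(Registration("udm-1", "001-01", frozenset({"001-02"}), frozenset({"amf-7"}), frozenset({"nudm-sdm"})))
    tok = nrf.issue_token(TokenRequest("001-02", "amf-7", "udm-1", "nudm-sdm", INTERCONNECT))
    print(verify_service_request(ServiceRequest(tok, INTERCONNECT, "001-02", "amf-7", "nudm-sdm")))
    print(verify_service_request(ServiceRequest(tok, INTERCONNECT, "001-03", "amf-7", "nudm-sdm")))
```

The PLMN comparison is the check that matters at the edge: a valid token presented from a PLMN other than the one it was issued to, or with a purpose other than the interconnection purpose it was issued for, is refused before any service-level authorization runs, and the integrity check ensures the PLMN and purpose fields in the token cannot simply be rewritten to match the request.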
10. A method of service authorization, comprising:
a security edge protection proxy network element receives a service request message from a second network function, the second network function being located in a second public land mobile network, the service request message being for requesting a first network function located in a first public land mobile network to provide a first service to the second network function;
the security edge protection proxy network element executes authorization of the second network function to use the first service according to configured parameters, wherein the configured parameters comprise information of the network function which is allowed to access the first network function under the interconnection purpose, and before the execution of authorization, the information of the network function which is allowed to access the first network function under the interconnection purpose is determined to comprise the information of the second network function.
11. The method of claim 10, wherein the security edge protection proxy network element is located in the first public land mobile network, wherein the configured parameters further comprise a list of public land mobile networks for which access to the first public land mobile network is allowed for interworking purposes,
before the performing of the authorization, further comprising: determining that the list of public land mobile networks for which access to the first public land mobile network is allowed for the interworking purpose includes the second public land mobile network;
alternatively, the security edge protection proxy network element is located in the second public land mobile network, the configured parameters further comprise a list of public land mobile networks for interworking purposes that the second public land mobile network is allowed to access,
before the performing of the authorization, further comprising: determining that the list of public land mobile networks for which access is allowed to the second public land mobile network for the interworking purpose includes the first public land mobile network.
12. The method according to claim 10 or 11, wherein the configured parameters further comprise information of services allowed to be accessed for the interconnection purpose,
before the performing of the authorization, further comprising: determining that the information of the services allowed to be accessed under the interconnection purpose includes the information of the first service carried in the service request message.
13. The method according to any one of claims 10 to 12, characterized in that the method further comprises:
the security edge protection proxy network element refuses the second network function to use the first service, and before the refusing, the information of the network function which allows access to the first network function under the interconnection purpose is determined to not comprise the information of the second network function according to the configured parameters.
14. The method according to any one of claims 10 to 12, wherein the security edge protection proxy network element is located in the first public land mobile network, the configured parameters further comprise a list of public land mobile networks for which access to the first public land mobile network is allowed for interworking purposes,
the method further comprises:
the security edge protection proxy network element refuses the second network function to use the first service, and before the refusing determines that the list of public land mobile networks allowed to access the first public land mobile network under the interconnection purpose does not include the second public land mobile network;
alternatively, the security edge protection proxy network element is located in the second public land mobile network, the configured parameters further comprise a list of public land mobile networks that the second public land mobile network is allowed to access for the interconnection purpose,
the security edge protection proxy network element refuses the second network function to use the first service, and before the refusing determines that the list of public land mobile networks that the second public land mobile network is allowed to access for the interconnection purpose does not include the first public land mobile network.
15. The method according to any one of claims 10 to 12, wherein the configured parameters further comprise information of services allowed to be accessed for the interconnection purpose,
the method further comprises:
the secure edge protection proxy network element denies use of the first service by the second network function, and prior to the denial, determines that the information of the allowed accessed service does not include information of the first service.
16. An apparatus for authorization verification, comprising:
a transceiver unit configured to receive a service request message from a second network function, the second network function being located in a second public land mobile network, the service request message being used to request that a first network function located in a first public land mobile network provide a first service to the second network function, the service request message including an access token, a purpose of the request, and an identifier of the second public land mobile network, and the access token including a public land mobile network identifier and an interworking purpose;
a processing unit configured to perform authorization of the second network function to use the first service, and, prior to performing the authorization, to determine that the identifier of the second public land mobile network is the same as the public land mobile network identifier in the access token and that the purpose of the request is the same as the interworking purpose.
17. The apparatus according to claim 16, wherein the service request message further comprises information of the second network function, and the access token further comprises information of a network function;
the processing unit is further configured to:
before performing the authorization, determine that the information of the second network function is the same as the information of the network function.
18. The apparatus according to claim 16 or 17, wherein the service request message further comprises information of the first service, and the access token further comprises information of a service;
the processing unit is further configured to: before performing the authorization, determine that the information of the first service is the same as the information of the service.
19. The apparatus according to any one of claims 16 to 18, wherein the processing unit is further configured to:
refuse to allow the second network function to use the first service, and, prior to the refusing, determine that the identifier of the second public land mobile network is different from the public land mobile network identifier in the access token and/or that the purpose of the request is different from the interworking purpose.
20. The apparatus according to any one of claims 16 to 18, wherein the service request message further comprises information of the second network function, and the access token further comprises information of a network function;
the processing unit is further configured to:
refuse to allow the second network function to use the first service, and, prior to the refusing, determine that the identifier of the second public land mobile network is different from the public land mobile network identifier in the access token, and/or that the purpose of the request is different from the interworking purpose, and/or that the information of the second network function is different from the information of the network function.
21. The apparatus according to any one of claims 16 to 18, wherein the service request message further comprises information of the second network function and information of the first service, and the access token further comprises information of a network function and information of a service;
the processing unit is further configured to:
refuse to allow the second network function to use the first service, and, prior to the refusing, determine that the identifier of the second public land mobile network is different from the public land mobile network identifier in the access token, and/or that the purpose of the request is different from the interworking purpose, and/or that the information of the second network function is different from the information of the network function, and/or that the information of the first service is different from the information of the service.
22. The apparatus according to any one of claims 16 to 21, wherein the apparatus is the first network function, a security edge protection proxy network element of the first public land mobile network, or a security edge protection proxy network element of the second public land mobile network.
23. An apparatus for sending a token, comprising:
a transceiver unit configured to receive a registration request of a first network function located in a first public land mobile network, the registration request including a list of public land mobile networks that are allowed access for an interworking purpose, the list of public land mobile networks including a second public land mobile network;
a processing unit configured to complete registration of the first network function;
the transceiver unit is further configured to receive a first request message from a second network function, the second network function being located in the second public land mobile network, the first request message being used to request an access token, the access token being used to access a first service of the first network function located in the first public land mobile network, and the first request message including an identifier of the second public land mobile network and the interworking purpose;
the processing unit is further configured to generate, in response to the first request message, the access token, the access token including the identifier of the second public land mobile network and the interworking purpose;
the transceiver unit is further configured to send the access token to the second network function.
24. The apparatus according to claim 23, wherein the registration request further comprises: information of network functions that are allowed to access the first network function for the interworking purpose;
the first request message further includes: information of the second network function;
the processing unit is specifically configured to: determine that the information of the network functions that are allowed to access the first network function for the interworking purpose includes the information of the second network function;
the first network storage function generates the access token, the access token further including the information of the second network function;
or,
the registration request further includes: information of network functions that are allowed to access the first network function for the interworking purpose, and information of services that are allowed to be accessed for the interworking purpose;
the first request message further includes: information of the second network function and information of the first service;
the processing unit is specifically configured to: determine that the information of the network functions includes the information of the second network function, and that the information of the services allowed to be accessed for the interworking purpose includes the information of the first service;
and generate the access token, the access token further including the information of the second network function and the information of the first service.
25. An apparatus for service authorization, comprising:
a transceiver unit configured to receive a service request message from a second network function, the second network function being located in a second public land mobile network, the service request message being used to request that a first network function located in a first public land mobile network provide a first service to the second network function;
a processing unit configured to perform authorization of the second network function to use the first service, wherein configured parameters comprise information of network functions that are allowed to access the first network function for the interworking purpose, and, prior to performing the authorization, the processing unit determines from the configured parameters that the information of the network functions that are allowed to access the first network function for the interworking purpose includes information of the second network function.
26. The apparatus according to claim 25, wherein the apparatus is located in the first public land mobile network, the configured parameters further comprise a list of public land mobile networks that are allowed to access the first public land mobile network for the interworking purpose,
and the processing unit is further configured to: prior to performing the authorization, determine from the configured parameters that the list of public land mobile networks that are allowed to access the first public land mobile network for the interworking purpose includes the second public land mobile network;
or,
the apparatus is located in the second public land mobile network, the configured parameters further comprise a list of public land mobile networks that the second public land mobile network is allowed to access for the interworking purpose, and the processing unit is further configured to: prior to performing the authorization, determine from the configured parameters that the list of public land mobile networks that the second public land mobile network is allowed to access for the interworking purpose includes the first public land mobile network.
27. The apparatus according to claim 25 or 26, wherein the configured parameters further comprise information of services that are allowed to be accessed for the interworking purpose,
and the processing unit is further configured to: prior to performing the authorization, determine from the configured parameters that the information of the services allowed to be accessed for the interworking purpose includes the information of the first service carried in the service request message.
28. The apparatus according to any one of claims 25 to 27, wherein the processing unit is further configured to: refuse to allow the second network function to use the first service, and, prior to the refusing, determine from the configured parameters that the information of the network functions that are allowed to access the first network function for the interworking purpose does not include the information of the second network function.
29. The apparatus according to any one of claims 25 to 27, wherein the apparatus is located in the first public land mobile network, the configured parameters further comprise a list of public land mobile networks that are allowed to access the first public land mobile network for the interworking purpose,
and the processing unit is further configured to: refuse to allow the second network function to use the first service, and, prior to the refusing, determine from the configured parameters that the list of public land mobile networks that are allowed to access the first public land mobile network for the interworking purpose does not include the second public land mobile network;
or, the apparatus is located in the second public land mobile network, the configured parameters further comprise a list of public land mobile networks that the second public land mobile network is allowed to access for the interworking purpose,
and the processing unit is further configured to: refuse to allow the second network function to use the first service, and, prior to the refusing, determine from the configured parameters that the list of public land mobile networks that the second public land mobile network is allowed to access for the interworking purpose does not include the first public land mobile network.
30. The apparatus according to any one of claims 25 to 27, wherein the configured parameters further comprise information of services that are allowed to be accessed for the interworking purpose,
and the processing unit is further configured to: refuse to allow the second network function to use the first service, and, prior to the refusing, determine from the configured parameters that the information of the services allowed to be accessed does not include the information of the first service.
31. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, which, when run on a computer, causes the computer to perform the method of any one of claims 1 to 7, or causes the computer to perform the method of claim 8 or 9, or causes the computer to perform the method of any one of claims 10 to 15.
32. A computer program product comprising computer program instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 7, or cause the computer to perform the method of claim 8 or 9, or cause the computer to perform the method of any one of claims 10 to 15.
33. A communication device comprising at least one processor for executing a computer program or instructions stored in a memory to perform the method of any one of claims 1 to 7, or to perform the method of claim 8 or 9, or to perform the method of any one of claims 10 to 15.
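As an added illustration (not code from the patent or from Huawei), the checks of claims 16 to 30 modelled in Python: the NRF-side token issuance of claims 23 and 24, the request-versus-token comparison of claims 16 to 21, and the configured-parameter check of claims 25 to 30. The field names, the `INTERWORKING` label and every PLMN, NF and service identifier used are constructed placeholders, not values from the page.

```python
from dataclasses import dataclass
from typing import Optional

INTERWORKING = "interworking"  # assumed label for the claims' "interworking purpose"
@dataclass(frozen=True)
class AccessToken:             # issued by the producer-side NRF (claims 23-24)
    plmn_id: str               # consumer PLMN the token was issued to
    purpose: str
    nf_info: Optional[str] = None      # optional fields (claims 17, 18, 24)
    service_info: Optional[str] = None

@dataclass(frozen=True)
class AllowList:    # registered at the NRF (claim 23) or configured locally (claims 25-30)
    plmns: frozenset
    nfs: frozenset
    services: frozenset

@dataclass(frozen=True)
class ServiceRequest:          # fields carried in the service / token request
    plmn_id: str               # identifier of the consumer's PLMN
    purpose: str
    nf_info: str
    service_info: str

def issue_token(reg: AllowList, req: ServiceRequest) -> Optional[AccessToken]:
    """NRF side: a token is issued only if the consumer is within the producer's registered lists."""
    if req.purpose != INTERWORKING or req.plmn_id not in reg.plmns:
        return None
    if req.nf_info not in reg.nfs or req.service_info not in reg.services:
        return None
    return AccessToken(req.plmn_id, req.purpose, req.nf_info, req.service_info)

def verify_token(req: ServiceRequest, t: AccessToken) -> Optional[str]:
    """Producer NF or SEPP (claims 16-21): request fields must equal token fields; None means authorized."""
    if req.plmn_id != t.plmn_id:
        return "plmn identifier differs from token"
    if req.purpose != t.purpose:
        return "purpose differs from interworking purpose"
    if t.nf_info is not None and req.nf_info != t.nf_info:
        return "network function differs from token"
    if t.service_info is not None and req.service_info != t.service_info:
        return "service differs from token"
    return None

def verify_configured(req: ServiceRequest, cfg: AllowList, peer_plmn: Optional[str] = None) -> Optional[str]:
    """Claims 25-30: a checker in the producer PLMN tests the consumer PLMN (req.plmn_id);
    a checker in the consumer PLMN passes the producer PLMN as peer_plmn instead."""
    peer = req.plmn_id if peer_plmn is None else peer_plmn
    if peer not in cfg.plmns:
        return "peer plmn not in interworking list"
    if req.nf_info not in cfg.nfs:
        return "network function not allowed to access producer"
    if req.service_info not in cfg.services:
        return "service not allowed for interworking"
    return None
```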
CN202210237627.3A 2022-03-11 2022-03-11 Authorization verification method and device Pending CN116782228A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210237627.3A CN116782228A (en) 2022-03-11 2022-03-11 Authorization verification method and device
PCT/CN2023/077414 WO2023169206A1 (en) 2022-03-11 2023-02-21 Authorization verification method and device
Publications (1)

Publication Number Publication Date
CN116782228A true CN116782228A (en) 2023-09-19